From: Henderson, David (DavidHPROF-NETWORKS.CO.UK)
Date: Tue May 01 2001 - 03:43:52 CDT


    Reading all of these equally applicable points and bearing in mind your
    opening summary statement of 'there is no way to remotely log off users
    without loss of data..' prompted a thought. Flip it over.

    Instead of worrying about logging people off at a certain time and
    potentially creating a data-loss situation... explore the possibility of
    registry editing so that all company "mission critical" applications are set
    to auto-save every minute/two minutes or similar, perhaps an agreed,
    documented company standard. That way, whichever of the aforementioned
    log-off ideas you implement will not create a data-loss situation, and when
    people log back on they will have up-to-date work.

    I haven't got the specifics of how to achieve this to mind as yet; as I said,
    it was a thought prompted by the other suggestions. And it possibly is a
    lot of work. But it would be work that needed to be done only once, and
    then incorporated into future company standard roll-outs so you wouldn't
    lose the ground you've gained.

    d.

    -----Original Message-----
    From: Talisker [mailto:TaliskerNETWORKINTRUSION.CO.UK]
    Sent: 30 April 2001 20:17
    To: FOCUS-MSSECURITYFOCUS.COM
    Subject: Re: Gracefull NT Logoff - Summary

    Thanks very much to everyone who responded. I'll try and summarize what was
    suggested; please accept my apologies if I aggregate similar replies, giving
    credit to a single individual. Also, I've tried to be brief.

    Original
    I was looking for a way to gracefully logoff users so that they could see
    that their passwords were about to expire. Currently many are locking their
    workstations for weeks on end.

    Solution
    There was no perfect solution; all I can do is minimize the risk of data
    loss and cover my butt for when they do. I'm opting for (not necessarily
    the best):
    Tweak registry to remind users to change password 17 days before actual
    change
    Monthly email reminding users to log off each evening
    Set Policy hours to not include 0300-0315 on a Saturday morning
    Set Policy to forcibly log off "out of hours" users
    Net Send * 1300 on a Friday afternoon reminding users to log off at cease
    work or lose data
    Net Send * 0240 on a Saturday morning - final warning
    Ensure security policy refers to the above

    Brian Lucas and Andrew Maclachlan
    Suggested the shutdown utility that comes with the NT Resource Kit.

    Response
    This would mean identifying individuals on a regular basis. However, I'm
    dealing with 1000s of users across many domains, and with insufficient
    rights to shut them down remotely. Also, this would have to be carried out
    in the early hours of the morning, paying sys admins triple time (they get
    paid enough already).

    Adam
    I had it set to log off idle sessions after 2 hours.

    Response
    I would love to do this but feel my future in the company would be
    shortlived

    Adam
    As for passwords... you say it isn't prompting them to change... double check
    your policies and user account...

    Response
    The reason for this is that they weren't logging off in order to get the
    reminder.

    Frank Knobbe
    Well, there are a few ways to get the workstation to log off, be it the
    LOGOFF.SCR either as screen saver or scheduled.

    Response
    I prefer to use standard screensaver with password set to around 15 mins,
    this will protect those users who get sidetracked. Funny story (ish), a
    male colleague went out at lunchtime leaving his machine unlocked, on his
    return someone had sent a message, coming out of the closet on his behalf to
    every company employee, explaining how he would like to be called Mandy at
    weekends.

    By using logoff.scr as a screen saver the standard screensaver is not an
    option, and setting logoff.scr to 15 mins would result in some revolting
    users.

    Frank Knobbe
    Went on to give some good technical detail about logging users off and "...I
    would include in the policy that any unattended, logged-in PC poses a risk
    to the data, and workstations are to be logged off."

    Response
    Already done, but ignored. Though this does provide top cover when users do
    lose data.

    Frank Heyne
    Either you unlock the workstation with the user's password. If you don't
    know it use l0phtcrack to learn it. Now you can save the user's work.

    Response
    There are too many users to do this with, and I don't see a locked workstation
    as justification to compromise their password.

    You seem to imply that generally you know the users' passwords; beware, this
    could prejudice any investigations into computer misuse and may contravene
    the users' privacy rights.

    Kevin Mikkelson
    Notify all by e-mail that forced logoff will occur, and that if users fail
    to logoff they could lose work.

    Response
    Nice one, though I'd back it up with a Net Send *

    Michael Lang
    'Cause I'm not quite sure for NT 4.x, but Windows 2000 has features included
    for logging users off after, let's say, time-experienced settings.

    Response
    Yes it does, but it's not graceful.

    Thomas Szabo
    My personal opinion is if the lusers are warned, and choose to ignore your
    warning, it's lights out for them.

    Response
    Agreed, hence the need for inclusion in a policy

    Ben Greenbaum
    Hmm I know how I would react if I was working at 11pm or midnight and my
    system shut down automatically due to some administrative hack.

    Response
    Agreed, but hence only doing it once per week with plenty of backup in the
    security policy.
    Also, "working at midnight"? Ben, you need to get out more ;o)

    Chris DeVoney
    Frankly, if it was written company policy to logoff, tough cookies on what
    gets lost. On the other hand, I'd be real p'offed if my machine were logged
    off 10 hours into a 12 hour program run.

    Response
    The administrator would need to be proactive in his/her enforcement of the
    policy, i.e. the nightwatchman may be about to reach his best score on
    Minesweeper at 0300.

    Brian
    You can also schedule (AT) or use Cartman hack to reboot machines early
    Sunday morning 3:00am when it is very likely that someone is working. Inform
    all users to save their work before leaving for the weekend (or to shutdown
    their machines).

    Response
    Sound advice, though I prefer to use policy hours as it's easier to enforce
    across a domain of many machines.

    LVD
    Getting back to the core of the original query, the admin wants to allow
    users to logon in order to change their passwords. Go to Account Policies
    in User Manager for Domains and uncheck "user must logon to change password".
    Also, setting Min and Max password ages should notify users in advance to
    change passwords.

    Response
    The reason I wanted users to logon was to make them aware that their
    passwords were about to expire.

    Steve Willis
    Am I right in assuming that your real problem is password expiry without the
    users' knowledge? It is fairly easy to write something (cmd, script, VB etc.)
    that can check when the password is about to expire and mail the user. You
    could then run this job on a scheduled basis and alert the user, say, at 14
    days, 7 days and then every day until it's changed. If you find some users
    are ignoring this, then put them on a shutdown list and log them off.

    Response
    Sounds perfect, have you an example?

    Nick Palmer
    This is true, I've been faced with a similar problem, and used some
    discrimination as to who I shut down, by checking the amount of time they'd
    been logged on over a period of a few days (via Server Manager).

    Response
    This would be ideal on a LAN, but when faced with 1000s of users it gets to
    be too difficult.

    Harry Anderson
    Write a script that sends a message to users before their password expires.
    Determine the expire time from NET USERS username. Either e-mail or Win
    pop-up a warning message. Several days later, when they haven't changed the
    password, do a "somewhat graceful" shutdown.
    Here are a couple of links to get it started:
    Example batch of getting Password expire time:
    http://www.jsiinc.com/subc/tip1200/rh1246.htm
    Supposed to be a graceful close window program:
    http://www.jsiinc.com/suba/tip0400/rh0431.htm
    A "faster" shutdown: http://www.jsiinc.com/suba/tip0100/rh0166.htm

    Response
    This sounds good, though analysing multiple expiry times may be a little
    difficult; the close program looks as though it would have to be run on a
    case-by-case basis, as you need to know exactly what is in the title bar of
    the program in question.

    Once again, thanks to all who answered

    Take Care
    Andy
    http://www.networkintrusion.co.uk
    Talisker's Network Security Tools List

    Security Tools Notification
    http://groups.yahoo.com/group/security-tools/join
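Steve Willis's and Harry Anderson's suggestion in the summary above (read the expiry from NET USER output and warn the user at 14 days, 7 days, then daily) as an added example; this is not code from the thread or any of its posters. It assumes US-locale `net user` output; the sample output and the user name jsmith are constructed for the example.

```python
import re
import subprocess
from datetime import date, datetime

# Constructed sample of `net user jsmith /domain` output (US locale); the
# real layout depends on the domain controller's locale and NT version.
SAMPLE_NET_USER = """User name                    jsmith
Account expires              Never
Password last set            4/10/2001 9:15 AM
Password expires             5/22/2001 9:15 AM
The command completed successfully.
"""

EXPIRES_RE = re.compile(r"^Password expires\s+(.+?)\s*$", re.MULTILINE)

def parse_password_expiry(net_user_output):
    """Return the 'Password expires' date, or None when the password never
    expires or the field is absent (unknown or disabled account)."""
    m = EXPIRES_RE.search(net_user_output)
    if not m or m.group(1).strip().lower() == "never":
        return None
    return datetime.strptime(m.group(1).strip(), "%m/%d/%Y %I:%M %p").date()

def reminder_tier(expires, today, warn_days=(14, 7)):
    """Schedule from the thread: 'warn' exactly at each threshold, 'daily'
    inside the last one, 'expired' once the date has passed, else 'none'."""
    if expires is None:
        return "none"
    remaining = (expires - today).days
    if remaining < 0:
        return "expired"
    if remaining in warn_days:
        return "warn"
    if remaining < min(warn_days):
        return "daily"
    return "none"

def check_user(username, today=None, runner=None):
    """Run `net user <name> /domain` (or an injected runner for testing)
    and return the reminder tier; `today` is an ISO date string."""
    today = date.fromisoformat(today) if today else date.today()
    if runner is None:
        def runner(u):
            return subprocess.run(["net", "user", u, "/domain"],
                                  capture_output=True, text=True).stdout
    return reminder_tier(parse_password_expiry(runner(username)), today)
```

A scheduled job would loop over the domain's user list, call check_user for each and send the e-mail or Net Send only when the tier is "warn" or "daily".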