Managing Logon Hours


from Chapter 5, Windows NT Administrator's Pocket Consultant by William R. Stanek.

Windows NT allows you to control when users can log on to the network. You do this by setting their valid logon hours. You can use logon hour restrictions to tighten security and prevent system cracking or malicious conduct after normal business hours.

During valid logon hours, users can work as they normally do. They can log on to the network and access network resources. During restricted logon hours, users can't work normally. They can't log on to the network or make connections to network resources. If users are logged on when their logon time expires, the action taken depends on the Account Policy set for users. Generally, one of two things happens to the user:

  • Forcibly disconnected: You can set a policy that tells Windows NT to forcibly disconnect Windows NT users when their logon hours expire. If this policy is set, remote Windows NT users are disconnected from all network resources and logged off the system when their hours expire. (For more information, see the section of this chapter titled "Password and Account Policies.")

  • Not disconnected: Users are not disconnected from the network when they enter the restricted hours. Instead, Windows NT simply doesn't allow them to make any new network connections.

To configure the logon hours, click the Hours button in the New User, User Properties, or Copy Of dialog boxes. You can now set the valid and invalid logon hours using the Logon Hours dialog box shown in Figure 5-13. Logon Hours features are listed in Table 5-2.


Figure 5-13:

In this dialog box each hour of the day or night is a field that you can turn on and off.

  • Hours that are allowed are filled in with a dark bar—you can think of these hours as being turned on.

  • Hours that are disallowed are blank—you can think of these hours as being turned off.

To change the setting for an hour, click it, then use either the Allow or Disallow button.

Table 5-2 Logon Hours Features

| Feature | Function |
|---|---|
| Button above Sunday | Allows you to select all the time periods. |
| Day of week buttons | Allow you to select all the hours in a particular day. |
| Hourly buttons | Allow you to select a particular hour for all the days of the week. |
| Allow button | Sets the allowed logon hours. |
| Disallow button | Sets the disallowed logon hours. |

Tip: When setting logon hours, you'll save yourself a lot of work in the long run if you give users a moderately restricted time window. For example, rather than explicit 9–5 hours, you may want to allow a few hours on either side of the normal work hours. This will let the early birds onto the system and allow the night owls to keep working until they finish for the day.
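The Logon Hours grid and the two expiry behaviours described above can be modelled as seven days of 24 hourly cells. The following Python code is an added example, not taken from the book or from Windows NT; the function names, user names and sample events are constructed, and times are assumed to be the server's local time.

```python
from datetime import datetime

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]  # dialog row order

def new_grid(allowed=True):
    """7x24 grid, one cell per hour; True = allowed (dark bar in the dialog)."""
    return [[allowed] * 24 for _ in DAYS]

def set_hours(grid, days, start, end, allowed):
    """Allow/Disallow applied to hours start..end-1 on the selected days."""
    for d in days:
        for h in range(start, end):
            grid[DAYS.index(d)][h] = allowed

def is_allowed(grid, when):
    """True if the hour containing `when` is turned on."""
    row = (when.weekday() + 1) % 7  # Python counts Monday=0; the grid starts on Sunday
    return grid[row][when.hour]

def business_hours_grid(pad=2):
    """Mon-Fri 9-5 widened by `pad` hours on each side (the Tip's moderate window)."""
    grid = new_grid(allowed=False)
    set_hours(grid, DAYS[1:6], 9 - pad, 17 + pad, True)
    return grid

def session_outcome(grid, logon, check, force_disconnect):
    """State at time `check` of a session that attempted logon at time `logon`."""
    if not is_allowed(grid, logon):
        return "logon refused"
    if is_allowed(grid, check):
        return "working normally"
    return "disconnected" if force_disconnect else "no new connections"

def after_hours_logons(grid, events):
    """Return the (user, time) logon events that fall in disallowed hours."""
    return [(user, t) for user, t in events if not is_allowed(grid, t)]

# Constructed sample events for illustration (not real log data)
SAMPLE_EVENTS = [
    ("jsmith", datetime(1999, 3, 1, 7, 30)),   # Monday 07:30, inside padded window
    ("jsmith", datetime(1999, 3, 1, 19, 5)),   # Monday 19:05, after the window closes
    ("akumar", datetime(1999, 3, 6, 10, 0)),   # Saturday 10:00, weekend
]

if __name__ == "__main__":
    for user, t in after_hours_logons(business_hours_grid(), SAMPLE_EVENTS):
        print(f"review: {user} logon attempt at {t:%a %H:%M} is outside allowed hours")
```

Running the same check over real logon audit records shows who would be locked out before a restriction is applied.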

Setting Permitted Logon Workstations

Windows NT has a formal policy that allows users to log on to systems locally. This policy controls whether or not a user can sit at the computer's keyboard and log on. By default, on Windows NT workstations you can use any valid user account to log on locally, including the guest account.


Figure 5-14: To restrict access to workstations, specify the permitted logon workstations.

As you might imagine, allowing users to log on to any workstation is a big security no-no. Unless you restrict workstation use, anyone who obtains a user name and password can use it to log on to any workstation in the domain. By defining a permitted workstation list, you close the opening in your domain and reduce the security risk. Now hackers must not only find a user name and password, they must also find the permitted workstations for the account.

Note: The permitted logon workstation restrictions only affect Windows NT computers in the domain. If there are any non-Windows NT computers in the domain, they are not subject to the restrictions, which means you only need a valid user name and password to log on to these systems.

For domain users, you define permitted logon workstations as follows:

  • Open the Logon Workstations dialog box by clicking the Logon To button in the New User, User Properties, or Copy Of dialog boxes.

  • Select the User May Log On To These Workstations radio button, then specify up to eight logon workstations (see Figure 5-14).

Setting Account Information and Dial-In Privileges

The Account Information dialog box allows you to specify an expiration date for an account and whether an account is local or global. By default, accounts do not expire. If you set an expiration date, the account will be disabled on the expiration date and the user will not be able to log on. To open this dialog box, click the Account button in the New User, User Properties, or Copy Of dialog boxes.

Windows NT lets you set dial-in privileges for accounts using the Dial In Information dialog box. Access this dialog box by clicking on the Dial In button in the New User, User Properties, or Copy Of dialog boxes. By default, dial-in privileges are disabled for new user accounts. To allow users to dial in, select the Grant Dial-In Permission To User check box, then define the call back parameters. Call back parameters are used as follows:

  • No Call Back: The user is allowed to dial in directly and remain connected. The user pays the long-distance telephone charges if applicable.

  • Set by Caller: The user is allowed to dial in directly, and then the server prompts the user for a call back number. Once entered, the user is disconnected and the server dials the user back at the specified number to reestablish the connection. The company pays the long-distance telephone charges if applicable.

    Note: You should not assign call back for users who dial in through a switchboard. The switchboard may not allow the user to properly connect to the network.

  • Preset To: Allows you to set a predefined call back number for security purposes. When a user dials in, the server calls back the preset number. The company pays the long-distance telephone charges if applicable, and calling back only the preset number reduces the risk of an unauthorized person accessing the network.

Note: You should not use preset call back numbers with multilinked lines. The multilinked lines will not function properly.

from Windows NT Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.
