Leaving administrator logged in but terminal locked.....

Posted on 2006-11-09
Medium Priority
Last Modified: 2008-02-01
Just a general question.

I am wondering if there are any known security issues when leaving the administrator account logged in but the terminal locked (by using Windows key + L) when using Windows Server 2003?

Question by:amerretz
LVL 48

Expert Comment

ID: 17912110
Not that I have an issue with... I often leave my servers "locked".
LVL 39

Expert Comment

ID: 17912310
Same, in fact I have servers that MUST be like this to run custom (horrible) applications.

LVL 14

Expert Comment

ID: 17912368
You need to be sure that you are locking the terminal. You may also set the screen saver policy to lock the system if it is idle for about 5 mins. This way you can make sure that the system will be locked after 5 min even if you forget to do it. This is extra caution since it is going to Administrator.

Note:
But if you are choosing a screen saver, choose one that doesn't consume more CPU cycles, because we had an issue in our production environment where the screen saver used to consume about 80% CPU cycles since it was a custom-built one. But the ones which come with the OS by default are OK.

Reducing the screen saver idle time below 5 min sometimes will annoy the users/admins who are working on the server, because it will get locked while they are thinking to do something.

Hope this helps you
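
The screen saver lock suggested in the comment above can be verified with a short audit script. This is an added example, not part of the original thread; it assumes PowerShell is installed on the server and is run in the session of the account that stays logged on, and it uses the 5-minute limit from the comment as its threshold.

```powershell
# Added example: audit the screen saver lock settings of the logged-on account.
# Values set by Group Policy override the user's own Control Panel settings.
$policyKey      = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$userKey        = 'HKCU:\Control Panel\Desktop'
$maxIdleSeconds = 300   # assumption: the "about 5 mins" idle limit from the comment

function Get-DesktopValue([string]$Name) {
    # Return the first configured value, checking the policy key before the user key.
    foreach ($key in $policyKey, $userKey) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and ($null -ne $props.$Name)) {
            return @{ Value = [string]$props.$Name; Source = $key }
        }
    }
    return $null
}

function Test-ScreenSaverLock {
    $findings = @()
    $active  = Get-DesktopValue 'ScreenSaveActive'
    $secure  = Get-DesktopValue 'ScreenSaverIsSecure'
    $timeout = Get-DesktopValue 'ScreenSaveTimeOut'
    $exe     = Get-DesktopValue 'SCRNSAVE.EXE'

    if (-not $active -or $active.Value -ne '1') {
        $findings += 'Screen saver is not enabled.'
    }
    if (-not $secure -or $secure.Value -ne '1') {
        $findings += 'Screen saver does not require a password on resume.'
    }
    if (-not $timeout -or [int]$timeout.Value -gt $maxIdleSeconds) {
        $findings += "Idle timeout is missing or longer than $maxIdleSeconds seconds."
    }
    if (-not $exe) {
        $findings += 'No screen saver executable is configured, so nothing starts at the timeout.'
    } elseif ($exe.Source -eq $userKey) {
        # A per-user setting can be changed in Display properties; policy cannot.
        $findings += "Screen saver '$($exe.Value)' comes from the user profile, not from policy."
    }
    return $findings
}

$result = @(Test-ScreenSaverLock)
if ($result.Count -eq 0) { 'OK: console locks after idle timeout.' } else { $result }
```
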

Author Comment

ID: 17912988
Thanks for all your responses guys. I too have to leave the administrator account logged in due to horrible applications (DB engine) that don't run as a service.

I only ask as I have a client which seems to think it's a security risk to leave the administrator logged in to the server even though the terminal is locked.

Just confirming my thoughts before I get back to him. I don't see it as a risk!
LVL 39

Expert Comment

ID: 17913109
Locking the server is MORE secure than leaving it logged out.

Any monkey (assuming the server is misconfigured, and allows users to log on to it) can log in to the server, but only domain admins can unlock it if a domain admin is logged in :)



Author Comment

ID: 17913294
Is there any issue of rogue processes running easier if the administrator account is left logged in but locked?

Thank you.
LVL 33

Accepted Solution

NJComputerNetworks earned 800 total points
ID: 17914028
Yes, there are many security opportunities for attacks to occur on a machine that will assume the rights of the logged in user. Microsoft tries to combat these monthly by releasing security updates... If you read through the security updates, the vulnerability, many times, is that the attacker of the system gets the same rights as the logged in user...

I don't agree with this statement: "Locking the server is MORE secure than leaving it logged out."

In my opinion, there is some risk by staying logged in. However, the risk is minimal. I would say, log out of a machine if possible... if you must stay logged into a machine, at least make sure that it is patched to the latest level and you have turned off as many unneeded services as possible.

LVL 18

Assisted Solution

PowerIT earned 800 total points
ID: 17914076
An issue? If it is a rogue process that runs only from a logged on console. But that also means that it would ALSO run if just logged in to manage the server and not locked. The locking does not change that.
Security measures should be taken to prevent that from happening. If you have such an issue, then it's already far too late. Logged on or not.
Also, there are many many exploits that don't need a logged on console, which just run as service. Again, you also must prevent those.
Just eliminating a locked console is like sticking your head in the sand and hoping that nothing bad happens.
It does not add any level of security and, as -red mentioned, is more secure in some cases.
I can understand your client's concern if he is just a PC user, who has no idea of architectures. To him it would seem logical. He would think that a PC is only 'working' once logged on. But a lot of things are not what they seem to be, especially if you are not a specialist.
E.g. I don't make any assumptions about cars any more. I love cars but am not a specialist. Once had a clunky noise whenever I used the brakes. Turned out that it had nothing to do with the brakes but with the engine suspension. I know, silly story, but you get the idea.

LVL 39

Assisted Solution

redseatechnologies earned 400 total points
ID: 17920480
Let me qualify that,

Locking the server is MORE secure than leaving it logged out, assuming the domain is configured incorrectly (allowing any user to log on to a DC, it happens, especially with Terminal Services) AND physical access to the server is possible.

Of course, the other end of that is anyone could just RDP to the server, so I will withdraw that statement entirely. That'll teach me for not thinking :)



Author Comment

ID: 17921259
Thanks for all the input from everyone. It seems as though there is no hard and fast way to truly combat all security risk, either through services holes or logged on privilege exploits. I guess I will pass on your advice and let the client decide how mission critical their data really is!

One can only try their best to combat all known security exploits in a Windows system, but there seems to be a never ending group of people who wish to cause havoc. Sure keeps you on your toes.
LVL 33

Expert Comment

ID: 17933146
lol Red...

Question has a verified solution.