Posted by brendo | Posted in security | Posted on 27-03-2009
Just installed Windows Server 2008 for our test team and remoted in to configure it. I set up remote desktop and gave it the max number of connections (which was limited to 2).
I restarted the server to ensure the changes would be applied and logged into a remote desktop session. A colleague then logged in from his machine and it booted me out, citing that someone else had logged into this session.
After a number of searches through the remote desktop settings, it turns out that by default, Windows Server 2008 restricts each user to a single remote desktop session.
To change this, go to Administrative Tools > Terminal Services Configuration and double-click on the item “Restrict each user to a single session”. From this window, uncheck the “Restrict each user to a single session” box. Voila! 2 users remote desktop’ed in simultaneously.
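The same setting can be checked and changed from an elevated PowerShell prompt, which is useful when building several test servers. This is an added example, not part of the original post; it assumes the checkbox is backed by the `fSingleSessionPerUser` registry value and that a Group Policy copy of that value, when present, takes precedence over the local one.

```powershell
# Added example: inspect and change "Restrict each user to a single session".
# Assumption: the checkbox maps to the DWORD fSingleSessionPerUser (1 = restrict, 0 = allow),
# and a value under the Policies key overrides the local one.
$Local  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$Name   = 'fSingleSessionPerUser'

function Get-RegDword($Path, $ValueName) {
    # Returns the value, or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($item) { return $item.$ValueName }
    return $null
}

function Get-SingleSessionState {
    # Reports which location decides the effective setting.
    $p = Get-RegDword $Policy $Name
    $l = Get-RegDword $Local  $Name
    if ($null -ne $p) { $source = 'GroupPolicy'; $value = $p }
    elseif ($null -ne $l) { $source = 'Local'; $value = $l }
    else { $source = 'NotSet'; $value = 1 }   # the post reports restriction as the default
    New-Object PSObject -Property @{
        Source     = $source
        Value      = $value
        Restricted = ($value -ne 0)
    }
}

function Disable-SingleSessionRestriction {
    # Equivalent of unchecking the box; refuses to pretend it worked if policy overrides it.
    if ($null -ne (Get-RegDword $Policy $Name)) {
        Write-Warning 'Setting is enforced by Group Policy; change the GPO instead.'
        return
    }
    Set-ItemProperty -Path $Local -Name $Name -Value 0 -Type DWord
    Get-SingleSessionState
}

# Show the current state; run Disable-SingleSessionRestriction to change it.
Get-SingleSessionState | Format-List Source, Value, Restricted
```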

Posted by brendo | Posted in All Posts, security | Posted on 01-10-2007
The expiring password is a practice that I am not a fan of.
I see the benefit(s?):
- If someone has intercepted/cracked your password, changing it will block their access.
- Umm…
I’m sure there are others… While I try to think of those, let’s look at the drawbacks:
- Whenever you change your password it is one more thing that you have to remember. Passwords are usually required to be 6-10 characters, even though the human short-term memory can, generally, only remember between five and nine things of a particular kind: letters, digits, words etc. A new 10-character password every 30 days is keeping that overworked brain very busy.
- People have bad memories and often forget their new passwords which results in lost time, lost productivity and general stress and frustration. This applies not only to the user forgetting the password, but the poor sod who has to reset 100 passwords every month because people keep forgetting what their new password is.
- If you need to remember something what do you do?… I write it down. Surely an old password that no-one knows is more secure than a new password written down on paper/txt document with a username and website so that you can remember what this password is for. Don’t write this one off… In client places, I have seen post-its on the monitor with eBay, internet banking and email username and password combinations labeled, just to name a few.
- When put on the spot (your password has expired, please enter a new one, NOW!) – people are more likely to just make “an easy password for now and change it later”. We all know that these never get changed.
This is just my take on the ever frustrating process of remembering far too many passwords and having to change those far too often.
The inspiration for this post was an error message I got at work today while trying to use my old password, forgetting that it had expired and I now have a new one. The message made me giggle:
Login Failed:
# You may have typed the wrong password
# This user ID may not exist
# If you are a resident of Italy, your password may have expired.
Moral of the story is, watch out Italians.