Hi All,

W10-pro 22H2

I have a customer with two machines. Both have the
same issue

If you goof the first attempt to logon, your account gets
locked out for five minutes.

Password and attempts is set as follows:

--> <win><r> secpol.msc
--> Security Settings (very top of the left pane)
--> Account Policies (left pane)
--> Account Lockout Policy (left pane)
--> Adjust the following (you have to set the threshold first):
x Account lockout threshold (middle one) (10)
x Account lockout duration (5)
x Reset account lockout counter after (5)
https://imgur.com/JBWWAuw.png

The normal way to unlock an account before the wait period
expires is
--> logon as Administrator
--> <win><R> lusrmgr.msc
--> users
--> select user
--> uncheck "Account is disabled"

Problem: the account is not disabled (lusrmgr.msc):
https://imgur.com/2rxTBQo.png

<editorial comment> AAAAAAHHHHHH!!!!!!</editorial comment>

Any Words of Wisdom?
-T

T <T@invalid.invalid> wrote:

> W10-pro 22H2
>
> I have a customer with two machines. Both have the
> same issue
>
> If you goof the first attempt to logon, your account gets
> locked out for five minutes.
>
> Password and attempts is set as follows:
>
> --> <win><r> secpol.msc
> --> Security Settings (very top of the left pane)
> --> Account Policies (left pane)
> --> Account Lockout Policy (left pane)
> --> Adjust the following (you have to set the threshold first):
> x Account lockout threshold (middle one) (10)
> x Account lockout duration (5)
> x Reset account lockout counter after (5)
> https://imgur.com/JBWWAuw.png
>
> The normal way to unlock an account before the wait period
> expires is
> --> logon as Administrator
> --> <win><R> lusrmgr.msc
> --> users
> --> select user
> --> uncheck "Account is disabled"
>
> Problem: the account is not disabled (lusrmgr.msc):
> https://imgur.com/2rxTBQo.png

So, is your question how to disable the lockout interval timeout
(duration) to just use the max attempt count (threshold)?

Or do you still want a 5-minute lockout interval, and always use an
admin account to unlock the lockout? By the time you get to the
workstation, login under an admin account, and navigate into policies to
unlock an account, you might've just waited the 5-minute login interval.

I would expect a lockout interval does NOT mean the account is disabled,
just the login gets stalled for that interval. Keep a login fail count
(lockout threshold), but I'd probably up that from 10 to 30 for
uber-boobs using the workstation.

The lockout threshold (now at 10) cues it takes that many logins to fail
before a lockout. You sure your customer is telling the truth that just
1 failed login is locking up the login screen? Customers sometimes lie
to save face.

I had my dad with his SOHO office tell me that he didn't install any
software since I last worked on his company computer. I'd find and show
several programs he installed since then. He said he figured those
didn't count. Uh huh. And it was one of those insignificant installs
that fucked his computer.

Alternatively, and if the image you showed is not of the customer's
computer, a lockout duration of 0 (zero) means the account gets locked
(not disabled). An admin then needs to unlock the account. The
duration should be 1, or higher (measured in minutes). Once the
threshold is exceeded, the account is locked for the interval set in
duration, but a value of 0 means immediate lockout on a failed login.
Some companies set the duration to 1440 minutes (24 hours), but the
threshold of 5 means the authorized user could end up locked out for a
day in just 5 failed logins. A duration of just 5 minues is way too
short as a brute-force attacker can begin again in a very short time to
hack into an account.

Disabled and locked out are not the same regarding account status. Your
image at https://i.imgur.com/2rxTBQo.png shows the "Account is disabled"
option is disabled, so that account is /not/ disabled. Your image also
shows "Account is locked out" is grayed out, so the account is not
locked out, either. When you saved that image (after logging under a
different admin-level Windows account and using lusmgr), had the
duration already expired, so it was no longer locked out by the time you
got around to looking at that account?

https://www.tenforums.com/tutorials/87665-unlock-local-account-windows-10-a.html
"If Account is locked out is grayed out and unchecked, then the account
is not locked out."

Since these login security measures are policies, and since a PDC can
push policies onto a workstation, you didn't mention if the user is
logging on using a local account, or an account in a domain. No matter
what you set for policy, a workstation logging into a PDC will get those
policies pushed onto their host. The only way I know of around this is
to get the IT folks to give you the admin account login credentials to
define a script for the Logon event that rewrites the registry settings
for the policies. IT was pushing a short screen saver timeout that we
needed disabled for a kiosk workstation in our Alpha Lab. Once I
explained why we need that host (in a locked lab) to NOT allow the
password-protected screen saver, they gave me the admin account (the one
from the PDC, not a local admin account) to write a Logon script to use
reg.exe to undo some of the corporate policies. They had no way to
differentiate which policies were pushed onto which workstations, like
excluding our kiosk host from their policies. Not a problem for hosts
in our Lab that were on a different network segment where domain logins
weren't used, but the kiosk host was outside our Lab's network, subject
to corporate policies pushed via PDC, but in a locked office.

Unlock account in a PDC setup:
https://www.youtube.com/watch?v=O8KWgt4oHRM

On 4/19/24 22:43, VanguardLH wrote:
> is your question how to disable the lockout interval timeout
> (duration) to just use the max attempt count (threshold)?

I want the 10 not the one

On 4/19/24 22:43, VanguardLH wrote:
> Or do you still want a 5-minute lockout interval, and always use an
> admin account to unlock the lockout? By the time you get to the
> workstation, login under an admin account, and navigate into policies to
> unlock an account, you might've just waited the 5-minute login interval.

That is what I originally thought too, but I was quick and when
I=tried to relogin as the user, I was still locked out.

I want it to work the way I configured it. I have about
20 other customers with that same configuration and they
all work as expected.

On 4/19/24 22:43, VanguardLH wrote:
> The lockout threshold (now at 10) cues it takes that many logins to fail
> before a lockout. You sure your customer is telling the truth that just
> 1 failed login is locking up the login screen? Customers sometimes lie
> to save face.

It has done it to me several times, both in person and remotely

On 4/19/24 22:43, VanguardLH wrote:
> I had my dad with his SOHO office tell me that he didn't install any
> software since I last worked on his company computer. I'd find and show
> several programs he installed since then. He said he figured those
> didn't count. Uh huh. And it was one of those insignificant installs
> that fucked his computer.

I did this customer's PCI (payment card industry) audit.
I when though all his programs to remove unused stuff
as required. I put him through both UCHeck and VulnDetect.

> Alternatively, and if the image you showed is not of the customer's
> computer, a lockout duration of 0 (zero) means the account gets locked
> (not disabled). An admin then needs to unlock the account. The
> duration should be 1, or higher (measured in minutes). Once the
> threshold is exceeded, the account is locked for the interval set in
> duration, but a value of 0 means immediate lockout on a failed login.
> Some companies set the duration to 1440 minutes (24 hours), but the
> threshold of 5 means the authorized user could end up locked out for a
> day in just 5 failed logins. A duration of just 5 minues is way too
> short as a brute-force attacker can begin again in a very short time to
> hack into an account.

It is the minimum I can set it at to appease the PCI gods. Keep
in mind that he gets locked out by the screen saver every
fifteen minutes (10 minutes to screen saver and 5 minutes grace)
and has to log back in. One goof up and ...

It has also happened to me on a fresh boot up when I
put my own password in, instead of his.

And the bad guys are going to choke on the multi-factor
authentication (MFA), the firewall (a real one), and the
masked RDP port. I did check with the customer and he had
this issues before I installed the MFA. MFA is only set up for
remote RDP.

> Disabled and locked out are not the same regarding account status. Your
> image athttps://i.imgur.com/2rxTBQo.png shows the "Account is disabled"
> option is disabled, so that account is/not/ disabled. Your image also
> shows "Account is locked out" is grayed out, so the account is not
> locked out, either. When you saved that image (after logging under a
> different admin-level Windows account and using lusmgr), had the
> duration already expired, so it was no longer locked out by the time you
> got around to looking at that account?

Still locked out when I tried to get back into the user's account.

> https://www.tenforums.com/tutorials/87665-unlock-local-account-windows-10-a.html
> "If Account is locked out is grayed out and unchecked, then the account
> is not locked out."
>
> Since these login security measures are policies, and since a PDC can
> push policies onto a workstation, you didn't mention if the user is
> logging on using a local account, or an account in a domain.

Local account. Just two computers. No server.

> No matter
> what you set for policy, a workstation logging into a PDC
> ...
> Unlock account in a PDC setup:
> https://www.youtube.com/watch?v=O8KWgt4oHRM

Fortunately, no windows server involved. Windows servers
are not useful in small businesses.

What is weird is that I have about 20 other customers
with the same configuration. And they have no such issue.

I am thinking that my secpol.msc, Account lockout
threshold is not the mechanize that is throwing
the lockout. It is beyond me what is though.

One of my major complains about Windows 10+ is the "one off"
problems, where only one computer in the entire world
has a particular issue. I wonder if I have come across
my first "two off" problem.

On 20/04/2024 03:00, T wrote:
>
>
> <editorial comment> AAAAAAHHHHHH!!!!!!</editorial comment>
>
> Any Words of Wisdom?
>
>
>

Windows continues to get worse.
https://youtu.be/GkJihLz1DY0?si=GAmWpuxnBeKSmU-S

Did you disable fast startup in your customers' systems? Chinese made
battery powered vibrators are getting better. They are now using AI
meaning augmented intelligence not artificial intelligence. But people
should disable fast startup so that they get time to use Chinese made
battery powered vibrators with AI, Even the price is dropping so you can
make more profits by selling them to your customers. Do you still go to
a massage parlour in the rougher end of your town for a social
rendezvous? Always disable fast startup to get maximum benefit. Tell
your customers you are a Windows expert and soon will start selling
doors. Chinese made battery powered vibrators with AI can help you get
started but selling doors will augment your bottom line.  So now you
have Windows, Doors and Chinese made battery powered vibrators. You can
also advertise for your local massage parlours and charge them for the
service.

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Proin mollis
vulputate dictum. Donec ut velit est. Nam pretium odio non placerat
varius. Aenean vel metus lectus. Donec enim enim, egestas id ex quis,
ullamcorper convallis nunc. Phasellus iaculis, diam ac viverra
consequat, ipsum elit aliquam metus, nec aliquam quam lorem eget lorem.
Curabitur id lacus sit amet dolor laoreet feugiat ut id ipsum. Curabitur
scelerisque dui quis placerat efficitur. Duis vel lectus bibendum,
ornare dui eu, gravida lectus. Donec tellus ante, ornare a arcu nec,
commodo pulvinar augue. Nam malesuada felis id velit aliquet vestibulum.
Morbi tempor, diam sit amet aliquam mattis, leo libero lobortis diam,
non luctus sapien libero at arcu. Morbi tincidunt nisi ut metus
tincidunt, at maximus ex scelerisque. Suspendisse potenti. Aliquam sit
amet iaculis odio.

Etiam egestas lorem ut odio semper suscipit. Nulla semper elit ac leo
vestibulum, et placerat lacus imperdiet. Donec vitae lacus id turpis
maximus fermentum. Aliquam at nisl et velit rhoncus aliquam. Vivamus in
pulvinar sem, sed consequat mauris. Vestibulum ut porta ligula. Donec
ullamcorper urna in aliquam ullamcorper. Fusce lobortis purus ut
tristique elementum. In commodo malesuada augue, sit amet sollicitudin
mauris dictum nec. Sed tempor, nisl eget varius feugiat, odio eros porta
urna, non aliquet orci sapien a justo. Interdum et malesuada fames ac
ante ipsum primis in faucibus. Cras elementum massa id nisl pulvinar
blandit. Fusce justo tortor, sodales sed nunc congue, dignissim ultrices
nisi. Class aptent taciti sociosqu ad litora torquent per conubia
nostra, per inceptos himenaeos. Nulla quis tincidunt leo, ac bibendum
tortor. Fusce bibendum est sed magna fermentum, a malesuada lacus lacinia.

T <T@invalid.invalid> wrote:

> One of my major complains about Windows 10+ is the "one off"
> problems, where only one computer in the entire world
> has a particular issue. I wonder if I have come across
> my first "two off" problem.

The Home editions are betaware. Microsoft stopped maintaining labs with
tons of scenarios to try testing the most common user setups, about the
time they fired a ton of programmers. Microsoft uses Home users as
though they were beta testers.

On 4/20/24 14:21, VanguardLH wrote:
> T <T@invalid.invalid> wrote:
>
>> One of my major complains about Windows 10+ is the "one off"
>> problems, where only one computer in the entire world
>> has a particular issue. I wonder if I have come across
>> my first "two off" problem.
>
> The Home editions are betaware. Microsoft stopped maintaining labs with
> tons of scenarios to try testing the most common user setups, about the
> time they fired a ton of programmers. Microsoft uses Home users as
> though they were beta testers.

Believe me, they do it with Pro users too.

The term "what were they thinking" was coined
for M$.

Wang Yu <T@invalid.invalid> wrote:

> Path: ...!paganini.bofh.team!not-for-mail
> User-Agent: Eternal September v2024

No such client. Poster lied.

> Content-Language: cn

Why specify Chinese when the content is ASCII?

> Chinese made battery powered vibrators are getting better.
....
> Lorem ipsum dolor sit amet, consectetur adipiscing elit. Proin mollis
<data block attempting to avoid anti-spam filters using a hash>

An example why free access (no account registration) is a bad idea at
BOFH Pagainini. No way to use Paganini's headers to determine if a
poster used free access (unregistered) or an account there (registered).
Google Groupers are migrating to Paganini, including trolls, peuriles,
malcontents, nymshifters, and uber-boobs. A lot of trash would be
avoided if Paganini dropped their free (unregistered) access to require
account login (registered). There's no privacy issue when registering
for an account, just something to lose by violating their TOS.

No idea if the posting-account="9dIQLXBM7WM9KzA+yjdR4A" string arg in
Paganini's Injection-Info header identifies free access, or the actual
account through which a post got submitted. For all the Paganini
submissions that I've found, they all have:

Injection-Info: ...; posting-account="9dIQLXBM7WM9KzA+yjdR4A";

So, that won't help to differentiate between freeloaders using free
access to Paganini, and those using account to login.

On 4/19/24 19:00, T wrote:
> Hi All,
>
> W10-pro 22H2
>
> I have a customer with two machines.  Both have the
> same issue
>
> If you goof the first attempt to logon, your account gets
> locked out for five minutes.
>
> Password and attempts is set as follows:
>
> --> <win><r> secpol.msc
>   --> Security Settings (very top of the left pane)
>     --> Account Policies (left pane)
>       --> Account Lockout Policy (left pane)
>         --> Adjust the following (you have to set the threshold first):
>              x  Account lockout threshold  (middle one)   (10)
>              x  Account lockout duration                   (5)
>              x  Reset account lockout counter after        (5)
> https://imgur.com/JBWWAuw.png
>
>
> The normal way to unlock an account before the wait period
> expires is
>     --> logon as Administrator
>       --> <win><R> lusrmgr.msc
>         --> users
>           --> select user
>             --> uncheck "Account is disabled"
>
> Problem: the account is not disabled (lusrmgr.msc):
> https://imgur.com/2rxTBQo.png
>
> <editorial comment> AAAAAAHHHHHH!!!!!!</editorial comment>
>
> Any Words of Wisdom?
> -T

Figured it out.

Everything was working as it was suppose to. The
reason why the account kept getting locked out was
due to a "Brute Force RDP attack". The attacker
kept running up the failed log in attempts in
rapid succession.

Fortunately, the security provisions I
had put in place held.

Now that I know what was causing the issue, I
blocked the attackers multiple IP addresses
at the network firewall.

<editorial comment> OH HOLY [expletive deleted] !!!! </editorial comment>

Thank you all for the help and tips!

-T

On 2024-04-23 11:02, T wrote:
> On 4/19/24 19:00, T wrote:
>> Hi All,
>>
>> W10-pro 22H2
>>
>> I have a customer with two machines.  Both have the
>> same issue
>>
>> If you goof the first attempt to logon, your account gets
>> locked out for five minutes.

....

>> Any Words of Wisdom?
>> -T
>
>
> Figured it out.
>
> Everything was working as it was suppose to.  The
> reason why the account kept getting locked out was
> due to a "Brute Force RDP attack".  The attacker
> kept running up the failed log in attempts in
> rapid succession.

Gosh :-(

>
> Fortunately, the security provisions I
> had put in place held.
>
> Now that I know what was causing the issue, I
> blocked the attackers multiple IP addresses
> at the network firewall.
>
> <editorial comment> OH HOLY [expletive deleted] !!!! </editorial comment>
>
> Thank you all for the help and tips!

Expletive indeed.

--
Cheers, Carlos.

On 4/23/24 06:31, Carlos E.R. wrote:
> On 2024-04-23 11:02, T wrote:
>> On 4/19/24 19:00, T wrote:
>>> Hi All,
>>>
>>> W10-pro 22H2
>>>
>>> I have a customer with two machines.  Both have the
>>> same issue
>>>
>>> If you goof the first attempt to logon, your account gets
>>> locked out for five minutes.
>
> ...
>
>>> Any Words of Wisdom?
>>> -T
>>
>>
>> Figured it out.
>>
>> Everything was working as it was suppose to.  The
>> reason why the account kept getting locked out was
>> due to a "Brute Force RDP attack".  The attacker
>> kept running up the failed log in attempts in
>> rapid succession.
>
> Gosh :-(
>
>>
>> Fortunately, the security provisions I
>> had put in place held.
>>
>> Now that I know what was causing the issue, I
>> blocked the attackers multiple IP addresses
>> at the network firewall.
>>
>> <editorial comment> OH HOLY [expletive deleted] !!!! </editorial comment>
>>
>> Thank you all for the help and tips!
>
> Expletive indeed
Hyperventilated a bit too!

T <T@invalid.invalid> wrote:

> On 4/19/24 19:00, T wrote:
>> Hi All,
>>
>> W10-pro 22H2
>>
>> I have a customer with two machines.  Both have the
>> same issue
>>
>> If you goof the first attempt to logon, your account gets
>> locked out for five minutes.
>>
>> Password and attempts is set as follows:
>>
>> --> <win><r> secpol.msc
>>   --> Security Settings (very top of the left pane)
>>     --> Account Policies (left pane)
>>       --> Account Lockout Policy (left pane)
>>         --> Adjust the following (you have to set the threshold first):
>>              x  Account lockout threshold  (middle one)   (10)
>>              x  Account lockout duration                   (5)
>>              x  Reset account lockout counter after        (5)
>> https://imgur.com/JBWWAuw.png
>>
>> The normal way to unlock an account before the wait period
>> expires is
>>     --> logon as Administrator
>>       --> <win><R> lusrmgr.msc
>>         --> users
>>           --> select user
>>             --> uncheck "Account is disabled"
>>
>> Problem: the account is not disabled (lusrmgr.msc):
>> https://imgur.com/2rxTBQo.png
>>
>> <editorial comment> AAAAAAHHHHHH!!!!!!</editorial comment>
>>
>> Any Words of Wisdom?
>> -T
>
> Figured it out.
>
> Everything was working as it was suppose to. The
> reason why the account kept getting locked out was
> due to a "Brute Force RDP attack". The attacker
> kept running up the failed log in attempts in
> rapid succession.
>
> Fortunately, the security provisions I
> had put in place held.
>
> Now that I know what was causing the issue, I
> blocked the attackers multiple IP addresses
> at the network firewall.
>
> <editorial comment> OH HOLY [expletive deleted] !!!! </editorial comment>
>
> Thank you all for the help and tips!
>
> -T

Wouldn't RDP'ing from the outside to a host on the inside of a firewall
mean there was a hole punched in the firewall (a rule) to allow those
externally sourced RDP requests?

https://finerdp.com/blog/how_to_enable_rdp_in_Windows_10

If an intranet host is exposed to externally-instigated connections, why
isn't this host in a DMZ?

Why was the problematic host running an RDP server? I thought this was
for a workstation since some user was on the host using it as their
workstation. Now it's a server? If a server, what is a user doing
putzing around on the server host?

On 4/23/24 11:00, VanguardLH wrote:
> T <T@invalid.invalid> wrote:
>
>> On 4/19/24 19:00, T wrote:
>>> Hi All,
>>>
>>> W10-pro 22H2
>>>
>>> I have a customer with two machines.  Both have the
>>> same issue
>>>
>>> If you goof the first attempt to logon, your account gets
>>> locked out for five minutes.
>>>
>>> Password and attempts is set as follows:
>>>
>>> --> <win><r> secpol.msc
>>>   --> Security Settings (very top of the left pane)
>>>     --> Account Policies (left pane)
>>>       --> Account Lockout Policy (left pane)
>>>         --> Adjust the following (you have to set the threshold first):
>>>              x  Account lockout threshold  (middle one)   (10)
>>>              x  Account lockout duration                   (5)
>>>              x  Reset account lockout counter after        (5)
>>> https://imgur.com/JBWWAuw.png
>>>
>>> The normal way to unlock an account before the wait period
>>> expires is
>>>     --> logon as Administrator
>>>       --> <win><R> lusrmgr.msc
>>>         --> users
>>>           --> select user
>>>             --> uncheck "Account is disabled"
>>>
>>> Problem: the account is not disabled (lusrmgr.msc):
>>> https://imgur.com/2rxTBQo.png
>>>
>>> <editorial comment> AAAAAAHHHHHH!!!!!!</editorial comment>
>>>
>>> Any Words of Wisdom?
>>> -T
>>
>> Figured it out.
>>
>> Everything was working as it was suppose to. The
>> reason why the account kept getting locked out was
>> due to a "Brute Force RDP attack". The attacker
>> kept running up the failed log in attempts in
>> rapid succession.
>>
>> Fortunately, the security provisions I
>> had put in place held.
>>
>> Now that I know what was causing the issue, I
>> blocked the attackers multiple IP addresses
>> at the network firewall.
>>
>> <editorial comment> OH HOLY [expletive deleted] !!!! </editorial comment>
>>
>> Thank you all for the help and tips!
>>
>> -T
>
> Wouldn't RDP'ing from the outside to a host on the inside of a firewall
> mean there was a hole punched in the firewall (a rule) to allow those
> externally sourced RDP requests?

This is true. You have to do a port forward and allow and
unestablished connection for that port. It helps narrow
the rule down if you know from what network and mask they
are coming from, but that kills the ability to do roaming.
>
> https://finerdp.com/blog/how_to_enable_rdp_in_Windows_10
>
> If an intranet host is exposed to externally-instigated connections, why
> isn't this host in a DMZ?

DMZ does not give access to what the customer needs.

> Why was the problematic host running an RDP server?

Customer needs remote access those two computers.

> I thought this was
> for a workstation

It is. You get one free RDP server license with a Pro workstation.

> since some user was on the host using it as their
> workstation. Now it's a server?

This is the old serve vs workstation marketing tags.
Any workstation can act as a server. It depends
on how the software on it is configured.

If a working stations is sharing files, that function
is a server. Same with their single license for RDP.

> If a server, what is a user doing
> putzing around on the server host?

Not a marketing tag as a server. They are Pro workstations.

T wrote:

[snip]

>> Wouldn't RDP'ing from the outside to a host on the inside of a firewall
>> mean there was a hole punched in the firewall (a rule) to allow those
>> externally sourced RDP requests?
>
> This is true.  You have to do a port forward and allow and
> unestablished connection for that port.  It helps narrow
> the rule down if you know from what network and mask they
> are coming from, but that kills the ability to do roaming.

A much better option would be to configure the router to accept incoming
VPN connections. You will have to use a router (e.g. Draytek) that has
VPN capability. That way the remote user establishes the VPN connection
to the router using whatever mechanism is appropriate to allow roaming;
and is then able to RDP to any or all of the machines on the LAN.

When I ran a computer support business I used this mechanism to support
my customers. It is made much easier if the customers have static
public IP addresses; I also have a static IP address.

>> Why was the problematic host running an RDP server?
>
> Customer needs remote access those two computers.

There is now a different way to achieve access to your files, which is
to use Microsoft OneDrive. In effect, you store all your files in the
"cloud" in the storage that M$ sells you, and these files are accessible
from anywhere that has an internet connection given that you log in with
a Microsoft Account.

If you are happy with this M$ environment it does work for the employees
within a small business, who are then able to access company documents
from, for example, a customer site.

It does fail if the employee wishes to run some proprietary software for
which there are only sufficient licenses to support the two machines at
head office. In this case RDP to those machines would work better, but
of course it denies use to staff at head office for the duration of the
remote connection.

Given that you are running a business that tries to support customers,
do you think you should be better informed about how to support those
customers? It worries me that you appear to be putting those customers
at risk. Clearly they don't have expert knowledge - they come to you!

--
Graham J

Graham J <nobody@nowhere.co.uk> wrote:

> It does fail if the employee wishes to run some proprietary software for
> which there are only sufficient licenses to support the two machines at
> head office. In this case RDP to those machines would work better, but
> of course it denies use to staff at head office for the duration of the
> remote connection.

We had a Windows host used as an RDP server that allowed 2 concurrent
user sessions. Alas, too many times users would leave their computers
with the RDP session left active which consumed a connection. Only took
2 users to fuck up everyone else wanting to connect. I found out there
is an admin session you can use to kill those user connects.

https://v2cloud.com/tutorials/mstsc-admin

Only took at couple complaints to the managers to get their employees to
stop abusing the RDP connections by leaving them active when they left
their computer for any reason (bathroom break, lunch, meeting, leave
work). One user just couldn't remember to logoff when he left, so we
firewalled him out. Forgetfullness was not an excuse.

On 4/24/24 00:38, VanguardLH wrote:
> Graham J <nobody@nowhere.co.uk> wrote:
>
>> It does fail if the employee wishes to run some proprietary software for
>> which there are only sufficient licenses to support the two machines at
>> head office. In this case RDP to those machines would work better, but
>> of course it denies use to staff at head office for the duration of the
>> remote connection.
>
> We had a Windows host used as an RDP server that allowed 2 concurrent
> user sessions. Alas, too many times users would leave their computers
> with the RDP session left active which consumed a connection. Only took
> 2 users to fuck up everyone else wanting to connect. I found out there
> is an admin session you can use to kill those user connects.
>
> https://v2cloud.com/tutorials/mstsc-admin
>
> Only took at couple complaints to the managers to get their employees to
> stop abusing the RDP connections by leaving them active when they left
> their computer for any reason (bathroom break, lunch, meeting, leave
> work). One user just couldn't remember to logoff when he left, so we
> firewalled him out. Forgetfullness was not an excuse.

I have several customer that have told me they
want to leave their computers on all night so
in the morning they do not have to waste time
booting up. I think it is dumb but ...

So, after a few day, Windows goes to hell. To
cope I install a nightly reboot at 3 in the
morning. Solved the going to hell issue.

But, you would not believe that crap they leave
running just to have the reboot kill (/f). I am
surprised they have not lost all their work.
They must remember to save before walking out
the door,

On Wed, 24 Apr 2024 08:19:30 +0100, Graham J <nobody@nowhere.co.uk> wrote:

>T wrote:
>
>[snip]
>
>>> Wouldn't RDP'ing from the outside to a host on the inside of a firewall
>>> mean there was a hole punched in the firewall (a rule) to allow those
>>> externally sourced RDP requests?
>>
>> This is true.  You have to do a port forward and allow and
>> unestablished connection for that port.  It helps narrow
>> the rule down if you know from what network and mask they
>> are coming from, but that kills the ability to do roaming.
>
>A much better option would be to configure the router to accept incoming
>VPN connections. You will have to use a router (e.g. Draytek) that has
>VPN capability. That way the remote user establishes the VPN connection
>to the router using whatever mechanism is appropriate to allow roaming;
>and is then able to RDP to any or all of the machines on the LAN.
>
>When I ran a computer support business I used this mechanism to support
>my customers. It is made much easier if the customers have static
>public IP addresses; I also have a static IP address.
>
>>> Why was the problematic host running an RDP server?
>>
>> Customer needs remote access those two computers.
>
>There is now a different way to achieve access to your files, which is
>to use Microsoft OneDrive.

If he's supporting remote users, he'll likely need access to the PCs themselves,
not just access to a few selected files.

<snip>

>Given that you are running a business that tries to support customers,
>do you think you should be better informed about how to support those
>customers? It worries me that you appear to be putting those customers
>at risk. Clearly they don't have expert knowledge - they come to you!

You may have to tread lightly there. I said much the same thing several years
ago and he got offended.

Char Jackson wrote:

[snip]

>>>> Why was the problematic host running an RDP server?
>>>
>>> Customer needs remote access those two computers.
>>
>> There is now a different way to achieve access to your files, which is
>> to use Microsoft OneDrive.
>
> If he's supporting remote users, he'll likely need access to the PCs themselves,
> not just access to a few selected files.

No, you've misunderstood. The OP (named T I think) is trying to support
his customers. So he might well need access to those PCs.

But T's customer requires remote access to files. So I presume that T's
customer is a small business of some sort. The suggestion that I'm
making is that T's customer should use OneDrive thereby avoiding all the
difficulties with RDP and security.

>> Given that you are running a business that tries to support customers,
>> do you think you should be better informed about how to support those
>> customers? It worries me that you appear to be putting those customers
>> at risk. Clearly they don't have expert knowledge - they come to you!
>
> You may have to tread lightly there. I said much the same thing several years
> ago and he got offended.

If the OP is not prepared to listen to advice and evaluate its
credibility - entering into a dialogue where appropriate - then he's
doomed anyway. All that happens is that he gives computer support
businesses a bad name. So we have a duty to help him where we can.

But we should be polite and not insult him, I agree.

--
Graham J

Graham J <nobody@nowhere.co.uk> wrote:

> Char Jackson wrote:
>
> [snip]
>
>>>>> Why was the problematic host running an RDP server?
>>>>
>>>> Customer needs remote access those two computers.
>>>
>>> There is now a different way to achieve access to your files, which is
>>> to use Microsoft OneDrive.
>>
>> If he's supporting remote users, he'll likely need access to the PCs themselves,
>> not just access to a few selected files.
>
> No, you've misunderstood. The OP (named T I think) is trying to support
> his customers. So he might well need access to those PCs.
>
> But T's customer requires remote access to files. So I presume that T's
> customer is a small business of some sort. The suggestion that I'm
> making is that T's customer should use OneDrive thereby avoiding all the
> difficulties with RDP and security.
>
>>> Given that you are running a business that tries to support customers,
>>> do you think you should be better informed about how to support those
>>> customers? It worries me that you appear to be putting those customers
>>> at risk. Clearly they don't have expert knowledge - they come to you!
>>
>> You may have to tread lightly there. I said much the same thing several years
>> ago and he got offended.
>
> If the OP is not prepared to listen to advice and evaluate its
> credibility - entering into a dialogue where appropriate - then he's
> doomed anyway. All that happens is that he gives computer support
> businesses a bad name. So we have a duty to help him where we can.
>
> But we should be polite and not insult him, I agree.

Alas, T's customers have admin privs when logged into Windows, and want
to use workstations as both end user computers and servers rather than
dedicating each to a separate role. His customers can easily fuck up
their computers which T has to repair, but his customers really don't
have the expertise to be sysadmins. I'm pretty sure T does backups of
his customers' computers to give him an escape route for recovery, but
then his customers can be stingy, so he doesn't have the needed hardware
resources, like more drives, an FTP server host (which is NOT used as a
workstation), or some means of saving those backups out of reach of his
customers.

On 4/25/24 10:47, VanguardLH wrote:

> Alas, T's customers have admin privs when logged into Windows, and want
> to use workstations as both end user computers and servers rather than
> dedicating each to a separate role. His customers can easily fuck up
> their computers which T has to repair, but his customers really don't
> have the expertise to be sysadmins. I'm pretty sure T does backups of
> his customers' computers to give him an escape route for recovery, but
> then his customers can be stingy, so he doesn't have the needed hardware
> resources, like more drives, an FTP server host (which is NOT used as a
> workstation),

Have one customer with that. Awesome! And it defeated
a ransomware attack once too

>or some means of saving those backups out of reach of his
> customers.

I can only push things so far. Most of their programs will
not work without admin privileges. And hackers can easily
bypass that. Yes, I have them backing up, but it is
like pulling teeth getting them to read their backup reports.

On certain users I have taken away their admin privileges
to keep them off of junkware and viruses, but
had to restore them as they could not get their stuff
to work after a bit (no upgrades they needed would install).

I can only sell UPS's for about three days after a big
thunderstorm. Backup is difficult until they lose
their first drive.

It is the nature of things to be suspicious of things
you do not understand.

It's a living.

T wrote:

[snip]

> I can only push things so far.  Most of their programs will
> not work without admin privileges.

Classic problem with financial accounts programs. You would have
thought that the accountants that designed these programs would have
understood the concept of security. But most of these programs were
written for Windows 3.1 and have not been properly revised since.

[snip]

> I can only sell UPS's for about three days after a big
> thunderstorm.  Backup is difficult until they lose
> their first drive.

I have seen this problem with customers. Mostly they underestimate the
reliance they place on computers. Their argument is: "If I spend the
money as you suggest, I won't be able to afford the raw materials with
which to make my product so I will go broke".

So they live in hope that nothing goes wrong. Is it any wonder that
businesses fail, when they don't equip themselves with the proper tools
to do the job?

As a support service you have to be tough. Increase your prices so you
can justify being a virtual on-site IT manager. And look for other work
so when that customer fails you don't lose out.

Ultimately tell that customer you cannot support him/her any more
because he/she does not take your advice. I only had to do this once in
about 20 years of trading.

--
Graham J