ADV190010

Published: 12 Mar 2019
Source: msrc

Description

Best Practices Regarding Sharing of a Single User Account Across Multiple Users

Microsoft strongly recommends customers avoid the use of a 'common' or 'shared' Windows logon account. A single user account should never be shared amongst different users. This is especially true when users are logging into the same physical machine. Customers who have solutions designed this way are encouraged to engage their solution vendors for assistance in configuring their product to support independent user accounts.

Microsoft considers the practice of sharing the same user account with multiple users a significant security risk. There is no security boundary between sessions using the same user account on the same Windows client or server.

For more information on User and Session boundaries, please see the Security Servicing Criteria for Windows.

FAQ

What is a session?

A session consists of all the processes and other system objects which represent a single user's logon session. These objects include all windows, desktops and window stations.

How can Windows be configured to allow a single user to have multiple sessions?

This can be achieved with either first-party or third-party applications. One example, applicable to some versions of Windows Server, is the group policy setting under:

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections

The setting is "Restrict Remote Desktop Services users to a single Remote Desktop Services session". If this policy is disabled, then users are allowed to make multiple simultaneous remote connections using the same user account to an RDS server via Remote Desktop Services.
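As an added audit example (not part of the advisory or of Microsoft's own tooling), the following PowerShell reports how the policy above is configured on the local host and lists any account that currently holds more than one session, which is the condition the advisory warns about. It assumes the policy is backed by the fSingleSessionPerUser DWORD under the Policies Terminal Services key (1 = enabled), that the effective value sits under the Terminal Server control key, and that live sessions can be read from quser.

```powershell
# Added audit example; assumptions: the policy is stored as the DWORD
# fSingleSessionPerUser (1 = enabled, 0 = disabled) under the Policies key,
# the running configuration is mirrored under the Terminal Server control key,
# and quser.exe is available to enumerate logon sessions.
$policyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$effectiveKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-SingleSessionPolicy {
    # Policy value: absent means "Not configured", so the effective value decides.
    $policy    = (Get-ItemProperty -Path $policyKey -Name fSingleSessionPerUser `
                    -ErrorAction SilentlyContinue).fSingleSessionPerUser
    $effective = (Get-ItemProperty -Path $effectiveKey -Name fSingleSessionPerUser `
                    -ErrorAction SilentlyContinue).fSingleSessionPerUser
    [pscustomobject]@{
        PolicyConfigured = if ($null -eq $policy) { 'Not configured' }
                           elseif ($policy -eq 1) { 'Enabled' } else { 'Disabled' }
        EffectiveSetting = if ($effective -eq 1) { 'Single session per user' }
                           else { 'Multiple sessions per user allowed' }
    }
}

function Get-DuplicateAccountSessions {
    # quser prints a header line, then one line per session; USERNAME is the
    # first column and the current session is marked with a leading '>'.
    $lines = (quser 2>$null) | Select-Object -Skip 1
    if (-not $lines) { return @() }
    $users = foreach ($line in $lines) {
        ($line.Trim().TrimStart('>') -split '\s+')[0].ToLowerInvariant()
    }
    # Any account appearing more than once is a shared or multi-session logon.
    $users | Group-Object | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{ User = $_.Name; Sessions = $_.Count }
    }
}

Get-SingleSessionPolicy | Format-List
$dupes = Get-DuplicateAccountSessions
if ($dupes) {
    Write-Warning 'Accounts with more than one concurrent session (no boundary between them):'
    $dupes | Format-Table -AutoSize
} else {
    Write-Output 'No account currently holds more than one session.'
}
```

Run it in an elevated PowerShell on the RDS host; the session listing reflects only the moment it runs, so for ongoing monitoring feed the same check into your scheduled collection.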

Is this information related to a security vulnerability?

No, this is guidance on best practices in your network environment. There are no security updates planned for this issue.

Exploitability

Publicly Disclosed: No

Exploited: No

DOS: N/A