Shared devices – how do you avoid shared logins?
Posted by Illustrious-Tone-442@reddit | sysadmin
Hi,
We have shared PCs (shop floor, meeting rooms etc.) where people use the same login.
We need to change this (Cyber Essentials).
How do you handle this, please?
Thank you,
Ivy
evilcreedbratton@reddit
I like setting it up as a multi-app kiosk with assigned access and using the autologon account option.
TheBrones@reddit
Physical login keys to facilitate fast logon and automatic logoffs? Something like a YubiKey or smartcard will do the trick.
One-Environment2197@reddit
This is the best way to balance security and user experience.
Though, instead of logging off, I'd recommend you "switch user" when they take out their hardware token. That way people who have to sign in frequently won't have to wait for their profile to reload every time.
Make it so inactive users are logged out after X hours.
Garix@reddit
Can you describe how to do this at a high level? Tie yubikey to login logout actions?
One-Environment2197@reddit
https://support.yubico.com/s/article/YubiKeys-for-Microsoft-Entra-ID-passwordless-sign-in-guide
Something like this. You may need to do some custom work to get it to work as you'd like.
Garix@reddit
I have yubikeys deployed already, I guess I was more asking how you approach this plug in/unplug behavior for shared desk users
Kumorigoe@reddit
Shared PCs are okay.
Shared logins are not.
Have people log in with individual accounts when they need to use the PC.
jreykdal@reddit
That's not always possible. Operators running some kind of bespoke software and such.
Sometimes it's more important to restrict access to the device physically (locked doors etc).
StatementNext682@reddit
Can it not run as a service so it persists when someone logs out? Of course I'm sure there exist niche cases, but that's super super niche.
Kumorigoe@reddit
Then those systems will either have to be considered outside the scope of compliance (not always possible), or other measures (such as access control systems that are auditable) will have to be implemented to provide the necessary control to gain and maintain compliance.
MonstersGrin@reddit
I recommend a good paddlin'.
Writing down login info - that's a paddlin'.
Using a computer on someone else's account - that's a paddlin'.
Not locking the computer when walking away - ooh, better believe that's a paddlin'.
soloshots@reddit
We had a shared login and used DUO MFA logs to track which user authenticated the session. That way we were able to track actions back to a specific individual using a "shared" account.
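One way to do the correlation soloshots describes, as an added example that is not part of the thread and not Duo's own tooling: each interactive logon of the shared account is attributed to the latest successful MFA approval on the same host shortly before it, and logons with no approval are surfaced for investigation. The log field names, the timing window and the sample records are constructed assumptions, not Duo's export format.

```python
from datetime import datetime, timedelta

# Constructed sample: simplified Duo authentication-log records for the
# Windows Logon integration (field names are an assumption, not Duo's format).
DUO_AUTH_LOG = [
    {"ts": "2024-05-01T07:58:40Z", "user": "alice", "host": "SHOPFLOOR-01", "result": "success"},
    {"ts": "2024-05-01T08:01:55Z", "user": "bob",   "host": "SHOPFLOOR-01", "result": "denied"},
    {"ts": "2024-05-01T08:02:05Z", "user": "bob",   "host": "SHOPFLOOR-01", "result": "success"},
    {"ts": "2024-05-01T12:30:10Z", "user": "carol", "host": "MEETING-02",   "result": "success"},
]

# Constructed sample: interactive logons of the shared account (e.g. Windows event 4624).
SHARED_LOGONS = [
    {"ts": "2024-05-01T08:02:09Z", "account": "shopfloor", "host": "SHOPFLOOR-01"},
    {"ts": "2024-05-01T12:30:14Z", "account": "shopfloor", "host": "MEETING-02"},
    {"ts": "2024-05-01T15:45:00Z", "account": "shopfloor", "host": "SHOPFLOOR-01"},
]

def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def attribute_sessions(logons, duo_log, window=timedelta(seconds=60)):
    """Attribute each shared-account logon to the person who passed MFA.

    A logon is attributed to the latest *successful* Duo record on the same
    host whose timestamp falls within `window` before the logon (the approval
    precedes the Windows logon event; the 60 s window is an assumption).
    Logons with no approval get user None so they are investigated, not skipped."""
    out = []
    for logon in logons:
        t = _t(logon["ts"])
        matches = [
            e for e in duo_log
            if e["host"] == logon["host"] and e["result"] == "success"
            and timedelta(0) <= t - _t(e["ts"]) <= window
        ]
        who = max(matches, key=lambda e: e["ts"])["user"] if matches else None
        out.append({"host": logon["host"], "logon": logon["ts"],
                    "account": logon["account"], "user": who})
    return out

def unattributed(sessions):
    """Shared-account sessions that no MFA approval explains (MFA bypassed or logs missing)."""
    return [s for s in sessions if s["user"] is None]

if __name__ == "__main__":
    for s in attribute_sessions(SHARED_LOGONS, DUO_AUTH_LOG):
        print(s)
```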
Roland_Bodel_the_2nd@reddit
Maybe you can reframe it as physical isolation or something, presumably the shop floor does not allow outsiders to just come up and use the computer.
But yeah, we just use a local shared user account for things like instrument control software.
Motor-Marzipan6969@reddit
Each user should have their own account, but it's fine if they share workstations.
Do you use an identity provider like Microsoft Active Directory? You can use this to manage user accounts.
cjcox4@reddit
Depends. Some "things" inherently don't come with mechanisms to allow access control. For such things you might have to put "something in the way" that only has access to "that thing" where access controls can be enforced. If that makes sense. Usually, nowadays, PCs themselves have access controls. So, it would be a special case of "something" maybe connected/controlled by the PC which can't distinguish access control. In which case, the PC might have to sit behind something with access controls. AFAIK, this is "the way".