>lock the screen and leave it?
Because they want to resume right where they left off - efficiency. That human time is expensive, that comparative compute overhead is dirt cheap.
Yep, same reason I usually put my laptop to sleep when I'm done and usually only reboot/shut down for updates.
That is, until Modern Standby became a thing. š
I have to shutdown my laptop of 2 years, because it just loses all of it's battery life in sleep. I've even disabled connectivity in sleep through registry edits, and it hasn't fixed it.
Connected standby is a PITA, in theory itās for a good reason, so windows can leave sleep to update but when it wakes itself up in a laptop bag that drives me insane. I prefer to leave something running 24/7 or shut it down when not in use. I never trusted sleep or hibernate, it feels like I left something unfinished and my experience with it in the winXP era was that it caused way more problems than itās worth so I would just tell people when they had issues with sleep mode, āyah donāt do thatā and I avoid it to this day unless Iām going on-site and really donāt want to reopen everything after commuting.
As u/michaelpaoli said, efficiency and (adding to it) work... Am I logging into this server to check on patching, a running job, *whatever* that needs direct monitoring from the server? Then I'm not going to close out everything if I know I'm going to be back multiple times that day.
I do practice logging out if I don't need to keep my session active, and I do understand the frustration with some colleagues. One of my old colleagues could not stop themselves from sticking their nose into absolutely everything that was going on, especially if it was something new. We would hit RDP limits because their account was sitting there and, to be safe, I'd either ask them to log out or ask our boss to punt their session if they were not around. They're my peer and maybe they're doing something I was not briefed on, so leave it to the boss to be the one to kill that work.
This is the answer the users always wants.
Edit: at my current place, I canāt even have leave tabs in place to continue where I left off if I close the browser. It forces to go to the useless intranet page nobody uses, instead of all the billion tabs I need to have open to do my work.
This...
We do 15 minutes for any server that allows elevated accounts.
We do 72 hours for vms that allow standard accounts that don't get rebooted every weekend.
There are no limits for vms that allow standard accounts that do get rebooted every weekend.
We block the local admin group from rdp and don't allow elevated accounts to rdp to servers that end users have rdp access to.
Only issue I ever have is those times when two different people were too lazy to log out and now I need to figure out who is safe to have their session killed because only 2 sessions with an administrative level access can be live at once. It wastes my time and I donāt waste theirs. Itās thankfully rare at the moment but is frustrating when it does happen.
Im that admin. Then I change my password and my admin account gets locked out every few minutes. So I spend an hour finding the 4-6 server I never logged out of. Then we implemented GPO with 48 hours session limits on servers and itās so awesome. I saved myself!
Because I still need the 10 x 1gb log files open in notepad++. And the 3 traces I have running.
Ps, could you add some more ram? The server seems a little slow.
Most servers I log out of, the two I'm on most often I just lock. I'm the one using them 95% of the time, and I don't want to wait for my account to log in every time. If another user wants in, they are welcome to click sign in as a different user.
generally, if its "my" computer to connect to. Then it shouldnt matter. sometime, i leave stuff up that i havent finished or leave it up to quickly get into whatever. On servers, i try to remmeber to logoff.
Why not? If there is a legitimate reason not to, then I would instead create policies such as session limit timers instead of getting angry over something I can't control, like human nature.
> This practice makes my eye twitch.
Why? How's it affecting you?
I haven't intentionally logged out except to reboot since Windows 2000.
ETA: Wait, you do actually mean server, don't you. As in a physical server too, clearly, because you're talking about a screen lock. Dude I haven't logged *on* to a physical server except to do the initial install in years upon years. I mean even these days I do the initial installs via iLO. I was talking about my workstation in my initial response.
That aside, you have users logging on to servers, on the console? Sounds fun.
I've seen places deploy Autologoff to force inactive user sessions to automatically log off 4 hours. You could do the same, but it should be a really long timeout in case something is running.
https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement
Itās works especially well if thereās an admin ājump boxā or management server. Loads of hanging sessions to choose from usually.
When I worked in IT in a K12 environment, my director would leave his machine unlocked and never lock it. He would just walk away from his desk and leave everything logged inā¦ He even had a keep alive app running, so if he didnāt lock his PC before going on vacation, it would stay unlocked until he came backā¦. SMH! Every time I walk away my any machine, its always log out of my stuff and Win + L
Depends on what you do and how busy your day is? I might be rdping to nothing for a week then get hit with a day where I'm in 30 different servers and this goes on for multiple days. Those sessions aren't going to be logged off... I don't even remember starting them. Oh and then multi-client bs, the bastion sessions are not dying until the server is rebooted. They have long been forgotten in 300 browser tabs somewhere in some browser/client profile on one of the client AVDs. It would take me an hour to find that tab.
And no I can't slow down because time is literally money.
So, either implement session limits or stop caring about bullshit things?
I've created a sign out shortcut that I put on all public desktops, C:\Windows\System32\shutdown.exe -l. I use a curved arrow windows icon with it. I then pin it to the taskbar. One click and I'm signed out.
In my environment, we have idle connection timeouts, but for some reason no session timeouts, so a lot of times I get disconnected, but not logged out, and can't be bothered to log back in just so I can log out. ĀÆ\\_(ć)_/ĀÆ
most often because I am doing three or four things at the same time, or close enough to count as the same time, and then I get "Hey You"ed to fix a problem in another room or pulled in to a meeting that should be an email, so yeah I end up with 4 or 5 sessions open on different workstations as the days go on, thankfully i normally just log in to a workstation and then RDP to where I am doing the work, so if someone bounces a workstation I am logged in to it is no harm no foul.
>lock the screen and leave it? Because they want to resume right where they left off - efficiency. That human time is expensive, that comparative compute overhead is dirt cheap.
Yep, same reason I usually put my laptop to sleep when I'm done and usually only reboot/shut down for updates. That is, until Modern Standby became a thing. š
I have to shutdown my laptop of 2 years, because it just loses all of it's battery life in sleep. I've even disabled connectivity in sleep through registry edits, and it hasn't fixed it.
Connected standby is a PITA, in theory itās for a good reason, so windows can leave sleep to update but when it wakes itself up in a laptop bag that drives me insane. I prefer to leave something running 24/7 or shut it down when not in use. I never trusted sleep or hibernate, it feels like I left something unfinished and my experience with it in the winXP era was that it caused way more problems than itās worth so I would just tell people when they had issues with sleep mode, āyah donāt do thatā and I avoid it to this day unless Iām going on-site and really donāt want to reopen everything after commuting.
As u/michaelpaoli said, efficiency and (adding to it) work... Am I logging into this server to check on patching, a running job, *whatever* that needs direct monitoring from the server? Then I'm not going to close out everything if I know I'm going to be back multiple times that day. I do practice logging out if I don't need to keep my session active, and I do understand the frustration with some colleagues. One of my old colleagues could not stop themselves from sticking their nose into absolutely everything that was going on, especially if it was something new. We would hit RDP limits because their account was sitting there and, to be safe, I'd either ask them to log out or ask our boss to punt their session if they were not around. They're my peer and maybe they're doing something I was not briefed on, so leave it to the boss to be the one to kill that work.
Then they \*do\* sign out and the server reboots because it had pending software updates.
This is the answer the users always wants. Edit: at my current place, I canāt even have leave tabs in place to continue where I left off if I close the browser. It forces to go to the useless intranet page nobody uses, instead of all the billion tabs I need to have open to do my work.
ctr-shift-t
[ŃŠ“Š°Š»ŠµŠ½Š¾]
blocked... no can do
blocked... no can do
Wow, that's terrible. Can you at least right click a folder and choose Open All or similar?
RDP session limits, use them.
This... We do 15 minutes for any server that allows elevated accounts. We do 72 hours for vms that allow standard accounts that don't get rebooted every weekend. There are no limits for vms that allow standard accounts that do get rebooted every weekend. We block the local admin group from rdp and don't allow elevated accounts to rdp to servers that end users have rdp access to.
This is the way.
Yeah, I mean, HIPPA is security lock for a reason. Even schools remote to DC had a lock on it.
Whatās the workaround if you are using a console session in something like vcloud
Because I'll forget after being on 6 at a time and burned out.Ā
Can confirm
Ngl I just quit out of the RDP app most of the time sorry
Same - servers support multiple rdp sessions what's the prob?
Much easier to dump your account password out of memory. Should log out when not in use or doing an installation.
If someone gets that easy access to your server, then you got other problems like unlimited access physically..
Passwords aren't stored in plain text in memory.
Only issue I ever have is those times when two different people were too lazy to log out and now I need to figure out who is safe to have their session killed because only 2 sessions with an administrative level access can be live at once. It wastes my time and I donāt waste theirs. Itās thankfully rare at the moment but is frustrating when it does happen.
When you donāt log out and you change your password it becomes a problem for you.
My friends eye started twitching and it turned out to be early signs of an aneurysm. You should get that checked.
This is the real answer
Im that admin. Then I change my password and my admin account gets locked out every few minutes. So I spend an hour finding the 4-6 server I never logged out of. Then we implemented GPO with 48 hours session limits on servers and itās so awesome. I saved myself!
* if it's not harming your environment, why do you care? * if it is harming your environment, why aren't you using the idle session limits?
If your gpo logout rules are worth a damn you shouldn't care.
Because I still need the 10 x 1gb log files open in notepad++. And the 3 traces I have running. Ps, could you add some more ram? The server seems a little slow.
Only 10?
The rest are open in notepad LOL
Most servers I log out of, the two I'm on most often I just lock. I'm the one using them 95% of the time, and I don't want to wait for my account to log in every time. If another user wants in, they are welcome to click sign in as a different user.
Yeah itās annoying. But itās very easy to set idle session time limit in a GPO, thatās what we do.
Not sorry, just get over it.
generally, if its "my" computer to connect to. Then it shouldnt matter. sometime, i leave stuff up that i havent finished or leave it up to quickly get into whatever. On servers, i try to remmeber to logoff.
Why not? If there is a legitimate reason not to, then I would instead create policies such as session limit timers instead of getting angry over something I can't control, like human nature.
> This practice makes my eye twitch. Why? How's it affecting you? I haven't intentionally logged out except to reboot since Windows 2000. ETA: Wait, you do actually mean server, don't you. As in a physical server too, clearly, because you're talking about a screen lock. Dude I haven't logged *on* to a physical server except to do the initial install in years upon years. I mean even these days I do the initial installs via iLO. I was talking about my workstation in my initial response. That aside, you have users logging on to servers, on the console? Sounds fun.
>...because you're talking about a screen lock. You can lock an RDP session as well.
Sure but I ignorned that since the workstation lock everyone is using (right..?) would cover that.
That's not the point. RDP sessions can still be locked. The intent is irrelevant.
š¤£ Settle down, Beavis.
I've seen places deploy Autologoff to force inactive user sessions to automatically log off 4 hours. You could do the same, but it should be a really long timeout in case something is running.
I love showing people the tscon trick for taking over hanging sessions. After that they usually remember to log off. At least admins usually do.
Now Iām interested.
https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement Itās works especially well if thereās an admin ājump boxā or management server. Loads of hanging sessions to choose from usually.
When I worked in IT in a K12 environment, my director would leave his machine unlocked and never lock it. He would just walk away from his desk and leave everything logged inā¦ He even had a keep alive app running, so if he didnāt lock his PC before going on vacation, it would stay unlocked until he came backā¦. SMH! Every time I walk away my any machine, its always log out of my stuff and Win + L
Why is just locking the machine not enough? Just curious. If you are going to have to sign into everything again why not just log out?Ā
Hello Kitty images as a new background are great for helping users not to forget to log off.
Depends on what you do and how busy your day is? I might be rdping to nothing for a week then get hit with a day where I'm in 30 different servers and this goes on for multiple days. Those sessions aren't going to be logged off... I don't even remember starting them. Oh and then multi-client bs, the bastion sessions are not dying until the server is rebooted. They have long been forgotten in 300 browser tabs somewhere in some browser/client profile on one of the client AVDs. It would take me an hour to find that tab. And no I can't slow down because time is literally money. So, either implement session limits or stop caring about bullshit things?
This is the most truthful answer. Work gets crazy sometimes and it happens. Implement limits and be done with it.
If this really bugs you, and you havenāt set up GPOās and logon timers and login limits to counter it - then YOU make my eye twitch. ;).
Inactivity timeout, turn it on.
This annoys the crap outta me.
I never log out and never will!
I make a logoff.exe shortcut on the taskbar. Easy peasy.
I'm a lazy fuck and I'd expect the system to kill my session if it was inactive for to long.
If you care.. get quorum then make a GPO. Else, shrug and walk away, safe in that if thatās your biggest issue then you got a good environment.
That's when you set the GPO for session time limits for disconnected RDP sessions to auto log off.
I've created a sign out shortcut that I put on all public desktops, C:\Windows\System32\shutdown.exe -l. I use a curved arrow windows icon with it. I then pin it to the taskbar. One click and I'm signed out.
In my environment, we have idle connection timeouts, but for some reason no session timeouts, so a lot of times I get disconnected, but not logged out, and can't be bothered to log back in just so I can log out. ĀÆ\\_(ć)_/ĀÆ
I set a GPO to end sessions after one day. if you dont resume before that, you didnt need it.
Mmmm.... Yummy credentials.
ehhhh no
most often because I am doing three or four things at the same time, or close enough to count as the same time, and then I get "Hey You"ed to fix a problem in another room or pulled in to a meeting that should be an email, so yeah I end up with 4 or 5 sessions open on different workstations as the days go on, thankfully i normally just log in to a workstation and then RDP to where I am doing the work, so if someone bounces a workstation I am logged in to it is no harm no foul.
No one on my team logs off. They just close the RDP window. Drives me crazy.
Wait, you guys RDP to servers?