Preventing Windows Users from Bypassing the ITM On-Prem (ObserveIT) Identification Prompt
If a Forced-Identification user enters incorrect credentials (by mistake or intentionally) at the ITM On-Prem (ObserveIT) identification prompt that follows the regular Windows logon on a monitored server or workstation, the error "Invalid Credentials or Access Denied" is displayed. To continue, the user must re-enter their credentials.
The ITM On-Prem (ObserveIT) logon screen (identification prompt) is not designed to block access to the system. By the time the prompt appears, the user has already completed the Windows logon and has been issued a security token, so the session is fully established. While the secondary ITM On-Prem (ObserveIT) prompt is still open and waiting for input, the user may be able to press a key combination that invokes the Task Manager, and from the Task Manager launch other applications.
Although this may look like a security flaw, ITM On-Prem (ObserveIT) is not designed to sit inline with the Windows logon process. It never prevents a user from logging on to the system, even if they cannot pass the identification prompt. All of the user's actions are still recorded; the only effect is that the user is not identified for that specific session. Only the Windows logon name is displayed in the Endpoint and User Diaries, just as when Identification Services is not enabled.
If you need to fully lock the monitored systems and prevent users from bypassing the ITM On-Prem (ObserveIT) logon screen or identification prompt, you must change the system's security settings so that users cannot run the Task Manager. This can be done at the local computer level with the Local Group Policy, or at the Active Directory domain or Organizational Unit (OU) level with Group Policy Objects (GPOs), using the policy User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options > Remove Task Manager. This closes the Task Manager path described above; test the locked-down configuration on a non-production host before rolling it out. For further details, refer to the Microsoft Knowledge Base article: "Task Manager has been disabled by your administrator" error message.
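The following PowerShell is an added example, not part of the ITM On-Prem (ObserveIT) documentation or product, showing both ways of applying the "Remove Task Manager" policy: writing the policy value locally, and creating and linking a GPO in a domain. The GPO name and the OU distinguished name are hypothetical placeholders; the registry location and the DisableTaskMgr value are the ones the Remove Task Manager policy sets.

```powershell
# Added example (not from the ITM On-Prem documentation): disable Task Manager
# with the same policy value that Local Group Policy / a GPO writes.
# Policy: User Configuration > Administrative Templates > System >
#         Ctrl+Alt+Del Options > Remove Task Manager
# Value written by that policy: DisableTaskMgr (REG_DWORD) = 1 under
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System  (per user)
#   HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System  (machine-wide)

$PolicyKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'DisableTaskMgr'

function Disable-TaskManagerLocal {
    # Local variant. HKLM (default) needs an elevated session; -CurrentUserOnly
    # writes HKCU and affects only the user running the script.
    [CmdletBinding()]
    param([switch]$CurrentUserOnly)

    $hive = if ($CurrentUserOnly) { 'HKCU:' } else { 'HKLM:' }
    $path = Join-Path $hive $PolicyKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-TaskManagerDisabled {
    # Returns $true when either hive carries DisableTaskMgr = 1.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $path = Join-Path $hive $PolicyKey
        $v = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
        if ($v -and $v.$ValueName -eq 1) { return $true }
    }
    return $false
}

function Disable-TaskManagerByGpo {
    # Domain variant: create (or reuse) a GPO, set the policy value, link it.
    # Requires the GroupPolicy module (RSAT) and rights to create and link GPOs.
    # $GpoName and $TargetOu are hypothetical values; replace them with your own.
    param(
        [string]$GpoName  = 'ObserveIT - Remove Task Manager',
        [string]$TargetOu = 'OU=Monitored Servers,DC=example,DC=com'
    )
    Import-Module GroupPolicy -ErrorAction Stop
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
    Set-GPRegistryValue -Name $GpoName -Key "HKCU\$PolicyKey" `
        -ValueName $ValueName -Type DWord -Value 1 | Out-Null
    # Link only if the GPO is not already linked to the target OU.
    $links = (Get-GPInheritance -Target $TargetOu).GpoLinks
    if (-not ($links | Where-Object DisplayName -eq $GpoName)) {
        New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
    }
    return $gpo
}

# Usage (run one of these, then sign out or run gpupdate /force and sign back in):
# Disable-TaskManagerLocal
# Disable-TaskManagerByGpo -TargetOu 'OU=Workstations,DC=corp,DC=example'
# Test-TaskManagerDisabled
```

Two points worth knowing before relying on this. Remove Task Manager is a User Configuration policy, so a GPO linked to an OU of computer objects has no effect unless Group Policy loopback processing is enabled on those computers; link it where the user accounts live, or enable loopback on the OU that holds the monitored servers. Writing the registry value directly has the same effect as enabling the policy in gpedit.msc, but gpedit.msc reads its own registry.pol store and will not show the setting as Enabled, and in a domain a GPO that configures the same value takes over on the next policy refresh.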
It is beyond the scope of this topic to discuss all the security considerations, requirements, best practices and implementation procedures for the system.