STAS Logoff Detection & RDP

Since the implementation of STAS SSO, we’ve had a problem with users being logged out of the firewall (logged out of STAS) when the user is connected to their workstation via RDP.  Note, when the user is connected directly to the console of their workstation machine, STAS works beautifully.

The cause is easy to figure out, but the answer is not.  I’m wondering what the short-term solution is, and if the knuckleheads at Sophos have ever thought about a better way to do logoff detection?  Like the Sophos recommendations suggest, we have enabled STAS Logoff Detection with workstation polling using WMI.  It is widely known that WMI will not report the current user who is logged on to a workstation via RDP.  WMI will only report the current user logged in via the machine console.  Hence, while RDP users initially authenticate with the firewall via STAS, after the detection polling interval, they are “logged out.”

Our environment is comprised of workstations which can be accessed locally or remotely via RD Gateway and RDP.  Note, these are single-interactive-session Windows workstations, not multi-user RDP terminal servers.  This setup is not unusual, which leads me to believe someone, somewhere has come across this.  So, what should we do, and what are the ramifications of each?

  1. Turn off Logoff Detection. Do I really care whether STAS detects logoffs?  We do have several “community use” workstations, where many different users log on and off throughout the day.  It is imperative that AD User & Group based firewall policies be applied correctly to the currently logged on user.  At present, this is working correctly, but I fear turning off Logoff Detection might make this less reliable.
  2. Change the Workstation Polling method to Registry Read Access. I understand that this method requires turning on the remote registry service on the workstations (which is a pain in the ass).  And, assuming running the Remote Registry service doesn’t present some unforeseen security risk, I’m not even sure it will solve the problem.  Will the Registry Read Access polling method identify a user logged on via RDP?
  3. Wait for Sophos to find a better way to do logoff detection.
  4. Find a better firewall vendor.


  • Hello Patrick,

    I have encountered the same problem you describe and found the only possible solution, which unfortunately was not 100% reliable either: the Sophos Authorization Client. Users were mostly dissatisfied when changing their passwords, because they had to paste their new password into this client for authorization.

    But from v17.5 I have solved this problem: I started using the Security Heartbeat and Central clients, and this solution does not suffer from this problem.

    Regards

    alda

  • Please see below:

    You must specify IP address of any RDS session host...

  • I do have my RDS Session Hosts IP addresses exempted from STAS, as suggested.  But, to be clear, the problem is not with RDS Session Hosts.  It is with traditional single-user, single-session Windows 10 workstations.  Like any traditional workstation, these do participate in STAS and do not run the SATC client like an RDS Session Host server.  It just so happens that users can and will access their traditional workstation remotely via RDP.  And as stated, WMI does not report the current user of a workstation logged on via RDP.  Thus, log-off detection using WMI polling does not work for users logged into a workstation via RDP.  The real answer was to forgo using WMI polling for log-off detection and to use Registry Read Access instead.  Then, we had to enable the Remote Registry Service on all our workstations (this was easily done via Group Policy).  Now log-off detection works regardless of whether a user logs into the console of their workstation or accesses their workstation remotely via RDP.
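The following PowerShell script is an added example, not code from the thread or from Sophos. It shows, on a workstation you name, why the two polling methods disagree: Win32_ComputerSystem.UserName (the WMI property that reports "the current user") only names the console session, whereas HKEY_USERS carries a hive for every account with a loaded profile, console or RDP. Step 2 needs the Remote Registry service running on the target, as the post above describes enabling via Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > System Services > Remote Registry, startup type Automatic), and a caller with remote registry rights. The SID filter and the `quser` cross-check are my choices, not anything STAS itself documents.

```powershell
# Added example (not from the thread or from Sophos): compare what WMI reports as the
# logged-on user with what the Remote Registry exposes, for a workstation you supply.
param(
    [Parameter(Mandatory)][string]$ComputerName
)

# 1. WMI: Win32_ComputerSystem.UserName only reports the console session's user.
#    For a workstation reached via RDP it is empty (or stale), which is why WMI-based
#    logoff detection concludes that the RDP user has logged off.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $ComputerName
"WMI Win32_ComputerSystem.UserName : '{0}'" -f $cs.UserName

# 2. Registry: each account with a loaded profile has a hive under HKEY_USERS keyed by
#    its SID, whether the session is console or RDP. This call requires the Remote
#    Registry service on the target; it fails with an RPC error when it is stopped.
$hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
           [Microsoft.Win32.RegistryHive]::Users, $ComputerName)
try {
    # Keep domain/local account SIDs (S-1-5-21-...) and drop the *_Classes twins.
    $sids = $hku.GetSubKeyNames() |
        Where-Object { $_ -match '^S-1-5-21-' -and $_ -notmatch '_Classes$' }
} finally {
    $hku.Close()
}

$users = foreach ($sid in $sids) {
    try {
        # Resolve SID -> DOMAIN\user; this is what a policy keyed on AD user/group needs.
        $acct = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
    } catch {
        $acct = '(unresolved SID)'   # e.g. a deleted account whose profile is still loaded
    }
    [pscustomobject]@{ SID = $sid; Account = $acct }
}
"Accounts with a loaded profile in HKEY_USERS on ${ComputerName}:"
$users | Format-Table -AutoSize

# 3. Cross-check: the session list names each session as console or rdp-tcp#N,
#    and shows Active vs Disc (disconnected) state, which neither poll above reveals.
quser /server:$ComputerName
```

Two caveats for anyone copying this approach. First, HKEY_USERS over-reports relative to "who is interactively logged on": a disconnected RDP session, a `runas` process or a scheduled task running as a user all keep that user's hive loaded, so registry polling will keep such a user "logged in" on that IP until the profile unloads. In the User1/PC01/PC02 scenario asked about below, both machines hold a hive for User1, so a registry poll sees User1 at both addresses. Second, Remote Registry is an additional remote service: keep it reachable only from the STAS collector (host firewall rule on TCP 445/RPC), and remember that the ACL on HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg governs which principals may read remotely, so the collector account needs read access there and nobody else does.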

  • In this situation, when a user logs on to a remote PC via RDP, it is the same thing as when a user logs on to a Terminal Server... you need to treat those PCs as if they were terminal servers.

    I have no situation similar to yours, however I would be curious to understand how the firewall sees users.... (with WMI and then with Registry Read).

    If User1 logs on to PC01, I assume the firewall sees User1 associated with the IP of PC01.
    If User1 from PC01 makes an RDS connection to PC02 using the same credentials, I would be curious to understand what the firewall detects:

    User1 associated with the IP of PC02 (with WMI)
    User1 associated with both IPs (with Registry access)

    Thanks
