Prevent Mimikatz Attacks with Lithnet Idle Logoff and Automation

🔐 Why Auto-Logging Off Idle Sessions Matters for Security
Leaving Windows sessions logged in—especially on shared or managed systems—can expose your environment to credential theft via tools like Mimikatz. One forgotten session can open the door to serious security breaches.
To help prevent this, we’ve created a PowerShell script that automates the installation of Lithnet Idle Logoff. It handles everything: downloading necessary files, installing the software silently, and deploying the correct Group Policy definitions—whether you’re working with domain-joined systems or standalone machines.
The script is built for versatility and reliability, with detailed logging for easy troubleshooting, making it a powerful tool for IT admins looking to harden their environment against post-exploitation attacks.
🕵️♂️ What Is Mimikatz—and Why Should You Care?
Mimikatz is a tool that can be used to extract passwords and other sensitive data from Windows systems. It is an open-source application that can be used by both attackers and security professionals:
- Attackers: Use Mimikatz to steal credentials and gain access to systems and networks. Mimikatz can be used to bypass authentication measures like multi-factor authentication. Attackers can also use Mimikatz to perform attacks like pass-the-hash and pass-the-ticket.
- Security professionals: Use Mimikatz to detect and exploit vulnerabilities in networks.
🖥️ Managing Logoffs on Windows Servers
To handle automatic user logoffs on our servers, I used a third-party solution called Lithnet Idle Logoff. This tool displays a logout prompt and automatically signs out inactive user sessions—helping to reduce security risks from unattended sessions.
Lithnet Idle Logoff can be fully configured via Group Policy, making it easy to deploy across your environment. If you only want the policy to apply to specific servers, you can attach a WMI filter to your GPO.
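Before rolling the tool out it helps to know how much idle-session exposure you actually have. The following PowerShell is an added example written for this article, not part of the original post or of Lithnet Idle Logoff: it parses the output of quser.exe and lists every interactive session idle longer than a threshold. The sample lines are constructed in quser's layout so the block runs offline; the commented-out last line runs it against the live host.

```powershell
# Added example (not from the original post): find sessions that have sat idle longer
# than a threshold, i.e. the exposure an idle-logoff policy is meant to remove.

function ConvertTo-IdleMinutes {
    param([string]$IdleField)
    # quser prints "none" or "." for an active session, "hh:mm", "d+hh:mm", or bare minutes
    if ($IdleField -in @('none', '.')) { return 0 }
    if ($IdleField -match '^(?:(\d+)\+)?(\d+):(\d+)$') {
        $days = if ($Matches[1]) { [int]$Matches[1] } else { 0 }
        return ($days * 1440) + ([int]$Matches[2] * 60) + [int]$Matches[3]
    }
    if ($IdleField -match '^\d+$') { return [int]$IdleField }
    return -1   # unrecognised format; surfaces in the output instead of being hidden
}

function Get-IdleSession {
    param(
        [string[]]$QuserOutput,
        [int]$ThresholdMinutes = 30
    )
    # SESSIONNAME is blank for disconnected sessions, so that column is optional in the regex.
    # The leading ">" marks the session quser was run from.
    $pattern = '^\s*>?(?<User>\S+)\s+(?:(?<Session>\S+)\s+)?(?<Id>\d+)\s+(?<State>\S+)\s+(?<Idle>\S+)\s+(?<Logon>.+)$'
    foreach ($line in ($QuserOutput | Select-Object -Skip 1)) {   # skip the header row
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success) { continue }
        $idle = ConvertTo-IdleMinutes $m.Groups['Idle'].Value
        if ($idle -ge $ThresholdMinutes -or $idle -lt 0) {
            [pscustomobject]@{
                User        = $m.Groups['User'].Value
                Session     = $m.Groups['Session'].Value
                Id          = [int]$m.Groups['Id'].Value
                State       = $m.Groups['State'].Value
                IdleMinutes = $idle
                LogonTime   = $m.Groups['Logon'].Value.Trim()
            }
        }
    }
}

# Constructed sample in quser's layout (not a real capture)
$Sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME',
    '>administrator         console             1  Active      none   4/1/2025 8:00 AM',
    ' jsmith                rdp-tcp#3           2  Active      2:15   4/1/2025 9:00 AM',
    ' bob                                       3  Disc     1+03:30   3/31/2025 5:00 PM'
)

# jsmith (135 min) and bob (1,650 min, disconnected) exceed 30 minutes; administrator does not.
Get-IdleSession -QuserOutput $Sample -ThresholdMinutes 30 | Format-Table -AutoSize

# Live check on this host (quser.exe ships with Windows; seeing other users' sessions needs admin rights):
# Get-IdleSession -QuserOutput (quser.exe 2>$null) -ThresholdMinutes 30
```

Disconnected ("Disc") sessions are worth watching in particular: the user has walked away, but the logon session and its cached credentials remain in memory until something signs it out, which is exactly what Lithnet Idle Logoff does.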
🎯 Targeting Specific Servers with a WMI Filter
To ensure the policy only applies to certain machines, set up a WMI filter using the following configuration:
- Namespace: root\CIMv2
- Query:
  SELECT * FROM Win32_ComputerSystem
  WHERE Name LIKE "WR-SVR-VM-DC"
     OR Name LIKE "WR-SVR-VM-FS"
     OR Name LIKE "WR-SVR-VM-APP"
Keep adding OR clauses to the WHERE condition for each additional server you want the policy to cover.
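A WMI filter that matches nothing silently leaves the GPO unapplied, so it is worth running the same WQL on a target machine first. The following is an added example, not from the original post: it feeds the filter query above to Get-CimInstance, which accepts the same namespace and query text the GPO filter evaluates. The server names are the ones used in the post's filter and are only placeholders for your own; the prefix-wildcard variant is an addition showing the general form.

```powershell
# Added example (not from the original post): evaluate the GPO's WMI filter locally
# so you know whether this host would receive the policy. Names are the post's placeholders.

$ExactQuery = @"
SELECT * FROM Win32_ComputerSystem
WHERE Name LIKE "WR-SVR-VM-DC"
   OR Name LIKE "WR-SVR-VM-FS"
   OR Name LIKE "WR-SVR-VM-APP"
"@

# Generalisation: WQL LIKE supports % as a wildcard, so a naming convention can replace the OR list.
$PrefixQuery = 'SELECT * FROM Win32_ComputerSystem WHERE Name LIKE "WR-SVR-VM-%"'

function Test-WmiFilter {
    param([string]$Query, [string]$Namespace = 'root\CIMv2')
    # Get-CimInstance runs the WQL exactly as the Group Policy engine would for the filter.
    $result = Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Query    = ($Query -replace '\s+', ' ').Trim()
        Matches  = [bool]$result
    }
}

Test-WmiFilter -Query $ExactQuery
Test-WmiFilter -Query $PrefixQuery
```

Note that a LIKE pattern without any wildcard behaves as an exact (case-insensitive) comparison, which is why the post's filter lists each server in full. If neither query matches on a machine you expected to be covered, fix the filter before assuming the Idle Logoff policy is in force there.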
⚙️ Installing Lithnet Idle Logoff via PowerShell
The following PowerShell script automates the entire setup process for Lithnet Idle Logoff. It will:
- ✅ Download the latest version of the tool
- ✅ Copy the required Group Policy Definitions (ADMX/ADML files)
- ✅ Prepare the environment for Group Policy configuration
This makes it easy to deploy across multiple machines—whether you’re working with domain-joined servers, standalone workstations, or lab environments.
Use this script as part of your standard Windows hardening process to enforce idle logoff policies with minimal manual effort.
# Check that this is 64-bit Windows 10 Pro or Windows 11 Pro (a workstation, not a Server OS).
# Get-ComputerInfo exposes the product type as OsProductType (WorkStation / Server / DomainController);
# a non-existent "ProductType" property would always compare as $null and abort the script.
$OSInfo = Get-ComputerInfo
if (($OSInfo.OsArchitecture -eq "64-bit") -and
    ($OSInfo.OsProductType -eq "WorkStation") -and
    (($OSInfo.OsName -match "Windows 10 Pro") -or ($OSInfo.OsName -match "Windows 11 Pro"))) {
    Write-Host "Windows 10 Pro or Windows 11 Pro detected, continuing compatibility check..." -ForegroundColor Cyan
} else {
    Write-Host "This script is intended for Windows 10 Pro or Windows 11 Pro only. It will not run on other versions or Windows Server." -ForegroundColor Red
    exit 1
}

# GitHub requires TLS 1.2; older Windows PowerShell hosts do not enable it by default
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$ProgressPreference = 'SilentlyContinue'   # the progress bar slows Invoke-WebRequest downloads considerably

# Define file URLs
$URL1 = "https://github.com/lithnet/idle-logoff/releases/download/v1.2.8134/lithnet.idlelogoff.setup.msi"
$URL2 = "https://github.com/lithnet/idle-logoff/archive/refs/tags/v1.2.8134.zip"

# Define paths
$Destination   = "C:\TEMP"
$LogFile       = Join-Path $Destination "Lithnet_Install.txt"
$DownloadPath1 = Join-Path $Destination "lithnet.idlelogoff.setup.msi"
$DownloadPath2 = Join-Path $Destination "idle-logoff-1.2.8134.zip"
$ExtractedPath = Join-Path $Destination "idle-logoff-1.2.8134"
$PolicyPath1   = "C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions"   # central store (domain controller)
$PolicyPath2   = "C:\Windows\PolicyDefinitions"                           # local store (standalone machine)

# Function to log messages with a timestamp
function Log-Message($Message) {
    "$((Get-Date).ToString("yyyy-MM-dd HH:mm:ss")) - $Message" | Out-File -Append -FilePath $LogFile
}

# Function to create a directory if it does not exist
function Ensure-Directory($Path) {
    if (!(Test-Path $Path)) {
        New-Item -Path $Path -ItemType Directory -Force | Out-Null
    }
}

# Function to download files with error handling
function Download-File($URL, $OutputPath) {
    try {
        Invoke-WebRequest -Uri $URL -OutFile $OutputPath -ErrorAction Stop
        Log-Message "Downloaded: $OutputPath"
    } catch {
        Log-Message "Failed to download: $URL ($($_.Exception.Message))"
        exit 1
    }
}

# Function to install the MSI silently and check msiexec's exit code
function Install-MSI($MSIPath) {
    if (Test-Path $MSIPath) {
        $proc = Start-Process msiexec.exe -ArgumentList "/i `"$MSIPath`" /quiet /norestart" -NoNewWindow -Wait -PassThru
        # 0 = success, 3010 = success but a reboot is pending (expected with /norestart)
        if ($proc.ExitCode -notin @(0, 3010)) {
            Log-Message "msiexec returned exit code $($proc.ExitCode) for: $MSIPath"
            exit 1
        }
        Log-Message "Installed MSI: $MSIPath (exit code $($proc.ExitCode))"
    } else {
        Log-Message "MSI file not found: $MSIPath"
        exit 1
    }
}

# Function to extract the ZIP archive
function Extract-ZIP($ZIPPath, $DestinationPath) {
    if (Test-Path $ZIPPath) {
        Expand-Archive -LiteralPath $ZIPPath -DestinationPath $DestinationPath -Force
        Log-Message "Extracted: $ZIPPath to $DestinationPath"
    } else {
        Log-Message "ZIP file not found: $ZIPPath"
        exit 1
    }
}

# Function to copy the ADMX/ADML policy files
function Copy-PolicyFiles($Source, $Destination) {
    if (Test-Path $Source) {
        Ensure-Directory $Destination
        Copy-Item -Path $Source -Destination $Destination -Recurse -Force
        Log-Message "Copied policy files to: $Destination"
    } else {
        Log-Message "Source policy files not found: $Source"
        exit 1
    }
}

# Execute functions
Ensure-Directory $Destination
Log-Message "Starting script execution"
Download-File $URL1 $DownloadPath1
Download-File $URL2 $DownloadPath2
Install-MSI $DownloadPath1
Extract-ZIP $DownloadPath2 $ExtractedPath

# The GitHub archive unpacks into a top-level "idle-logoff-1.2.8134" folder inside $ExtractedPath.
# Only copy to SYSVOL if it's a server OS (this branch is only reached if the OS check above is
# relaxed to allow a domain controller); otherwise use the local PolicyDefinitions store.
if ($OSInfo.OsName -match "Server") {
    Copy-PolicyFiles "$ExtractedPath\idle-logoff-1.2.8134\src\Lithnet.IdleLogoff\PolicyDefinitions\*" $PolicyPath1
} else {
    Copy-PolicyFiles "$ExtractedPath\idle-logoff-1.2.8134\src\Lithnet.IdleLogoff\PolicyDefinitions\*" $PolicyPath2
}
Log-Message "Script execution completed successfully!"
This makes deployment simple across multiple systems—whether they’re domain-joined or standalone.
🔄 Note: You’ll need to run this script on each client computer where you want Lithnet Idle Logoff installed. While domain-joined systems will receive the GPO settings from the SYSVOL folder (after the script is run on your PDC or domain controller holding the GPOs), the actual software must still be installed locally on each targeted machine.
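Because the script logs to a file and exits silently on failure, it is useful to have a quick post-install check to run on each machine. The following PowerShell is an added example written for this article, not part of the original post or of Lithnet Idle Logoff: it reads the script's own log file and policy folders (paths taken from the script above), looks for the product in the Uninstall registry keys, and looks for the copied ADMX/ADML templates. The DisplayName pattern and the assumption that the template filenames contain "idle" are guesses about the MSI's registered name and the template names, not values confirmed by the post.

```powershell
# Added example (not from the original post): verify what the install script left behind.
# Paths are the ones the script uses; the name patterns below are assumptions.

$LogFile     = 'C:\TEMP\Lithnet_Install.txt'
$PolicyPaths = @(
    'C:\Windows\PolicyDefinitions',
    'C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions'
)

function Test-IdleLogoffDeployment {
    # 1. Is the MSI registered? Check both the 64-bit and 32-bit Uninstall hives.
    $UninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $Installed = Get-ItemProperty $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Lithnet*Idle*' } |   # assumption: registered DisplayName
        Select-Object DisplayName, DisplayVersion

    # 2. Are the ADMX/ADML templates where the Group Policy editor will look for them?
    $Templates = foreach ($p in $PolicyPaths) {
        if (Test-Path $p) {
            Get-ChildItem -Path $p -Recurse -Include '*.admx', '*.adml' -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -match 'idle' } |             # assumption: template names contain "idle"
                Select-Object -ExpandProperty FullName
        }
    }

    # 3. Did the script log a clean finish? The last line is "completed successfully" only on success;
    #    any "Failed"/"not found"/"exit code" entry means it aborted.
    $LogTail = if (Test-Path $LogFile) { Get-Content $LogFile -Tail 5 } else { @('(no log file)') }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Installed      = [bool]$Installed
        InstalledName  = (@($Installed.DisplayName) -join ', ')
        TemplateFiles  = (@($Templates) -join '; ')
        LogSaysSuccess = [bool]($LogTail -match 'completed successfully')
        LastLogLines   = ($LogTail -join ' | ')
    }
}

Test-IdleLogoffDeployment | Format-List
```

Run it after the install script on each client (and on the domain controller if you relaxed the OS check to populate SYSVOL). A machine that shows Installed = True but no template files has the software without any way to configure it through Group Policy, which is the combination most likely to be missed.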
📄 Script Summary
🧩 Key Steps (Simplified Breakdown)
- 🧪 OS Check – Verifies the system is running Windows 10/11 Pro (not Server). Exits if requirements aren’t met.
- 🌐 Download Setup Files – Downloads the MSI installer and ZIP archive from GitHub to C:\TEMP.
- 🗂️ Define Paths – Sets up required paths for temp files and policy definition folders (SYSVOL & PolicyDefinitions).
- 🧱 Helper Functions
  - 📋 Log-Message – Logs actions with timestamps
  - 📁 Ensure-Directory – Creates folders if missing
  - ⬇️ Download-File – Pulls files via Invoke-WebRequest
  - ⚙️ Install-MSI – Silently installs the software
  - 🗜️ Extract-ZIP – Unpacks the policy archive
  - 🔄 Copy-PolicyFiles – Moves ADMX/ADML files to system paths
🚀 Script Execution Flow
- ✅ Ensures working directory exists
- 📝 Logs script start
- 🔽 Downloads MSI & ZIP files
- 🧩 Installs Lithnet Idle Logoff silently
- 🗜️ Extracts policy ZIP
- 📤 Copies Group Policy files to:
  - C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions (server / domain controller)
  - C:\Windows\PolicyDefinitions (workstation)
- 🏁 Logs successful completion
⚠️ Things to Keep in Mind
- 🔐 Admin Rights Required – For installing software and modifying system folders
- 🌍 Internet Access Needed – To download files from GitHub
- 📁 Path Accuracy – Ensure all target paths exist and are accessible
- ✏️ File Overwrites – Existing files may be replaced during copy/extraction
🧾 Final Note
This script provides a reliable and repeatable method for deploying Lithnet Idle Logoff and its Group Policy templates—perfect for automating session timeout enforcement across your organization.
✅ Conclusion
Automating the installation and configuration of Lithnet Idle Logoff with PowerShell is a powerful way to enhance security across your Windows environment. By enforcing idle session logoffs, you reduce the risk of credential theft from unattended sessions—especially from tools like Mimikatz. Whether you’re managing domain-joined servers or standalone workstations, this script offers a streamlined, repeatable, and auditable deployment method.
🌿 Final Thoughts
Idle sessions are often overlooked in system hardening efforts, but they can pose a serious risk in modern threat landscapes. Taking the time to deploy automated solutions like Lithnet Idle Logoff helps enforce good security hygiene without burdening end users. Combine this with other best practices—like least privilege access and regular patching—for a more resilient infrastructure.

My name is Dex, author at WinReflection.