One of the most dangerous security risks to your organization is end user credentials. The age-old username and password are still used in most environments to access network resources. Attackers commonly target weak passwords to successfully compromise business-critical systems.
What's more, compromised user credentials or malicious insider threats are difficult to detect using standard security tools such as anti-virus, anti-intrusion, firewall, and other technologies. In this post, we take a look at a product from IS Decisions called UserLock that proposes to help solve the challenges around user login security.
What is IS Decisions' UserLock?
Traditional security tools do not enable insight into logons. Also, while two-factor authentication helps to solve many of the problems associated with traditional username/password logins, it can be challenging to implement across the board. Organizations often find that many solutions are needed to effectively implement two-factor authentication across different technologies.
UserLock is a logon security application that integrates easily into your Active Directory infrastructure and makes it easy to add two-factor authentication, contextual restrictions, and real-time insight around account logons. It sets out to provide tools for administrators to monitor and secure end user access.
It can also protect standalone terminal servers located in a workgroup configuration. For workgroups with the standalone UserLock configuration, the solution uses and protects local accounts on the terminal server without Active Directory integration.
It also helps to identify and attribute data and resource access to an individual user. This helps to enforce accountability for all end users. In addition, the amplified security on account logins helps to ensure administrators have the tools needed for both visibility into account-based attacks and the ability to block suspicious logon behavior.
What are the key benefits of UserLock?
- By providing monitoring and security around account logons, it helps to avoid network and data breaches
- Enables protection against insider threats
- Stops external threats and attackers moving laterally through the network
- Prevents users from sharing passwords in an unauthorized way
- Secure wireless and remote access solutions
- Protect all your user accounts, including the most dangerous accounts—administrators
- Monitor and interact with user sessions
- Gather forensic data around user account logons
- Enable effective "working hours" restrictions for user logins
- Secure and optimize workstations that are shared between employees
- Enable meeting compliance regulations such as GDPR, PCI DSS, HIPAA, SOX, and others
Let's take a look at the installation of the product and see what it takes to get it up and running.
To explore the full requirements as detailed by IS Decisions for UserLock, see the full requirements documentation here.
I installed the solution on a Windows Server 2019 VM and had no issues with the install process. It is a "next, next, finish" type process that simply has you click through a few of the expected screens (EULA, etc.) and the product is installed.
Immediately following the installation, the UserLock configuration wizard launches. The configuration wizard, among other things, will have you select the type of UserLock server you are configuring. Additionally, you will configure the service account that will be used to interact with the clients and servers in your environment.
Installing the UserLock Agent
After you configure your installation, the UserLock management console will launch. Note that you will see the button to Install UserLock Agents. The UserLock solution can automatically deploy agents via an automatic process if you choose, or you can manually install the UserLock agent to manage the logon features on a server-by-server basis.
As you can see below, when the console first launches, the Welcome screen has a button to easily Install UserLock Agents.
Below, I manually install the agent on a server that I want to manage with UserLock. The agent installed very quickly and without issue.
Configuring a protected account
Now that we have a machine to work with, let's protect a user account. The UserLock solution lets you define protected accounts. These are the accounts that you want to protect with the UserLock solution. When you protect an account, you can start securing various properties of the user account login and implement the various UserLock features.
The Protect a New Account wizard enables protecting:
- Organizational Units
The Group and Organizational Unit options allow protecting accounts in bulk. Below are the screens for adding a single user.
Select the account you want to protect. You can use the search feature to find a specific account.
The final step is choosing whether you want to copy settings from an existing protected account and whether you want the protected account to be protected only on a temporary basis. After you choose your configuration here, click Finish.
Properties of protected accounts ^
After you set up a protected account and you have an agent installed on the resource that the protected account will be logging into, you can start to control the logon security behavior for the user. Below are various restrictions and configurations you can put in place for a user.
There are a wide range of controls available. Below, you can see the following restrictions:
- Number of initial access points allowed
- Number of concurrent sessions allowed
- Advanced custom session limits
These allow very granular controls based on the type of connectivity or technology being used.
In addition, you can configure the multi-factor authentication option for a user. This is extremely powerful, as you can configure granular settings based on:
- Connection types
- When the account will be asked to use MFA (specify different time periods or IPs, days, etc.)
You can enforce restrictions based on logons from certain workstations or terminals, as well as specific times of day.
Geolocation Restrictions and Time quotas round out the functionality to allow restricting or blocking access from specific locations as well as restricting the amount of time the user is allowed access.
After configuring a simple MFA policy for the administrator user, when logging into my win19test server where the UserLock agent is installed, the user is prompted to set up MFA. This will allow the user to add the connection to their authenticator app of choice.
If you cancel the MFA prompt here, you are simply logged out of the machine and the session is terminated. This helps to ensure that users have to prove their identity at login using a second form of authentication.
In just a few short configuration steps, you can greatly bolster the security of account logon activity on business-critical servers across a number of technologies in your environment. UserLock's solution makes implementing MFA extremely easy.
Reporting and auditing
An extremely powerful part of the UserLock solution is the visibility, auditing, and reporting that you get. You can see in great detail how users are conducting themselves throughout various login sessions. You can even see when a user simply cancels the MFA prompt during a roll-out of MFA. Note that a user can only cancel the MFA prompt if the administrator allows it, for example, during a roll-out period. This visibility allows user sessions to be monitored effectively and any security events to be found quickly.
Blocking users
What if there is malicious activity on a specific account and you want to block the user from accessing those accounts, including closing existing sessions? UserLock allows you to do this easily. You can simply choose to block the user.
When you block the user, you can customize the block message as well as choose how to handle the user's existing sessions to protected resources. You can:
- Close existing sessions and block the user
- Leave existing sessions open but block the user from opening new sessions
Wrapping up and impressions of UserLock
All in all, the UserLock solution allows you to do what it says it will do—control all aspects of user login activity. The beauty of the solution is that you can do this in a granular way, and it is highly customizable. The auditing and reporting are very detailed and provide great visibility into activities around user login activity.
When you see suspicious activity happening in your environment related to a specific user, you can easily block access to a specific user account and close all the connections that user may currently have. This essentially closes out a malicious connection from an attacker who may be using a compromised account.
The features as shown only scratch the surface of what it is capable of. I really like the features and protection the solution offers to bolster user login security. It does use an agent to manage endpoints, which means there will be agents to manage across your environment. However, the console seems to make this fairly painless and automated if you so choose. The solution allows easily configuring security mechanisms like multi-factor authentication. It does this with a wizardized approach that makes the setup painless.
Check out IS Decisions UserLock for a fully featured trial version of the product here.