UserLock: Control user logon activity

User accounts, passwords, and logins are some of the most dangerous security risks in your environment. UserLock provides powerful tools to help secure and control user logon activity. In this review of UserLock, we take a look at the features and capabilities of the solution to help secure your environment.

One of the most dangerous security risks to your organization is end user credentials. The age-old username and password are still used in most environments to access network resources. Attackers commonly target weak passwords to successfully compromise business-critical systems.

What's more, compromised user credentials or malicious insider threats are difficult to detect using standard security tools such as anti-virus, anti-intrusion, firewall, and other technologies. In this post, we take a look at a product from IS Decisions called UserLock that proposes to help solve the challenges around user login security.

What is IS Decisions' UserLock?

Traditional security tools do not enable insight into logons. Also, while two-factor authentication helps to solve many of the problems associated with traditional username/password logins, it can be challenging to implement across the board. Organizations often find that many solutions are needed to effectively implement two-factor authentication across different technologies.

UserLock is a logon security application that integrates easily into your Active Directory infrastructure and makes it easy to add two-factor authentication, contextual restrictions, and real-time insight into account logons. It sets out to provide tools for administrators to monitor and secure end user access.

It can also protect standalone terminal servers located in a workgroup configuration. For workgroups with the standalone UserLock configuration, the solution uses and protects local accounts on the terminal server without Active Directory integration.

It also helps to identify and attribute data and resource access to an individual user. This helps to enforce accountability for all end users. In addition, the amplified security on account logins helps to ensure administrators have the tools needed for both visibility into account-based attacks and the ability to block suspicious logon behavior.

What are the key benefits of UserLock?

  • Helps to avoid network and data breaches by providing monitoring and security around account logons
  • Enables protection against insider threats
  • Stops external threats and attackers moving laterally through the network
  • Prevents users from sharing passwords in an unauthorized way
  • Secures wireless and remote access solutions
  • Protects all your user accounts, including the most dangerous accounts: administrators
  • Lets you monitor and interact with user sessions
  • Gathers forensic data around user account logons
  • Enables effective "working hours" restrictions for user logins
  • Secures and optimizes workstations that are shared between employees
  • Helps meet compliance regulations such as GDPR, PCI DSS, HIPAA, SOX, and others

Let's take a look at the installation of the product and see what it takes to get it up and running.

Installing UserLock

For the full requirements, see the IS Decisions requirements documentation for UserLock.

I installed the solution on a Windows Server 2019 VM and had no issues with the install process. It is a "next, next, finish" type process that simply has you click through a few of the expected screens (EULA, etc.) and the product is installed.

Beginning the UserLock installation process

Immediately following the installation, the UserLock configuration wizard launches. The configuration wizard, among other things, will have you select the type of UserLock server you are configuring. Additionally, you will configure the service account that will be used to interact with the clients and servers in your environment.

Selecting the type of UserLock server that you are configuring

Installing the UserLock Agent

After you configure your installation, the UserLock management console will launch. Note the button to Install UserLock Agents. UserLock can deploy agents automatically if you choose, or you can manually install the UserLock agent to manage the logon features on a server-by-server basis.

As you can see below, when the console first launches, the Welcome screen has a button to easily Install UserLock Agents.

Launching the UserLock console for the first time

Below, I manually install the agent on a server that I want to manage with UserLock. The agent installed very quickly and without issue.

Installing the UserLock agent on a server

Configuring a protected account

Now that we have a machine to work with, let's protect a user account. The UserLock solution lets you define protected accounts. These are the accounts that you want to protect with the UserLock solution. When you protect an account, you can start securing various properties of the user account login and implement the various UserLock features.

The Protect a New Account wizard enables protecting:

  • Users
  • Groups
  • Organizational Units

The Group and Organizational Unit options allow protecting accounts in bulk. Below are the screens for adding a single user.

Choosing to protect a new account group or organizational unit

Select the account you want to protect. You can use the search feature to find a specific account.

Choose the account you want to protect

The final step is choosing whether you want to copy settings from an existing protected account and whether you want the protected account to be protected only on a temporary basis. After you choose your configuration here, click Finish.

Choosing copy settings and temporary protection

Properties of protected accounts

After you set up a protected account and you have an agent installed on the resource that the protected account will be logging into, you can start to control the logon security behavior for the user. Below are various restrictions and configurations you can put in place for a user.

There is a wide range of controls available. Below, you can see the following restrictions:

  • Number of initial access points allowed
  • Number of concurrent sessions allowed
  • Advanced custom session limits

These allow very granular controls based on the type of connectivity or technology being used.

Setting the General protected account properties

In addition, you can configure the multi-factor authentication option for a user. This is extremely powerful, as you can configure granular settings based on:

  • Workstation
  • Server
  • Connection types
  • When the account will be asked to use MFA (specify different time periods or IPs, days, etc.)

Configuring multi factor authentication

You can enforce restrictions based on logons from certain workstations or terminals, as well as specific times of day.

Configuring workstation and hour restrictions

Geolocation Restrictions and Time quotas round out the functionality to allow restricting or blocking access from specific locations as well as restricting the amount of time the user is allowed access.

Setting geolocation restrictions and time quotas

After configuring a simple MFA policy for the administrator user, when logging in to my win19test server where the UserLock agent is installed, the user is prompted to set up MFA. This will allow the user to add the connection to their authenticator app of choice.

If you cancel the MFA prompt here, you are simply logged out of the machine and the session is terminated. This helps to ensure that users have to prove their identity at login using a second form of authentication.

User is prompted for MFA setup including a QR code for adding to an authenticator app

In just a few short configuration steps, you can greatly bolster the security of account logons on business-critical servers across a number of technologies in your environment. UserLock's solution makes implementing MFA extremely easy.

Reporting and auditing

An extremely powerful part of the UserLock solution is the visibility, auditing, and reporting that you get. You can see in great detail how users are conducting themselves throughout various login sessions. You can even see when a user simply cancels the MFA prompt during a roll-out of MFA. Note that a user can only cancel the MFA prompt if the administrator allows it, for example, during a roll-out period. This visibility allows user sessions to be monitored effectively and any security events to be found quickly.

UserLock includes full reporting showing user activity across the board for forensics and auditing

Blocking users

What if there is malicious activity on a specific account and you want to block the user from accessing that account, including closing existing sessions? UserLock allows you to do this easily. You can simply choose to block the user.

Blocking a user in UserLock

When you block the user, you can customize the block message as well as choose how to handle the user's existing sessions to protected resources. You can:

  • Close existing sessions and block the user
  • Leave existing sessions open but block the user from opening new sessions

Customizing the block message and existing session behavior

Wrapping up and impressions of UserLock

All in all, the UserLock solution allows you to do what it says it will do: control all aspects of user login activity. The beauty of the solution is that you can do this in a granular way, and it is highly customizable. The auditing and reporting are very detailed and provide great visibility into user login activity.

When you see suspicious activity happening in your environment related to a specific user, you can easily block access to a specific user account and close all the connections that user may currently have. This essentially closes out a malicious connection from an attacker who may be using a compromised account.

The features as shown only scratch the surface of what it is capable of. I really like the features and protection the solution offers to bolster user login security. It does use an agent to manage endpoints, which means there will be agents to manage across your environment. However, the console seems to make this fairly painless and automated if you so choose. The solution allows easily configuring security mechanisms like multi-factor authentication. It does this with a wizardized approach that makes the setup painless.

Check out IS Decisions UserLock for a fully featured trial version of the product here.


© 4sysops 2006 - 2020
