
Remote work: How to secure off-network, off-domain access

Remote users don’t always connect to the corporate network, or even the internet. Here’s how UserLock’s multi-factor authentication (MFA) and access controls safeguard offline, off-domain access.

Published October 19, 2021

Regardless of whether employees are working on-site or remotely, UserLock offers admins a security platform to manage multi-factor authentication (MFA) and control system access. Several remote access methods can be protected, including Remote Desktop Protocol (RDP), virtual private network (VPN), virtual desktop, and Internet Information Services (IIS).

With UserLock, admins can go one step further to protect remote connections without a secure VPN. A micro agent on the remote machine communicates with the on-premise UserLock service via the internet to enforce MFA and access security policies.


The acceleration of remote work

As a result of a company culture change or a large-scale global pandemic, remote work has increasingly gained a foothold and doesn't seem to be going away anytime soon. Adjustments of this magnitude can leave organizations of all sizes more vulnerable to security threats: end users cannot quickly reach IT security staff, and it is harder to enforce company access-security policies and to manage (or monitor) system access controls remotely.

These kinds of changes are also why it’s more important than ever to be equipped with the technology resources to enforce secure remote working environments, even when users are “offline” and not connected to the corporate network.

To solve this problem, UserLock offers subscribers a web app, UserLock Anywhere, to help IT admins manage a remote workforce. When UserLock Anywhere is enabled, security is enforced even offline: off-domain users are prompted for multi-factor authentication (MFA), employee access controls are enforced, user activity is monitored, and organizational security policies are followed.

Multi-factor authentication to secure remote working

The primary reason organizations need MFA is that it helps prevent breaches of the network and its data systems by adding an extra layer of requirements before a user gains access. By default, these layers make it difficult for a malicious attacker or unauthorized user to access the system, since they won't have the tokens or authenticators required to do so.

A common challenge of MFA enforcement, or of implementing any technology for that matter, is trusting that users will actually use the required technology and not attempt to bypass it because it takes up their time. There are also issues where an organization's security culture prioritizes privileged users over all users.

For instance, a large firm may only require MFA for personnel managing security systems and not for its end-users. This philosophy of ignoring the security of end-users is dangerous because these non-privileged users are generally less equipped with the knowledge and tools to protect the organization from cyber-related incidents.

How UserLock secures remote access

UserLock can alleviate some of these MFA enforcement challenges by requiring, prompting and monitoring MFA in conjunction with the on-premise Active Directory (AD).

  • Control MFA requirements for all users, not just privileged users, based on a plethora of contextual filters and technical attributes. Supported by the UserLock Push application, authenticator applications such as Google Authenticator, Microsoft Authenticator and LastPass Authenticator, as well as configurable hardware tokens like YubiKey and Token2, UserLock makes it easy for administrators.

  • Enable MFA and adjust when authentication is prompted according to connection type, device, and session; IT administrators can also set how frequently MFA is required for a user. System administrators can then view the log of MFA events to evaluate successful logins, failed authentications, cancelled attempts, or MFA events where help is needed.

  • Enforce MFA authentication to secure users without domain access.
    When users work remotely, they may not always be connected to the corporate network. This "offline domain" access can still be protected with UserLock Anywhere, which enforces MFA requests. In the absence of a secure network connection, the agent on the remote machine communicates over the Internet with the UserLock service (running on-premise). This way, access to the remote computer is still protected with MFA without first requiring a VPN connection.

Management of access controls to secure remote working

Acting as a gatekeeper for determining who can and cannot access a system based on detailed contextual factors can help with both labor compliance requirements and securing a remote working environment. UserLock can perform access management control from Windows AD with contextual restrictions based on the origin (location, IP address, or department), time of access, session type (RDP, VPN, IIS), as well as whether multiple sessions are being attempted at once.

A few common scenarios for using UserLock to control system access

  • Controlling employee working hours
    If an organization resides in an area where labor compliance requirements limit the hours worked by an employee, UserLock can be used to control login times and session durations as well as document the hours worked.

  • Securing access after a device is stolen or lost
    If it is confirmed that a company-issued device (phone or laptop) was stolen, UserLock can deny that device access to any remote system by restricting its IP address.

  • Managing access based on operational shifts
    If an organization has clear and defined working shifts, UserLock can be configured to automatically restrict employee access once their shift has ended and allow access to employees just starting their shift.

  • Denying access to compromised credentials
    If it is established that an employee negligently submitted their login credentials to a credential-harvesting phishing scam, UserLock can deny that user's access until the credential compromise has been resolved.

Aside from situational-based system control, UserLock can manage the number of remote, concurrent sessions allowed at a given time. System administrators can limit initial access points, total workstation sessions, and the number of terminal sessions that can be used simultaneously.

These controls help deny unnecessary system access both to external threats and to employees. For example, if you set the maximum number of workstation sessions for an employee to one, UserLock will deny any additional session beyond the one currently in use. So if an employee is in the middle of a workstation session for their shift and an attacker attempts to open another session as that user, the attacker is denied because of the preset rule on concurrent sessions.
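To make the contextual checks described above concrete (session type, origin IP range, working hours, and the concurrent workstation-session limit), here is an added illustrative policy evaluator. It is constructed for this article and is not UserLock's own code or configuration format; the policy values, user names and addresses are made up.

```python
# Illustrative model of contextual access checks: session type, origin network,
# working hours and a concurrent-session cap. Constructed example, not UserLock code.
import ipaddress
from dataclasses import dataclass
from datetime import time


@dataclass
class Policy:
    allowed_session_types: set      # e.g. {"workstation", "rdp"}
    allowed_networks: list          # CIDR strings the user may connect from
    work_start: str                 # "HH:MM", inclusive start of login window
    work_end: str                   # "HH:MM", exclusive end of login window
    max_workstation_sessions: int   # concurrent workstation sessions allowed


@dataclass
class Request:
    user: str
    session_type: str
    source_ip: str
    login_time: str                 # "HH:MM"


def evaluate(req: Request, policy: Policy, active: list) -> tuple:
    """Return (allowed, reason). `active` lists (user, session_type) pairs for
    sessions currently open; the first failing rule denies the request."""
    if req.session_type not in policy.allowed_session_types:
        return False, f"session type {req.session_type!r} not permitted"
    ip = ipaddress.ip_address(req.source_ip)
    if not any(ip in ipaddress.ip_network(n) for n in policy.allowed_networks):
        return False, f"origin {req.source_ip} outside permitted networks"
    start, end = time.fromisoformat(policy.work_start), time.fromisoformat(policy.work_end)
    if not (start <= time.fromisoformat(req.login_time) < end):
        return False, f"login at {req.login_time} outside working hours"
    if req.session_type == "workstation":
        open_ws = sum(1 for u, t in active if u == req.user and t == "workstation")
        if open_ws >= policy.max_workstation_sessions:
            return False, f"{open_ws} workstation session(s) already open for {req.user}"
    return True, "allowed"


# Constructed sample policy: day shift, internal networks only, one workstation session.
SHIFT_POLICY = Policy({"workstation", "rdp"}, ["10.0.0.0/8", "192.168.1.0/24"],
                      "08:00", "18:00", max_workstation_sessions=1)

if __name__ == "__main__":
    active = [("alice", "workstation")]      # alice already has a session open
    print(evaluate(Request("alice", "workstation", "10.1.2.3", "09:00"), SHIFT_POLICY, active))
    print(evaluate(Request("bob", "rdp", "203.0.113.7", "09:00"), SHIFT_POLICY, active))
```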

  • Enforce contextual access controls to secure users without domain access
    Once again, in the absence of a secure network connection, "offline domain" access for remote users can still be managed with these contextual restrictions. UserLock Anywhere enforces login restrictions to refuse connections and can also force remote sessions to lock or log off, ensuring that policies relating to working hours, time quotas or operational shifts are still respected.

Monitor user activity to secure remote working

In addition to managing employee access to secure remote working, user activity should be monitored for the purpose of tracking logins/logouts, alerting administrators and employees of suspicious activity, and responding to potential security breaches by blocking access to an unauthorized user.

Taking the initiative to monitor user, device and session activity is crucial to securing both remote and on-premise systems, as it allows an organization to respond proactively to a potential breach. The monitoring technology should therefore be easy to use and work in concert with security software (like MFA) and the access control system.

UserLock centralizes user-monitoring with displays of activity information about session status, type, and quantity of sessions. System administrators can also view user information from AD such as their display name, department/organizational unit, and their device information.

Enforce organizational remote policies to secure remote working

Arguably, the biggest challenge of securing a remote environment, or even a mobile workforce for that matter, is ensuring that employees follow administrative policies and procedures regarding information security and the use of company technology. This tends to be difficult because an organization is putting its trust in employees who generally don't take a high degree of care with their firm's policies. At the same time, that organization is trying to enforce guidelines for users who could be scattered across the country or the globe.

With some of the access control and monitoring features of UserLock, system administrators can guide end-users, both employees and contractors, to make sure that organizational policies are being followed through activity restrictions and notifications.

Examples of how UserLock technology can help enforce certain organizational policies

  • Least privilege policy
    If an organization follows the principle of least privilege where employees should only have access to data and systems pertinent to their job function, UserLock can utilize its reporting and audit features to evaluate the permission rights along with authorized privileges for each user.

  • Bring your own device (BYOD) policy
    If an organization has a BYOD policy about which sessions or applications can be accessed from a personal device, UserLock's access control management features can restrict certain access based on IP address ranges.

  • Incident response procedures
    If an organization has a formal incident response plan for handling cyber incidents that includes notification of proper personnel and isolating a potential incident as much as possible, UserLock can help streamline these steps by automatically alerting system administrators of suspicious activity and allowing them to immediately block that suspicious user.

Close remote access security gaps with UserLock

UserLock is an easy-to-use security platform that offers high-level security features for managing multi-factor authentication requirements, controlling remote system access, monitoring user activity, and enforcing your company security policies. With UserLock Anywhere, system administrators can even manage MFA authentication and restrict system access for remote users who have no VPN connection to the corporate network.
