IS Decisions Blog

Remote work: Secure off-network, off-domain connections

Remote users don’t always connect to the corporate network, or even the internet. Here’s how UserLock’s multi-factor authentication (MFA) and access controls safeguard off-network, off-domain access.

Published Oct 19, 2021

Remote work: How to secure off-network, off-domain access

Regardless of whether employees are working on-site or remotely, UserLock offers admins a security platform to manage multi-factor authentication (MFA) and control system access. Several remote access methods can be protected, including remote desktop protocol, virtual private network, virtual desktop, and internet information services (IIS).

With UserLock, admins can go one step further to protect remote connections, even when a user doesn't connect to the domain with a secure VPN. A micro agent on the remote machine communicates with the on-premise UserLock service via the internet to enforce MFA and access security policies.


The need to secure remote work

Organizations with a full or partial remote work environment are going strong. While some are back to the office, it's unlikely to see a full reversal of remote working anytime soon.

But from a security perspective, remote work leaves organizations of all sizes more vulnerable to security threats. There are a few (mostly) common sense reasons for that.

First, it's harder for end-users to quickly communicate with IT security staff. Then there are also the challenges for IT of remotely enforcing company access-security policies and managing (or monitoring) system access controls.

These kinds of changes are also why it’s more important than ever to have the technology resources you need to maintain secure remote working environments.

Securing VPN-less connections

And there's one key remote work vulnerability that can sometimes slip under the radar: how do you secure remote access, even when users don't use a VPN (a "VPN-less connection") and don't connect to the corporate network?

To solve this problem, UserLock offers subscribers a web app, UserLock Anywhere, to help IT admins manage their remote workforce. When your team enables UserLock Anywhere, you can ensure UserLock still prompts your off-domain users for multi-factor authentication (MFA). You can also maintain enforcement of employee access controls, continue to monitor user activity, and continue to ensure organizational security policies are upheld.

Multi-factor authentication to secure remote working

The primary reason organizations need to use MFA is that it can help avoid breaches to a network and data system through an extra layer of requirements for a user to gain access to a system. These security layers, by default, make it difficult for a malicious attacker or unauthorized user to access the system as they won’t have the tokens or authenticators that are required to do so.

Some common challenges associated with MFA enforcement, or the implementation of any technology for that matter, are trusting that users will actually use the technology required, and that they won't attempt to bypass it because it impedes on their time. There are also issues where the security culture of an organization prioritizes privileged users as opposed to all users.

For instance, a large firm may only require MFA for personnel managing security systems and not for its end-users. This philosophy of ignoring the security of end-users is dangerous because these non-privileged users are generally less equipped with the knowledge and tools to protect the organization from cyber-related incidents.

How UserLock secures remote access

UserLock has the capability to alleviate some of these challenges of MFA enforcement by requiring MFA to be prompted and monitored with the on-premise Active Directory (AD).

  • Control MFA requirements for all users, not just privileged users, based on a plethora of contextual filters and technical attributes. Supported by the UserLock Push application, authenticator applications such as Google Authenticator, Microsoft Authenticator and LastPass Authenticator, as well as configurable hardware tokens like YubiKey and Token2, UserLock makes it easy for administrators.

  • Enable MFA and adjust prompt authentication requirements determined by connection type, device, and session, and IT administrators can also choose to set interval stipulations for the frequency that MFA is activated for a user. System administrators can then view the log of MFA events to evaluate successful logins, failed authentications, cancelled attempts, or MFA events where help is needed.

  • Enforce MFA authentication to secure users without domain access.
    When users work remotely, they may not always be connected to the corporate network. This "off domain" or "VPN-Less" access can still be protected with UserLock Anywhere, which can enforce MFA requests. In the absence of a secure network connection, the agent on the remote machine communicates over the Internet with the UserLock service (running on-premise). This way, access to the remote computer is still protected with MFA, even if there's no VPN connection.

Combine MFA with access controls to secure remote working

Access controls act as a gatekeeper for determining who can and cannot access a system based on detailed contextual factors. This can help both with labor compliance requirements and with securing a remote working environment.

UserLock can enforce access management control from Windows AD with contextual restrictions based on the origin (location, IP address, or department), time of access, and session type (RDP, VPN, IIS). UserLock can also enforce concurrent session restrictions to limit the number of simultaneous sessions you want to accept.

A few common scenarios for using UserLock to control system access

  • Control employee working hours
    If an organization resides in an area where labor compliance requirements limit the hours worked by an employee, UserLock can be used to control login times and session durations as well as document the hours worked.

  • Secure access after a device is stolen or lost
    If it is confirmed that a company-issued device (phone or laptop) was stolen, UserLock can deny that device access to any remote system by restricting its IP address.

  • Manage access based on operational shifts
    If an organization has clear and defined working shifts, UserLock can be configured to automatically restrict employee access once their shift has ended and allow access to employees just starting their shift.

  • Deny access to compromised credentials
    If it was established that an employee negligently submitted their login credentials to a credential-harvesting phishing scam, UserLock can deny that user's access until the credential compromise has been remediated.

Aside from situational-based system control, UserLock can manage the number of remote, concurrent sessions allowed at a given time. System administrators can limit initial access points, total workstation sessions, and the number of terminal sessions that can be used simultaneously.

These controls assist in denying external threats and employees unnecessary system access. For example, if you set the maximum number of workstation sessions for an employee to one, UserLock will deny any additional sessions after the currently used one. So if an employee is in the middle of a workstation session for their shift and there's another attempt to open that specific user's session by a hacker, the hacker will be denied access because of the preset rules on concurrent sessions allowed at once.

  • Enforce contextual access controls to secure users without domain access
    Once again in the absence of a secure network connection, you can still manage "off-domain" access for remote users with these contextual restrictions. UserLock Anywhere will enforce login restrictions to refuse connections and can also force remote sessions to lock or log off, ensuring that policies relating to working hours, time quotas, or operational shifts are still respected.
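The contextual restrictions and the one-session-per-user scenario above, modelled as an added example: this is not UserLock's own code, configuration format or API, and the policy values, user names and IP ranges are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed model of the contextual controls the post describes: working
# hours, origin IP range, session type, blocked accounts, concurrent-session cap.
@dataclass(frozen=True)
class AccessPolicy:
    allowed_hours: tuple = (8, 18)              # shift window: 08:00 <= hour < 18:00
    allowed_networks: tuple = ("10.0.0.0/8",)   # corporate ranges (constructed)
    allowed_session_types: frozenset = frozenset({"workstation", "rdp"})
    max_workstation_sessions: int = 1           # the post's example: one per user
    blocked_users: frozenset = frozenset()      # accounts with compromised credentials

@dataclass(frozen=True)
class LoginAttempt:
    user: str
    source_ip: str
    session_type: str
    when: datetime

def evaluate(policy, attempt, active_sessions):
    """Return (allowed, reason); active_sessions maps user -> open session types."""
    if attempt.user in policy.blocked_users:
        return False, "user blocked pending credential reset"
    start, end = policy.allowed_hours
    if not start <= attempt.when.hour < end:
        return False, "outside permitted working hours"
    ip = ip_address(attempt.source_ip)
    if not any(ip in ip_network(net) for net in policy.allowed_networks):
        return False, "origin IP not in an allowed range"
    if attempt.session_type not in policy.allowed_session_types:
        return False, "session type not permitted"
    open_ws = active_sessions.get(attempt.user, []).count("workstation")
    if attempt.session_type == "workstation" and open_ws >= policy.max_workstation_sessions:
        return False, "concurrent workstation session limit reached"
    return True, "allowed"

def demo():
    """Constructed scenario: alice is mid-shift with one workstation session open."""
    policy = AccessPolicy(blocked_users=frozenset({"carol"}))
    active = {"alice": ["workstation"]}
    attempts = [
        LoginAttempt("alice", "10.1.2.3", "workstation", datetime(2021, 10, 19, 10, 30)),
        LoginAttempt("bob", "10.1.2.4", "workstation", datetime(2021, 10, 19, 22, 0)),
        LoginAttempt("bob", "203.0.113.5", "rdp", datetime(2021, 10, 19, 9, 0)),
        LoginAttempt("carol", "10.1.2.6", "rdp", datetime(2021, 10, 19, 9, 0)),
        LoginAttempt("bob", "10.1.2.4", "rdp", datetime(2021, 10, 19, 9, 0)),
    ]
    return [evaluate(policy, a, active) for a in attempts]
```

The second workstation login for alice is refused because one session is already open, which is the behaviour the concurrent-session example describes; the other attempts show each remaining restriction denying with a reason an administrator could log.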

Monitor user activity to secure remote working

In addition to managing employee access to secure remote working, user activity should be monitored for the purpose of tracking logins/logouts, alerting administrators and employees of suspicious activity, and responding to potential security breaches by blocking access to an unauthorized user.

Taking initiative to monitor user, device and session activity is crucial to securing both remote and on-premise systems as it allows an organization to be proactive when responding to a potential breach. Therefore, the monitoring technology should be easy-to-use and work in cohesion with security software (like MFA) and the access control system.

UserLock centralizes user-monitoring with displays of activity information about session status, type, and quantity of sessions. System administrators can also view user information from AD such as their display name, department/organizational unit, and their device information.

Enforce organizational remote policies to secure remote working

Arguably, the biggest challenge of securing a remote environment, or even a mobile workforce for that matter, is ensuring that employees are following administrative policies and procedures regarding information security and the use of company technology. This tends to be difficult because an organization is placing its trust in employees who generally don't pay a high degree of attention to their firm's policies. At the same time, that organization is trying to enforce guidelines for users who could be scattered across the country or globe.

With some of the access control and monitoring features of UserLock, system administrators can guide end-users, both employees and contractors, to make sure that organizational policies are being followed through activity restrictions and notifications.

Examples of how UserLock can help enforce organizational policies

  • Offline access controls and MFA
    UserLock's offline MFA and access controls work without internet access, straight out of the box. So you can still enforce MFA, even if your user doesn't connect to the internet. This is helpful to demonstrate MFA in all circumstances to meet compliance standards, and also fills a common security gap for MFA solutions. This ability to work without an internet connection also allows you to deploy UserLock to secure access to an airgapped environment.

  • Least privilege policy
    If an organization follows the principle of least privilege where employees should only have access to data and systems pertinent to their job function, UserLock can utilize its reporting and audit features to evaluate the permission rights along with authorized privileges for each user.

  • Bring your own device (BYOD) policy
    If an organization has a BYOD policy about sessions or applications that can be accessed through a personal device, UserLock's access control management features can restrict certain access based on IP address ranges.

  • Incident response procedures
    If an organization has a formal incident response plan for handling cyber incidents that includes notification of proper personnel and isolating a potential incident as much as possible, UserLock can help streamline these steps by automatically alerting system administrators of suspicious activity and allowing them to immediately block that suspicious user.

Close remote access security gaps with UserLock

UserLock is a straightforward MFA and access management solution that offers high-level security features that anyone can manage. UserLock makes it easy to manage multi-factor authentication requirements, control remote system access, monitor user activity, and enforce your organization's security policies. With UserLock Anywhere, system administrators can even manage MFA and restrict system access for remote users who have no VPN connection to the corporate network.
