Initial access points

Initial access points control how many times a user can open a new "entry point" into the network.

Published August 26, 2025

Typical use cases

  • Prevent a user from opening sessions from multiple machines at the same time.

  • Force all access for a user to go through a single workstation.

  • Reduce the attack surface by limiting the number of possible entry points.

Key points to know

  • An initial access point is the first session opened on the network.

    • Example: opening a session on a workstation = initial access point.

    • If from that workstation the user opens a terminal session, it is a child session, and does not count as a new access point.

    • If the same user opens a session from another machine, this creates a new initial access point.

  • Available options:

    • Not configured → no limit, unless inherited from another policy.

    • Unlimited → no restriction.

    • Limited to → maximum number of allowed initial access points.

  • Limiting to 1 initial access point ensures the user can only enter the network from one machine.

Note

This policy can be combined with Session limits for finer control.
For example: limit to 1 initial access point + 3 interactive sessions → the user can open 3 sessions, but only from the same machine.
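
The counting rules from the key points and the combined limit from the note, as an added Python sketch (not UserLock code or its API). The class, function and machine names are hypothetical, and it assumes that an explicit setting takes precedence over an inherited one and that the session limit counts every open session.

```python
# Added illustration: a simplified model of the counting rules on this page,
# not UserLock's implementation. All names are hypothetical.
UNLIMITED = "unlimited"    # the "Unlimited" option
NOT_CONFIGURED = None      # the "Not configured" option


def effective_limit(own, inherited=NOT_CONFIGURED):
    """Return the limit as an int, or None for no limit.
    Assumption: an explicit setting takes precedence over an inherited one."""
    for setting in (own, inherited):
        if setting is not NOT_CONFIGURED:
            return None if setting == UNLIMITED else setting
    return None  # not configured anywhere -> no limit


class UserSessions:
    def __init__(self, ap_limit=NOT_CONFIGURED, inherited=NOT_CONFIGURED,
                 session_limit=None):
        self.ap_limit = effective_limit(ap_limit, inherited)
        self.session_limit = session_limit  # assumption: counts every open session
        self.sessions = []                  # (entry_machine, target_machine)

    def access_points(self):
        """Distinct machines through which the user entered the network."""
        return {entry for entry, _ in self.sessions}

    def open(self, target, source=None):
        """source=None: direct logon on target; otherwise the session is
        opened from the user's existing session on machine `source`."""
        parent = next((s for s in self.sessions if s[1] == source), None)
        entry = parent[0] if parent else target  # a child keeps its parent's entry point
        if self.session_limit is not None and len(self.sessions) >= self.session_limit:
            return False, "session limit reached"
        points = self.access_points()
        if entry not in points and self.ap_limit is not None \
                and len(points) >= self.ap_limit:
            return False, "initial access point limit reached"
        self.sessions.append((entry, target))
        return True, "child session" if parent else "session via entry point " + entry


def demo():
    """Constructed scenario: 1 initial access point + 3 sessions."""
    user = UserSessions(ap_limit=1, session_limit=3)
    attempts = [("WS1", None), ("SRV1", "WS1"), ("WS2", None),
                ("SRV2", "WS1"), ("SRV3", "WS1")]
    return [user.open(target, source) for target, source in attempts]
```

In the constructed scenario, the logon on WS2 is refused by the initial access point limit while the terminal sessions opened from WS1 are accepted until the session limit is reached.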

Configured policies

A list of all initial access point restriction policies is available in the Access Policies section, under the Initial access points page.

Best practice: Combine initial access point limits with remote logoff

Balancing security and productivity often means restricting network entry points without locking users out. UserLock lets you limit how many initial access points a user can open, while still allowing flexibility.

To maintain control and reduce help desk requests, combine initial access point limits with the option for users to close one of their active sessions themselves, without contacting an administrator, before opening a new one.

Configuration steps

  1. Create an Initial access points policy for the desired target (user, group, OU).

  2. Define the maximum number of allowed entry points.

  3. Create a Session limits policy on the same target.

  4. Enable Close previous session.

This approach keeps network access secure while ensuring users remain autonomous.