Whenever users work remotely from outside the domain, UserLock can continue to protect access to machines, on connections back to the network and with direct connectivity to cloud-based resources.
Add multi-factor authentication (MFA), access management and single sign-on (SSO) for all Active Directory (AD) user identities, wherever they are used.
MFA on remote machine login – without the need to connect to VPN
If remote employee laptops are not secured properly, they can provide entry points for malicious threats. UserLock continues to secure computer logins on remote machines, even when there is no secure VPN connection to the corporate network.
1. Using UserLock Anywhere
With remote working, users do not always connect to a VPN. Implementing UserLock Anywhere allows the UserLock agent installed on a machine to remain in contact with the UserLock service through the internet. This allows MFA and access management policies to continue to be enforced on login for any user, regardless of what (managed) machine the user is remotely working on.
How to set-up UserLock Anywhere
2. Configuring the UserLock Agent
When UserLock Anywhere is not deployed, an offline access attempt on the machine can still be managed by the UserLock agent installed on the computer. Administrators can configure UserLock to always allow, always deny, or request MFA for all offline connections. An option to ‘Force MFA’ will deny access for users who are not yet enrolled in MFA.
How to manage logons without network connection
Secure corporate network access from outside the domain
Having a large number of users working outside the corporate network has increased security risks. Cybercriminals, especially ransomware creators, are keenly attuned to remote access vulnerabilities. UserLock is compatible with different types of remote connections.
1. Apply MFA to VPN connections
A VPN works by establishing encrypted connections between devices that remain private even if they stretch across public internet infrastructure.
UserLock’s MFA for VPN sessions supports the Remote Authentication Dial-In User Service (RADIUS) Challenge. The RADIUS Challenge can prompt for the one time password in a separate second step, after the user has successfully entered their login credentials.
- VPN solutions that support “RADIUS Challenge” include Open VPN, Palo Alto, Fortinet, Pulse Secure Connect SSL...
How to apply MFA for VPN
2. Apply MFA to Windows RDP connections and Remote Desktop Services (RD Gateway)
The Microsoft Remote Desktop Protocol (also known as RDP) is used to allow remote desktop to a computer. Remote Desktop Gateway (RDG or RD Gateway) is a Windows server role that enhances control by providing a secure encrypted connection to the server via RDP.
With UserLock MFA, administrators can define under what circumstances MFA is asked for these different RDP connections.
- Administrators can first customize MFA on RDP logins based on whether an end-user is connecting to another machine from inside the network or from logons that originate from outside the corporate network.
- Administrators can then choose to consider RDG connections as coming from inside or outside the network and define the circumstances for MFA.
How to apply MFA to RD Gateway
Remote MFA Enrollment
UserLock allows for several possible ways to enroll MFA on users who are working remotely outside of the corporate network.
Learn more
3. Apply MFA to Remote Desktop Web Access (RD Web Access)
RD Web Access is a way to connect to a remote desktop server – and access Remote Desktop Services - over the Internet without a VPN connection.
The RD Web connection component installs the necessary web pages and scripts to the Internet Information Services (IIS) server directory, giving users the Web page interface for their remote desktop. Users need just their AD credentials, a URL and a supported web browser to access desktops and applications.
With UserLock MFA for IIS, administrators can target any one or several web applications that need a second factor of authentication.
- UserLock detects the servers where IIS is installed and can automatically deploy the UserLock IIS agent. The UserLock MFA feature must then be installed on the IIS Server and the UserLock MFA application added.
- The website settings are then configured to redirect the user to enroll for MFA if not already done, and challenge for MFA before access to the IIS application is granted.
How to apply MFA for IIS
4. Apply MFA on Outlook Web Access for Microsoft Exchange Server
Outlook Web Access (OWA) allows users to access their own corporate mailbox over the internet- from outside the corporate domain - without having to log into a VPN.
With UserLock MFA for IIS, a second factor of authentication can be added to OWA connections as Exchange applications are supported by an IIS server.
- UserLock detects the servers where IIS is installed and can automatically deploy the UserLock IIS agent. The UserLock MFA feature must then be installed on the IIS Server and the UserLock MFA application added.
- The website settings are then configured to redirect the user to enroll for MFA if not already done, and challenge for MFA on all access to users email.
How to apply MFA for IIS
Note: UserLock can also protect Exchange Online (available as a standalone service or part of Office365) with MFA. See cloud-based resources.
5. MFA on Microsoft DirectAccess and AlwaysOn VPN
DirectAccess allows connectivity for remote users to organization network resources without the need for VPN connections. With DirectAccess connections, remote client computers are always connected to your organization - there is no need for remote users to start and stop connections, as is required with VPN connections.
AlwaysOn VPN – the replacement for DirectAccess – automatically establishes a VPN connection any time an authorized client has an active Internet connection.
Both of these methods help secure the machine’s remote connection. Unlike a traditional VPN there is no prompt for user credentials.
Therefore with UserLock, MFA can continue to be prompted when the remote user is asked to identify themselves.
Secure and direct access to cloud-based resources
Organizations want remote users to have stronger security on their direct connectivity to cloud resources. Direct access can reduce the load on the network and improve user experience, but often at the expense of security.
Rather than backhauling these applications through the core network UserLock enables MFA combined with single sign-on (SSO) for secure and direct connectivity to cloud based applications.
By retaining Active Directory (AD) as the Identity Provider, UserLock SSO allows each user to log in only once - with their existing AD credentials. Combined with granular MFA, this ensures a second factor of authentication can be added to verify the identity of users, before they access the cloud.
1. Access via a browser for users already authenticated to the Windows network
Access is immediately granted. UserLock SSO asserts the user’s identity to the cloud application and is authenticated without the user having to log in to the application. There is no difference whether inside the corporate network or working remotely.
(MFA can be requested again if required in the admin settings).
2. Access via a browser for users who are not authenticated to the Windows network
The user enters their corporate email address in the cloud application to login. UserLock SSO will then prompt the user for Windows domain login credentials (and a second authentication factor if enabled). The user is logged in successfully and redirected back to the application. There is no difference between a smartphone browser, a computer browser or a mobile app.
(MFA can be requested again if required in the admin settings).
3. Any attempt to then access a second, different cloud application
Access is immediately granted. Multi-factor authentication can however be requested at each logon if required in the administrative settings.
Further Security with Access Management
Once authenticated, contextual login restrictions and remote session management help further secure AD identity and secure remote access to all resources.
Examples include:
1. Restrict remote access to authorized machines
UserLock can restrict VPN access to just authorized company machines. Any other access attempt from any other machine is then denied.
2. Restrict remote access to certain countries
The geolocation restriction allows an administrator to restrict remote logons based on country (geolocation). The restriction will disallow/allow logons from a list of selectable countries.
3. Enforce logoff times and working hours
The rapid adoption of home working has meant many organizations can no longer apply time policies for network logons to reduce security risks or reduce unauthorized overtime.
UserLock Anywhere can continue to apply these restrictions even if the machine is outside the corporate network. The UserLock agent remains in contact with the service and can force the user to logoff if they have exceeded the working hours allowed.
With remote access quickly becoming the rule rather than the exception, UserLock helps administrators alleviate the increased risk to security by protecting against inappropriate or suspicious access.
François Amigorena - CEO of IS Decisions
