Access Management: How to Restrict & Monitor Terminal Sessions

UserLock protects and supports all terminal sessions. You just need to install the agent on Terminal Servers. There is nothing to install on thin clients (terminals) themselves.

To monitor terminal sessions, you first need to deploy the UserLock desktop agent on the Terminal Server. This is the same micro agent that is used for workstation protection, and it has the same requirements (see previous tutorial).

Once the agent is installed, all local sessions and terminal sessions opened on this server are detected, monitored and audited. The session label is made up of the name of the target server and the workstation from which the terminal session was opened.

Setting User Restrictions and defining the limits on Terminal Sessions

Within UserLock you can create or modify protected account rules to define limits to Terminal sessions.

As with workstation sessions, check the corresponding box to define a limit on the number of concurrent terminal sessions authorized for users. Once the limit is reached, further terminal sessions will be refused.

UserLock can also define a total number of allowed concurrent sessions for both workstation and terminal sessions combined. This is called ‘Interactive sessions’ in UserLock.

Restrictions can also be defined and enforced on the workstations from which users can open a terminal session. Set them by typing an IP range, a name or an Organizational Unit, and remember to specify the terminal session type.

In the same way, you can authorize or deny the hours during which a user can open a terminal session. The same restrictions as for workstation sessions can be applied. Take a look at the previous tutorial for more details.
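How the restrictions in this section combine can be seen in a small Python model, added here as an illustration; it is not UserLock code. The names `Policy` and `evaluate`, the order of the checks, the refusal messages and the sample values are assumptions, and only the IP-range form of the workstation restriction is modeled.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass
class Policy:  # hypothetical model of one protected account rule
    terminal_limit: int | None = None      # max concurrent terminal sessions
    interactive_limit: int | None = None   # workstation + terminal combined
    allowed_sources: list[str] = field(default_factory=list)  # CIDR; empty = any
    allowed_hours: tuple[time, time] | None = None  # same-day (start, end)

def evaluate(policy, open_sessions, source_ip, now):
    """Decide whether a new terminal session request is accepted.

    open_sessions lists the user's current sessions as "workstation" or
    "terminal". Returns (allowed, reason). Check order is an assumption.
    """
    if policy.allowed_sources and not any(
        ip_address(source_ip) in ip_network(net) for net in policy.allowed_sources
    ):
        return False, "source workstation not authorized"
    if policy.allowed_hours:
        start, end = policy.allowed_hours
        if not (start <= now < end):
            return False, "outside authorized hours"
    # The terminal limit counts terminal sessions only ...
    if (policy.terminal_limit is not None
            and open_sessions.count("terminal") >= policy.terminal_limit):
        return False, "terminal session limit reached"
    # ... while the interactive limit counts both session types together.
    if (policy.interactive_limit is not None
            and len(open_sessions) >= policy.interactive_limit):
        return False, "interactive session limit reached"
    return True, "accepted"

# Constructed sample rule: 2 terminal sessions, 3 interactive sessions in
# total, terminal logons only from 10.0.5.0/24 between 08:00 and 18:00.
POLICY = Policy(2, 3, ["10.0.5.0/24"], (time(8), time(18)))

if __name__ == "__main__":
    cases = [  # constructed requests: (open sessions, source IP, time)
        (["workstation"], "10.0.5.20", time(9, 30)),
        (["terminal", "terminal"], "10.0.5.20", time(9, 30)),
        (["workstation", "workstation", "terminal"], "10.0.5.20", time(9, 30)),
        (["workstation"], "192.168.1.7", time(9, 30)),
        (["workstation"], "10.0.5.20", time(22, 0)),
    ]
    for sessions, ip, when in cases:
        print(sessions, ip, when, "->", evaluate(POLICY, sessions, ip, when))
```

The third case shows why the combined limit matters: the user is below the terminal limit but is still refused because two workstation sessions already count toward the interactive total.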

Managing Terminal Sessions with UserLock

Additional settings are available for terminal session management. Right-click ‘Agent distribution’ to display the agent properties. On the right of the Agent configuration section, you will find options to manage the behavior of terminal sessions through UserLock.

By default, the option ‘Try to join any existing session on server’ is set to ‘always’. Adapt this setting to your organization’s session policy.

The terminal console session can also be excluded from the restrictions if desired.