Access Management: How to Restrict & Monitor Windows User Access

Improved Access Management & Logon Control

Knowing who your users are and managing their access is central to effective IT security. UserLock extends Windows Active Directory security by applying further restrictions to authorized users based on a range of criteria. UserLock gives an important extra layer of control.

Once restrictions are set, UserLock monitors all Active Directory login and session events in real time, so organizations can control and record what users can do.

How to start Monitoring User Access and protect Windows User Sessions

Once installed on any member server of the domain (see the previous tutorial), UserLock must deploy a micro agent onto each workstation that is a member of the selected network zone. This is done through the UserLock console, which contains an agent deployer with manual and automatic modes.

The automatic mode deploys the agent on all workstations that are members of the protected zone. If a new machine is added to the network zone UserLock protects, it is protected automatically without any further action.

Once the agent is deployed, all Windows session events in your protected zone are detected and logged in the UserLock database.

Setting User Logon Restrictions and defining the User Session Policy

With UserLock, organizations can set restrictions according to user, user group and organizational unit. Allowing restrictions to be centrally set for an entire group goes beyond native functionality, saving time and helping IT teams implement effective and manageable login controls.

The UserLock restrictions (rules) for user sessions are displayed by clicking on ‘protected accounts’.

Define the number of concurrent sessions

Preventing concurrent logins via a single identity makes it hard for users to share their credentials or use two different devices concurrently. This averts one of the most potentially dangerous situations for a Windows Active Directory network.

Define the limit by checking the ‘Allowed workstation session’ box and entering the limit.

The rules are applied in real time. Every user that is a member of the defined group is now limited to one simultaneous session on protected workstations. If a user tries to log on a second time from a different workstation, the logon is denied.

The message displayed to users at this point can be personalized. If needed, the user can be allowed to log off an existing session when the number of allowed sessions has already been reached. This authorizes the user to perform a remote log-off instead of being denied.

Define from which workstation a user can open a session

For each defined user, group or organizational unit, UserLock can control and restrict the workstations from which a member can open a session. This ensures, for example, that a user opens a session from their own department and not from a workstation they are not supposed to use.

These rules consist of a list of machines that can be authorized or denied. You can build this machine list in different ways: one by one by machine name or IP address, by IP range, or by organizational unit.

Once the rule is validated, a user trying to log on to a machine that is not listed is denied.

Choosing the Time Range during which users can connect

The time restrictions offer several options: hour frames, quotas, and actions to take in case of session inactivity. The video tutorial focuses on the hour rules.

In the same way as the workstation rules, you can specify an authorized or a denied time frame. Define the days and the hours during which users can open a session on the protected workstations.

Also specify the session type concerned. If necessary, you can enter several hour sets, for example when specific days have different hour ranges.

Users from this group are denied if they try to log on during a non-authorized time frame.

Users are notified when the end of the authorized time frame is approaching, and their sessions are closed as defined.

Managing all User Restrictions

You can manage UserLock behavior when a user matches several rules.

The server properties give you the option to apply the least or the most restrictive policy. Choose the one that fits the policy you have defined.

For example, in the video tutorial we choose ‘least restrictive’. As we have defined a rule for the ‘Everyone’ group, we are sure that any user who opens a session on the network is limited to one concurrent session, unless they are a member of another group for which we have defined a higher limit.

If for any reason you have to define an exception for a specific user, you can create a rule targeting their user account. A protected account set for a user account always overrides the group/OU protected account policies.

For example, granting unlimited access to the built-in Administrator account consists of creating a user rule for that account and leaving its restrictions undefined.
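The precedence rules above (a user-account rule overrides group/OU rules, and the server-wide least/most restrictive setting decides how several matching group rules combine) can be modelled as a small decision function. The code below is an added illustration written for this page, not UserLock's own code; the policy, the group and machine names, and the interpretation that "least restrictive" takes the highest session limit and passes a machine or hour check if any matching rule allows it are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed model of the rule precedence described above; not UserLock's own code.
@dataclass
class Rule:
    target: str                              # "user:NAME", "group:NAME" or "ou:NAME"
    max_sessions: Optional[int] = None       # None = undefined, i.e. no session limit
    hours: Optional[Tuple[int, int]] = None  # (start_hour, end_hour), None = no time rule
    workstations: Optional[Set[str]] = None  # allowed machine names, None = no machine rule

def applicable(rules, user, memberships):
    """A rule on the user account overrides every group/OU rule; otherwise all matching rules apply."""
    own = [r for r in rules if r.target == f"user:{user}"]
    return own if own else [r for r in rules if r.target in memberships]

def combine(checks, mode):
    """Server setting: 'least' restrictive passes if any rule allows, 'most' needs every rule to allow."""
    if not checks:
        return True                          # no matching rule constrains this aspect
    return any(checks) if mode == "least" else all(checks)

def effective_limit(rules, user, memberships, mode="least"):
    """Concurrent session limit after combining the matching rules; None means unlimited."""
    limits = [r.max_sessions for r in applicable(rules, user, memberships) if r.max_sessions is not None]
    if not limits:
        return None
    return max(limits) if mode == "least" else min(limits)

def logon_allowed(rules, user, memberships, workstation, active_sessions, hour, mode="least"):
    """Evaluate a new logon attempt at the given hour (0-23) and return (allowed, reason)."""
    matched = applicable(rules, user, memberships)
    ws_checks = [workstation in r.workstations for r in matched if r.workstations is not None]
    if not combine(ws_checks, mode):
        return False, "workstation not authorized"
    hr_checks = [r.hours[0] <= hour < r.hours[1] for r in matched if r.hours is not None]
    if not combine(hr_checks, mode):
        return False, "outside authorized hours"
    limit = effective_limit(rules, user, memberships, mode)
    if limit is not None and active_sessions >= limit:
        return False, f"concurrent session limit of {limit} reached"
    return True, "allowed"

# Constructed sample policy: Everyone gets one session, Finance gets two on its own machines
# during office hours, and the built-in Administrator is left with undefined rules.
RULES = [
    Rule("group:Everyone", max_sessions=1),
    Rule("group:Finance", max_sessions=2, hours=(8, 18), workstations={"FIN-01", "FIN-02"}),
    Rule("user:Administrator"),
]
```

Switching the mode to "most" for a Finance member drops the effective limit back to the Everyone rule's single session, which is the trade-off the server setting controls.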

UserLock applies these access rules to secure user access to the Windows Active Directory domain and help organizations become compliant, a requirement for any information system that must meet major regulatory constraints.

The different reports available in UserLock can help you define your workstation user session policy. Take a look at the specific tutorial designed for this purpose.

The next step is to complete your access policy with the other session types that UserLock can monitor and protect: terminal sessions, Wi-Fi and VPN sessions, and web application sessions.