Combining SSO With MFA and Contextual Restrictions Protects Active Directory Identities

  • Customer

    SYMTA Pièces

  • Industry

    Manufacturing

  • Geography

    France

UserLock is affordable, easy to set up, and easy to use.

Vincent Dousset CIO at SYMTA Pièces

  • Challenge: SYMTA Pièces was looking to enable single sign-on (SSO) and multi-factor authentication (MFA) for Office 365 using on-premises Active Directory (AD) credentials. They also wanted to ensure a choice for MFA that didn’t depend on a cell phone. In addition, they needed to secure VPN access with granular contextual restrictions as well as generally manage user activity.

  • Solution: After a successful trial period, SYMTA quickly chose UserLock to seamlessly extend the security of their existing AD infrastructure.

  • Result: Following an easy onboarding process, UserLock now provides SYMTA employees with seamless SSO access to Office 365, allows multiple options for MFA, and has the granular contextual restrictions needed to protect external VPN access and improve overall security.

SYMTA Pièces is a French family enterprise that specializes in adaptable parts for Fiat, Ford, New Holland and Laverda tractors and harvesters.

The Challenge: Secure On-Premises AD Credentials for On-Site and Cloud Access, From Anywhere

Over the past several years, SYMTA’s CIO, Vincent Dousset, has progressively added additional security layers to network access, with the strategy to prevent an attack before it happens. He and his team have worked on employee education, run external security audits, and put in place solutions to protect passwords. They were ready for the next step: to further secure login access and improve visibility of user activity on the network.

There were two things: one being to secure VPN access for third-party consultants, the other being to use SSO to protect access to Office 365.

Vincent Dousset
CIO at SYMTA Pièces

As to the first, some of SYMTA’s third-party consultants use a VPN to access the company network. A few of these consultants had recently been compromised, so Dousset’s goal was to prevent external attackers from exploiting the VPN. He needed to protect access to SYMTA’s AD accounts and to have ready visibility of all VPN activity.

Second, Dousset was looking for an additional layer of protection for employee access to Office 365. He wanted an MFA solution that went beyond what native AD offered, both for on-site and remote access.

If someone happened to compromise employee credentials, he wanted to know they would be blocked by the second authentication step. He also wanted to improve IT’s visibility of user logins and behavior, while increasing management capabilities with more granular contextual restrictions.

Lastly, he wanted to find a solution that didn’t depend only on a cell phone as a method of MFA, since not all SYMTA employees have a professional telephone.

The Solution: An Intuitive, Effective Solution Building on Existing AD Infrastructure

The IT team’s requirements quickly led them to UserLock after an online search.

What interested me in UserLock was not necessarily MFA right away, it was really to secure, to have an additional layer of security on top of Active Directory.

Vincent Dousset
CIO at SYMTA Pièces

His team quickly started the free trial. They liked the user-friendly, intuitive interface, and found the installation and onboarding process very easy. It not only met their needs but was also affordable.

During the trial period the support team and account manager were very responsive, which certainly didn’t push me to look elsewhere.

Vincent Dousset
CIO at SYMTA Pièces

After two to three weeks with the free trial, SYMTA was ready to move forward.

The Benefits: Internal and External Access Secured with Effective SSO, MFA and Contextual Restrictions

Dousset quickly noticed and appreciated the flexibility to choose between different authentication methods. After testing out a few options, he settled on Token2 classic tokens for all employees to use at the office (chosen because they are easy to use and durable in the warehouse). For remote employees, he opted for an authentication app to use with a cell phone.

I have an intern who helped set up our tokens with UserLock with no trouble. The solution is simple and user-friendly.

Vincent Dousset
CIO at SYMTA Pièces

SSO now streamlines login to various Office 365 apps, and reduces the burden on employees of entering complex passwords multiple times a day. Dousset likes that IT can choose how often to prompt for MFA at a granular level – setting a lower frequency for on-site access, but asking for MFA at each connection for remote access. This granularity falls in line with Dousset’s long-term initiatives to balance access security with employee productivity.

UserLock also allows Dousset to add an additional layer of security to third-party consultants’ VPN access. He now receives email alerts when a third-party consultant connects to the network via VPN, and he’s set up contextual restrictions by machine, IP address and more for all third-party consultants. If anyone tries to connect via VPN outside of the approved machines and IP addresses, for example, that access is now automatically blocked and the IT team receives an alert of suspicious activity from a specific third-party consultant’s AD account.

Dousset is satisfied that SYMTA now has a resilient, non-disruptive additional layer of protection that builds on existing AD infrastructure.
