Guangdong Province Qingyuan Prison is a correctional facility with 1000 employees situated in Qingyuan, a city in north-western Guangdong province in the People's Republic of China.
Like in most correctional facilities, the prison records are considered the most sensitive information on Guangdong Qingyuan Prison’s network. These files include the inmates’ personal information such as details of transfers, parole records and activities recorded in the prison itself. So it is of paramount importance that access to this data is regulated and monitored.
Uncontrolled user access was becoming a security issue and so the IT administrators made it a priority to implement a system that would restrict concurrent logins and control and monitor access across the prison’s network.
Native Active Directory logon security was unable to verify users’ network access
The IT administrators oversee 600 PCs that run on Windows XP and Windows 7 operating systems and that are connected to Windows Server 2008 R2.
Initially, the prison used standard controls in Microsoft’s Active Directory to manage logins across the network. However, these controls are limited, and within Active Directory management it is not possible to restrict concurrent logins. This meant that an employee could log in to one computer in one department and then move to another computer on the other side of the prison and log in there, making it difficult to monitor which computer the employee was actually working from. This represented a significant security risk, negating the prison’s capability to identify users.
The prison also constantly encountered network security risks. For example, an employee would unknowingly transfer a virus to the network using a corrupted USB drive, and by the time the virus was detected on the network, it was too late to locate the point of origin or even try to identify who was using the computer at that time. Not having complete access control or monitoring capabilities made these incidents difficult to investigate.
Extend Active Directory Security to ensure a user really is who they say they are
In an attempt to better manage and monitor user access across the network, the prison’s IT administrators tried using their own scripts within Active Directory. However, this was not enough to meet the granular access management requirements.
After much research and comparing available solutions, the IT administrators identified two options that they could go for – the first was to invest heavily in a customized script solution and the second was to purchase an affordable access management software solution. The IT administrators went for option two and purchased IS Decisions’ UserLock.
With UserLock they were able to implement a user access control policy whereby an employee can log in to only one computer with Active Directory at any one time. This capability, alongside UserLock’s monitoring and audit functionality, allowed IT administrators to audit login behavior across the network.
Non-disruptive technology working alongside Active Directory to secure network access
Guangdong Qingyuan Prison installed UserLock in April 2015. Zhiwen TANG found the installation simple and was quickly able to brief the IT team who in turn briefed all employees with little to no training on how to use the software. Zhiwen said: “It was the perfect solution to what we needed in terms of just managing and monitoring access and prohibiting concurrent logins. We have been using UserLock for a few months now and it meets all our network access security policies.”
The implementation was easy, and it took two months to deploy UserLock across all 600 PCs. The IS Decisions team was helpful throughout the installation, and the IT administrators were able to find everything they needed from online support once it was up and running.
The UserLock reports simplify the documenting process and can easily sort information and output to PDF for reporting purposes.