Setting up Jump Server with Multi-Factor Authentication for a Financial Institution


  • Customer

    Branch of a Multinational Banking Group

  • Industry

    Financial Services

  • Geography

    Hong Kong

We found UserLock very easy to implement and will recommend it to other branches within the bank.

IT Officer

  • Challenge: The Hong Kong branch of a leading commercial bank needed to mitigate the risk of attack from unauthorized access to a jump server via remote desktop services.

  • Solution: Hosted on-premise, UserLock adds multi-factor authentication to corporate Active Directory credentials to secure access to jump servers, direct access to other terminal servers and workstations.

  • Result: With UserLock, the bank is able to strengthen user access to critical banking applications and help meet the C-RAF risk-based requirements from the Hong Kong Monetary Authority (HKMA).

The Challenge: Protecting Jump Server Connections

As with many financial institutions, this leading commercial bank based in Hong Kong uses jump servers to separate networks with different security requirements. Acting as a stepping point for administrators, a jump server isolates critical banking applications from potentially infected workstations.

Logging in with corporate Active Directory (AD) credentials, an administrator connects to a jump server via Microsoft’s Remote Desktop Services. The AD accounts are configured to allow or deny access.

However, the theft, compromise and misuse of credentials remain cornerstones of targeted attacks and fraud. AD accounts are subject to brute force attacks, where possible passwords are tried until the password is found, or dictionary attacks, where words and word combinations are tested as possible passwords.

For this reason, many cybersecurity standards mention the need to add multi-factor authentication (MFA) to prevent unauthorized access or operations. Requiring an additional security credential, such as a temporary one-time password provided by a token or authentication application, means AD credentials are of no value unless the other factor(s) used for authentication are acquired with them.

The Solution: Adding MFA with Hardware Tokens

The IT Management Team wanted a multi-factor authentication solution to secure access to jump servers and meet local audit requirements. The technology had to be provided by a system that was hosted locally (on premise) and worked with corporate AD credentials. The Team also required MFA for direct access to other terminal servers and for some specific workstations used for privileged access, and wanted to add MFA to better protect VPN connections.

UserLock has proven to meet all these requirements. With secure on premise hosting that needs no internet connection, it forces an additional proof of authentication to confirm user identity. It also supports several second-factor authentication options, including authenticator applications and hardware-based tokens such as YubiKey and Token2.

The Benefits: Easily Scale MFA to Protect Key Bank Assets

With the aim of further improving the banking sector’s cyber resilience, the Hong Kong Monetary Authority (HKMA) requires all financial institutions to complete C-RAF, a risk-based framework for authorized institutions to assess their own risk profiles and benchmark the level of defense and resilience that would be required to accord appropriate protection against cyber-attacks.

With UserLock, the bank is able to strengthen user access to critical banking applications and help meet C-RAF requirements.

  • Increased security
    The introduction of multi-factor authentication on jump servers, terminal servers and individual workstations significantly reduces the consequences of compromised credentials.
  • Easy to adopt
    Simple deployment and centralized management ensured a painless setup and on-boarding experience. Real-time monitoring gives administrators an instant overview of all user session activities, making it easy to check who is connected, from where and since when.
  • Cost effective
    The bank now has a secure and cost-effective solution for control and visibility over user access. Working right alongside Active Directory, it provides a robust MFA solution that can be enabled on all types of connections: Windows logon, RDP, RD Gateway, VPN and IIS, making further implementation simple.

