Desktop agent technology
The UserLock 'Desktop' agent is designed to audit, control and protect workstations, servers and terminal servers. This agent audits all interactive sessions activity on these machines and protects them by applying a user access control policy defined through protected account rules.
The 'Desktop' agent is based on two technologies, depending upon the operating system on which it is installed.
From Windows 10 version 1809 and Server 2019
From version 12.2, UserLock has integrated a credential provider that allows the service to interact with the Windows login before the session is open. The credential provider is a DLL that deactivates the 'PasswordCredentialProvider' Microsoft credential provider so that it is not displayed to the user.
- When the user logs in with their Windows credentials, the UserLock credential provider checks Active Directory to verify if the user is authorized to log in.
- If the user is refused by Active Directory, the event is logged in UserLock.
- If the connection is allowed, the credential provider contacts the UserLock server to verify if UserLock policies allow the user to log in.
- If the user is refused by UserLock, the event is logged in UserLock, and the connection is refused.
- If the user needs to be enrolled in MFA, the enrollment dialogs are not displayed by the credential provider itself (this technology offers very limited GUI options) but by the login process part of the agent, which takes over to manage the enrollment.
- If the UserLock server is not reachable, the credential provider manages the offline MFA according to the settings in "Logons without network connection".
When a user's password expires, the following process is required if MFA is configured:
- Password Expiry Detection: Upon login, the system detects an expired password and prompts for a change.
- MFA Validation: If MFA is enabled, the user must successfully validate their MFA (e.g. OTP, authenticator app) before they can change their password.
- Failure to Validate: If MFA validation fails, the user cannot proceed with the password change.
- Password Change: After successful MFA, the user can change their password following defined complexity rules.
This ensures secure password updates when MFA is in place.
From Windows Vista / Windows Server 2008
The 'Desktop' agent is a Windows service configured to run as 'Local system'.
When a session is authorized by Windows authentication, the system normally starts the 'UserInit' process to initialize the session. UserLock configures the system to start the ULAgentExe process instead. ULAgentExe asks the UserLock server whether the session is allowed; only if the session is allowed under the defined user access control rules (UserLock protected accounts) is the 'UserInit' process started to initialize the session. Otherwise the session is closed.
For Windows XP/2003/2003R2 machines
The 'Desktop' agent is a GINA DLL (Graphical Identification and Authentication Dynamic-Link Library).
Every time a user initiates a logon or a logoff, the 'Winlogon' process calls the UserLock GINA to authenticate the user. As a first step, the UserLock GINA forwards the call to the standard Microsoft GINA. If the user is successfully authenticated by Windows security, the agent notifies the UserLock server and UserLock applies its own user access control rules (protected accounts) in order to accept or reject the logon.
There are other products that also replace the original Microsoft GINA DLL, for example the Novell client, smart card authentication systems or old versions of pcAnywhere. If you are using such products, you should first check that the UserLock agent works correctly with your software on a single test workstation before deploying it.
The GINA technology was removed in Windows Vista, so on Vista and later operating systems the UserLock 'Desktop' agent is based on a Windows service instead.
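An administrator who wants to confirm which of the three hook points described above is actually in use on a given host, and to baseline those locations (they are also common persistence points), can read them directly. This is an added example, not UserLock's own code or a documented UserLock procedure; it assumes the standard Winlogon and credential-provider registry locations, and because this page gives neither the ULAgentExe path nor the UserLock credential provider CLSID, it only reports what it finds rather than matching against known values.

```powershell
# Added example (not UserLock's code): report the state of the Winlogon hook points
# used by the three 'Desktop' agent technologies, for audit and baselining.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cpRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

function Get-WinlogonHook {
    param([string]$Name)
    # Returns the named Winlogon value, or $null when the value is absent.
    $item = Get-ItemProperty -Path $winlogon -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. Vista / Server 2008 and later: the agent replaces the Userinit value so that
#    its own process runs before userinit.exe. Default value carries a trailing comma.
$userinit        = Get-WinlogonHook -Name 'Userinit'
$defaultUserinit = "$env:SystemRoot\system32\userinit.exe,"
if ($userinit -and $userinit.Trim() -ieq $defaultUserinit) {
    Write-Output "Userinit : default ($userinit)"
} else {
    # Any other value means a third-party process is in the logon path; on an
    # agent-enabled host this is expected to be the UserLock agent (path assumed unknown here).
    Write-Output "Userinit : ALTERED -> '$userinit'"
}

# 2. XP / 2003: a replacement GINA is registered in GinaDLL. The value does not
#    exist on Vista and later, where GINA was removed.
$gina = Get-WinlogonHook -Name 'GinaDLL'
if ($gina) { Write-Output "GinaDLL  : $gina" }
else       { Write-Output "GinaDLL  : not set (expected on Vista and later)" }

# 3. Windows 10 1809 / Server 2019 and later: list registered credential providers
#    (name from each key's default value) and whether a 'Disabled' flag is present,
#    so the UserLock provider can be identified next to the Microsoft password provider.
Get-ChildItem -Path $cpRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    $state = if ($props.PSObject.Properties['Disabled'] -and $props.Disabled -eq 1) { 'disabled' } else { 'enabled' }
    '{0,-40} {1,-8} {2}' -f $_.PSChildName, $state, $props.'(default)'
}
```

Run it in an elevated PowerShell session and compare the output against a known-good host; a changed Userinit or an unexpected credential provider on a machine that should not have the agent is worth investigating.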