UserLock Documentation
UserLock Documentation
You are here: Reference > Console > Server administration > User status

User status

UserLock real-time monitoring incorporates a risk indicator named 'User status' to better identify suspicious or inappropriate access behavior and potential threats to network security. By correlating each user’s access events with their customized authentication controls, the 'User Status' helps deliver a more complete view of the organization’s network activity and security risks.

The status assigned to each user evolves according to the user's actions when accessing or attempting to access the network. Activity deemed as a risk or high risk is clearly flagged in the 'User sessions' view, alerting administrators in real time about suspicious, disruptive or unusual logon connections.

This section allows you to customize the different triggers, and to switch this risk indicator from one status to another one according to your user access control policy.

High risk status

A user is considered to have a potentially high risk behavior when:

  • The frequency of denied logon by UserLock or/and Active Directory is over the frequency tolerated.
  • Two simultaneous initial access points are detected both from inside and outside the local network (i.e. the user is connected from inside and outside the network at the same time). This option is disabled by default.
  • Disallowed sessions are detected after a modification of UserLock rules or a network failure.

By default, the tolerated frequency for logon denied by UserLock and Active Directory is five failed attempts occurring in a period of 30 minutes.
You can adjust the number of denied logons in a period of time according to your policy.

All IP addresses outside of the following ranges will be considered as outside connections:

  • 10.0.0.0 - 10.255.255.255
  • 172.16.0.0 - 172.31.255.255
  • 192.168.0.0 - 192.168.255.255
  • fc00::/7
  • fe80::/10

Risk status

A user is considered to have a potentially risky behavior when:

  • The number of sessions open is over the customizable figure on each type of session controlled by UserLock.
  • The number of initial access points open is over the customizable figure.
  • The user tries to open a session although the account is locked in Active Directory.
  • The user tries to open a session although the account is disabled in Active Directory.
  • The user tries to open a new session from an existing session with different credentials. This option is disabled by default.

By default there are no personalized figures defined for this status.

You can define your own session limit triggering this status change by clicking on 'Add'.

 Then just enter the maximum number of sessions and the different session types.

You can define different limits according to the different session types by adding a new entry as previously described.

In the same way, you can define your own initial access point limit triggering this status change by switching the option to 'Limited to' and entering the value.

Note: This status can be used to simulate restriction if you don't want to define blocking restrictions through protected account rules. The status will be displayed in real time in the 'User sessions' view, and notifications can be defined at the end of this help section to alert you. Reports will also be available.

Unprotected status

This status is assigned to:

  • user accounts which are not members of any 'protected account' rules and are not eligible for another status.
  • local user accounts of workstations/servers.

This is an automatic status which can not be customized.

Protected status

This status is assigned to user accounts which are at least members of one 'protected account' rule (with or without limit) and are not eligible for another status.
This is an automatic status which can not be customized.

New user status

A new user is a user opening a session on the monitored network for the first time.

UserLock consider a user as new when:

  • Their account doesn't have any session activity history before their logon.
  • No session activity has been detected during a period of time before their logon.

The period of time without any activity after which a user connecting to the network will be considered as new is defined as 15 days by default and can be personalized.

Inactive status

A user without any open session, known by UserLock and recorded in UserLock logs is considered as inactive after a time period defined in days of inactivity on the network. This time period is defined by default as 15 days and can be customized.

Notifications

Pop-up and E-mail alerts can also be defined to warn UserLock administrators and operators on 'User status' changes.

Check the box corresponding to the notification alerts you want to trigger at user status changes and fill in recipient E-mail addresses or machine names for pop-ups.