UserLock Documentation

Best Practices for using UserLock

UserLock uniquely empowers IT to leverage the Active Directory logon as a critical security checkpoint. As you’re getting started with the software, take a look at these best practice tips to ensure you get the most out of UserLock.

  1. Apply MFA policies for the most privileged users

    There is no one-size-fits-all policy for privileged users, so your settings will depend on your environment and how your users connect. However, as a best practice, these highly privileged users should require MFA at every login.

    Create a protected account for the Group, OU or individual user that you consider to be “privileged”.

    Protect a new account

    An administrator’s tasks might require that they have several types of sessions open throughout the day including their local desktop session and RDP sessions for internal IT tasks on workstations and servers. Enable MFA on all types of connections for these users for every login.

    MFA - Workstation Restrictions

    MFA - Server Restrictions

    NB: To avoid locking out all admins if someone makes a mistake in a protected account, the following is recommended. Create a user account that always has full access to a machine where the UserLock console is installed. This account can then make changes to the console and unblock users when necessary.

    Make sure the user is added to the security section of UserLock:

    Server Properties

    Create a protected account for this user that will override any other protected account:

    Protect a new account

    Initial access points

    MFA not configured

  2. Require MFA for all users connecting remotely from outside your network

    Attacks on your network often come from someone connecting with legitimate but stolen credentials. MFA can significantly reduce your attack surface and stop attackers trying to penetrate the network with those credentials.

    Create a protected account for “everyone”.

    Protect a new account

    Enable Workstation and Server connections for “From outside” and “All logons” or “first logon of the day” depending on how your users connect throughout the day, and how strict you’d like to be.

    MFA - Workstation Restrictions

    MFA - Server Restrictions

  3. Require MFA for logons without network connection

    Today’s working environment is as mobile as its users. Whether users are working from home, or traveling, they still have access to company data, and the risk of material getting misplaced or stolen is higher. What happens when a sales rep leaves a laptop on the train with sensitive company and client data? Use the MFA for connections outside of the corporate network to secure your most vulnerable devices.

    Go to Server Properties => Connections from machines without network connection.
    Select “Ask for MFA”.

    Connections from offline machines

    Once this feature is enabled, the user must already be enrolled in MFA and have connected once to that machine while connected to the corporate network. After that, all logons without network connection will be prompted with MFA. For more information about this setting, see this use case.

  4. Restrict users to initial access points, with the control to remotely logoff previously opened sessions

    Balancing security and user productivity is a constant battle for IT admins. You need to limit access to your network without impeding users. You can do this in UserLock by limiting the points of entry into the network, but also allowing users the option to remotely logoff existing sessions, if they exceed their limit, without having to contact the Help Desk.

    The setting is part of the protected account, so it can be enforced for a specific user, group or OU.

    Define a number of initial access points allowed.

    Initial access points

    And enable users to logoff existing sessions remotely to stay within their limit:

    Allow to logoff an existing session

  5. Enable workstation restrictions for device management

    Educating users is an important step in any security policy. But users need to be protected from themselves as much as outside attackers. For example:

    • Karen from finance has no good reason to connect to a machine in the sales department.
    • Remote workers should only connect via VPN from a known device.
    • Admins should not use their Domain Admin accounts to troubleshoot users’ workstations.

    Use workstation restrictions to enforce company security policy while reducing your attack surface.

    • Limit users to specific machines or Computer OUs.
    • Allow VPN or RDP connections from trusted devices.
    • Limit by IP address.

    For example, create a protected account for your Domain Admins:

    New account to protect

    Authorize these accounts to access only domain controllers or machines that are heavily safeguarded (behind your fortress!).

    Add Organizational Unit

  6. Schedule a working hours report to monitor user activity

    Whether you need to fulfill a manager’s request for a user’s working hours or just want to keep an eye on when users connect to the network, the Working Hours report gives you an easy way to check each user’s first connection and last logoff of the day. Schedule the report by AD group to be sent to each respective manager, giving them visibility of their team’s daily login and logoff times.

    Users report

    You can choose from 4 predefined reports:

    Working hours

    Filter by AD Group:

    Group filter

    Schedule the report in the Quick Access Panel:

    And email it to the department manager:

    Schedule report

    For more info on scheduling reports, go here.

  7. Use Geolocation Restrictions to block any access from non-authorized countries

    The simplest way to reduce your global attack surface is to reduce your access around the globe. In protected accounts for OUs, groups or users, allow users to log in from authorized countries only. You can even choose to refuse connections from proxy servers and connections where the geolocation cannot be determined.

    Geolocation Restrictions

  8. Set up alerts for all logins denied by UserLock

    Now that you’ve put your access policies in place to require MFA or restrict unwanted access, wouldn’t you like to know when someone tries to connect outside of their allowed policies?
    Set up email or popup notifications for all users whose connections are refused because of a UserLock restriction.

    You can do this for each protected account, or just create one for the group “Everyone” to make it easier.

    In the protected account, under “Notifications”, enable email notifications for “Logons denied by UserLock” for the three session types:

    Logon denied by UserLock

  9. Set Agent distribution settings for an optimal deployment

    UserLock needs to deploy agents to machines that you wish to protect. To optimize onboarding new machines, enable the following settings:

    Enable the “Automatic Mode” in agent distribution to automatically deploy agents when new machines are added to the network.

    Agent distribution - Automatic mode

    To ensure that agents can be installed successfully, the Remote Registry service needs to be enabled on endpoints. Allow UserLock to enable this service when trying to deploy agents. To do this, right-click on Agent distribution and select “Properties”.

    Agent distribution

    Check the box to authorize this setting:

    Authorize setting
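    Before relying on UserLock to enable the service during deployment, it helps to know which endpoints already have Remote Registry disabled. The following PowerShell function is an added example, not UserLock’s own tooling; it assumes WinRM is reachable on the targets and that the caller is a local administrator on them. It audits the service state and, only when `-Remediate` is given, sets the startup type to Manual and starts it.

```powershell
# Added example (not part of UserLock): audit the Remote Registry service on
# endpoints before agent deployment, optionally remediating disabled instances.
# Assumes WinRM access and local admin rights on each target.
function Test-RemoteRegistryReady {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName,
        [switch]$Remediate
    )

    foreach ($computer in $ComputerName) {
        try {
            # StartType is exposed by Get-Service on PowerShell 5.0 and later
            $svc = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                Get-Service -Name RemoteRegistry | Select-Object Name, Status, StartType
            }
        }
        catch {
            # Unreachable hosts are reported explicitly rather than skipped
            [pscustomobject]@{
                ComputerName = $computer; Status = 'Unreachable'
                StartType    = $null;     Ready  = $false; Error = $_.Exception.Message
            }
            continue
        }

        # A Disabled startup type is what blocks agent installation
        $ready = ($svc.StartType -ne 'Disabled')

        if (-not $ready -and $Remediate -and
            $PSCmdlet.ShouldProcess($computer, 'Set RemoteRegistry to Manual and start it')) {
            Invoke-Command -ComputerName $computer -ScriptBlock {
                Set-Service -Name RemoteRegistry -StartupType Manual
                Start-Service -Name RemoteRegistry
            }
            $ready = $true
        }

        [pscustomobject]@{
            ComputerName = $computer;      Status = $svc.Status
            StartType    = $svc.StartType; Ready  = $ready; Error = $null
        }
    }
}

# Usage (hostnames are placeholders): audit first, remediate only after review
Test-RemoteRegistryReady -ComputerName 'WS01', 'WS02' | Format-Table -AutoSize
# Test-RemoteRegistryReady -ComputerName 'WS01' -Remediate -WhatIf
```

    Run the audit without `-Remediate` first; `-WhatIf` shows what the remediation would change without touching the endpoint.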

  10. Enable Remote Assistance for easy troubleshooting

    With UserLock you can see where users are connected in real time. For help desk tickets where the admin needs to troubleshoot the machine in question, you can use the Remote Assistance shortcut in the console to connect to users’ open sessions (it is available in the "Quick access panel" of the User sessions and Agent distribution views).

    To be able to use it, the "Remote Assistance" feature must be activated on the computer on which the console is installed (by default, this feature is activated on workstations and deactivated on servers), and "Offer Remote Assistance" must be configured in domain policy and allowed in firewalls. FYI, this link explains the prerequisites for Remote Assistance very well.

    To add the shortcut to the console, go to Tools => Options => Computer commands:

    Tools Options

    Click on “Add” and select “Remote Assistance” from the drop-down menu:

    Remote assistance

    Back in the UserLock console, select an open session and choose Remote Assistance from the menu in the right panel, or right-click the open session and select it from the drop-down menu:

    Remote assistance
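    The three prerequisites above (Remote Assistance enabled on the machine, the "Offer Remote Assistance" policy applied, and the firewall rule group allowed) can be verified on a target machine before opening a ticket. This PowerShell function is an added example, not UserLock documentation; it assumes WinRM access to the target and reads the registry values that the System Properties checkbox and the Group Policy setting write (fAllowToGetHelp and fAllowUnsolicited).

```powershell
# Added example (not part of UserLock): check Remote Assistance prerequisites
# on a machine. Assumes WinRM access; run against the console host or a target.
function Get-RemoteAssistancePrereq {
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # Written by the "Allow Remote Assistance connections" checkbox
        $ra = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' `
                               -ErrorAction SilentlyContinue

        # Written by the "Configure Offer Remote Assistance" Group Policy setting
        $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
                                   -ErrorAction SilentlyContinue

        # Built-in firewall rule group that Remote Assistance traffic relies on
        $fwRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Assistance' -ErrorAction SilentlyContinue)
        $fwEnabled = @($fwRules | Where-Object { $_.Enabled -eq 'True' })

        [pscustomobject]@{
            ComputerName                = $env:COMPUTERNAME
            RemoteAssistanceEnabled     = ($ra.fAllowToGetHelp -eq 1)
            OfferRemoteAssistancePolicy = ($policy.fAllowUnsolicited -eq 1)
            FirewallRulesEnabled        = $fwEnabled.Count
            FirewallRulesTotal          = $fwRules.Count
            # Ready only when every prerequisite named on this page is satisfied
            Ready = ($ra.fAllowToGetHelp -eq 1) -and ($policy.fAllowUnsolicited -eq 1) -and
                    ($fwRules.Count -gt 0) -and ($fwEnabled.Count -eq $fwRules.Count)
        }
    }
}

# Usage (hostname is a placeholder)
Get-RemoteAssistancePrereq -ComputerName 'WS01' | Format-List
```

    A missing policy key simply reports `OfferRemoteAssistancePolicy` as false, which is the usual cause when the console shortcut is present but the connection is refused.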