UserLock Documentation
UserLock Documentation
You are here: Reference > Protected sessions > IIS sessions

IIS sessions

UserLock can monitor, control and apply a user access control policy on 'Internet Information Services' (IIS) sessions. Using 'Protected account' rules, you can enable MFA and contextual access restrictions on a specific IIS application such as 'Outlook Web Access' (see this advanced use case for details), RDWeb, SharePoint, CRM etc., or an Intranet website. As UserLock audits and stores in its database all IIS session access events, you can benefit from the database logs' reporting features.

To monitor IIS sessions, you need to deploy the UserLock 'IIS agent' on the server hosting the Web application you want to protect, and then configure the options of the relevant website folder to load the UserLock 'IIS agent'. You can find the 'IIS agent' configuration procedure here.


The IIS Agent is compatible with all IIS applications configured with the following authentication modes: "Windows Authentication" or "Basic Authentication".

Known limitations and additional settings

See here.