UserLock Documentation
UserLock Documentation
You are here: Getting started > Requirements

Requirements

Domain

Active Directory required (for workgroups, see the Standalone Terminal Server UserLock server type).
Functional level of forest and domain: Windows Server 2008 or higher.

Operating system

Choose your version :

expand_more
UserLock Server UserLock Console MFA feature SSO Service For workstation to protect For terminal servers to protect For NPS and IIS servers
Windows Client versions
Windows 11 check_circle check_circle check_circle
Windows 10 since version 1809 check_circle check_circle check_circle
Windows 10 before version 1809 check_circle check_circle errorcheck_circle
Windows 8 & Windows 8.1 check_circle check_circle errorcheck_circle
Windows 7 check_circle check_circleerror errorcheck_circle
Windows Vista check_circle check_circle
Windows XP check_circle
Mac Client versions
Catalina check_circle
Mojave check_circle
High Sierra check_circle
Sierra check_circle
El Capitan check_circle
Older version
Windows Server versions
Windows Server 2022 check_circle check_circle check_circle check_circle check_circle check_circle
Windows Server 2019 check_circle check_circle check_circle check_circle check_circle check_circle
Windows Server 2016 check_circle check_circle check_circle check_circle errorcheck_circle check_circle
Windows Server 2012 R2 check_circle check_circle check_circle check_circle errorcheck_circle check_circle
Windows Server 2012 check_circle check_circleerror check_circleerror errorcheck_circle check_circle
Windows Server 2008 R2 check_circle check_circle check_circleerror errorcheck_circle check_circle
Windows Server 2008 check_circle check_circle check_circle check_circle check_circle
Windows Server 2003 R2 check_circle check_circle check_circle
Windows Server 2003 check_circle check_circle check_circle
Windows Server 2000
Terminal Servers
Citrix Metaframe XP check_circle
Citrix Presentation Server 4 check_circle
Citrix XenApp check_circle
Any terminal servers using RDP sessions (Microsoft) or ICA sessions (Citrix) check_circle check_circle
RemoteApp* check_circle check_circle
RD Web** check_circle check_circle

For Windows Server Core, consult this page.

* Enrollment in MFA is not possible via RemoteApp. It is not possible to use MFA for RemoteApp sessions that require privilege escalation (UAC).

** RDWEB HTML5 is not supported for MFA.

Windows services and network protocols

  • The Remote registry service must be enabled and started on machines protected by UserLock.
  • The UserLock service is configured to logon by default as the 'Network Service' account. For some operations, the UserLock service needs to impersonate with an account having administrative privileges on target machines (see here).
  • The ICMP (ping) protocol must be authorized both ways between the UserLock server and the machines protected by UserLock.
  • The 'Microsoft File and Printer Sharing' protocol (SMB TCP 445) must be authorized both ways between the UserLock server and the machines protected by UserLock.
  • The Impersonation account must be able to access the administrative share of each machine "\\machinename\admin$" where the Desktop agent is installed.
    This share is activated by default on a domain. If it was deactivated, to reactivate it:
    • In the registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", set "AutoShareWks" and "AutoShareServer" values ​​(REG_DWORD) to 1.
    • Restart the computer.

We highly recommend to check that the requirements are in place before deploying agents. Click on the link below for the procedure.
How to check Windows services and network protocols requirements
Configure client requirements through group policies

Hardware

CPU and RAM

The required hardware for a UserLock server depends on the number of user sessions that  will be protected.

A medium-sized server should be sufficient in most cases - a server with a 2 GHz dual core CPU,  2 GB of RAM available and a recent hard drive should be able to manage up to 10,000 simultaneous sessions. With such a processor, UserLock can process up to 100 logon events/s. With such a logon rate, you can authenticate 6,000 users in one minute. Please note that in an organization with a very high quantity of users (for example greater than 10000) it is unlikely to have that many connections during the same minute.

Disk space

The disk space required for the installation process is 500 MB.

Additionally you have to consider the disk space consumed by the database to keep the user session history:

A logon event consumes 0.5 KB of disk space. Typically a user generates at least four connection events during a day (a logon, a lock, an unlock and a logoff) so you can calculate the disk space consumed per year as follows:

Example for 100 users:
100 x 4 x 0.5 KB = 200 KB/day = 4 MB/Month (20 business days) = 50 MB/Year

You can use this simple formula to estimate the disk space that will be consumed by the database according to the number of users and the time period your history will have to cover.

Network connection

A logon event exchanges 3 KB of data through the network. The network bandwidth consumed will depend on the logon rate.

For example a logon rate of 100 logons/s will generate 300 KB/s. Therefore any 100 Mb network card (10 MB/s) will be sufficient in most cases.

For example, if 5000 users log in within 10 minutes, you will need at least 25 KB per second of bandwidth.

Please note that if you have slow network connections to some remote sites, then you should take into account the number of users behind connections.

Database

All user session activity captured by UserLock is saved in a database to benefit from reporting and analysis features.

UserLock supports as database systems:

  • MS Access mdb file.
  • MS SQL Express 2005 and newer - 32/64 bit.
  • Microsoft SQL Server 2008 and higher
  • MySQL 5.6 and newer.

Please note that LocalDB editions are not supported.

To facilitate UserLock evaluation, the installation package integrates an MS Access database to archive all session activity. We do not recommend implementing UserLock with this database on the production environment. An MS SQL Server database system is required, with at least an 'Express' version.