Active Directory required (for workgroups, see the Standalone Terminal Server UserLock server type).
Functional level of forest and domain: Windows Server 2003 or higher.
Choose your version :
|UserLock Server||UserLock Console||MFA feature||SSO Service||For workstation to protect||For terminal servers to protect||For NPS and IIS servers|
|Windows Client versions|
|Windows 10 Build 1803||check_circle||check_circle||check_circle|
|Mac Client versions|
|Windows Server versions|
|Windows Server 2022||check_circle||check_circle||check_circle||check_circle||check_circle||check_circle|
|Windows Server 2019||check_circle||check_circle||check_circle||check_circle||check_circle||check_circle|
|Windows Server 2016||check_circle||check_circle||check_circle||check_circle||check_circle||check_circle|
|Windows Server 2012 R2||check_circle||check_circle||check_circle||check_circle||check_circle||check_circle|
|Windows Server 2012||check_circle||check_circleerror||check_circleerror||check_circle||check_circle|
|Windows Server 2008 R2||check_circle||check_circle||check_circleerror||check_circle||check_circle|
|Windows Server 2008||check_circle||check_circle||check_circle||check_circle||check_circle|
|Windows Server 2003 R2||check_circle||check_circle||check_circle|
|Windows Server 2003||check_circle||check_circle||check_circle|
|Windows Server 2000|
|Citrix Metaframe XP||check_circle|
|Citrix Presentation Server 4||check_circle|
|Any terminal servers using RDP sessions (Microsoft) or ICA sessions (Citrix)||check_circle||check_circle|
* The following features are not available (as they require a desktop displayed during the session):
- The ability to remotely close sessions (if session limit is reached)
- Display Welcome Message
** RDWEB HTML5 is not supported for MFA.
Windows services and network protocols
- The Remote registry service must be enabled and started on machines protected by UserLock.
- The UserLock service is configured to logon by default as the 'Network Service' account. For some operations, the UserLock service needs to impersonate with an account having administrative privileges on target machines (see here).
- The ICMP (ping) protocol must be authorized both ways between the UserLock server and the machines protected by UserLock.
- The 'Microsoft File and Printer Sharing' protocol (SMB TCP 445) must be authorized both ways between the UserLock server and the machines protected by UserLock.
The Impersonation account must be able to access the administrative share of each machine "\\machinename\admin$" where the Desktop agent is installed.
This share is activated by default on a domain. If it was deactivated, to reactivate it:
- In the registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", set "AutoShareWks" and "AutoShareServer" values (REG_DWORD) to 1.
- Restart the computer.
We highly recommend to check that the requirements are in place before deploying agents. Click on the link below for the procedure.
How to check Windows services and network protocols requirements
Configure client requirements through group policies
CPU and RAM
The required hardware for a UserLock server depends on the number of user sessions that will be protected.
A medium-sized server should be sufficient in most cases - a server with a 2 GHz dual core CPU, 2 GB of RAM available and a recent hard drive should be able to manage up to 10,000 simultaneous sessions. With such a processor, UserLock can process up to 100 logon events/s. With such a logon rate, you can authenticate 6,000 users in one minute. Please note that in an organization with a very high quantity of users (for example greater than 10000) it is unlikely to have that many connections during the same minute.
The disk space required for the installation process is 500 MB.
Additionally you have to consider the disk space consumed by the database to keep the user session history:
A logon event consumes 0.5 KB of disk space. Typically a user generates at least four connection events during a day (a logon, a lock, an unlock and a logoff) so you can calculate the disk space consumed per year as follows:
Example for 100 users:
100 x 4 x 0.5 KB = 200 KB/day = 4 MB/Month (20 business days) = 50 MB/Year
You can use this simple formula to estimate the disk space that will be consumed by the database according to the number of users and the time period your history will have to cover.
A logon event exchanges 3 KB of data through the network. The network bandwidth consumed will depend on the logon rate.
For example a logon rate of 100 logons/s will generate 300 KB/s. Therefore any 100 Mb network card (10 MB/s) will be sufficient in most cases.
For example, if 5000 users log in within 10 minutes, you will need at least 25 KB per second of bandwidth.
Please note that if you have slow network connections to some remote sites, then you should take into account the number of users behind connections.
All user session activity captured by UserLock is saved in a database to benefit from reporting and analysis features.
UserLock supports as database systems:
- MS Access mdb file.
- MS SQL Express 2005 and newer - 32/64 bit.
- Microsoft SQL Server 2008 and higher
- MySQL 5.6 and newer.
Please note that LocalDB editions are not supported.
To facilitate UserLock evaluation, the installation package integrates an MS Access database to archive all session activity. We do not recommend implementing UserLock with this database on the production environment. An MS SQL Server database system is required, with at least an 'Express' version.