Requirements
Domain
Active Directory required (for workgroups, see the Standalone Terminal Server UserLock server type).
Functional level of forest and domain: Windows Server 2008 or higher.
Operating system
Choose your version :
UserLock Server | UserLock Console | MFA feature | SSO Service | For workstation to protect | For terminal servers to protect | For NPS and IIS servers | |
Windows Client versions | |||||||
Windows 11 | check_circle | check_circle | check_circle | ||||
Windows 10 since version 1809 | check_circle | check_circle | check_circle | ||||
Windows 10 before version 1809 | check_circle | check_circle | errorcheck_circle | ||||
Windows 8 & Windows 8.1 | check_circle | check_circle | errorcheck_circle | ||||
Windows 7 | check_circle | check_circleerror | errorcheck_circle | ||||
Windows Vista | check_circle | check_circle | |||||
Windows XP | check_circle | ||||||
Mac Client versions | |||||||
Catalina | check_circle | ||||||
Mojave | check_circle | ||||||
High Sierra | check_circle | ||||||
Sierra | check_circle | ||||||
El Capitan | check_circle | ||||||
Older version | |||||||
Windows Server versions | |||||||
Windows Server 2022 | check_circle | check_circle | check_circle | check_circle | check_circle | check_circle | |
Windows Server 2019 | check_circle | check_circle | check_circle | check_circle | check_circle | check_circle | |
Windows Server 2016 | check_circle | check_circle | check_circle | check_circle | errorcheck_circle | check_circle | |
Windows Server 2012 R2 | check_circle | check_circle | check_circle | check_circle | errorcheck_circle | check_circle | |
Windows Server 2012 | check_circle | check_circleerror | check_circleerror | errorcheck_circle | check_circle | ||
Windows Server 2008 R2 | check_circle | check_circle | check_circleerror | errorcheck_circle | check_circle | ||
Windows Server 2008 | check_circle | check_circle | check_circle | check_circle | check_circle | ||
Windows Server 2003 R2 | check_circle | check_circle | check_circle | ||||
Windows Server 2003 | check_circle | check_circle | check_circle | ||||
Windows Server 2000 | |||||||
Terminal Servers | |||||||
Citrix Metaframe XP | check_circle | ||||||
Citrix Presentation Server 4 | check_circle | ||||||
Citrix XenApp | check_circle | ||||||
Any terminal servers using RDP sessions (Microsoft) or ICA sessions (Citrix) | check_circle | check_circle | |||||
RemoteApp* | check_circle | check_circle | |||||
RD Web** | check_circle | check_circle |
For Windows Server Core, consult this page.
* Enrollment in MFA is not possible via RemoteApp. It is not possible to use MFA for RemoteApp sessions that require privilege escalation (UAC).
** RDWEB HTML5 is not supported for MFA.
Windows services and network protocols
- The Remote registry service must be enabled and started on machines protected by UserLock.
- The UserLock service is configured by default to log on as the 'Network Service' account. For some operations, the UserLock service needs to impersonate an account that has administrative privileges on target machines (see here).
- The ICMP (ping) protocol must be authorized both ways between the UserLock server and the machines protected by UserLock.
- The 'Microsoft File and Printer Sharing' protocol (SMB TCP 445) must be authorized both ways between the UserLock server and the machines protected by UserLock.
- The Impersonation account must be able to access the administrative share of each machine "\\machinename\admin$" where the Desktop agent is installed.
  This share is activated by default on a domain. If it was deactivated, to reactivate it:
  - In the registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", set "AutoShareWks" and "AutoShareServer" values (REG_DWORD) to 1.
  - Restart the computer.
We highly recommend checking that the requirements are in place before deploying agents. Click on the link below for the procedure.
How to check Windows services and network protocols requirements
Configure client requirements through group policies
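A pre-deployment check of the service, protocol and share requirements listed above, as an added example that is not part of UserLock or its documentation. It assumes Windows PowerShell 5.1 (for `Get-Service -ComputerName`) on Windows Server 2012 or later (for `Test-NetConnection`), run from the UserLock server under the impersonation account; the function name `Test-UserLockPrereq` and the machine names are hypothetical placeholders.

```powershell
# Added example: checks ICMP, SMB TCP 445, Remote Registry, admin$ and the
# AutoShare registry values from the UserLock server towards each machine.
# Placeholder machine names; replace with the machines to be protected.
$Targets = @('WKS-EXAMPLE-01', 'SRV-EXAMPLE-01')

function Test-UserLockPrereq {
    param([Parameter(Mandatory)][string]$ComputerName)

    $result = [ordered]@{
        ComputerName   = $ComputerName
        Ping           = $false
        Smb445         = $false
        RemoteRegistry = 'NotChecked'
        AdminShare     = $false
        AutoShare      = 'NotChecked'
    }

    # ICMP, server -> machine only. The reverse direction has to be tested
    # from the protected machine, since the requirement is "both ways".
    $result.Ping = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet

    # 'Microsoft File and Printer Sharing' (SMB over TCP 445).
    $result.Smb445 = (Test-NetConnection -ComputerName $ComputerName -Port 445 `
                        -WarningAction SilentlyContinue).TcpTestSucceeded

    if ($result.Smb445) {
        # Remote Registry must be enabled and started.
        try {
            $svc = Get-Service -Name RemoteRegistry -ComputerName $ComputerName -ErrorAction Stop
            $result.RemoteRegistry = "$($svc.StartType)/$($svc.Status)"
        } catch { $result.RemoteRegistry = 'QueryFailed' }

        # Administrative share reachable with the current (impersonation) account.
        $result.AdminShare = Test-Path -Path "\\$ComputerName\admin$"

        # AutoShareWks / AutoShareServer: a value of 0 means the share was deactivated.
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
            $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters')
            $result.AutoShare = ('AutoShareWks', 'AutoShareServer' |
                ForEach-Object { "$_=" + $key.GetValue($_, 'unset') }) -join '; '
            $hklm.Close()
        } catch { $result.AutoShare = 'QueryFailed' }
    }
    [pscustomobject]$result
}

$Targets | ForEach-Object { Test-UserLockPrereq -ComputerName $_ } | Format-Table -AutoSize
```

A row with `AdminShare` false and an `AutoShare` value of 0 points to the deactivated-share case described above; `QueryFailed` on the registry read usually means the Remote Registry service is not running or the account lacks administrative rights on that machine.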
Hardware
CPU and RAM
The required hardware for a UserLock server depends on the number of user sessions that will be protected.
A medium-sized server should be sufficient in most cases: a server with a 2 GHz dual core CPU, 2 GB of RAM available and a recent hard drive should be able to manage up to 10,000 simultaneous sessions. With such a processor, UserLock can process up to 100 logon events/s. At that logon rate, you can authenticate 6,000 users in one minute. Please note that in an organization with a very large number of users (for example, more than 10,000), it is unlikely that this many connections will occur during the same minute.
Disk space
The disk space required for the installation process is 500 MB.
Additionally you have to consider the disk space consumed by the database to keep the user session history:
A logon event consumes 0.5 KB of disk space. Typically a user generates at least four connection events during a day (a logon, a lock, an unlock and a logoff) so you can calculate the disk space consumed per year as follows:
Example for 100 users:
100 x 4 x 0.5 KB = 200 KB/day = 4 MB/Month (20 business days) = 50 MB/Year
You can use this simple formula to estimate the disk space that will be consumed by the database according to the number of users and the time period your history will have to cover.
Network connection
A logon event exchanges 3 KB of data through the network. The network bandwidth consumed will depend on the logon rate.
For example a logon rate of 100 logons/s will generate 300 KB/s. Therefore any 100 Mb network card (10 MB/s) will be sufficient in most cases.
For example, if 5000 users log in within 10 minutes, you will need at least 25 KB per second of bandwidth.
Please note that if you have slow network connections to some remote sites, you should take into account the number of users behind those connections.
Database
All user session activity captured by UserLock is saved in a database to benefit from reporting and analysis features.
UserLock supports the following database systems:
- MS Access mdb file.
- MS SQL Express 2005 and newer - 32/64 bit.
- Microsoft SQL Server 2008 and higher.
- MySQL 5.6 and newer.
Please note that LocalDB editions are not supported.
To facilitate UserLock evaluation, the installation package integrates an MS Access database to archive all session activity. We do not recommend implementing UserLock with this database in a production environment. An MS SQL Server database system is required, with at least an 'Express' version.