Review by: Dave Mitchell
Supplier: IS Decisions
Website: www.isdecisions.com
Price: 500-999 simultaneous user sessions, €7.75 per session (euros)
Scores
Performance 5/5
Features 5/5
Value for Money 4.5/5
Ease of Use 4.5/5
Support 5/5
Overall 5/5
Verdict: UserLock teams up seamlessly with Windows Active Directory to deliver easily managed user logon controls, essential concurrent session management and a wealth of auditing information.
With the GDPR (General Data Protection Regulation) now in full force, businesses must protect confidential data from unauthorized access. Strict administration of Active Directory (AD) user accounts is essential and although Group Policy is the tool of choice, processes such as logon and access policies can be tedious to configure and particularly so for SMBs with limited on-site IT expertise.
UserLock from IS Decisions simplifies these processes by providing real-time management of user logons for multiple session types, workstation access restrictions, session monitoring and detailed auditing. An important differentiator of UserLock is it complements AD and requires no modifications to its schema.
Another standout feature is UserLock’s ability to control concurrent user account logins – something AD and Group Policy are notoriously lacking in. The elderly LoginLimit tool was updated recently to support Windows 2012 R2 AD servers but is only capable of blocking all concurrent sessions.
Installation and deployment
UserLock requires a host running Windows Server 2008 upwards and for testing, we loaded it on a Windows Server 2016 system. The process took five minutes and was helped along by the copious online documentation.
For essential redundancy, UserLock can be installed on another host as a backup server which automatically takes over if the primary server fails. You can also install UserLock in a local standalone mode for protecting terminal servers.
First contact with UserLock’s well-designed management console fires up a wizard which helped us declare the lab’s AD server and set up a service account with administrative access to all protected computers. Next up is agent deployment which can be set to automatic or you can run it manually by selecting AD computers from the Agent Distribution pane.
Some preparatory work is required as Windows computers require the remote registry service and file and print sharing enabled. We also used MacBooks running macOS High Sierra and these needed SSH enabled from their local Sharing preferences panel.
We loaded the agents manually and found each task took around 20 seconds. Select any protected computer from the agent distribution pane and a drop-down menu offers options to restart, shutdown or wake them and run direct RDP sessions.
Close protection detail
UserLock starts auditing all sessions as soon as the agent is installed so you can move straight on to creating protected accounts. Connection rules and restrictions can be applied to AD user and administrator accounts, groups and OUs and you can create temporary time-limited accounts for guests and contractors.
Rules are extremely versatile as you can set the number of initial access points to control points of entry into the network. UserLock scores highly for its concurrent session rules as we could define the number of workstations a user can simultaneously logon to and apply restrictions to terminal, interactive, wireless/VPN and IIS sessions.
There’s more as you can restrict users to specific AD computers and IP address ranges, limit access with time periods, set session lengths and apply time quotas. Rules provide granular controls as they can be applied at AD group levels for general protection of large user bases and augmented with individual user rules which take precedence.
A valuable security feature that’ll stop password sharing in the workplace is the option to warn users if their account is being used to logon to another computer. If this occurs, they’ll receive a pop-up message showing the computer in use and advising them to contact their administrator who will also have received an email alert from UserLock.
User controls
During testing, we found UserLock worked seamlessly and unlike Group Policy, rules come into effect immediately after they have been applied. We set workstation concurrent session limits on multiple users and when they tried to logon to other computers and exceed their limits, they received a popup message warning them this was not permitted.
Users also received popup warnings the instant other employees tried to logon elsewhere with their credentials. Logon activity can be graded in severity where high risk alerts can be triggered when so many logins have been denied by UserLock or AD over a certain period.
UserLock administrators can interact with selected sessions by clicking on them in the console and logging users off, locking the workstations and resetting them. We particularly liked the blocking feature as we could instantly block a user and stop them reconnecting to any system while we investigated their activities.
Controlling wireless/VPN sessions requires a bit more work as NPS and RRAS agents must be deployed to servers hosting these services. Likewise with IIS sessions as UserLock’s ISAPI filter or HTTP module need to be installed on web servers.
This wasn’t a problem for our IIS servers as they appeared as separate entities in the agent distribution screen so the modules could be installed with one click. After manually enabling them locally, we could monitor all ISS sessions and manage access.
Web consoles and reporting
The UserLock console provides a real-time view of all the action with the main page showing pie charts of session, computer and agent activity. With IIS running on the UserLock host, we also installed its web console components and viewed activity remotely from a browser.
Some configuration tasks can’t be carried out from the web interface but we found the level of detail on activity was superior to the main console. Tablet and mobile versions are included and from our iPad, we viewed all session activity, saw historical session statistics and applied blocking actions to selected users.
Reporting is easily good enough to satisfy GDPR compliance and external auditors. From the main console, you have facilities for generating reports on any or all session types for select time periods, users and groups.
Detailed reports are available for logon and logoff activities, logons denied by AD and UserLock, failed logons and concurrent session history. They can be scheduled to run at regular intervals or triggered by an event and exported to a range of formats including PDF, XLS, CSV and HTML.
Conclusion
UserLock takes the strain out of administering AD user logon access and scores highly for its granular concurrent session controls. Unlike Group Policy, changes made in UserLock are propagated immediately and all logon controls are accessible from a single interface.
Agent deployment is a breeze and with a pricing structure based on maximum simultaneous user sessions, it’s affordable for SMBs and enterprises alike. Add in the extensive session auditing and reporting features and you have the perfect access security partner for Windows Active Directory environments.