What is UserLock?
UserLock lets you customise user login rules (how users are allowed to log in) and monitors logins in real time, so you know who has logged in, where and when. All session events are saved to a database, giving a central audit trail across the whole network.
UserLock reduces the attack surface area, both internally and externally, and helps address regulatory requirements such as GDPR, PCI DSS, ISO 27001 and NIST SP 800-53.
UserLock is an additional layer on top of your AD authentication and, especially, authorisation.
This review highlights my experiences with the product in our lab and what we discovered when evaluating UserLock by IS Decisions in January 2017.
The product installed very quickly, in under two minutes, and we found we could install the software on any Windows server on the network.
It is not recommended to install the UserLock service on a workstation, for two reasons: the agents need to talk to the server so that it can apply policy and log to the central database, and workstations get shut down, which from an audit and tracking perspective will not give you the best results. In short, install UserLock on a server that is always on the network and is protected from users and any other unauthorised access.
A very simple and helpful configuration wizard pops up during the install to guide you to the next step.
The configuration was seamless, quick, self-explanatory and easy. No changes are made to the AD schema, which is a bonus as most admins dread this. You have three options during install. The first is Primary server, typically the first server you install in your UserLock estate. The second is the backup UserLock server, which maintains a copy of the primary; you have to supply the primary server address during its installation, so that if the primary becomes unavailable the logs and policies are maintained.
We played around with this feature in the lab, and it is recommended that you choose two servers from the start and install the primary first and the backup straight after, so that you don't forget, your documentation is complete and you have a resilient solution. Keep a backup of the files in any event, so that you can restore should you lose the entire site. This approach also helps maintain availability and integrity if something were to affect the live environment.
The above diagram depicts the installation options.
The third option, which I especially like for environments with jump boxes, is Standalone terminal server. This is useful when you have isolated terminal servers that are used to jump onto other environments from an air-gapped network. For instance, when you need to manage a remote platform you can connect to a terminal server, log on with an account that is only permitted to log in to that terminal server, and use UserLock to secure that account.
You then select the AD that you want UserLock to interact with. Something interesting I found: if the machine has been joined to an AD before and you are not connected to it during the install, UserLock still knows about that AD, meaning it uses whichever AD your computer and logged-in account are members of. My recommendation is therefore to be logged in with an account that has the required privileges during the install.
The diagram above depicts choosing the locally connected AD.
The above diagram depicts the configuration options for the servers, and the extensive reporting and session statistics, which we found quite useful.
The above diagram depicts the deployment system included with the UserLock platform; you are able to deploy the agent to a whole network in a matter of minutes.
Supported and upcoming platforms
Windows is the currently supported platform, but the development team have confirmed that other platforms such as Linux and Apple macOS will be supported in the next few releases.
Top ten things you can do with UserLock
- Manage access control to your Active Directory domain and control who can log on to which systems, and with which accounts.
- Manage and limit concurrent logins on Windows platforms. Not only is this good practice, it also helps you manage administrative privilege and where users and admins are logging in from. Because a second session is refused while the legitimate user is already logged in to their machine, a stolen credential cannot be used at the same time to log on elsewhere and make changes. Limiting concurrent logins also means users are far less likely to share their own credentials, as sharing impacts their own ability to access the network; it provides the motivation to adhere to the password-sharing policy. Clients will find this an easy way to get users to stop sharing passwords, which is a real problem in the industry, and UserLock helps police and manage this practice.
- Login restrictions, workstation and device enforcement by geo-location or IP address range. This feature allows more granular control over where a user can log in from and which ranges they can log in to. For instance, if users are only able to log in to workstations and an account is compromised, the attacker will not be able to use that account to log in to the servers, which sit on a different subnet of the same network.
- Logon schedule management: the ability to control the time windows in which a user or admin can log on to a system. For instance, if users are in the office from 09:00 to 17:00 and have no requirement to log on after hours, you can set a schedule that restricts access to that window. You might be thinking that you can do that in AD anyway, and you can; however, when an attacker gains access, the typical pattern is that they start changing AD, and since native logon hours are just an attribute on the account this can be undone in seconds. UserLock is an extra layer and builds on the concept of defence in depth.
- Monitor user and admin logins. This is another feature you may think you can do with AD; however, wiping the logs is trivial in some cases, so this feature is a great way to help correlate logon and logoff activity on a network. Bundled with a SIEM, you will be able to set thresholds, alerts and rules that react to certain events or incidents and help reinforce your security posture.
- Improve and demonstrate auditability and reporting on AD user login events. Over the past three years I can remember at least ten instances, whether I was performing the audit or being audited, where the auditor asked who logged in when and from where, and the staff had to clamber around for the information, in some cases only to find that the access logs had been overwritten. If we are honest, the current state of logging in the default products we use leaves a lot to be desired; when evaluating UserLock we found the logging refreshingly clear, easy to understand and complete, which helps in these situations.
- Privileged user monitoring and management. The common question I get asked is who is watching the watchers, and how do I know whether my IT guy is reading my email or logging in to servers and accessing data when they shouldn't be. My response is always the same, do you monitor the systems and admin logins, and the answer is almost always no. With UserLock you can monitor that access. It protects both the organisation and the admin: if ever there were an incident, the admin could easily demonstrate that it was not him or her who used the admin or service account to access data or systems that should not have been accessed. You can also set alerts so that if certain accounts are used, notifications are sent to the responsible people; this can also help identify attacks on your systems.
- Quick and easy deployment to a corporate network. You are able to deploy the agent to the Windows machines joined to your AD domain, and the process is quick and easy.
- Reporting and statistics on logons. It is possible to pull reports and login session statistics on how, where and when a user logs in. A word of caution when using this product in the EU: it is recommended that users sign an HR policy notifying them that you will be monitoring this activity for security reasons, especially after 25 May 2018, when GDPR applies.
- Manage protected accounts. With UserLock you can define and better manage protected accounts, including where, how and when they log on, which is useful in keeping the accounts from being used against the organisation or on a system they should not be used on.
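The logon restrictions and monitoring in the list above map onto two things a practitioner can check against their own environment: the native AD attributes UserLock layers on top of (logonHours and the "Log On To" workstation list) and the Security log events that logon monitoring is built from. The PowerShell below is an added example written for this review page; it is not code from the original article or from IS Decisions. It builds a logonHours mask in the layout Active Directory stores it in, then evaluates a set of constructed logon and logoff records (the shape of Security events 4624 and 4634, reduced to the fields needed) against a policy: office hours only, ordinary accounts on the workstation subnet only, no second interactive session while one is still open, and every logon by a privileged account reported. The account names, hosts, addresses, logon IDs and the 10.0.1.0/24 workstation range are all assumptions made up for the example.

```powershell
# Added example for this review page (not code from the article or from IS Decisions).
# Evaluates constructed logon/logoff records against a logon policy. Account names,
# hosts, addresses and logon IDs below are assumptions made up for the example.

# Build a 21-byte logonHours mask in the layout Active Directory stores it:
# 168 bits, one per hour, starting Sunday 00:00 UTC; within each byte the
# least-significant bit is the earliest hour.
function New-LogonHoursMask {
    param(
        [int[]]$Days = @(1, 2, 3, 4, 5),   # 0 = Sunday ... 6 = Saturday
        [int]$StartHour = 9,               # inclusive, UTC
        [int]$EndHour = 17                 # exclusive, UTC
    )
    $mask = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $bit = $d * 24 + $h
            $i = [int][math]::Floor($bit / 8)
            $mask[$i] = [byte]([int]$mask[$i] -bor (1 -shl ($bit % 8)))
        }
    }
    return ,$mask   # leading comma keeps the byte[] intact instead of unrolling it
}

# True when the hour containing $Time is set in the mask.
function Test-LogonHoursAllowed {
    param([byte[]]$Mask, [datetime]$Time)
    $t   = $Time.ToUniversalTime()
    $bit = ([int]$t.DayOfWeek) * 24 + $t.Hour
    $i   = [int][math]::Floor($bit / 8)
    return (([int]$Mask[$i] -shr ($bit % 8)) -band 1) -eq 1
}

# IPv4 CIDR membership without any external module.
function ConvertTo-IPv4Int {
    param([string]$Ip)
    $b = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    return ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}
function Test-IPInCidr {
    param([string]$Ip, [string]$Cidr)
    $network, $prefix = $Cidr.Split('/')
    $mask = [int64]4294967295 -bxor (([int64]1 -shl (32 - [int]$prefix)) - 1)
    return ((ConvertTo-IPv4Int $Ip) -band $mask) -eq ((ConvertTo-IPv4Int $network) -band $mask)
}

# Constructed records in the shape of Security events 4624 (logon) and 4634 (logoff),
# reduced to the fields the checks need. Times are UTC.
function New-LogonRecord($Id, $When, $User, $LogonId, $LogonType, $Computer, $ComputerIp, $SourceIp) {
    $t = [datetime]::ParseExact($When, 'yyyy-MM-dd HH:mm', [cultureinfo]::InvariantCulture)
    [pscustomobject]@{
        Id = $Id; TimeUtc = [datetime]::SpecifyKind($t, [DateTimeKind]::Utc); User = $User
        LogonId = $LogonId; LogonType = $LogonType; Computer = $Computer
        ComputerIp = $ComputerIp; SourceIp = $SourceIp
    }
}
$sampleRecords = @(
    (New-LogonRecord 4624 '2017-01-16 10:00' 'alice'     '0x1A3B' 2  'WS01'  '10.0.1.25' '-'),
    (New-LogonRecord 4624 '2017-01-16 10:30' 'alice'     '0x2C4D' 2  'WS07'  '10.0.1.77' '-'),
    (New-LogonRecord 4634 '2017-01-16 11:00' 'alice'     '0x1A3B' 2  'WS01'  '10.0.1.25' '-'),
    (New-LogonRecord 4624 '2017-01-16 22:15' 'bob'       '0x3E5F' 2  'WS02'  '10.0.1.40' '-'),
    (New-LogonRecord 4634 '2017-01-16 23:00' 'bob'       '0x3E5F' 2  'WS02'  '10.0.1.40' '-'),
    (New-LogonRecord 4624 '2017-01-17 11:00' 'bob'       '0x4A6B' 10 'SRV01' '10.0.2.5'  '10.0.1.40'),
    (New-LogonRecord 4624 '2017-01-17 12:00' 'adm-carol' '0x5B7C' 10 'SRV01' '10.0.2.5'  '10.0.1.9')
)

function New-Finding($Type, $Record, $Detail) {
    [pscustomobject]@{ Type = $Type; User = $Record.User; TimeUtc = $Record.TimeUtc; Detail = $Detail }
}

# Walk the records in time order and report policy violations.
function Find-LogonPolicyViolations {
    param(
        [object[]]$Records,
        [byte[]]$AllowedHours,
        [string]$WorkstationCidr,       # where ordinary accounts may log on
        [string[]]$PrivilegedAccounts   # accounts whose every logon is reported
    )
    $open = @{}        # user -> @{ LogonId = computer } for interactive sessions still open
    $findings = @()
    foreach ($r in ($Records | Sort-Object TimeUtc)) {
        if ($r.Id -eq 4634) {                                  # logoff closes the session
            if ($open.ContainsKey($r.User)) { $open[$r.User].Remove($r.LogonId) }
            continue
        }
        if ($r.Id -ne 4624 -or $r.LogonType -notin @(2, 10)) { continue }   # console and RDP only
        if (-not (Test-LogonHoursAllowed -Mask $AllowedHours -Time $r.TimeUtc)) {
            $findings += New-Finding 'OutOfHours' $r "logon to $($r.Computer) at $($r.TimeUtc.ToString('ddd HH:mm')) UTC"
        }
        if ($PrivilegedAccounts -contains $r.User) {
            $findings += New-Finding 'PrivilegedLogon' $r "$($r.User) on $($r.Computer) from $($r.SourceIp)"
        } elseif (-not (Test-IPInCidr -Ip $r.ComputerIp -Cidr $WorkstationCidr)) {
            $findings += New-Finding 'OutsideWorkstationRange' $r "ordinary account on $($r.Computer) ($($r.ComputerIp)), outside $WorkstationCidr"
        }
        if (-not $open.ContainsKey($r.User)) { $open[$r.User] = @{} }
        $elsewhere = @($open[$r.User].Values | Where-Object { $_ -ne $r.Computer })
        if ($elsewhere.Count -gt 0) {
            $findings += New-Finding 'ConcurrentSession' $r "already logged on to $($elsewhere -join ', ')"
        }
        $open[$r.User][$r.LogonId] = $r.Computer
    }
    return $findings
}

$policy = New-LogonHoursMask -Days @(1, 2, 3, 4, 5) -StartHour 9 -EndHour 17
Find-LogonPolicyViolations -Records $sampleRecords -AllowedHours $policy -WorkstationCidr '10.0.1.0/24' -PrivilegedAccounts @('adm-carol') |
    Format-Table Type, User, TimeUtc, Detail -AutoSize
```

Against the constructed records this reports four findings: alice's second console logon on WS07 while her WS01 session is still open (ConcurrentSession), bob's 22:15 logon (OutOfHours), bob's RDP logon to SRV01 on the server subnet (OutsideWorkstationRange) and adm-carol's logon to SRV01 (PrivilegedLogon). The same mask is what you would write into AD with `Set-ADUser -Identity bob -Replace @{logonHours = (New-LogonHoursMask)}`; logonHours is stored against UTC hours, so shift the window for your time zone, and `Set-ADUser -LogonWorkstations 'WS01,WS02'` is the native equivalent of pinning an account to named workstations. To run the check over real data, collect `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4634}` from the hosts or a collector, read TargetUserName, TargetLogonId, LogonType and IpAddress from `[xml]$_.ToXml()` and build the same record shape. The detection is only as good as the log retention the review complains about: a Security log left at its default size will overwrite the session you need before the auditor asks for it.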
There are currently many threats and vulnerabilities, and security professionals globally are in consensus that it is going to get worse before it gets better, especially because the large vendors that write our operating systems and platforms have not built in security by design. This opens up gaps in the market for niche products like UserLock. My team and I feel that discrete products like this elevate the security level of an organisation and can even reduce the attack surface exposed to threats such as ransomware. The product is simple to install, easy to configure and offers a level of protection that all small, medium and large businesses should be implementing as part of their security roadmap. There are so many security vendors in the marketplace that we are challenged to choose one that makes a significant difference to our security posture. Moreover, we are all so busy with everyday tasks that we often prefer the set-and-forget option when it comes to security platforms. UserLock lends itself to this model but also integrates with correlation platforms, and really does deliver value to organisations. It's worth a look, and I am sure you will see a lot more from this vendor.
WindowSecurity.com Rating: 4.5/5