Active Directory User Logon Logoff Security
So you want to control Active Directory (AD) user access in a more granular way than native Windows Group Policy allows? You want to restrict users from accessing the network based on criteria you specify? And you want to be alerted to any other suspicious logon activity, crucially before that activity becomes a serious problem?
You're absolutely right. This type of logon/logoff security is no longer just a concern for highly regulated industries that want to meet compliance requirements. It is for any organization at risk of a security breach that stems from compromised AD user accounts.
As reviewed by Ovum On-The-Radar: “UserLock blocks unauthorized users from gaining access to enterprise assets, and by improving the organization’s security posture, reduces the risk of external and internal security breaches.”
Extend Active Directory User Logon Logoff Security
UserLock gives network administrators a way to control all authenticated user sessions: if an AD user account is stolen, access to the network from the compromised account is automatically denied. Careless user behavior is also addressed: UserLock renders password sharing useless and secures logged-in workstations left unattended. By helping to verify an authenticated user's claimed identity, UserLock lets all access be attributed to an individual user. This helps discourage malicious activity and provides a comprehensive audit of all session access history and access attempts.
What's more, it does this with a simple and non-disruptive technology that works alongside Microsoft Active Directory to extend logon security, not to replace or overwrite it.
UserLock is a client-server application capable of auditing and controlling different types of user access connections. It implements its authorization functionality on top of Microsoft Active Directory authentication and relies on micro-agents installed on the monitored machines.
Non Disruptive Technology
With UserLock, no modifications are made to Active Directory or its schema.
Fast Implementation
UserLock can be hosted on any member server of the domain and is managed remotely from workstations or through a web console anywhere on the network.
Fast Agent Deployment
A micro-agent is deployed automatically (or manually, if preferred) on all machines. Once installed, all access connections are detected and saved in the UserLock database.
Across All Session Types
UserLock offers several agent types according to the type of session it has to monitor (workstation, terminal, Wi-Fi & VPN and IIS).
How does UserLock work?
The user enters their credentials to log on or to establish a connection to the domain network. These credentials are verified and validated against Active Directory. If authentication fails, the connection is refused by Windows and UserLock does not intervene; the agent does, however, notify the UserLock server about the logon failure, so that it is available for reporting. UserLock therefore adds an authorization decision after Windows authentication; it does not change how the credentials themselves are checked.
If authentication succeeds, the UserLock agent transmits to the UserLock server all information about the context of the requested connection. The UserLock server then processes and analyzes the data transmitted by the agent to check access control rules, trigger any alerts, refresh session information and save the user connection event in the database. The server then communicates its decision to the agent regarding acceptance or refusal of the requested connection.
Audited User Logon Logoff Data
UserLock records and reports on every session access event. On a connection event of a domain user to the network, the UserLock agent transmits to the server a set of data that includes:
Connection event type: logon, reconnection, disconnection, logoff, lock, unlock
Connection type requested: workstation, terminal, Wi-Fi, VPN, IIS
The user: domain, username
The source: machine or device name, IP address
This information is retrieved by the agent itself when the connection event is submitted by the user and sent encrypted to the UserLock server, which assigns the time of the connection request and saves everything in its database. All user connection information from agent hosts is thus collected and stored centrally.
Real-Time Access Controls to AD User Logons
All data audited at the moment of attempted connection is analyzed to verify if the user requesting the connection is subject to access control rules. Transparent to the user, these controls help verify authenticated users’ claimed identity to protect against unauthorized access and compromised credentials.
Defined for a user account, a user group and/or an organizational unit of users, the rules allow or deny a connection requested by a domain user account. UserLock then transmits this decision to the agent on the relevant system.
Access security is not a one-time activity. Restrictions should be evaluated and revised periodically so that improvements can be implemented. User access control rules can be modified at any time for a user or a group, or a temporary rule can be created to define an exception for a particular user. All changes are applied in real time and are effective immediately.
Number of Initial Access Points
UserLock can analyze the sequence of an AD user's logon connections to determine whether a session is a new point of entry to the network or a connection performed from an existing session.
A new point of entry is considered the initial access point for the user initiating the connection. Limiting the number of initial access points to one ensures that the user cannot open a session from a second location.
Number of Concurrent AD User Sessions allowed
The limit of concurrent sessions allowed can be used in association with the limit of initial access points to define how many, and which types of, sessions (workstation, terminal, Wi-Fi/VPN and IIS) an AD user can open from the same initial access point.
Control AD User Logon access by origin (location)
Define and manage the workstations/terminals, IP ranges and session types from which a user, group or organizational unit may log on; for example, restrict a user to connecting only from a specific machine.
Control AD User Logon access by time
The ‘Hour restrictions’ section allows you to define, by session type, the periods of time during which users can or cannot log on to the network; for example, to prevent connections outside certain hours.
Control AD User Logon access by time quota
A connection time quota can be assigned to set the maximum time a user may be connected to the network during a recurring period (day, week, month, ...) for specified session types.
Automatic Logoff of Idle AD User Sessions
To manage unattended workstations, UserLock can automatically log off sessions after a specified idle time. Every session of the user account is closed once the chosen idle period elapses.
Alert for defined AD logon events
The user rules also include alert notifications for defined connection events. Two types of alert can be defined: pop-up messages and email messages. The data audited during the connection, whatever the decision taken (authorized, refused or failed), are analyzed and compared against the criteria of aler
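The flow in "How does UserLock work?" and the rule types described above (initial access points, concurrent sessions, origin, hour restrictions, alerts on refused or failed events) can be made concrete with a small policy evaluator. The following Python block is an added illustration written for this page; it is not UserLock's code and does not reproduce any part of its API. It models a server that receives constructed connection events, keeps track of open sessions, applies the rules in order and records an audit entry plus an alert for each refused or failed event. The event fields, the Rule class, the user CORP\alice, the machine names and the IP addresses are all assumptions made for the example, and treating a logon from a machine where the user already has an open session as a connection from that session rather than a new entry point is a simplification chosen here, not a statement about how the product decides it.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Event:
    """One connection event as an agent would report it (field set is an assumption)."""
    kind: str          # "logon", "logoff" or "failed" (Windows rejected the credentials)
    session_type: str  # "workstation", "terminal", "vpn" or "iis"
    user: str          # "DOMAIN\\username"
    source: str        # source machine name
    ip: str            # source IP address
    when: datetime     # time of the request (assigned by the server in the real flow)


@dataclass
class Rule:
    """Restrictions of the kinds described above, for one user (hypothetical shape)."""
    max_initial_access_points: int = 1
    max_sessions: dict = field(default_factory=dict)      # session_type -> limit
    allowed_networks: list = field(default_factory=list)  # CIDR strings; empty = any origin
    allowed_hours: Optional[tuple] = None                 # (start, end) as time; None = any


class PolicyServer:
    """Server side: tracks open sessions, evaluates rules, records audit entries and alerts."""

    def __init__(self, rules):
        self.rules = rules   # user -> Rule
        self.sessions = {}   # user -> list of (session_type, source) currently open
        self.audit = []      # (user, kind, session_type, source, decision)
        self.alerts = []     # (user, decision) for every refused or failed event

    def handle(self, ev):
        """Process one event; return "allowed", "failed" or "denied: <reason>"."""
        decision = self._decide(ev)
        self.audit.append((ev.user, ev.kind, ev.session_type, ev.source, decision))
        if decision != "allowed":
            self.alerts.append((ev.user, decision))
        return decision

    def _decide(self, ev):
        open_sessions = self.sessions.setdefault(ev.user, [])
        if ev.kind == "failed":
            return "failed"  # Windows already refused the credentials: record only
        if ev.kind == "logoff":
            if (ev.session_type, ev.source) in open_sessions:
                open_sessions.remove((ev.session_type, ev.source))
            return "allowed"

        rule = self.rules.get(ev.user)
        if rule is not None:
            # Origin: the source IP must fall inside one of the allowed ranges, if any are set.
            if rule.allowed_networks and not any(
                ip_address(ev.ip) in ip_network(net) for net in rule.allowed_networks
            ):
                return f"denied: origin {ev.ip} not permitted"
            # Hour restriction: a single same-day window.
            if rule.allowed_hours is not None:
                start, end = rule.allowed_hours
                if not start <= ev.when.time() < end:
                    return "denied: outside allowed hours"
            # Initial access points: a logon from a machine where the user already has an
            # open session counts as a connection from that session, not a new entry point.
            entry_points = {src for _, src in open_sessions}
            if ev.source not in entry_points and len(entry_points) >= rule.max_initial_access_points:
                return "denied: initial access point limit reached"
            # Concurrent sessions of the requested type.
            limit = rule.max_sessions.get(ev.session_type)
            if limit is not None and sum(1 for t, _ in open_sessions if t == ev.session_type) >= limit:
                return f"denied: {ev.session_type} session limit reached"

        open_sessions.append((ev.session_type, ev.source))
        return "allowed"


def run_demo():
    """Constructed event sequence for one user; returns (server, decisions in order)."""
    u = "CORP\\alice"
    rules = {u: Rule(max_initial_access_points=1,
                     max_sessions={"workstation": 1, "terminal": 1},
                     allowed_networks=["10.0.0.0/8"],
                     allowed_hours=(time(7, 0), time(19, 0)))}
    server = PolicyServer(rules)
    t = datetime(2024, 3, 4, 9, 30)
    events = [
        Event("failed", "workstation", u, "WS01", "10.1.1.5", t),    # wrong password
        Event("logon", "workstation", u, "WS01", "10.1.1.5", t),     # first entry point
        Event("logon", "terminal", u, "WS01", "10.1.1.5", t),        # opened from that session
        Event("logon", "workstation", u, "WS02", "10.1.1.6", t),     # second entry point
        Event("logon", "vpn", u, "HOME-PC", "203.0.113.9", t),       # outside allowed range
        Event("logon", "terminal", u, "WS01", "10.1.1.5", t),        # second terminal session
        Event("logoff", "workstation", u, "WS01", "10.1.1.5", t),
        Event("logoff", "terminal", u, "WS01", "10.1.1.5", t),
        Event("logon", "workstation", u, "WS02", "10.1.1.6", t.replace(hour=22)),  # out of hours
        Event("logon", "workstation", u, "WS02", "10.1.1.6", t),     # WS01 closed: allowed
    ]
    return server, [server.handle(e) for e in events]


if __name__ == "__main__":
    srv, decisions = run_demo()
    for entry, decision in zip(srv.audit, decisions):
        print(entry[1:4], "->", decision)
```

Running run_demo() returns the decision for each event in order: the workstation logon from WS02 is refused while WS01 is still the user's only permitted entry point, the VPN attempt from 203.0.113.9 is refused on origin, the second terminal session is refused on the concurrency limit, the late-evening attempt is refused on hours, and the same WS02 logon succeeds once both WS01 sessions are closed. Every refused or failed event also produces an alert entry, mirroring the page's point that alerting applies whatever decision was taken.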