Windows Group Policy for login security
Windows Group Policies can be tedious to configure for logon and access policies. Here's how UserLock takes the strain out of administering and securing login access.
Published August 23, 2019The use of Windows Group Policy is often the tool of choice for the strict administration of Active Directory (AD) user accounts. But for logon and access policies, Group Policies can be tedious to configure, particularly so for small and medium-sized business (SMBs) with limited on-site IT expertise.
All business, including SMB’s, must be looking to protect confidential data from unauthorized access, particularly with the GDPR (General Data Protection Regulation) now in full force. According to cybersecurity expert Graham Cluley, many businesses could see their reputations left in tatters if they fail to shore up their defenses and are hit with GDPR fines.
UserLock takes the strain out of administering AD user login access
It simplifies these processes by providing real-time management of user logins for multiple session types, workstation access restrictions, session monitoring, and detailed auditing. Agent deployment is a breeze and with a pricing structure based on maximum simultaneous user sessions, it’s affordable for SMBs and enterprises alike.
With UserLock, connection rules and restrictions can be applied to AD user and administrator accounts, groups, and OUs and you can create temporary time-limited accounts for guests and contractors.
Rules are extremely versatile as you can set the number of initial access points to control points of entry into the network and concurrent user account logins. This is something AD and Group Policy are notoriously lacking in. The elderly LoginLimit tool was updated recently to support Windows 2012 R2 AD servers but is only capable of blocking all concurrent sessions.
Users can be restricted to specific AD computers and IP address ranges, limit access with time periods, set session lengths and apply time quotas.
Rules provide granular controls as they can be applied at AD group levels for general protection of large user bases and augmented with individual user rules which take precedence.
To further help improve user security behavior, awareness and stop password sharing in the workplace, is the option to warn users if their account is being used to logon to another computer. If this occurs, they’ll receive a pop-up message showing the computer in use and advising them to contact their administrator who will also have received an email alert from UserLock.
UserLock administrators can also interact with selected sessions by clicking on them in the console and logging users off, locking the workstations and resetting them. The blocking feature means you can instantly block a user and stop them reconnecting to any system while we investigated their activities.
Detailed reports are available for logon and logoff activities, logons denied by AD and UserLock, failed logins and concurrent session history. They can be scheduled to run at regular intervals or triggered by an event and exported to a range of formats including PDF, XLS, CSV, and HTML. Reporting is easily good enough to satisfy GDPR compliance and external auditors.
"UserLock takes the strain out of administering AD user login access. An important differentiator of UserLock is it complements AD and requires no modifications to its schema. It is the perfect access security partner for Windows Active Directory environments."
- Excerpt from IT Security Guru's technical review of UserLock
When it comes to managing access, group policy settings are not only tedious to configure but in fact, fail to ensure a user really is who they say they are. Each Windows securiyt gap represents a hole that puts your organization at risk. To ensure a user really is who they say they are, turn to more effective controls.