UserLock is an effective authentication solution for on-premises and hybrid Windows environments, providing multi-factor authentication with contextual access policies, single sign-on, and in-depth auditing and reporting. While the platform requires some background knowledge of Active Directory to set up and manage MFA policies, it is well-suited to mid-sized and large organizations looking to secure user access to on-prem and cloud resources through on-premises authentication. For this audience, UserLock is a powerful tool that enables businesses to improve their identity and access security, as well as prove compliance with a variety of data protection standards.
UserLock is an authentication and access management solution for Active Directory (AD) environments. UserLock secures user access to on-premises and hybrid corporate systems and applications by combining multi-factor authentication, single sign-on, and granular session management.
As a result of its security and management features, UserLock supports compliance with a range of regulations worldwide, including GDPR, PCI-DSS, HIPAA, ISO 27001, SOX, and NIST 800-53. This makes it a strong solution for mid-size and larger organizations operating within highly regulated sectors that are looking for a scalable, secure way to manage user access and prove compliance with data protection and insurance requirements.
With UserLock, admins can enforce two-factor authentication across all AD identities for secure Windows logon, Remote Desktop (RDP and RD Gateway), IIS, VPNs, and cloud application access. Note that UserLock doesn’t support MFA for all VPNs, but is compatible with VPNs using the RADIUS challenge method and RRAS method. Additionally, MFA on access to cloud apps is only available via single sign-on (see below).
Admins can control the circumstances and frequency under which users are prompted to authenticate, minimizing friction to the end user login process. End users can authenticate via push notification, authenticator apps, or hardware tokens such as YubiKey and Token2. This makes the platform particularly well-suited to industries such as manufacturing, where it may not be possible for users to authenticate via a method that requires access to a cellular network or internet connection.
In the event a user is unable to authenticate, UserLock supports the use of recovery codes, and admins can define how many recovery codes users can have. Admins can also enable an “Ask For Help” button that allows users to request help if they’re unable to log in. If a user requests help, admins can remotely reset their MFA key or temporarily disable MFA for that user.
When creating a new rule, admins can choose to apply it to all logins, remote logins only, or external logins only. This has some limitations; conditional access policies (“if/then”) would be more intuitive.
Additionally, admins can allow, request, or enforce MFA for logins without a network connection. This is particularly useful for organizations where users may not be logging in from the office, e.g., law enforcement.
The desktop interface for configuring MFA rules is straightforward to use, but the UI is dated. However, IS Decisions plans to update this by mid-2024 so that the interface aligns with that of their much more intuitive web app.
From the “Protected Accounts” dashboard, admins can configure rules to grant, deny, or limit logins based on contextual factors. These include machine/device type, time of login, session type, and concurrent login limits. All rules can be created at a user, group, or organizational unit level. These contextual access management features can be used in conjunction with MFA to deliver granular, customized—though not completely adaptive—MFA.
Note that while admins can create conditional access rules based on time of login, they cannot enforce MFA for only certain hours, e.g., only outside of normal working hours. They can restrict access during those hours, but this is separate from the platform’s MFA functionality.
Admins can enable single sign-on (SSO) using SAML 2.0 for frictionless user access to cloud applications. The SAML protocol can be used to provide federated authentication for cloud applications using on-premises Active Directory identities. This allows organizations to retain on-premises AD as the primary identity provider by using a SAML request to extend authentication to the cloud.
Once synced, admins can also apply MFA, geolocation, and IP address access restrictions to cloud apps.
The reporting pages within the management console provide admins with a centralized audit of user access activity across their network, as well as any potential threats, with real-time insights.
Reports available include:
The Working Hours report is particularly useful for organizations that want to monitor the number of hours remote users spend active or with their screen locked.
Reporting is currently much more intuitive within the web app than the desktop app.
If a login attempt doesn’t align with pre-configured contextual rules (e.g., a user is trying to log in outside of their allowed hours), that login is automatically blocked. Admins can configure alerts to notify themselves and end users of inappropriate, unusual, or suspicious login activity and failed login attempts.
Additionally, if an admin notices any suspicious behavior within a user’s session in real-time, they can block that session remotely, with the choice of ending the current session and forcing logoff, or blocking the user from starting future sessions.
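The contextual rules described under “Protected Accounts” above (scoped to a user, group, or OU; checked against session type, time of login, and a concurrent-session limit) and the automatic blocking described in the previous paragraphs, as an added Python illustration that is not UserLock’s own code: the precedence order, rule names, and all sample logins are constructed assumptions, and MFA is deliberately left out of the decision to mirror the caveat that it is configured separately.

```python
from dataclasses import dataclass, field
from datetime import datetime
# Constructed model of UserLock-style contextual access rules (not the product's own code).
SCOPE_RANK = {"user": 3, "group": 2, "ou": 1}   # user rule beats group rule beats OU rule

@dataclass
class Rule:
    scope: str                                  # "user", "group" or "ou"
    target: str                                 # account, group or OU name
    session_types: set[str] = field(default_factory=lambda: {"local", "remote", "external"})
    allowed_hours: tuple[int, int] = (0, 24)    # [start, end) hour of day, local time
    max_concurrent: int = 0                     # 0 means no concurrent-session limit

@dataclass
class Login:
    user: str
    groups: set[str]
    ou: str
    session_type: str                           # "local", "remote" or "external"
    when: datetime
    active_sessions: int                        # sessions the user already has open

def evaluate(login: Login, rules: list[Rule]) -> tuple[str, str]:
    # Allow/deny from the most specific matching rule; MFA is a separate decision, as on the page.
    scopes = {("user", login.user), ("ou", login.ou)} | {("group", g) for g in login.groups}
    matching = [r for r in rules if (r.scope, r.target) in scopes]
    if not matching:
        return "allow", "no contextual rule matched"
    rule = max(matching, key=lambda r: SCOPE_RANK[r.scope])
    if login.session_type not in rule.session_types:
        return "deny", f"{login.session_type} session not permitted by {rule.scope} rule"
    start, end = rule.allowed_hours
    if not start <= login.when.hour < end:
        return "deny", f"login at {login.when:%H:%M} outside allowed hours {start:02d}-{end:02d}"
    if rule.max_concurrent and login.active_sessions >= rule.max_concurrent:
        return "deny", f"concurrent session limit of {rule.max_concurrent} reached"
    return "allow", f"permitted by {rule.scope} rule"

# Constructed policy: Sales OU office hours only; Finance remote until 20:00, max two sessions; alice local only.
SAMPLE_RULES = [Rule("ou", "Sales", allowed_hours=(8, 18)),
                Rule("group", "Finance", allowed_hours=(7, 20), max_concurrent=2),
                Rule("user", "alice", session_types={"local"})]

def run_samples() -> list[tuple[str, str]]:
    # Constructed login events; returns (user, decision) for each so outcomes can be checked.
    logins = [Login("bob", {"Sales"}, "Sales", "local", datetime(2024, 3, 4, 22, 15), 0),
              Login("carol", {"Finance"}, "Finance", "remote", datetime(2024, 3, 4, 19, 0), 2),
              Login("alice", {"Finance"}, "Finance", "remote", datetime(2024, 3, 4, 10, 0), 0),
              Login("dave", {"Finance"}, "Finance", "remote", datetime(2024, 3, 4, 10, 0), 1)]
    return [(login.user, evaluate(login, SAMPLE_RULES)[0]) for login in logins]
```

The “deny” outcomes are the events an admin would route to the alerting described above; the user-level rule for alice overriding her group rule shows the precedence the page attributes to per-user configuration.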
UserLock was designed to integrate seamlessly with on-premises Windows environments without changing any existing schema. From download, it takes approximately 20 minutes to deploy and configure a trial version for a few users. A full deployment takes a little longer, but is still straightforward, and the platform offers API-based integrations with other IT management and security tools (e.g., SIEMs) for ease of deployment and ongoing management.
UserLock is agent-based; as soon as you install the Windows desktop agent, NPS (WiFi and VPN) agent, or IIS agent, you can start monitoring user logins and sessions.
UserLock offers high levels of functionality via its desktop management app, but the interface is dated. Configuring MFA rules does require some technical understanding. The platform also offers a web app, which is much more modern and intuitive, and enables remote access to UserLock from any device. However, the web app is not yet fully featured. IS Decisions plans to update the interface of the desktop app to match the web app by mid-2024.
IS Decisions offers full technical support via their France-based support team, as well as extensive product documentation and an FAQ section on their website. Support is offered during product trials as well as with a full subscription, and is available Monday to Friday, 9am-6pm CET. Requests for POC and integration support are evaluated on a case-by-case basis.
UserLock is a strong user authentication tool for mid-sized organizations and larger enterprises with an on-premises Windows environment. It’s also highly useful for organizations that have a hybrid environment and are struggling to find a platform that offers secure access to on-prem resources as well as those in the cloud, as it offers on-prem user authentication for cloud resources via SAML-based SSO.
Its strength in reporting makes UserLock well-suited to organizations that need to prove compliance with strict data protection standards, such as NIST (local government and defense), HIPAA (healthcare), and PCI-DSS (finance).
Its strong compatibility with on-prem environments and support for hardware authentication methods also make UserLock suitable for organizations using thin clients, such as those in the healthcare industry, that are looking to replace their legacy systems.
UserLock is a powerful user authentication tool for on-premises and hybrid Windows environments, offering multi-factor authentication with contextual access policies, single sign-on, and robust auditing and reporting capabilities.
The platform isn’t the most intuitive in terms of MFA policy creation and therefore requires a degree of technical understanding to configure and manage. However, UserLock’s unique position in providing access to cloud resources via on-premises authentication makes it a strong option for any sized organization with a hybrid (or solely on-prem) Windows environment, and some prior knowledge of Active Directory.
This is a very powerful tool when utilized by its intended audience. On top of user authentication, UserLock offers single sign-on for a more streamlined end user login experience, and granular reporting that helps improve security and prove compliance with a broad range of compliance standards and insurance requirements.
We recommend that any business that needs to secure user access to on-premises resources within a Windows environment consider adding UserLock to their shortlist.