I have been talking over the past year about "Hardening Active Directory". In those discussions, we have been talking about implementing a granular password policy so that you K-2 students have a lower password requirement than your financial and guidance users.
We have talked about eliminating domain admins from logging into workstations in your buildings to do anything due to the increased risks of trojans and malware seizing those rights to do bad things to your network.
With many of you, we have talked about turning on increased auditing, but there is a cost for that in terms of performance and login times.
There had to be a better way to secure your Windows network centrally while not destroying network performance.
I believe UserLock from IS Decisions is that better way. By overlaying UserLock over your existing Microsoft Active Directory network we can so some very exciting things:
- Limit the number of concurrent users. Microsoft has always had problems doing what we took for granted years ago with Novell. Now we can limit one student to one ID at one time.
- Limit where an ID can be used by:
- Explicit username
- Group membership
- TCP/IP Address or range
- Time and how long you can be logged on.
- Report on how you are logging in (i.e. VPN, RDP, IIS, etc)
- Report on user ID activity.
- Report directly from the workstation to the UserLock server to avoid the normal slowdowns associated with auditing.
With UserLock a high school student couldn't log in with an elementary school ID -even if they knew the student's simple password.
With UserLock we can truly enforce that domain admin IDs can't login to workstations forcing techs to use a more appropriate ID for troubleshooting workstation issues.
UserLock fully reports on where IDs are used.
I believe that overlaying UserLock over your existing Microsoft Active Directory network is an important next step in better securing your network from the growing number of sophisticated threats that exist today.
You can watch the webinar recording here.