15.2  Local user accounts

Local accounts are accounts created in WinRoute or imported from a domain. These accounts are stored in the WinRoute configuration database (see chapter 25.2  Configuration files). They are useful especially in domainless environments or for special purposes (typically for the firewall's administration).

Regardless of the method used to create the account, each user can be authenticated through WinRoute's internal database, Active Directory or a Windows NT domain.

The basic administrator account (Admin) is created during the WinRoute installation process. This account has full rights for WinRoute administration. It can be removed if there is at least one other account with full administration rights.

Warning

  1. All passwords should be kept safe and secret, otherwise they might be misused by an unauthorized person.

  2. If all accounts with full administration rights are removed and you log out of the WinRoute administration, it is no longer possible to connect to the WinRoute administration. In this situation, a local user account (Admin with a blank password) will be created automatically upon the next start of the WinRoute Firewall Engine.

  3. If you forget your administration password, contact Kerio Technologies technical support (see chapter 26  Technical support).

Creating a local user account

Open the User Accounts tab in the User and groups → Users section. In the Domain combo box, select Local User Database.

Figure 15.2. Local user accounts in WinRoute

Click on the Add button to open a guide to create a new user account.

Step 1 — basic information

Figure 15.3. Creating a user account — basic parameters

Name

Username used for login to the account.

Warning

The user name is not case-sensitive. We recommend not using special (non-English) characters, which might cause problems when authenticating at the firewall's web interfaces.

Full name

The user's full name (usually first name and surname).

Description

User description (e.g. a position in a company).

The Full Name and Description items are informational only. Any information can be entered, or the fields can be left empty.

Email address

The email address of the user to which alerts (see chapter 19.4  Alerts) and other information (e.g. an alert that a data transfer limit has been exceeded) will be sent. A valid email address should be set for each user, otherwise some WinRoute features cannot be used effectively.

Note: A relay server must be set in WinRoute, otherwise alert messages cannot be sent to users. For details, refer to chapter 18.3  Relay SMTP server.

Authentication

User authentication (see below)

Account is disabled

Temporarily blocks the account without removing it.

Note: This option can be used, for example, to create an account that will not be used immediately (e.g. an account for a new employee who has not started yet).

Domain template

Defines the parameters of the user account (access rights, data transfer quotas and content rules). These parameters can be taken from the domain template (see chapter 15.1  Viewing and definitions of user accounts) or set individually for the account.

Using a template is suitable for ordinary accounts in the domain (common user accounts); defining accounts is simpler and faster with a template.

Individual configuration is recommended especially for accounts with special rights (e.g. WinRoute administration accounts). There are usually few such accounts, so configuring them individually is not burdensome.

Authentication options:

Internal user database

User account information is stored locally in WinRoute. In this case, fill in the Password and Confirm password items (the password can later be changed in the Web interface — see the Kerio WinRoute Firewall — User's Guide).

Warning

  1. Passwords may contain printable characters only (letters, digits, punctuation marks). Passwords are case-sensitive. We recommend not using special (non-English) characters, which might cause problems when authenticating via the Web interface.

  2. Accounts with this authentication type cannot use automatic user authentication by NTLM (refer to chapter 25.3  Automatic user authentication using NTLM). They also cannot be used for authentication to the Clientless SSL-VPN interface (see chapter 24  Kerio Clientless SSL-VPN (Windows)).

NT domain / Kerberos 5

Users are authenticated through the Windows NT domain (Windows NT 4.0) or through the Active Directory (Windows 2000/2003/2008).

Go to the Active Directory / NT domain tab of the Users section to set parameters for user authentication through the Windows NT domain and/or Active Directory. If both Windows NT domain and Active Directory authentication are set, Active Directory is preferred.

Note: User accounts with this authentication type will not be active unless authentication through Active Directory and/or the NT domain is enabled. For details, see chapter 15.3  Local user database: external authentication and import of accounts.

Step 2 — groups

Figure 15.4. Creating a new user account — groups

Groups into which the user will be included can be added or removed with the Add or the Remove button within this dialog (to create new groups go to User and Groups → Groups — see chapter 15.5  User groups). Follow the same guidelines to add users to groups during group definition. It is not important whether groups or users are defined first.

Hint

While adding new groups you can select more than one group by holding the Ctrl or the Shift key.

Step 3 — access rights

Figure 15.5. Creating a new user account — user rights

Each user must be assigned one of the following three levels of access rights.

No access to administration

The user has no rights to access the WinRoute administration. This setting is commonly used for the majority of users.

Read only access to administration

The user can access WinRoute. He or she can read settings and logs but cannot edit them.

Full access to administration

These users have full rights to administration and are equal to the Admin account. If there is at least one user with the full access to the administration, the default Admin account can be removed.

Additional rights:

User can override WWW content rules

User can customize personal web content filtering settings independently of the global configuration (for details, refer to Step 5).

User can unlock URL rules

If this option is checked, the user is allowed to bypass the rule denying access to the queried website — at the page providing information about the denial, the Unlock button is displayed. The unlock feature must also be enabled in the corresponding URL rule (for details, refer to chapter 12.2  URL Rules).

User can dial RAS connection

If the Internet connection uses dial-up lines, users with this right will be allowed to dial and hang up these lines in the Web interface (see chapter 11  Web Interface).

User can connect using VPN

The user is allowed to connect through WinRoute's VPN server (using Kerio VPN Client). For detailed information, see chapter 23  Kerio VPN.

User can use Clientless SSL-VPN

The user will be allowed to access shared files and folders in the local network via the Clientless SSL-VPN web interface.

The Clientless SSL-VPN interface and the corresponding user right in WinRoute are available on Windows only. For details, see chapter 24  Kerio Clientless SSL-VPN (Windows).

User is allowed to use P2P networks

Traffic of this user will not be blocked if P2P (Peer-to-Peer) networks are detected. For details, see chapter 17.1  P2P Eliminator.

User is allowed to view statistics

This user will be allowed to view firewall statistics in the web interface (see chapter 11  Web Interface).

Hint

Access rights can also be defined by a user account template.

Step 4 — data transmission quota

Figure 15.6. Creating a new user account — data transmission quota

Daily and monthly limits for the volume of data transferred by a user, as well as the actions to be taken when a quota is exceeded, can be set in this section.

Transfer quota

Daily, weekly and monthly limits on the volume of data transferred by the user.

Use the Direction combo box to select which transfer direction will be controlled (download — incoming data, upload — outgoing data, all traffic — both incoming and outgoing data).

The limit can be set in the Quota entry using megabytes or gigabytes.

Quota exceed action

Set actions which will be taken whenever a quota is exceeded:

  • Block any further traffic — the user will be allowed to continue using the opened connections, however, will not be allowed to establish new connections (i.e. to connect to another server, download a file through FTP, etc.)

  • Don't block further traffic (Only limit bandwidth...) — the user's Internet connection speed (bandwidth) will be limited. Traffic will not be blocked, but the user will notice that the Internet connection is slower than usual (this should encourage such users to reduce their network activity). For detailed information, see chapter 9  Bandwidth Limiter.

Check the Notify user by email when quota is exceeded option to enable sending of warning messages to the user in case that a quota is exceeded. A valid email address must be specified for the user (see Step 1). SMTP Relay must be set in WinRoute (see chapter 18.3  Relay SMTP server).

If you also want the WinRoute administrator to be notified when a quota is almost exceeded, set the alert parameters in Configuration → Accounting. For details, refer to chapter 19.4  Alerts.

Note:

  1. If a quota is exceeded and traffic is blocked as a result, the restriction remains in effect until the end of the quota period (day or month). To cancel the restriction before the end of the corresponding period, the following actions can be taken:

  2. Quota-exceeded actions are not applied if the user is authenticated at the firewall host (i.e. the WinRoute host), since this would block all firewall traffic as well as all local users. However, the transferred data is still counted toward the quota!

Hint

Data transfer quota and actions applied in response can also be set by a user account template.
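
The quota logic of Step 4, as an added example written for this page and not Kerio's own code: daily, weekly and monthly counters per user and direction, the two quota-exceeded actions, and the two notes above (a block lapses at the end of the period because a fresh bucket starts; a session on the firewall host is exempt from the action but its data is still counted). The names, the "stricter action wins when several quotas are exceeded" rule and the constructed sample quotas are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Dict, List, Optional, Tuple

MB = 1024 * 1024


class Direction(Enum):
    DOWNLOAD = "download"   # incoming data only
    UPLOAD = "upload"       # outgoing data only
    ALL = "all"             # incoming and outgoing data together


class Action(Enum):
    BLOCK = "block_new_connections"   # open connections survive, new ones are refused
    LIMIT = "limit_bandwidth"         # nothing is blocked, the user is throttled


@dataclass(frozen=True)
class Quota:
    period: str            # "daily", "weekly" or "monthly"
    direction: Direction   # which transfer direction the limit applies to
    limit_bytes: int
    action: Action         # what happens once limit_bytes is exceeded


def period_key(period: str, when: datetime) -> str:
    """Name the quota period (day, ISO week or month) that a timestamp falls into."""
    if period == "daily":
        return when.strftime("%Y-%m-%d")
    if period == "weekly":
        iso = when.isocalendar()
        return f"{iso[0]}-W{iso[1]:02d}"
    if period == "monthly":
        return when.strftime("%Y-%m")
    raise ValueError(f"unknown quota period: {period}")


class QuotaTracker:
    """Per-user byte counters and the quota decision described in Step 4.

    Counters are keyed by period name, so once a new day/week/month starts the
    old bucket is simply no longer consulted: a block lapses at the end of the
    period, as note 1 above describes.
    """

    PERIODS = ("daily", "weekly", "monthly")

    def __init__(self, quotas: Dict[str, List[Quota]]):
        self.quotas = quotas                                  # username -> quotas for that user
        self._usage: Dict[Tuple[str, str, str], int] = {}    # (user, period key, direction)

    def record(self, user: str, direction: Direction, nbytes: int, when: datetime) -> None:
        """Account a transfer; always counted, even for a session exempt from the action."""
        if direction is Direction.ALL:
            raise ValueError("record() needs the real direction of the transfer")
        for period in self.PERIODS:
            key = (user, period_key(period, when), direction.value)
            self._usage[key] = self._usage.get(key, 0) + nbytes

    def used(self, user: str, period: str, direction: Direction, when: datetime) -> int:
        """Bytes the user has moved in the current period, in the requested direction."""
        pk = period_key(period, when)
        if direction is Direction.ALL:
            dirs = (Direction.DOWNLOAD.value, Direction.UPLOAD.value)
        else:
            dirs = (direction.value,)
        return sum(self._usage.get((user, pk, d), 0) for d in dirs)

    def decide(self, user: str, when: datetime, on_firewall_host: bool = False) -> Optional[Action]:
        """Action for a new connection attempt, or None when no quota is exceeded."""
        if on_firewall_host:
            # Note 2 above: a user authenticated on the firewall host is exempt from the
            # action (blocking would hit all firewall traffic), but the data was still counted.
            return None
        exceeded = [q.action for q in self.quotas.get(user, [])
                    if self.used(user, q.period, q.direction, when) > q.limit_bytes]
        if not exceeded:
            return None
        # Assumption of this example: when several quotas are exceeded the stricter action wins.
        return Action.BLOCK if Action.BLOCK in exceeded else Action.LIMIT


if __name__ == "__main__":
    # Constructed sample: 100 MB/day download quota that blocks, 1000 MB/month total quota that throttles.
    tracker = QuotaTracker({"alice": [
        Quota("daily", Direction.DOWNLOAD, 100 * MB, Action.BLOCK),
        Quota("monthly", Direction.ALL, 1000 * MB, Action.LIMIT),
    ]})
    day1 = datetime(2024, 3, 14, 10, 0)
    tracker.record("alice", Direction.DOWNLOAD, 101 * MB, day1)
    print(tracker.decide("alice", day1))     # Action.BLOCK
    day2 = datetime(2024, 3, 15, 8, 0)
    print(tracker.decide("alice", day2))     # None: the daily bucket started afresh
```

The monthly counter keeps carrying the data after the daily block has lapsed, so a user who repeatedly hits the daily limit eventually reaches the monthly one as well; that is the behaviour an administrator should expect when both quotas are configured.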

Step 5 — web content rules and language preferences

Figure 15.7. Creating a new user account — Web site content rules

In the WWW content scanning options section, content filter rules can be set for individual users. By default, all elements are allowed. WinRoute can block the following web elements:

ActiveX objects

Active objects on web pages. This option allows/blocks the <object> and <embed> HTML tags.

<Script> HTML tags

Executable code in JavaScript, VBScript, etc.

Pop-up windows

Automatic opening of new browser windows — usually pop-up windows with advertisements.

This option will allow / block the window.open() method in JavaScript.

<Applet> HTML tags

Applets in Java.

Cross-domain referers

This option allows / blocks the Referer item included in an HTTP header.

The Referer item carries the address of the page viewed prior to the current one. This option allows blocking the Referer when it contains a server name different from the one in the particular HTTP request.

The Cross-domain referer function protects users' privacy (the Referer item can be monitored to see which pages are opened by each user).
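
How the cross-domain referer rule decides, shown as an added example that is not part of the product or this guide: a small HTTP request parser, a comparison of the Referer's server name against the server the request is for (absolute-form target for proxy-style requests, otherwise the Host header), and the re-serialised request with the Referer removed when the names differ. The function names and the two sample requests are constructed for this example; the choice to drop an unparseable Referer is an assumption, made because a filter that protects privacy should fail closed.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

Headers = List[Tuple[str, str]]


def _hostname(url: str) -> Optional[str]:
    """Lower-cased host part of a URL, or None if there is none (port is ignored)."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def request_host(target: str, headers: Headers) -> Optional[str]:
    """Server name the request is for: absolute-form target (proxy style) first, else Host."""
    if "://" in target:
        return _hostname(target)
    for name, value in headers:
        if name.lower() == "host":
            return _hostname("http://" + value)
    return None


def is_cross_domain_referer(target: str, headers: Headers) -> bool:
    """True when a Referer is present and names a server other than the requested one.

    Only the server name is compared, so www.example.com and example.com count as
    different servers, as the text describes. A Referer that cannot be parsed, or a
    request whose own host is unknown, is treated as cross-domain (assumption: fail closed).
    """
    for name, value in headers:
        if name.lower() == "referer":
            ref = _hostname(value)
            req = request_host(target, headers)
            if ref is None or req is None:
                return True
            return ref != req
    return False


def parse_request(raw: bytes) -> Tuple[str, str, str, Headers, bytes]:
    """Minimal HTTP/1.x request parser: request line, header list, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def strip_cross_domain_referer(raw: bytes) -> bytes:
    """Re-serialise the request without its Referer if the cross-domain rule fires."""
    method, target, version, headers, body = parse_request(raw)
    if is_cross_domain_referer(target, headers):
        headers = [(n, v) for n, v in headers if n.lower() != "referer"]
    head = "\r\n".join([f"{method} {target} {version}"] + [f"{n}: {v}" for n, v in headers])
    return head.encode("latin-1") + b"\r\n\r\n" + body


# Constructed sample requests (not captured traffic).
SAME_SITE = (b"GET /news HTTP/1.1\r\nHost: www.example.com\r\n"
             b"Referer: http://www.example.com/index.html\r\n\r\n")
CROSS_SITE = (b"GET http://shop.example.net/cart HTTP/1.1\r\nHost: shop.example.net\r\n"
              b"Referer: http://search.example.com/?q=shoes\r\n\r\n")

if __name__ == "__main__":
    print(strip_cross_domain_referer(SAME_SITE) == SAME_SITE)    # True: Referer kept
    print(b"Referer" in strip_cross_domain_referer(CROSS_SITE))  # False: Referer removed
```

Same-server referers are left alone so that sites which rely on them (for example for navigation within the site) keep working; only the header that would tell a third-party server where the user came from is removed.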

The Language options section allows you to set the preferred language of WinRoute's web interface (including the Kerio StaR interface). The Browser detected option sets the preferred language according to the user's web browser settings, using the available language with the highest preference. English is used if none of the preferred languages is available.

The preferred language also applies to email alerts sent by the firewall (notices of a reached data transfer quota, detected viruses, detected P2P networks, etc.). If the language is detected from the user's web browser preferences, the language used at the user's previous login to the web interface is applied. If the user has not logged into the web interface before, alerts are sent in English.

Note: These settings can be customized on the corresponding page of WinRoute's Web interface (see Kerio WinRoute Firewall — User's Guide). If the user can override content rules, any changes can be made. Users who are not allowed to override rules can only enable and/or disable the features available to them (set in their personal configuration). Language preferences can always be changed.

Hint

Content rules can also be defined by a user account template.

Step 6 — user's IP addresses

Figure 15.8. Creating a new user account — IP addresses for VPN client and automatic logins

If a user works at a reserved workstation (i.e. a computer not used by any other user) with a fixed IP address (static or reserved at the DHCP server), the user can use automatic login from that IP address. Whenever a connection attempt from this IP address is detected, WinRoute assumes that the connection is made by this user and does not require authentication. The user is logged in automatically and all functions are available as if the user had logged in with a username and password.

This implies that only one user can be automatically authenticated from a particular IP address. When a user account is being created, WinRoute automatically detects whether the specified IP address is already used for automatic login.

Automatic login can be set for the firewall (i.e. for the WinRoute host) and/or for any other host(s) (e.g. when the user also connects from an additional workstation, such as a notebook). An IP address group can be used to specify multiple hosts (refer to chapter 14.1  IP Address Groups).

Warning

Automatic login reduces security. If an unauthorized person works on a computer for which automatic login is enabled, he/she acts under the identity of the host's user, who is authenticated automatically. Therefore, automatic login should be combined with another security measure, such as user login to the operating system.

The IP address that will always be assigned to the VPN client of this user can be specified under VPN client address. This way, a fixed IP address can be assigned to a user when he/she connects to the local network via the Kerio VPN Client. This IP address can also be added to the list of IP addresses from which the user is authenticated automatically.

For detailed information on the Kerio Technologies' proprietary VPN solution, refer to chapter 23  Kerio VPN.
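
The "one user per IP address" rule of Step 6, as an added example that is not WinRoute's code: a table of automatic-login entries that refuses an address (or an address group) already owned by another user, and a lookup that resolves an incoming connection's source address to the user who is logged in automatically. Address groups are represented here as CIDR blocks, which is a simplification assumed for the example; the class and function names and the sample addresses are constructed.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_entry(text: str) -> Network:
    """A single host ("192.168.1.10") or a range ("192.168.2.0/24") as one network object.

    Assumption of this example: an IP address group is modelled as a CIDR block.
    """
    return ipaddress.ip_network(text.strip(), strict=False)


class AutoLoginTable:
    """Maps IP addresses (and address groups) to the user logged in automatically from them."""

    def __init__(self) -> None:
        self._entries: List[Tuple[str, Network]] = []

    def conflicts(self, user: str, entry: str) -> List[str]:
        """Other users whose automatic-login addresses overlap `entry`."""
        net = parse_entry(entry)
        return sorted({u for u, n in self._entries
                       if u != user and n.version == net.version and n.overlaps(net)})

    def add(self, user: str, entry: str) -> None:
        """Register an address for `user`, refusing it if another user already owns it.

        This is the check the text describes: the same address must never resolve to
        two identities, otherwise one user's traffic would be attributed to another.
        """
        others = self.conflicts(user, entry)
        if others:
            raise ValueError(f"{entry} already used for automatic login by: {', '.join(others)}")
        self._entries.append((user, parse_entry(entry)))

    def user_for(self, ip: str) -> Optional[str]:
        """The user to log in automatically for a connection from `ip`, or None if none."""
        addr = ipaddress.ip_address(ip)
        for user, net in self._entries:
            if addr.version == net.version and addr in net:
                return user
        return None


if __name__ == "__main__":
    table = AutoLoginTable()
    table.add("alice", "192.168.1.10")      # alice's reserved workstation (constructed)
    table.add("bob", "192.168.2.0/24")      # bob's address group (constructed)
    print(table.user_for("192.168.2.5"))                # bob
    print(table.conflicts("carol", "192.168.1.0/24"))   # ['alice']
```

Because a whole address group is matched, adding a range that merely overlaps an existing single address is rejected too; that is the case an administrator is most likely to hit when a notebook's DHCP range is added alongside fixed workstation addresses.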

Editing User Account

The Edit button opens a dialog window where you can edit the parameters of the user account. This dialog window contains all of the components of the account creation guide described above, divided into tabs in one window.