Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, you can find the appropriate directions by scrolling down in the article.

The Login Settings Page provides a central location to manage where and how your administrators are able to access the ThreatLocker Portal. Here, you can set Organization-wide restrictions on which Countries or IP addresses your users can log in from, restrict MFA options, Allow SSO, and override the MFA restrictions for specific users.  

Login settings can be accessed from the 'Login Attempts' pane of the Health Center or the Login Settings through the 'Additional Options' on the Administrators page.

Both paths will open the same side panel, 'Login Settings - [Your Organization Name]'. Settings configured here are applied across the entire organization. 

ThreatLocker Access

The 'ThreatLocker Access' section determines the level of access ThreatLocker Staff has to your organization. This can be configured to give No access, Read-Only access, or Full Control to Solutions Engineers and Cyber Heroes. Changes to these settings can only be made by Super Admins within your organization, ThreatLocker Staff is unable to make changes to these settings on your behalf. 

Your Solutions Engineer is the primary technical point of contact for your account. This is the team member you would have worked with through your deployment and onboarding process. By default, Solutions Engineers will have Full Control selected, and we recommend keeping this set during your trial and onboarding process. 

Cyber Heroes designates access for Cyber Hero Support and the Application Request team, who may need access to your account to assist in troubleshooting any issues you encounter. By default, the Cyber Heroes will have Read-Only access to your account. If you have Cyber Hero Management, the Cyber Heroes will need Full Control access to your account in order to process Application Requests. 

Login Restrictions

This section allows you to restrict administrator login attempts to ensure security in your environment by geographical location and IP address, restrict available MFA modes, and enable/enforce Office 365 SSO. 

Country Restrictions

Under 'Country Restrictions' , choose 'Allow Selected' to create a list of countries from which login to your ThreatLocker account is permitted, or choose 'Block Selected' to set a list of countries from which login to your ThreatLocker account is prohibited. 

Please note: If you choose 'Allow selected', login attempts from all countries not allowed will be blocked. If you choose 'Block selected', logins from all countries or IPs not on the blocklist will be permitted. Please ensure that you permit your own country when configuring this option, as it is possible to block legitimate sign-ins to your own account. 

IP Address Restrictions

Under 'IP Address Restrictions', choose 'Allow Selected' to create a list of IPv4 addresses from which login to your ThreatLocker account is permitted, or choose 'Block Selected' to set a list of IPv4 addresses from which login to your ThreatLocker account is prohibited.  

Please note: If you choose 'Allow Selected', all IP addresses not on the allowed list will be blocked. If you choose 'Block Selected', all IP addresses not on the blocked list will be permitted. This does not override Allowed Countries.  If you allow specific IPs within a country and also allow the country itself via Country Restrictions, the entire country will be allowed. 

MFA Restrictions

Under 'MFA Restrictions', you can select which Multi-Factor Authentication methods can be utilized when signing in. These settings are organization-wide unless a User Override is configured in the section below. If you enable 'Allow Selected', any or all choices between DUO, SMS, and OTC can be enabled. Choosing 'None' will allow the administrator to use their choice. Restricting to a particular method when an admin is using another method will prompt the admin to reset OTC on their next login. 

If you haven't previously set up DUO, you can navigate to the Integrations Page and set up the DUO Integration for your organization. For assistance with the DUO Integration, see our associated article here.  

Allow SSO

The 'Allow SSO' option lets admins establish O365 SSO. ThreatLocker does not recommend using SSO for your ThreatLocker Account. After this option is enabled, the administrator will need to switch their account from a standard login to SSO. Please see the following article for further instructions: How to Enable O365 SSO | ThreatLocker Help Center (kb.help)

Enabling the "Allow SSO" option will generate a further option, Enforce SSO / Disable Local Login, which will force all users within your organization to utilize SSO. 

Warning: Enforcing SSO will prevent any administrators within your organization signing in if they do not have SSO set up. 

Login Restrictions - User Override

'User Override' allows particular admins to be permitted to use other MFA methods, outside of those selected in 'MFA Restrictions'. If OTC is the only allowed MFA method across an organization, for example, an MFA User Override can be established to allow a specified administrator to utilize either the DUO integration or SMS for authentication.

Login Settings on the Legacy Portal

The Login Settings Page provides a central location to manage the Geo Restrictions and MFA settings on your ThreatLocker account. Here, you can set restrictions on organization-wide Geo Restrictions by countries and/or IP addresses, restrict MFA options, and override the MFA restrictions for specific users. 

Navigate to Security Center > Login Settings.

Geo Restrictions

In the Geo Restrictions tab, you can specify countries and/or IP addresses from which logins to your ThreatLocker account are permitted or prohibited.

Under 'Do you want to restrict login to your ThreatLocker Account by country', select 'Yes' to create a list of countries from which login to your ThreatLocker account is permitted, or a list of countries from which login to your ThreatLocker account is prohibited. 

Please note: If you create an allowlist, all countries not on the allowlist will be blocked. If you create a blocklist, all countries not on the blocklist will be permitted.

In the 'Allowed Countries' dropdown, select countries that login is permitted from, clicking the 'Add' button after each selection to create an allowlist.

In the 'Blocked Countries' dropdown, select countries that login is prohibited from, clicking the 'Add' button after each selection to create a blocklist.

When you have finished creating either an allowlist or a blocklist, be sure to click the 'Update Settings' button in the top left corner to save your settings.

Under 'Do you want to restrict login to your ThreatLocker Account by IP Address', select 'Yes' to create a list of IP addresses from which login to your ThreatLocker account is permitted, or a list of IP addresses from which login to your ThreatLocker account is prohibited.

In the 'Allowed IP Addresses' textbox, input IP addresses that login is permitted from, clicking the 'Add' button after each selection to create an allowlist.

In the 'Blocked IP Addresses' textbox, input IP addresses that login is prohibited from, clicking the 'Add' button after each selection to create a blocklist.

When you have finished creating either an allowlist or a blocklist, be sure to click the 'Update Settings' button in the top left corner to save your settings. 

Please note: If you create an allowlist, all IP addresses not on the allowlist will be blocked. If you create a blocklist, all IP addresses not on the blocklist will be permitted. This does not override Allowed Countries.  If you whitelist specific IPs within a country and also whitelist the country itself with Geo Restrictions, the entire country will be whitelisted.

MFA Settings 

In the MFA Settings tab, at the top you will find a list of all ThreatLocker Admins on your account with their current MFA Method listed.

Below that, you can choose to limit the options for MFA across your organization. Once you select the button next to 'Yes', you can choose between DUO (if it is configured), SMS, or OTC. You can choose as many options as you'd like. These settings will apply to your entire organization. 

If you haven't previously set up DUO, you can navigate to the Integrations Page and set up the DUO Integration for your organization. For assistance with the DUO Integration, see our associated article here.

You also have the ability to override the MFA settings for any user. Select 'Yes' in the next section under 'Do you want to override login restriction settings per user?'  

Next, select the username from the dropdown list. Then select the desired MFA methods from the next dropdown, and click the 'Update' button.

 

Be sure to click the 'Update Settings' button at the top of the page after you make your selections. The next time admins log into the ThreatLocker Portal, if they do not currently have MFA set up, they will be forced to set up MFA according to your Login Settings.