Product Reviews

No Entrance, No Exit

These tools can help you use Group Policy to restrict access to USB ports and various hardware devices.

You have laptops and kiosks. You may have nurses’ stations and library machines. You have consultants in and out all day. You have a big problem.

REDMOND RATING:
Smartline DeviceLock
Documentation 5%
8
Installation 5%
8
Feature Set 40%
8
Level of Control 40%
7
Interface 10%
9
Overall Rating:
7.7

——————————————
Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional

In an open environment like this, it’s far too easy for some sneaky user to slip a USB disk into one of your computers and walk away with sensitive or valuable data. It could also go the other way -- a disgruntled employee or malicious user could walk in the door with EvilApp.exe on a USB disk, connect the disk into the back of an open workstation and infect your entire network.

You need to lock down all the access points to your machines. Windows XP has some provisions to help, but it’s not an obvious fix: there’s a new Registry key to lock out unauthorized users from a system’s USB ports. All you have to do is activate that setting -- on each and every machine you need to secure.

Managing this setting update through Group Policy is far better than running around to every machine on your network.

Many custom ADM files (templates that define the settings an administrator can configure through Group Policy) end up "tattooing" the Registry. When the computer moves around within an AD domain, any restrictions stay with it until specifically removed. The biggest problem with this approach is that it’s only for locking out USB ports. There are many other access points through which the bad guys could get your sensitive data out or get malicious programs in.

To do the job right, you need to restrict access to floppy drives, CD-ROM drives, and WiFi and Bluetooth devices. Out of the box, there are some Group Policy settings that can help you control a fraction of these devices, but not all. Fortunately, there are add-ons that can leverage Group Policy to lock down the hardware that’s giving you headaches -- Smartline DeviceLock 5.7 and Safend Protector.

DeviceLock

Smartline Inc.
866-668-5625
212-279-8895
www.devicelock.com

Pricing: $35 for single license, $2,500 for up to 200 computers and $7,500 for up to 2,000 computers

Head-to-Head Review
Smartline DeviceLock
DeviceLock helps you lock out ports so that data remains where it should. The latest edition takes that protection to the next level by plugging into Group Policy.

The interface should be relatively familiar to Windows admins (see Figure 1). DeviceLock’s potential lockdown points appear in the Computer Configuration portion of the Group Policy Object. The example in Figure 1 shows which AD groups have access to the USB ports. DeviceLock also lets you specify the time for which these entries are valid.

Other hardware options are configured in much the same way: Simply double-click the entry, specify the AD users or groups that should have the restriction and specify the options.

Short learning curve. Good.
[Click on image for larger view.]
Figure 1. DeviceLock simply snaps into existing Group Policy Objects, so the learning curve is relatively short.

Setting up DeviceLock is simple: Load the software on the Group Policy administration machine, then install a service on all potential target machines. The service is wrapped up as an MSI that you can deploy through Group Policy.

DeviceLock is a simple tool with a simple mission. As such, it doesn’t give you a huge array of control options. The USB control is excellent, with the ability to add specific USB devices to accept, thereby rejecting any non-specified devices.

REDMOND RATING:
Safend Protector
Documentation 5%
8
Installation 5%
8
Feature Set 40%
8
Level of Control 40%
9
Interface 10%
7
Overall Rating:
8.3

——————————————
Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional

Other hardware devices, such as Bluetooth devices and WiFi access, would benefit from similar levels of control. Also, it would be helpful to be able to specify which devices it could contact through Bluetooth or WiFi, and the ability to restrict PCMCIA (PC Card) slots.

DeviceLock also offers a standalone management console if needed, but it almost seems superfluous, since Group Policy is the ideal way to control the enterprise.

Safend Protector
Safend Protector has a similar mission to DeviceLock, but uses two products to restrict USB port usage: USB Port Protector and USB Auditor. Auditor helps you figure out who is using what port, then Safend Protector and Group Policy lock it down.

Safend Protector goes further. It can also help you control access to Firewire connections, PCMCIA cards, serial and parallel ports, WiFi connections, and IrDA and Bluetooth devices.

Protect ya neck!
[Click on image for larger view.]
Figure 2. Safend Protector has a Policy Builder application that helps you create GPOs.

Safend Protector requires software on all target machines. This software component is wrapped up as an MSI you can easily deploy with Group Policy. While DeviceLock’s entire user interface is self-contained within Group Policy, Safend Protector takes a different approach. It uses a separate interface to design deployment policies.

Safend Protector

Safend
215-496-9646
www.safend.com

Pricing: Starts at $32 per seat

Once you’ve finished setting up a policy, simply save it and Safend Protector basically writes it to AD as a new Group Policy Object. For example, I configured a policy (see Figure 2) that prohibits PCMCIA card usage, except for smart cards. After defining all the necessary policies, go to the Group Policy Management Console (GPMC) and link the GPOs to the users or computers you want to update with those settings.

Pick Your Lock
Both DeviceLock and Safend Protector help you effectively and efficiently restrict user access to hardware devices with Group Policy. They can both control many different types of devices and offer good granular control. Choosing one over the other really comes down to a matter of interface and style of operation.

Safend Protector runs as part of the operating system, which means that a determined hacker would have trouble turning it off. It also has a password- protected uninstall routine, so even local administrators can’t remove it. That gives Safend Protector the upper hand in terms of security.

The downside is that it has a different interface for editing policies. Flipping back and forth between the custom Safend Protector utility and the GPMC was a bit tedious, so the winner from the interface perspective is DeviceLock.

While DeviceLock has the familiar interface and ease of operation, the downside is that it runs as a service. As such, it’s easier to turn off or uninstall completely. Users that are local machine administrators may be tempted to do this to remove any restrictions.

It’s a good idea to use Group Policy to control access to your network’s hardware devices. Doing so will simplify your administrative tasks, help you provide greater security for your network and keep your company’s critical data where it belongs. Both of these products extend Group Policy’s reach, and are worthy of serious consideration in your enterprise.

comments powered by Disqus

Reader Comments:

Sat, Mar 19, 2011 ymqjjamu XlO3KQ bfmrfqyihswi, [url=http://bthsbyxamjve.com/]bthsbyxamjve[/url], [link=http://icnarzyyrljn.com/]icnarzyyrljn[/link], http://kzhctlfciqin.com/

XlO3KQ http://bfmrfqyihswi.com/ DOT , [url=http://bthsbyxamjve.com/]bthsbyxamjve[/url], [link=http://icnarzyyrljn.com/]icnarzyyrljn[/link], http://kzhctlfciqin.com/

Mon, Nov 6, 2006 Anonymous Anonymous

Safe end product provides device control permission settings(read/or write).

Wed, May 31, 2006 Roger North Syracuse, NY

Do either of these products provide a way to allow data only access (read/write) & prevent all executables from running?

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Comment:
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.