Product Reviews
No Entrance, No Exit
These tools can help you use Group Policy to restrict access to USB ports and various hardware devices.
You have laptops and kiosks. You may have nurses’ stations and library machines. You have consultants in and out all day. You have a big problem.
REDMOND RATING: Smartline DeviceLock
Documentation (5%): 8
Installation (5%): 8
Feature Set (40%): 8
Level of Control (40%): 7
Interface (10%): 9
Overall Rating: 7.7
Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional
In an open environment like this, it’s far too easy for some sneaky user to
slip a USB disk into one of your computers and walk away with sensitive or valuable
data. It could also go the other way -- a disgruntled employee or malicious
user could walk in the door with EvilApp.exe on a USB disk, connect the disk
into the back of an open workstation and infect your entire network.
You need to lock down all the access points to your machines. Windows XP has some provisions to help, but it’s not an obvious fix: there’s a new Registry key to lock out unauthorized users from a system’s USB ports. All you have to do is activate that setting -- on each and every machine you need to secure.
Managing this setting update through Group Policy is far better than running
around to every machine on your network.
Many custom ADM files (templates that define the settings an administrator
can configure through Group Policy) end up "tattooing" the Registry.
When the computer moves around within an AD domain, any restrictions stay with
it until specifically removed. The biggest problem with this approach is that
it’s only for locking out USB ports. There are many other access points through
which the bad guys could get your sensitive data out or get malicious programs
in.
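As an added example (not from the review or either vendor), the following PowerShell audit checks whether the Registry-based USB storage lockdown the article describes is actually in place on a list of machines, so an administrator can spot workstations left open or "tattooed" with a restriction that should have been removed. The article does not name the key it refers to; the script assumes the two well-known values below and needs the Remote Registry service on the targets.

```powershell
# Added example, not part of the review or either vendor's product.
# Audits USB mass-storage lockdown state by reading two registry values (assumed here;
# the article does not name the key it refers to):
#   HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR, Start = 4 -> USB storage driver never loads
#   HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies, WriteProtect = 1
#       -> removable storage is read-only (Windows XP SP2 and later)
# Remote reads go through the Remote Registry service, which must be running on each target.
function Get-UsbStorageLockdown {
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    process {
        foreach ($computer in $ComputerName) {
            try {
                $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
                $usbstor  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\USBSTOR')
                $policies = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\StorageDevicePolicies')

                # Start = 3 (load on demand) is the Windows default; 4 means disabled.
                $start = if ($usbstor) { $usbstor.GetValue('Start', 3) } else { 3 }
                # A missing key or value means no write protection is configured.
                $writeProtect = if ($policies) { $policies.GetValue('WriteProtect', 0) } else { 0 }

                $state = if ($start -eq 4) { 'Blocked' } elseif ($writeProtect -eq 1) { 'ReadOnly' } else { 'Open' }

                [pscustomobject]@{
                    ComputerName = $computer
                    UsbStorStart = $start
                    WriteProtect = $writeProtect
                    State        = $state
                }
            } catch {
                # Unreachable host, Remote Registry stopped, or access denied: report rather than skip.
                [pscustomobject]@{
                    ComputerName = $computer
                    UsbStorStart = $null
                    WriteProtect = $null
                    State        = "Error: $($_.Exception.Message)"
                }
            }
        }
    }
}

# Constructed machine names for illustration; list only the ones still open.
'WS-NURSE-01', 'KIOSK-LIB-02' | Get-UsbStorageLockdown |
    Where-Object { $_.State -eq 'Open' } | Format-Table -AutoSize
```

Running it over the machines a GPO is linked to, before and after the policy applies, shows whether the restriction reached every target and whether it lingers on machines that have since moved out of scope.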
To do the job right, you need to restrict access to
floppy drives, CD-ROM drives, and WiFi and
Bluetooth devices. Out of the box, there are some Group Policy settings that can help you control a fraction of these devices, but not all. Fortunately, there are add-ons that can leverage Group Policy to lock down the hardware that’s giving you headaches -- Smartline DeviceLock 5.7 and Safend Protector.
DeviceLock
Smartline Inc.
866-668-5625
212-279-8895
www.devicelock.com
Pricing: $35 for a single license, $2,500 for up to 200 computers and $7,500 for up to 2,000 computers
Head-to-Head Review
Smartline DeviceLock
DeviceLock helps you lock out ports so that data remains where it should. The
latest edition takes that protection to the next level by plugging into Group
Policy.
The interface should be relatively familiar to Windows admins (see Figure 1).
DeviceLock’s potential lockdown points appear in the Computer Configuration
portion of the Group Policy Object. The example in Figure 1 shows which AD groups
have access to the USB ports. DeviceLock also lets you specify the time for
which these entries are valid.
Other hardware options are configured in much the same way: Simply double-click
the entry, specify the AD users or groups that should have the restriction and
specify the options.
Setting up DeviceLock is simple: Load the software on the Group Policy administration
machine, then install a service on all potential target machines. The service
is wrapped up as an MSI that you can deploy through Group Policy.
DeviceLock is a simple tool with a simple mission. As such, it doesn’t give you a huge array of control options. The USB control is excellent, with the ability to add specific USB devices to accept, thereby rejecting any non-specified devices.
REDMOND RATING: Safend Protector
Documentation (5%): 8
Installation (5%): 8
Feature Set (40%): 8
Level of Control (40%): 9
Interface (10%): 7
Overall Rating: 8.3
Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional
Other hardware devices, such as Bluetooth devices and WiFi access, would benefit
from similar levels of control. Also, it would be helpful to be able to specify
which devices it could contact through Bluetooth or WiFi, and the ability to
restrict PCMCIA (PC Card) slots.
DeviceLock also offers a standalone management console if needed, but it almost seems superfluous, since Group Policy is the ideal way to control the enterprise.
Safend Protector
Safend Protector has a similar mission to DeviceLock, but uses two products
to restrict USB port usage: USB Port Protector and USB Auditor. Auditor helps
you figure out who is using what port, then Safend Protector and Group Policy
lock it down.
Safend Protector goes further. It can also help you control access to Firewire
connections, PCMCIA cards, serial and parallel ports, WiFi connections, and
IrDA and Bluetooth devices.
Safend Protector requires software on all target machines. This software component
is wrapped up as an MSI you can easily deploy with Group Policy. While DeviceLock’s
entire user interface is self-contained within Group Policy, Safend Protector
takes a different approach. It uses a separate interface to design deployment
policies.
Once you’ve finished setting up a policy, simply save it and Safend Protector
basically writes it to AD as a new Group Policy Object. For example, I configured
a policy (see Figure 2) that prohibits PCMCIA card usage, except for smart cards.
After defining all the necessary policies, go to the Group Policy Management
Console (GPMC) and link the GPOs to the users or computers you want to update
with those settings.
Pick Your Lock
Both DeviceLock and Safend Protector help you effectively and efficiently restrict
user access to hardware devices with Group Policy. They can both control many
different types of devices and offer good granular control. Choosing one over
the other really comes down to a matter of interface and style of operation.
Safend Protector runs as part of the operating system, which means that a determined hacker would have trouble turning it off. It also has a password-protected uninstall routine, so even local administrators can't remove it. That gives Safend Protector the upper hand in terms of security.
The downside is that it has a different interface for editing policies. Flipping back and forth between the custom Safend Protector utility and the GPMC was a bit tedious, so the winner from the interface perspective is DeviceLock.
While DeviceLock has the familiar interface and ease of operation, the downside is that it runs as a service. As such, it's easier to turn off or uninstall completely. Users who are local machine administrators may be tempted to do this to remove any restrictions.
It’s a good idea to use Group Policy to control access to your network’s hardware
devices. Doing so will simplify your administrative tasks, help you provide
greater security for your network and keep your company’s critical data where
it belongs. Both of these products extend Group Policy’s reach, and are worthy
of serious consideration in your enterprise.