Many years ago, users’ only access to company data occurred through dumb terminals to a mainframe. The data resided safely in the data center, and the only way it might physically leave that data center was on reel-to-reel tape or large, heavy hard drives. By contrast, today’s users have multiple access points to company data—for example, USB drives, floppy drives, and even burnable CD/DVD drives. Dishonest employees can easily use these points of access to steal sensitive data. If you’ve considered blasting your users’ USB ports with hot glue, you aren’t alone. But perhaps there’s a more elegant solution available to you.
The two products I investigate in this comparative review—Smart- Line’s DeviceLock and ControlGuard’s Endpoint Access Manager—can help you take back control of all those vulnerable access points. I’ve focused on only two representative products here, but keep in mind that other options are available, including functionality that Microsoft introduced in Windows XP SP2—see the sidebar “A Snapshot of the Endpoint Security Market,” for more information.
DeviceLock Security’s installation starts with the execution of a typical setup.exe file. However, I found the installation a bit confusing. The installation wizard has two main options to choose from: Use the Service + Consoles option to install the DeviceLock service and management consoles, or use the Server + Consoles option to install the server component and the consoles. At first, these options look the same, but as you can see, one is the DeviceLock service and the other is the server product. The first option is selected by default, leading to my confusion.
According to the DeviceLock Manual PDF guide, the “DeviceLock Service should be installed on the computer so you can control the access to devices on that computer.” Is the DeviceLock Service required on the management server? I called the company to ask for clarification. A friendly technician explained that the service is necessary only if you want to protect USB and other endpoints on the server. Otherwise, you can skip the service installation on the server and deploy it just to the user’s PC. I find it a bit odd that the service is selected by default, but apparently it’s provided as a convenience.
There’s also a Custom option. I used this method to install the service and the server. The optional DeviceLock Enterprise Server component—which requires a SQL Server back end—allows for the centralized collection and storage of shadow data and audit logs. If you have a SQL Server infrastructure, ControlGuard recommends that you use that. If you don’t have SQL Server available, the PDF manual provides a direct link for downloading SQL Server 2005 Express.
After the installation was complete, I was presented with three separate consoles on the desktop: DeviceLock Management Console (a Microsoft Management Console—MMC— snap-in), DeviceLock Service Settings Editor (similar to the new tools that DeviceLock adds to Group Policy), and DeviceLock Enterprise Manager (recommended if you have a large network without Active Directory—AD). These consoles were a bit overwhelming, combined with the product’s promise of Group Policy integration.
To keep things initially simple, I started with DeviceLock Enterprise Manager and remotely installed the DeviceLock Service onto my test XP machine. As I expected, the service wasn’t able to install because the XP SP2 firewall was blocking it. The DeviceLock Manual provides detailed instructions for either opening the XP firewall with the necessary ports or setting a specific port for all DeviceLock communication. I used Group Policy to configure the XP firewall, and I was able to install the service remotely.
The DeviceLock Service is also available in an MSI format, so you can install it through Group Policy or SMS. I highly recommend a structured AD with hierarchal organizational units (OUs), in which users and computers are taken out of the default containers. This setup helps you organize and find user and computer leaf objects, and makes Group Policy deployment much easier.. I would place a policy at the highest All Computers OU, then deploy the DeviceLock Service from there. There isn’t a built-in automated method to deploy the client agent (as the ControlGuard product offers), so I had to set up my own way to ensure that all desktops had the DeviceLock agent installed as soon as they were added to the domain. To do this, I applied a Group Policy to an OU containing all the users’ computers. Now, every time I add a computer to the domain, the client software is installed automatically. Figure 1 shows Device- Lock’s smooth integration with your existing GPOs.
After I verified that the DeviceLock agent was running (it runs as a typical NT service), I used DeviceLock Enterprise Manager to deploy my first policy. This simple process lets you select specific AD users or groups, the date and time those users or groups are permitted to access the device, and even the specific user rights (i.e., Read, Write, Format, Eject) allowed for each device. You can secure not only USB ports but also Bluetooth ports, CD/DVD drives, FireWire ports, floppy drives, hard disks, infrared (IR) ports, parallel ports, removable devices, serial ports, tape drives, Wi-Fi access points (APs), and Windows Mobile devices. When you think of points of access, USB is probably the first type that comes to mind, but data can be compromised from many entry points. For a listing of endpoints that DeviceLock protects, see Table 1.
As soon as I attempted to access a USB device on the XP client, a dialog box immediately informed me that access was denied. I tried to find a way around the policy but was thwarted at every attempt. I even tried to stop the DeviceLock service, but the Stop button was disabled.
Integrating DeviceLock management with Group Policy is a brilliant idea. After using DeviceLock Enterprise Manager to play around with policies, I decided to deploy a policy using a Group Policy Object (GPO). Opening a new GPO brings up a new addition called SmartLline DeviceLock—not a simple administrative (ADM) template but a fully functional GUI that looks and feels just like the aforementioned DeviceLock Service Settings Editor. Using this screen, I was able to deploy endpoint security settings to users’ computers just as I had done through DeviceLock Enterprise Manager. If you already have structured AD and Group Policy management procedures in place, I highly recommend that you use this method to deploy the settings.
As you apply policies to secure endpoints, it can quickly become difficult to determine a given PC’s actual settings. Because DeviceLock is heavily integrated with AD and Group Policy, it can take advantage of Microsoft’s Resultant Set Of Policy (RSOP) tool.
Like DeviceLock, Endpoint Access Manager requires either Microsoft SQL Server or SQL Server 2005 Express. If you have neither installed, the setup wizard adds and configures SQL Server 2005 Express for you—a nice touch that simplifies installation.
While installing the product, I noticed that its Installation Guide PDF file doesn’t follow the wizard exactly. This inconsistency didn’t throw me off too much, but it was frustrating to see that the documentation hadn’t been updated to coincide with the actual product.
During installation, I missed the fact that Endpoint Access Manager requires Microsoft IIS, so setup paused with the standard Abort, Retry, or Ignore dialog box. I left the message onscreen and installed IIS through the Control Panel Add or Remove Programs applet. I was then able to click Retry, and the Endpoint Access Manager installation continued. The installation could have easily bombed out because I didn’t have a prerequisite in place, but I was pleased that it let me continue.
The product then prompted me to create a new database. You can choose No and set up the database yourself, but I decided to let the installation wizard do it for me. The wizard asked for the connection information to the SQL Server database. This information filled in automatically, so all I had to do was click Create.
After the installation was complete, I double- clicked the ControlGuard Administration Console desktop icon and the software presented me with logon dialog box. The Installation Guide gave me the initial username or password that I needed to log on. You can easily change the password from within the administration console. The first time you start the console, a wizard walks you through the configuration process. The User Manual also provides a nice workflow that shows you how to get everything up and running.
The first step in the wizard is to set up directory collaboration with Endpoint Access Manager. I tested this functionality only with Windows Server 2003 AD, but NT domains and Novell eDirectories domains are also options. The purpose of AD integration is to let you create logical groups of computers to manage based on OUs you already have in AD.
The next step is to add the computers to which you want to apply the settings. If you have your computers segregated into OUs, this step will be simple. For example, if your OU structure contains two OUs called Managers and Ops Floor beneath All Computers, it would be easy to deploy the policies to just those two separate OUs and not to the other servers or domain controllers (DCs).
Endpoint Access Manager uses a certificate to ensure that the server and client are communicating with the correct machines. The certificate has to live in the \system32 folder under C:\windows on each client machine. You can copy the certificate manually or use the included MSI Updater to insert the certificate into the MSI installation file. Adding the certificate is simple. If you want, you can also update the .msi file with some initial policies. Doing so helps ensure that all your new PCs are secured as soon as their computer accounts are added to the domain.
Before you can send out a policy to secure endpoints, you need to install the agent onto each PC. The typical methods are available (i.e., setup.exe file, batch script, Group Policy), but what sets Endpoint Access Manager apart is its “on-the-fly distribution.” This feature installs the client onto all network computers almost immediately. After you start the Endpoint Access Manager AD Synchronization service, you can set it to synchronize with AD every x minutes. (I set it to 5 minutes.) Now, every time a computer is added to AD, the ControlGuard Endpoint Access Manager Service is automatically installed onto the new machine. What I like about this method is that it’s totally hands-off for the administrator. You have enough to worry about without having to manage the installation of the Endpoint Access Manager client!
I waited a few minutes for the client to install, but nothing happened. The XP firewall log indicated that the Endpoint Access Manager server was trying to connect to the XP client through port 135. I opened that port, but the client still wouldn’t install. The deployment event log within the ControlGuard Administration Console indicated that I needed to fix the security or WMI settings on the XP client. I couldn’t find any documentation that described which ports needed to be opened for the client to install, and the Support Page at ControlGuard’s Web site appeared to be down for reorganization. To continue with my testing, I decided to simply shut off the XP firewall. The client then installed in a few minutes. This documentation oversight needs to be addressed soon.
The final step is to create Access Control Lists (ACLs) that define which devices can and can’t be used on a computer. I called my first ACL total lockdown and proceeded to lock everything—removable storage, floppy drives, Bluetooth ports, printer ports. Figure 2 shows the ACL Editor. Endpoint Access Manager can lock down the same devices as DeviceLock, but also adds protection for Palm OS devices, Windows CE devices, Research in Motion (RIM) devices, and printers, as you see in Table 1. When I logged in as a normal user on the XP PC, I was immediately denied access to my USB thumb drive.
As I mentioned earlier, DeviceLock’s tight integration with Group Policy lets it use the RSOP tool to determine which security settings will apply to a given user or PC. Endpoint Access Manager doesn’t have the same integration. Instead, it uses a tool called the ACL Simulator. You simply add the name of the computer and the name of the user or group to which the policy will apply, then click Calculate. This functionality is no better or worse than that of the RSOP tool—just different.
Make Your Choice
Both SmartLine and ControlGuard offer exceptional products that can help you get a handle on rogue devices that can potentially steal your company data. Endpoint Access Manager has the simplest interface of the two and offers all its tools on one handy screen. I also valued the Endpoint Access Manager AD Synchronization service, which ensures that all new computers added to the AD domain have the ControlGuard Endpoint Service installed and running.
Both products support the use of white lists (ControlGuard calls its list an Approved Device List). This feature lets you permit certain devices based on users, computers, devices, or vendors. For example, suppose you want to disable the USB port for all devices except a mobile Internet card. This feature lets you create a blanket policy that disables the USB port yet permits this one special device.
DeviceLock hits a home run with its Group Policy integration. This functionality lets you install and configure the client service in one place. The management tools do get a little busy until you get comfortable with the purpose of each one.
After you’ve secured your network’s endpoints, you’ll probably want to generate a report either for auditing purposes or for confirmation that you’ve set everything up correctly. Endpoint Access Manager offers extremely detailed reports via a Web page. (For that reason, IIS is required during the initial installation.) DeviceLock has its reporting built directly into the DeviceLock Enterprise Manager, which lets you make policy changes directly from the report. For example, if the report shows that the floppy drive is accessible to everyone when it shouldn’t be, you can right-click that particular endpoint and make the necessary security changes immediately.
Neither vendor has a great support Web site. I expected to see more than a few FAQs and would have liked to browse each company’s Knowledge Base (KB) articles. This lack of detailed support was by far my biggest disappointment while reviewing these two products.