During the past few weeks, I've been concentrating my reviews on security scanning tools. This week, I take a break from scanning tools to look at WinShield SecurePC, a desktop security and control solution from Citadel Technology.

Features and Benefits
You can install SecurePC on standalone or networked computers—for this review, I looked at the networked version. The main difference between the two is that with the standalone version, administrators must configure settings on each PC; with the networked version, administrators can configure multiple security profiles and push them to the desired workstations.

SecurePC lets administrators select the rights and privileges that end-users will have on their workstations. You can use the product to configure policies that protect Windows NT, Windows 9x, and Windows 3.x workstations. SecurePC's features are too numerous to list here, but let's look at a few of the more important ones.

For desktop protection options, administrators can control access to the Start menu and desktop shortcuts, control Windows Explorer and Active Desktop settings and functions, prohibit changes to the Start menu and desktop appearance, and control network access and settings. Under the system protection options, administrators can control access to settings, the Control Panel, and Help and Run functions. You can also prevent access to regedit and general system settings, allow the use of only specific CD-ROMs, prevent changes to printers or printer drivers, control access to DOS and DOS applications, and allow only the use of approved software applications. Specific user control and security settings include automatically logging off inactive network users, defining which users can access specific applications, and defining how long users can access the computer or a specific application. Internet security options include the ability to allow access to only approved Web sites, using keywords to restrict users from sending or receiving data via Internet connections (i.e., HTTP, POP, FTP, or SMTP), and controlling the amount of Internet access and email use each day. Screen 1 shows a few of the many control settings.

Installation and Use
Citadel Technology recommends that you install the networked version of SecurePC on a Pentium-class workstation running NT or Win9x. SecurePC works with NT Server 4.0 and Novell NetWare 3.12 or higher servers to store and push out the workstation profiles. For this test, I decided to see how SecurePC stands up in a real-world environment. I installed SecurePC on a Pentium 166MHz laptop with 64MB of RAM and a 3.0GB hard disk running Windows 98. I then took my laptop to a favorite client's site, a cyber-night club that has PCs available for customers to use. In a typical week, the night club's IT staff has to rebuild two or three computers after a customer has figured out how to get past the weak Win98 security and play with the settings or delete files on the workstation. The environment consists of Win98 workstations, all of which authenticate to an NT 4.0 domain controller.

Installing the software on my laptop was easy and didn't require a system reboot. The program firsts asks for a network path (a Uniform Naming Convention—UNC—path) to install the software to and then asks for a password to protect access to the software. After I plugged my laptop in to my client's network, I quickly created a default user profile restricting access to everything except Microsoft Internet Explorer (IE). SecurePC also let me force users to authenticate to the server and not bypass the Win98 login screen simply by pressing the Escape key. I also set the workstations to automatically log off after 20 minutes of use.

Pushing the profiles to the night club workstations was simple. Clicking the Members tab let me select which users were members of the specified profile. After I finished this selection process, I simply saved my settings and rebooted each workstation. My client was amazed at how locked down his environment now was, and even I was impressed with how easy it was to control multiple workstations. SecurePC also has a reporting capability, as Screen 2 shows, that lets users generate reports that list all the changes SecurePC invokes on a particular PC.

Unfortunately, my client was very disappointed when I told him that I had to remove SecurePC from his environment. However, I'm sure he'll be ordering his copy very soon.

Looks Can be Deceiving
At first glance, SecurePC looks like nothing more than a glorified Windows policy editor. Upon closer inspection, the program and its features prove that this product is much more than that.

In a perfect world, we'd have only NT workstations connecting to NT servers. This environment would let you use the OS's built-in, free NT User Profiles to control user access. Unfortunately, this isn’t a perfect world and we have Win9x workstations, which are inherently insecure, connecting to our networks. With SecurePC, administrators can sleep better at night knowing that they can finally give the Win9x workstations the level of protection that NT user profiles provide.

The standalone version of SecurePC costs $99.95, not a bad price but a lower price point might help SecurePC enter the home user market. The networked version costs $550.00 for 10 seats—a little steep for most environments. But for an environment that requires high security and the use of Win9x systems, this product might be well worth the cost. SecurePC will definitely stay on my list of products to recommend as part of the Ultimate Security Toolkit.

In Brief
Contact: Citadel Technology * (214)520-9292
Web: http://www.citadel.com/default-citadel.asp
Price: $550 networked, $99.99 standalone
Pros: Comes with an easy-to-use interface. Provides an easy way to make Registry and policy changes. Provides a level of security on Windows 9x workstations unobtainable elsewhere.
Cons: In a Windows NT-only environment, you can configure the same settings with user profiles and policies. Email and Web content filtering is better done at the gateway level and not on each workstation. Product does not specify any Windows 2000 compatibility.