May 01, 2008
£7.20 per seat for 200-499 seats (exc VAT); includes first-year maintenance
- Ease of Use:
- Value for Money:
- Overall Rating:
- Strengths: Access policies can be linked to AD user and group membership, very easily deployed, superb media and device type support, media white lists
- Weaknesses: Too many management interfaces spoil the view
- Verdict: Keep your corporate data safe with a superb range of access controls for virtually any type of removable media
DeviceLock aims to solve this problem by delivering the facilities to control access to workstation ports and removable devices from a central location. Apart from USB ports, it can manage access to serial, parallel and infra-red ports plus CD, DVD, MO and wireless network adapters. This version brings Windows Mobile devices under its wing, allowing you to control precisely what your users can do with these. Windows Vista is finally supported and it’s now possible to conduct remote real-time monitoring of the DeviceLock service on selected client systems. Previous versions introduced the concept of enforcing the use of encryption when writing to removable storage devices, and support for the open-source TrueCrypt has been added.
For testing we put DeviceLock on a Boston Supermicro dual 3GHz Xeon 5160 server running Windows Server 2003 R2 and acting as an AD domain controller. The initial process is simple enough, although the number of management options is confusing. You get a standard console that’s deployed as an MMC snap-in and provides access for creating and managing policies and viewing logs. A second integrates with the Windows Group Policy Editor, while the Enterprise Manager is provided for large networks. You need the Enterprise Server component, which requires access to an SQL database, if you want to centrally manage logs of client activity and allow data from shadowing operations to be moved to a centralised storage location.
If you’re not using Active Directory, the Enterprise Manager is the preferred choice as it provides a scan function that locates NT authentication domains, workgroups and specific computers and provides tools to swiftly deploy the DeviceLock agent. For general configuration in our AD domain we found the standard management console sufficient. Creating access policies and deploying them was an absolute breeze as all permissions can be set at the user and group membership levels. You choose which device you want to control, select AD users and groups, determine access levels and decide what times and days of the week they are active on.
We created a policy to block all access to USB ports across all systems on the test LAN and this took seconds to complete. We could also easily fine-tune it to allow administrators read and write access to USB devices but read-only rights for mere users. If you wish, you can customise access further by using a white list of permitted USB devices. The serial number assigned by the manufacturer is imported into the DeviceLock database and is then used to identify and allow access.
DeviceLock’s shadow feature allows it to mirror data written by a user to removable storage devices. The data is stored locally on each PC in a private area and is accessed from the management console, where you can open a selected file or copy it to the management system for further inspection. One annoyance was that DeviceLock only displays security IDs instead of user names for each shadowed operation.
The new controls for Windows Mobile devices are extensive, from managing general read, write and execute rights to controlling access to email, calendars, contacts, media, favourites and so on. For wireless and Bluetooth devices you have general controls that allow read or write operations to be blocked, and you can prevent format operations for storage devices such as hard disks and tape drives as well.
DeviceLock is an elegant solution that can control access to removable media along with the latest Windows Mobile devices.