Strengths: Access policies can be linked to AD user and group membership, very easily deployed, superb media and device type support, media white lists
Weaknesses: Too many management interfaces spoil the view
Verdict: Keep your corporate data safe with a superb range of access controls for virtually any type of removable media
Summary
All too often administrators fail to realise that the biggest threat is already inside their walls. With the average workstation now equipped with a choice selection of ports and removable storage devices it’s all too easy for users to swipe masses of company data.
DeviceLock aims to solve this problem by delivering the facilities to control access to workstation ports and removable devices from a central location. Apart from USB ports, it can manage access to serial, parallel and infra-red ports plus CD, DVD, MO and wireless network adapters. This version brings Windows Mobile devices under its wing, allowing you to control precisely what your users can do with these. Windows Vista is finally supported and it’s now possible to conduct remote real-time monitoring of the DeviceLock service on selected client systems. Previous versions introduced the concept of enforcing the use of encryption when writing to removable storage devices, and support for the open-source TrueCrypt has been added.
For testing we put DeviceLock on a Boston Supermicro dual 3GHz Xeon 5160 server running Windows Server 2003 R2 and acting as an AD domain controller. The initial process is simple enough, although the number of management options is confusing. You get a standard console that’s deployed as an MMC snap-in and provides access for creating and managing policies and viewing logs. A second console integrates with the Windows Group Policy Editor, while the Enterprise Manager is provided for large networks. You need the Enterprise Server component, which requires access to an SQL database, if you want to centrally manage logs of client activity and allow data from shadowing operations to be moved to a centralised storage location.
If you’re not using Active Directory, the Enterprise Manager is the preferred choice as it provides a scan function that locates NT authentication domains, workgroups and specific computers and provides tools to swiftly deploy the DeviceLock agent. For general configuration in our AD domain we found the standard management console sufficient. Creating access policies and deploying them was an absolute breeze as all permissions can be set at the user and group membership levels. You choose which device you want to control, select AD users and groups, determine access levels and decide what times and days of the week they are active on.
We created a policy to block all access to USB ports across all systems on the test LAN and this took seconds to complete. We could also easily fine-tune it to allow administrators read and write access to USB devices but read-only rights for mere users. If you wish you can customise access further by using a white list of permitted USB devices. The serial number assigned by the manufacturer is imported into the DeviceLock database and is then used to identify and allow access.
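The policy model described in the last two paragraphs (per-device-class rules tied to AD users or groups, an access level, an active schedule, and a white list of individual USB devices keyed by manufacturer serial) can be pictured as a small default-deny evaluator. The following is an added example written for this review, not DeviceLock's own code or an account of how the product resolves conflicts; the group names, the device serial and the rule that the most permissive matching grant wins are all assumptions chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from enum import Enum


class Access(Enum):
    """Access level a rule grants; ordered so the most permissive can win."""
    NONE = 0
    READ = 1
    READ_WRITE = 2


@dataclass(frozen=True)
class Rule:
    device_class: str            # device type the rule covers, e.g. "USB", "CD"
    principal: str               # AD user or group the rule applies to (hypothetical names)
    access: Access
    days: frozenset[int]         # weekdays the rule is in force: 0 = Monday .. 6 = Sunday
    hours: tuple[int, int]       # active window as [start_hour, end_hour) in 24h time


@dataclass(frozen=True)
class Policy:
    rules: tuple[Rule, ...]
    # Device white list: manufacturer serial -> principals allowed to use that
    # specific device regardless of the class-level rules (modelling assumption).
    whitelist: dict[str, frozenset[str]]


def evaluate(policy: Policy, device_class: str, serial: str | None,
             user: str, groups: set[str], when: datetime) -> Access:
    """Default-deny evaluation: a device gets only the access some matching rule
    grants; when several rules match, the most permissive one applies (assumption)."""
    principals = {user, *groups}

    # A white-listed device overrides class-level restrictions for its permitted principals.
    if serial is not None and principals & policy.whitelist.get(serial, frozenset()):
        return Access.READ_WRITE

    granted = Access.NONE
    for rule in policy.rules:
        if rule.device_class != device_class or rule.principal not in principals:
            continue
        start, end = rule.hours
        if when.weekday() not in rule.days or not (start <= when.hour < end):
            continue                      # rule not in force at this time
        if rule.access.value > granted.value:
            granted = rule.access
    return granted


WEEKDAYS = frozenset(range(5))

# Constructed policy mirroring the review's scenario: USB blocked by default,
# Domain Admins get read/write at any time, Domain Users get read-only during
# office hours, and one known device (constructed serial) is white-listed for Finance.
POLICY = Policy(
    rules=(
        Rule("USB", "Domain Admins", Access.READ_WRITE, frozenset(range(7)), (0, 24)),
        Rule("USB", "Domain Users", Access.READ, WEEKDAYS, (8, 18)),
    ),
    whitelist={"SN-EXAMPLE-0001": frozenset({"Finance"})},
)


def check(user: str, groups: set[str], device_class: str, serial: str | None,
          when: datetime) -> str:
    """Return the granted access level name for one access attempt."""
    return evaluate(POLICY, device_class, serial, user, groups, when).name


if __name__ == "__main__":
    monday_10 = datetime(2024, 6, 10, 10, 0)   # a Monday, 10:00
    sunday_10 = datetime(2024, 6, 9, 10, 0)    # a Sunday, 10:00
    print(check("alice", {"Domain Admins"}, "USB", None, monday_10))    # READ_WRITE
    print(check("bob", {"Domain Users"}, "USB", None, monday_10))       # READ
    print(check("bob", {"Domain Users"}, "USB", None, sunday_10))       # NONE
    print(check("carol", {"Domain Users", "Finance"}, "USB",
                "SN-EXAMPLE-0001", sunday_10))                          # READ_WRITE
    print(check("bob", {"Domain Users"}, "CD", None, monday_10))        # NONE
```

The point worth noticing is that a white-list entry is a grant for a specific device, not a relaxation of the class-wide rule: Carol's Finance membership lets her use the one registered device on a Sunday, while any other USB stick she plugs in still falls back to the default deny.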
DeviceLock’s shadow feature allows it to mirror data written by a user to removable storage devices. The data is stored locally on each PC in a private area and is accessed from the management console, where you can open a selected file or copy it to the management system for further inspection. One annoyance was that DeviceLock only displays security IDs instead of user names for each shadowed operation.
The new controls for Windows Mobile devices are extensive, from managing general read, write and execute rights to controlling access to email, calendars, contacts, media, favourites and so on. For wireless and Bluetooth devices you have general controls that allow read or write operations to be blocked, and you can prevent format operations for storage devices such as hard disks and tape drives as well.
DeviceLock is an elegant solution that can control access to removable media along with the latest Windows Mobiles.