Source : Redmondmag.com
Writer : Jeremy Moskowitz
You have laptops and kiosks. You may have nurses' stations and library machines. You have consultants in and out all day. You have a big problem.
In an open environment like this, it's far too easy for some sneaky user to slip a USB disk into one of your computers and walk away with sensitive or valuable data. It could also go the other way -- a disgruntled employee or malicious user could walk in the door with EvilApp.exe on a USB disk, connect the disk into the back of an open workstation and infect your entire network.
You need to lock down all the access points to your machines. Windows XP has some provisions to help, but it's not an obvious fix: there's a new Registry key to lock out unauthorized users from a system's USB ports. All you have to do is activate that setting -- on each and every machine you need to secure.
Managing this setting update through Group Policy is far better than running around to every machine on your network.
Many custom ADM files (templates that define the settings an administrator can configure through Group Policy) end up "tattooing" the Registry. When the computer moves around within an AD domain, any restrictions stay with it until specifically removed. The biggest problem with this approach is that it's only for locking out USB ports. There are many other access points through which the bad guys could get your sensitive data out or get malicious programs in.
To do the job right, you need to restrict access to floppy drives, CD-ROM drives, and WiFi and Bluetooth devices. Out of the box, there are some Group Policy settings that can help you control a fraction of these devices, but not all. Fortunately, there are add-ons that can leverage Group Policy to lock down the hardware that's giving you headaches -- Smartline DeviceLock 5.7 and Safend Protector.
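To make the "custom ADM file" approach concrete, here is an added example of such a template (written for this page, not taken from the article or either vendor). It assumes the Windows XP USB mass-storage driver key HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR and its Start value, where 4 disables the driver and 3 restores its default manual start:

```adm
; Custom ADM template (added example, not from the article).
; Assumption: the USB storage lockdown lives under the USBSTOR service key,
; Start = 4 disables the driver, Start = 3 is the normal (manual) start type.
CLASS MACHINE
CATEGORY !!Cat_RemovableStorage
  POLICY !!Pol_DisableUsbStor
    KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
    EXPLAIN !!Pol_DisableUsbStor_Explain
    VALUENAME "Start"
    VALUEON  NUMERIC 4   ; Enabled  -> driver disabled, USB disks stop mounting
    VALUEOFF NUMERIC 3   ; Disabled -> driver back to manual start
  END POLICY
END CATEGORY

[strings]
Cat_RemovableStorage="Removable Storage (custom)"
Pol_DisableUsbStor="Disable USB mass storage driver (USBSTOR)"
Pol_DisableUsbStor_Explain="Enabled writes Start=4 to the USBSTOR service key so USB disks cannot be used. Disabled writes Start=3. Because this key is outside the Policies tree, Not Configured leaves whatever was last written in place (the setting tattoos the Registry)."
```

Because the key is outside the Software\Policies trees, the Group Policy Object Editor hides this entry until you clear "Only show policy settings that can be fully managed" under View > Filtering, and removing the GPO does not undo the value, which is exactly the tattooing behaviour the paragraph warns about.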
Head-to-Head Review
Smartline DeviceLock
DeviceLock helps you lock out ports so that data remains where it should. The latest edition takes that protection to the next level by plugging into Group Policy.
The interface should be relatively familiar to Windows admins. DeviceLock's potential lockdown points appear in the Computer Configuration portion of the Group Policy Object. The example in Figure 1 shows which AD groups have access to the USB ports. DeviceLock also lets you specify the time for which these entries are valid.
Other hardware options are configured in much the same way: Simply double-click the entry, specify the AD users or groups that should have the restriction and specify the options.
Setting up DeviceLock is simple: Load the software on the Group Policy administration machine, then install a service on all potential target machines. The service is wrapped up as an MSI that you can deploy through Group Policy.
DeviceLock is a simple tool with a simple mission. As such, it doesn't give you a huge array of control options. The USB control is excellent, with the ability to add specific USB devices to accept, thereby rejecting any non-specified devices.
Other hardware devices, such as Bluetooth devices and WiFi access, would benefit from similar levels of control. Also, it would be helpful to be able to specify which devices it could contact through Bluetooth or WiFi, and the ability to restrict PCMCIA (PC Card) slots.
DeviceLock also offers a standalone management console if needed, but it almost seems superfluous, since Group Policy is the ideal way to control the enterprise.
REDMOND RATING:
Smartline DeviceLock
Documentation 5% 8
Installation 5% 8
Feature Set 40% 8
Level of Control 40% 7
Interface 10% 9
Overall Rating: 7.7
--------------
Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional
DeviceLock
Smartline Inc.
866-668-5625
212-279-8895
www.devicelock.com
Pricing: $35 for single license, $2,500 for up to 200 computers and $7,500 for up to 2,000 computers
Safend Protector
Safend Protector has a similar mission to DeviceLock, but uses two products to restrict USB port usage: USB Port Protector and USB Auditor. Auditor helps you figure out who is using what port, then Safend Protector and Group Policy lock it down.
Safend Protector goes further. It can also help you control access to Firewire connections, PCMCIA cards, serial and parallel ports, WiFi connections, and IrDA and Bluetooth devices.
Safend Protector requires software on all target machines. This software component is wrapped up as an MSI you can easily deploy with Group Policy. While DeviceLock's entire user interface is self-contained within Group Policy, Safend Protector takes a different approach. It uses a separate interface to design deployment policies.
Once you've finished setting up a policy, simply save it and Safend Protector basically writes it to AD as a new Group Policy Object. For example, I configured a policy that prohibits PCMCIA card usage, except for smart cards. After defining all the necessary policies, go to the Group Policy Management Console (GPMC) and link the GPOs to the users or computers you want to update with those settings.
REDMOND RATING:
Safend Protector
Documentation 5% 8
Installation 5% 8
Feature Set 40% 8
Level of Control 40% 9
Interface 10% 7
Overall Rating: 8.3
--------------
Key:
1: Virtually inoperable or nonexistent
5: Average, performs adequately
10: Exceptional
Safend Protector
Safend
215-496-9646
www.safend.com
Pricing: Starts at $32 per seat
Pick Your Lock
Both DeviceLock and Safend Protector help you effectively and efficiently restrict user access to hardware devices with Group Policy. They can both control many different types of devices and offer good granular control. Choosing one over the other really comes down to a matter of interface and style of operation.
Safend Protector runs as part of the operating system, which means that a determined hacker would have trouble turning it off. It also has a password-protected uninstall routine, so even local administrators can't remove it. That gives Safend Protector the upper hand in terms of security.
The downside is that it has a different interface for editing policies. Flipping back and forth between the custom Safend Protector utility and the GPMC was a bit tedious, so the winner from the interface perspective is DeviceLock.
While DeviceLock has the familiar interface and ease of operation, the downside is that it runs as a service. As such, it's easier to turn off or uninstall completely. Users that are local machine administrators may be tempted to do this to remove any restrictions.
It's a good idea to use Group Policy to control access to your network's hardware devices. Doing so will simplify your administrative tasks, help you provide greater security for your network and keep your company's critical data where it belongs. Both of these products extend Group Policy's reach, and are worthy of serious consideration in your enterprise.
Jeremy Moskowitz, MVP, MCSE, founder of Moskowitz, Inc. (Moskowitz-inc.com), is an independent consultant and trainer for Windows technologies. He runs the GPanswers.com and WinLinAnswers.com community forums to answer tough Group Policy and Windows/Linux integration questions. His popular book on Group Policy is entitled Group Policy, Profiles and IntelliMirror. His latest book is Practical Windows and Linux Integration: Hands-on Solutions for a Mixed Environment. Jeremy is a frequent contributor to Redmond magazine and is the Linux track manager at TechMentor. You can contact Jeremy about "No Entrance, No Exit" at jeremym@moskowitz-inc.com.