SQL Server Magazine

Portable storage devices are handy, but they've helped render PCs and laptops much less secure. Shortly after the release of the Apple iPod, clever people figured out that in addition to storing music, the pocket-sized devices could be used to quickly siphon off programs and data from nearly any computer. USB flash drives now hold several gigabytes of data and, with their fast transfer speeds, offer unlimited possibilities for the quick and undetectable theft of company data or the introduction of malware or other unwanted programs. A seemingly endless stream of small, fast devices has appeared on the market, enabling connectivity and data transfer with nothing more than a USB or FireWire port. Windows automatically recognizes and configures many portable storage devices in seconds without additional drivers.

IT departments of every size need to be able to control which users can connect what types of devices to company computers and whether users are allowed to read from and/or write to connected devices. Loss of company data could be more than just an embarrassment; it could violate the law.

Completely disabling all external ports isn't a viable solution—portable devices have too many legitimate uses. Users need to be able to move data around, sync PDAs and mobile phones to their computers, and connect to other devices, such as printers.

Fortunately, several software products are now available that let administrators not only enable and disable ports, but control the types of access that individual users or groups can have to ports. With this type of software in place on a laptop, a sales rep can sync her PDA to the computer, but someone who logs onto that computer with different credentials and plugs a PDA or USB device into one of its ports can't sync the PDA to steal the rep's customer contacts or download data to a USB device. Of course, these software products don't fix all the potential security problems presented by portable media devices, but they're a start.

I tested three products designed to address the need to control access to PC ports: GFI Software's GFI EndPointSecurity 3.0, Centennial Software's DeviceWall 4.0, and SmartLine's DeviceLock 6.0. Each of these products allows control of a variety of ports and devices, such as portable media players, USB memory sticks, CDROM/DVD drives, Compact-Flash and other memory cards, floppy disks, PDAs and mobile phones, network cards, and Wi-Fi, Bluetooth, USB, and FireWire connections. A fourth vendor, SecureWave, didn't make its Sanctuary Device Control product available in time for this review.

GFI EndPointSecurity 3.0
Figure 1 shows the GFI EndPointSecurity 3.0 console. You use this console to create Protection Groups, which contain machines whose ports you want to secure from unauthorized access by portable devices. For each Protection Group, you create a Protection Policy that specifies user and group permissions obtained from Active Directory (AD) for each type of device. GFI EndPointSecurity can control access to portable USB, FireWire, and Bluetooth devices; media players; mobile phones; PDAs; CD-ROM/DVD drives; memory cards; and network cards.

The various devices are grouped by type, so permissions for a user or group apply to all storage devices, or all PDAs, or all CD-ROM/DVDs, regardless of whether they're connected via USB, FireWire, or other method. Users and security groups can be added to the policy for each Protection Group. GFI EndPointSecurity, like the other products reviewed, works well with AD.

From the GFI EndPointSecurity console, you deploy the agent program to individual computers or entire Protection Groups. Agent deployment is fast and requires no user intervention. The agent, like the other clients reviewed, can't be stopped or uninstalled by users with normal user rights; users with administrative privileges, however, would be able to defeat any of the reviewed clients.

Access to devices can be read only or read/write (or prohibited if you don't specify one of the two types of access). For example, granting a user read-only access to a USB drive lets the user copy files from the drive to the computer. Granting no access rights to storage devices prohibits their use, no matter what type of port a user connects them to. Users won't be able to read files to or copy files from memory sticks or media players.

Creating Protection Policies and adding users or groups to policies is quick and easy to do in the GFI EndPointSecurity console, which is a standalone application not integrated with Windows management tools. The console interface makes it easy to see which computers are currently protected. Unfortunately, the ability to grant temporary device access to offline users, a useful feature present in the other two products, isn't available here.

GFI EndPointSecurity logs device-related activity to the software's event log or to a SQL Server database. Both successful and unsuccessful device access and file transfer activity is logged. The ability to log to a SQL Server database is a nice feature that all three products possess. It lets you centralize company-wide activity in one location and use SQL Server reporting utilities to create reports. However, GFI EndPointSecurity's installation process doesn't automatically create the database on the SQL Server system, which I found to be a minor irritation.

GFI also makes the GFI EndPointSecurity ReportPack, an add-on application that lets you view the large number of included reports, schedule automated reports, and create new reports. For businesses that don't already use a separate SQL Server reporting utility, ReportPack is a worthwhile add-on, although I prefer DeviceWall's approach of including the reporting features in the same application as the policy manager.

Overall, I found GFI EndPointSecurity to be a straightforward, solid application. It's designed strictly to help secure network endpoints from unauthorized device use, and it does this well, with a clean, easy-to-use interface. Using USB flash drives, an iPod connected via FireWire, an SDRAM card, and a Bluetooth-enabled mobile phone, I wasn't able to defeat GFI EndPointSecurity's client protection.

   Prev. page   [1] 2 3     next page