PRICE: £7.14 (200-499 seats, £7.14 per seat exc VAT)
UPGRADE: 1yr free, then annual maintenance is 30 per cent of initial cost
ISSUE: 132 DATE: Oct 05
Verdict:
A simple yet versatile app for controlling access to workstation ports and devices. Auditing is a cut above the rest and it's good value too.
The security threat posed by removable devices can't be ignored. It's now all too easy for employees to swipe huge chunks of valuable corporate data with nothing more than a cheap USB key. In most cases, there's no need for staff to have any access to a workstation's ports, but either way network administrators need to lock down access tightly.
There are plenty of products on the market that can be centrally managed, and we've already seen DeviceWall from Centennial Software. DeviceLock offers a similar set of features, although it became clear during testing that it's more versatile, has better reporting facilities and supports more port types.
For testing, we loaded DeviceLock on our Windows AD test domain, which only took a couple of minutes. Each system requires an agent service to be installed and, although the deployment options aren't as comprehensive as DeviceWall's, you can use AD Group Policies to push the agent out. Two management consoles are provided, with the standard DeviceLock Manager offering a simple interface for setting access permissions on individual systems. The Enterprise Manager console is better suited to larger networks, since it's designed to administer multiple systems.
DeviceLock works by monitoring user requests to devices and ports and deciding whether to permit or deny access based on policies set from the main console. If access has been blocked, the user merely receives the standard Windows Access Denied message, so there's no indication that DeviceLock is even in the background. The Manager is easy enough to use and provides a tree of all workgroups and domains, which it automatically populates. Selecting a system displays a list of ports to the right, and you can select individual entries or multiple ports and decide what access levels should be permitted. We could browse our domain and add users and groups to the list. There's also a schedule to determine what periods of each day the policy should be active for.
The benefit of this method is that multiple access policies based on user and group membership can be deployed to selected workstations for different ports, making DeviceLock extremely versatile. Common access policies for ports and devices can also be deployed easily using the Batch Permissions tool.
For each port, you can either permit or deny access, but where read and write operations are supported, read-only access can be enforced. DeviceLock also tackles the issue of USB input devices, as you can permit the use of keyboards, but stop flash drives from being used, for example. However, unlike DeviceWall, DeviceLock isn't geared up for mobile workers, as permissions can't be changed without them accessing the network where the console is operating. Consequently, a mobile DeviceLock client user can't request a change in their access permissions while the device is off-site - with DeviceWall they can. On the other hand, reporting is far more extensive, because DeviceLock maintains audit logs of all activity. Even these activities can be customised, so you could activate audits on individual systems and ports and also use the scheduler to run these at specific times.
Apart from the mobile question, we found DeviceLock a solid solution to what's becoming a major security concern. It's easy to deploy and offers high levels of access control, and is also better value than much of the competition.
By Dave Mitchell
SPECIFICATIONS:
Requirements: Windows 2000, XP, 2003.