Although the popularity of USB security keys/dongles is growing, some detractors claim that the need to constantly insert a USB device could damage a computer's USB ports, as they were not designed to withstand frequent insertions. To solve this problem, Ensure Technologies' XyLoc system uses a proximity card instead of a USB key. You get the best of both worlds: physical security without having to constantly insert a USB device.
In fact, configured a particular way, this security solution can let you log on without even touching the keyboard. XyLoc is easy to install and simple to use. If you’re weighing alternative USB security options, XyLoc is worth serious consideration.
As shown in Figure A, three components comprise the XyLoc solution—the lock, the key (proximity badge), and the software. The lock remains permanently attached to the user workstation via a USB or serial connection and constantly monitors for the presence of a key.
Figure A: These are the XyLoc components.
The USB version of XyLoc is compatible with Windows 95B, 98, Me, NT4, 2000, and XP, and the serial version is compatible with all 32-bit Windows platforms. Ensure says it has tested the device successfully on all versions of Windows as well as Windows and Novell networking clients.
XyLoc is available in different models depending on your security needs. XyLoc Solo, the version I tested, is designed for individual user workstations. XyLoc Enterprise functions the same way as the Solo version from an end-user perspective but adds functions that let administrators perform management tasks from a browser interface, including:
- Create and issue new keys
- Create user groups
- Disable keys (in the case of loss)
- Print audit logs
Other versions include XyLoc Enterprise AI and XyLoc MD, designed specifically for the healthcare industry.
The following are the general system requirements for using the XyLoc system:
- PC compatible, Pentium class processor, portable or desktop computer
- Windows 95/98, Me, NT, 2000, or XP (95B required for USB support)
- CD-ROM drive or a network connection to a server running XSS
- Available serial or USB port
- 5 MB of available hard disk space
Here are the system requirements for running a XyLoc security server:
- Pentium II 350-MHz processor with 128 MB of RAM and 250 MB of hard disk space
- Windows NT 4.0 Server Service Pack 5 or later, Windows 2000 Server, or XP
- Internet Information Services (IIS) 4.0 or later
Installation and configuration
XyLoc installs quickly and easily. Be aware, however, that local administrator rights are required to install XyLoc on Windows NT4, 2000, and XP systems.
The XyLoc user’s guide says that you should attach the lock to the workstation in a position where it can easily read the signal from the proximity key. If you attach the lock under the desktop, for example, but you carry the key around your neck on a lanyard, the lock may not be able to get a good reading. The manual indicates that the lock should be placed so that the key is roughly parallel to the LED on the lock.
Once you’ve completed the installation and attached the lock device to the USB or serial port, the program presents you with a summary of the current configuration, as shown in Figure B.
Figure B: Here is a screen shot of a configuration summary.
The administrator can configure XyLoc to behave in a variety of ways to control the user logon. The combination of options shown in Figure B indicates that users logging in must confirm their identities by entering their passwords, but that unlocking a system after the key has moved out of range requires no password entry.
If you want users to be able to log on without having to type passwords, you can configure XyLoc to allow entry upon detection of the proximity key. Settings for logon options are shown in Figure C.
Figure C: These are XyLoc’s configuration options.
Advanced options allow you to set the user’s access level, specify the automatic logoff time in minutes, and opt to lock workstations after the key has been stationary for a specified period of time—thus preventing users from simply putting their key in a drawer next to their computer. You can enable power options linked to XyLoc so that the workstation will automatically power on when the proximity key comes within range. A variety of other control options are also available.
As Figure B shows, the system can be set to allow the administrator to override the key and log on with a password. If the key is absent, the administrator can still log on as needed. XyLoc requires that at least one user with administrative privileges have this ability. Other users, however, must have the appropriate key to log in.
This setup effectively prevents anyone without a key configured for the workstation from logging in, except for those with administrative privileges, who can still log in with the password override.
When the key is moved out of range of the lock, the workstation is automatically locked. You can set the detection range at one of three points: short, medium, or long. When I put the key in a desk drawer where the lock couldn’t detect it, it did lock the workstation, and I was unable to log on unless I used the administrator password.
Another test I performed was to remove the lock from the USB port altogether to see if I could log on. With the user-level logon, I was unable to gain access to the workstation after removing the lock, but I could still get in as an administrator with my password. When you disconnect the device, XyLoc locks the workstation. If you reboot the system after removing the lock, you still won’t be able to access the workstation without the device unless you’re the administrator. When I replaced the lock, it redetected the presence of the key and prompted me to log on by selecting my username in the window. As long as you’ve got the right key or have administrative rights with a password, you can get in; otherwise, XyLoc blocks you out.
XyLoc also prevents users from uninstalling the software. Attempting to uninstall via Add/Remove Programs with user privileges results only in a friendly reminder message that you don’t have the necessary rights to perform the operation.
The normal operation of XyLoc is pretty smooth. When I leave the workstation, it locks, displaying the logon screen. When I return to my desk and XyLoc detects the key, it automatically unlocks the workstation. Not only does XyLoc offer a new level of end-user security, but it also makes the security much more convenient. As long as I’ve got my key, all I have to do is sit down and start working.
Sure, this kind of setup comes with all the drawbacks associated with proximity cards: When users forget their cards or lose them, it will be a hassle to get them back up and running and to secure their workstations. The Enterprise version of XyLoc makes management of situations like this a bit easier, however, because it offers centralized management of user accounts and their keys. If someone loses a key, for example, an administrator can log on to the XyLoc server from any location via a Web browser and disable the key to prevent unauthorized access.
The bottom line
Overall, XyLoc looks like a promising alternative to the traditional user ID and password security system. From the administrator’s perspective, it’s easy to install and manage and can be a solid security addition. For end users, it offers streamlined logon.
In the future, I believe solutions such as XyLoc should be made more practical by integrating them into workstations or keyboards, eliminating the need for an external USB device. Universal proximity cards that grant building access as well as network logon would also be helpful, as this would eliminate the need for users to carry multiple cards.