Since Windows XP first came out, there has been an ongoing debate among security experts as to the best way to secure a workstation. Some claim that the only real way to prevent users from installing unauthorized software or downloading company files is to remove any floppy disk drives or CD-ROM drives from the workstations.
At the same time, though, there are others who say that removing such devices only punishes the help desk employees and that there is no reason to remove such devices when you can simply control them through a group policy. But no matter which side of the debate you're on, there is a free utility called DeviceLock from Smartline, Inc. to aid you in the battle for workstation security. It's designed to lock down a desktop’s hardware on a per-user basis.
Acquiring and installing DeviceLock
You can download DeviceLock from Smartline's Web site. The program currently comes in two flavors—one for Windows NT/2000/XP and one for Windows 95/98/Me. I will be evaluating the Windows NT/2000/XP version.
The download consists of a 1.44-MB ZIP file. Simply download the Devicelock.zip file, save it to an empty folder on your system’s hard disk and then use a decompression program such as WinZip or PKZip to decompress it.
After you have unzipped the Devicelock.zip file, double-click on the file Setup.exe to launch the installation process. You'll then see the installation wizard’s Welcome screen. Click the Next button to move on to a screen containing some important notes about the way that DeviceLock operates. I will cover these operational issues later on.
Click Next and you'll see the software’s end user license agreement. The license basically indicates that the software is shareware. You are free to use the software on a single PC for 30 days, but after that you must register the software. You are also free to distribute the software as long as you don’t modify it or make a profit from it.
Click Yes to accept the license agreement and the installation wizard will ask you which folder you want to install the software into. Make your selection and click Next. The installer will then ask you whether you want to perform a typical or a custom setup. A typical setup requires 2,475 KB of disk space while a custom installation can require as little as 840 KB. The custom installation options allow you to leave out options such as the DeviceLock Service, the DeviceLock Manager, and the DeviceLock manual. Normally, I would suggest installing all components unless you are installing them on an end user’s PC. For an end user, I recommend installing only the DeviceLock service.
After selecting which components you wish to install, click Next and Setup will ask which program folder you wish to use. Make your selection, click Next, and you will see a screen containing all of your installation options. Click Next once more and Setup will copy all of the necessary files.
When the copy process completes, Setup will ask you for the location of the registration file. If you are simply installing the trial version, then just click Cancel. You will now see a screen that gives you the option of automatically locking several different hardware devices. This screen is shown in Figure A. There is also a check box that you can use to create local groups if they do not already exist. You can even select check boxes that prevent the software from locking down USB-based keyboards, mice, and printers. I personally used the Skip button to avoid locking anything down at this time. Not being familiar with the software, I didn’t want to accidentally lock myself out of my computer. After clicking the Skip button, I received a message that installation was now complete.
Figure A: You have the option of locking down your hardware during Setup.
I said that the DeviceLock Manager was an optional component. However, the DeviceLock Manager is the only graphical mechanism for interacting with the software. The idea is that you'll want to install this console on your own PC, but not on the users' PCs. After all, you don’t want users to be able to just open DeviceLock Manager and remove the locks from their PCs.
When you open the DeviceLock Manager, you will see a screen that looks something like the one shown in Figure B.
Figure B: The DeviceLock Manager interface
The DeviceLock Manager allows you to select a PC and then set permissions for the various hardware devices. You can only set the permissions for systems that you have installed DeviceLock onto.
Using the software is simple. All you have to do is select a PC, select a hardware device on that PC, and click the button that looks like a single key. You will then see a screen that’s very similar to a Windows access control list. From here, you can add and remove security groups and assign each security group either full access or no access to the device. You can even control what times of the day and what days of the week the user is allowed to have access. Some devices also offer additional options. For example, for a removable media device you can choose whether or not to allow the user to format or eject the media (see Figure C).
Figure C: You can control who has what type of access to a device at what time.
You might have noticed in Figure B that there is an icon that displays two keys. This is the batch permission button. This button works similarly to the permissions button, but allows you to assign permissions across multiple PCs simultaneously, if each PC is running a copy of DeviceLock. Batch permissions still give you the flexibility of configuring specific devices and assigning different permission levels to different users. The only real difference between the permissions screen and the batch permissions screen is the ability to assign permissions to multiple PCs simultaneously.
I had previously evaluated an older version of DeviceLock and had a few issues with it. The older version had trouble recognizing domain users and wouldn’t allow you to lock down USB ports or FireWire ports, which represents a huge security risk.
When I reviewed this version, though, I was very happy to see that these and a few other minor issues had been taken care of. The software works well and seems to be stable. In my eyes, this software is a real winner. While it’s true that you can lock down hardware through group policies, this software is great for anyone who either doesn’t know how or doesn’t have time to do so.