ControlGuard Access Manager 3.0
ControlGuard
Price: $10-$50 per seat
Employees are using--and sometimes abusing--USB memory sticks,
iPods, wireless network cards and PDAs. Uncontrolled use of these
devices exposes the organization to data loss and theft, and
unauthorized access to corporate networks.
Until recently, nothing short of putting everyone under video
surveillance or conducting physical searches could alleviate the
problem, but ControlGuard's Access Manager is among several
software packages that effectively allow you to monitor and control
what devices can be attached to workstations.
Configuration/Management: B
Server and console installation was fairly simple. Access Manager
can integrate into Microsoft Workgroups, domains and Active
Directory, and Novell eDirectory. Workstations can either be
auto-discovered or entered manually. Access Manager can be set up
to regularly synchronize with Active Directory.
Access Manager deploys two distinct types of agents: a control
agent that enforces policies and reports to the server, and a
monitoring agent that only reports. Agents can be installed
manually, pushed out through products like SMS, or through the
console.
Policy Control: B
Access Manager makes it easy to convert security policies into
working control points through access control lists and in granular
detail. For example, an administrator can specify the type of
device; a specific piece of media, for example, the MS Access
Install Disk 1 CD; rights, e.g., read-only; or an exact device,
such as a specific USB drive issued by the IT department.
Administrators can pick users, workstations or groups and apply
generic or specific access control lists. Access Manager also
allows the administrator to test the access control list before it
is deployed. Out of the box, the default policy is set to deny.
Effectiveness: B
Access Manager makes it possible to enforce what was once
unenforceable, making it relatively easy for administrators to turn
policies into control points. Since Access Manager can be used in
environments ranging from Workgroups to Active Directory, it will
fit in with small businesses and large enterprises. Unfortunately,
Access Manager does not work with Macintosh OS X, Linux or
Unix.
In our testing, we developed a series of access control lists
that both denied access and gave partial access to specific devices
and media. The system effectively prevented us from violating the
assigned access control lists. We also tried to bypass and
uninstall the agent without admin privileges, but gave up after two
hours.
The control coverage is extensive: removable media, input/output
devices, modems, PDAs, printers, MP3 players, CD/DVD burners,
memory sticks, LAN adapters, digital cameras, scanners, iPods, cell
phones, memory cards, WiFi, Bluetooth, PCI, ISA, PCMIA, FireWire,
infrared and Zip drives.
Reporting: B
There are approximately 20 canned reports (you can also create
custom queries) available in three modes--summary, regular and
detailed. These include an events summary report, events by
workstation or user, and forensics data. Reports are generated in
HTML format and can be exported.
Verdict
ControlGuard Access Manager is an effective tool for controlling
what devices users can add to their workstations and how they are
used. While it does not work with Macintosh, Unix or Linux systems,
it would be an effective solution in a Windows shop of any
size.
Testing methodology
We created users and policies against assorted USB memory sticks,
WiFi cards, PCMIA cards, CD burners and iPod products. The
platforms included Windows 2000 Server, Windows XP and Windows XP
Professional as test machines.
This review originally appeared in the Sept. 2006 edition of
Information Security magazine.