ControlGuard targets rogue devices

ControlGuard Access Manager is an effective tool for controlling what devices users can add to their workstations and how they are used.

ControlGuard Access Manager 3.0
ControlGuard
Price: $10-$50 per seat

Employees are using--and sometimes abusing--USB memory sticks, iPods, wireless network cards and PDAs. Uncontrolled use of these devices exposes the organization to data loss and theft, and unauthorized access to corporate networks.

Until recently, nothing short of putting everyone under video surveillance or conducting physical searches could alleviate the problem, but ControlGuard's Access Manager is among several software packages that effectively allow you to monitor and control what devices can be attached to workstations.

Configuration/Management: B
Server and console installation was fairly simple. Access Manager can integrate into Microsoft Workgroups, domains and Active Directory, and Novell eDirectory. Workstations can either be auto-discovered or entered manually. Access Manager can be set up to regularly synchronize with Active Directory.

Access Manager deploys two distinct types of agents: a control agent that enforces policies and reports to the server, and a monitoring agent that only reports. Agents can be installed manually, pushed out through products like SMS, or deployed through the console.

Policy Control: B
Access Manager makes it easy to convert security policies into working control points through granular access control lists. For example, an administrator can specify the type of device; a specific piece of media, such as the MS Access Install Disk 1 CD; rights, such as read-only; or an exact device, such as a specific USB drive issued by the IT department.

Administrators can pick users, workstations or groups and apply generic or specific access control lists. Access Manager also allows the administrator to test the access control list before it is deployed. Out of the box, the default policy is set to deny.

Effectiveness: B
Access Manager makes it possible to enforce what was once unenforceable, making it relatively easy for administrators to turn policies into control points. Since Access Manager can be used in environments ranging from Workgroups to Active Directory, it will fit in with small businesses and large enterprises. Unfortunately, Access Manager does not work with Macintosh OS X, Linux or Unix.

In our testing, we developed a series of access control lists that both denied access and gave partial access to specific devices and media. The system effectively prevented us from violating the assigned access control lists. We also tried to bypass and uninstall the agent without admin privileges, but gave up after two hours.

The control coverage is extensive: removable media, input/output devices, modems, PDAs, printers, MP3 players, CD/DVD burners, memory sticks, LAN adapters, digital cameras, scanners, iPods, cell phones, memory cards, WiFi, Bluetooth, PCI, ISA, PCMCIA, FireWire, infrared and Zip drives.

Reporting: B
There are approximately 20 canned reports (you can also create custom queries) available in three modes--summary, regular and detailed. These include an events summary report, events by workstation or user, and forensics data. Reports are generated in HTML format and can be exported.

Verdict
ControlGuard Access Manager is an effective tool for controlling what devices users can add to their workstations and how they are used. While it does not work with Macintosh, Unix or Linux systems, it would be an effective solution in a Windows shop of any size.

Testing methodology
We created users and policies against assorted USB memory sticks, WiFi cards, PCMCIA cards, CD burners and iPod products. The test machines ran Windows 2000 Server, Windows XP and Windows XP Professional.

This review originally appeared in the Sept. 2006 edition of Information Security magazine.
