Intellectual property and customer data should be the most tightly guarded information on your network. Unfortunately the proliferation of cheap USB hard drives has made this very difficult. Many security firms or vendors will hype this threat to the point of it becoming hysteria, but the fact remains that is indeed an issue that needs to be addressed.

The majority of times the breach will not be intentional. One of the salesmen may need to work on a proposal for a potential client at night, so he downloads a copy of the fund estimates to his USB key and brings it home. Unfortunately on the way he loses the thumb drive or his laptop. Now financial estimates may leak into the wrong hands, causing any number of issues, and quite a bit of embarrassment. To address this matter many firms require the disabling of usb thumb drives.

To adhere to the policy you could try to disable all USB ports using a domain policy, but unfortunately this will remove your usb keyboards and mice as well. At one point I had used a registry hack that disabled the USBStor.dll from being loaded. This prevented any USB storage device form mounting on the PC. But this was clumsy and also made it difficult for my engineers to use tools on the network that they loaded on USB thumb drives when fixing a users PC. It was at this time I began to look for a managed solution and one of the fist companies I called was DeviceLock. I have been pleased with the product so I wanted to share my experiences with it.

Purchasing
You can download a trial copy of the software from their web site at http://www.devicelock.com/ If you do decide to purchase the software you can do so through a rep that is assigned to your area. A simple update of a license key is all that is needed to convert the installation.

Installation and Deployment
The software is client server based, with a client that needs to be installed on every machine within your network. The client is easily pushed from within the server admin application. The server installation is very straight forward. I chose to install it on a virtual machine on my VMWare Enterprise ESX box. No issuess resource wise or compatibility wise from within the virtual machine. After you have finished the installation you will have three icons to begin working with.

1. DeviceLock Enterprise Manager
2. DeviceLock Management Console
3. DeviceLock Service Settings Editor

Client Installation
The first action that you need to perform is to install the client across the machines that you wish to restrict on the network. This is a fairly easy process. Double click on the DeviceLock Enterprise Manager icon and you should see a similar screen to the following



You can select the targets for the installation using a number of different criteria such as:

1. Domains
2. Organizational Units
3. Computer List
4. LDAP
5. From a File

For this deployment I chose to use a file since I only wanted to test the system on a small number of machines within my network before deploying it to the rest of the firm. After loading in your list of machine names form a text file you just hit scan and watch the progression of the installations. The time required for the installations varies to the number of machines. After the installation of the client, target machines will have a new DeviceLock service that they will not be able to shutdown. This service is what performs the security checks and enforces the policies.

Policy Deployment and Configuration
The next step is to begin the deployment of the policies to the workstations. When you click the File -> Scan Network option you are back to the screen you used for pushing the client. This time you will select the "Set Service Settings". As soon as you choose this setting you will be prompted to Select a current policy or add a new one.



In this case you should click new, then choose edit to create a custom set of values. You immediately have a large number of options to tailor the client to your specific needs.



It is best to read the manual so that you can determine which features will best protect your systems as well as adhere to the security policies set by yourself or by management. I chose to lock down all devices just to cover all risks and prevent any of the more creative users. One feature that I also like is the option to install a custom restriction notice. Basically when an unauthorized device is connected to the pc it gives a message that I was able to customize to inform users to contact myself for questions relating to the security settings.

Temporary Access Keys
One of the features i use quite frequently is the generation of a temporary access keys. When I have users that will be performing a specific task that requires a time period of access to USB devices, I can generate for them a temporary pass key that provides them with access. With this key you can define how long they can have access and to what resources. The key can be set to expire for a number of options from hours to days, up to a month. The key is quite long, but when issued via email users can easily paste it in.

Conclusions
DeviceLock is a simple yet powerful tool that delivers exactly what it promises. I would recommend it to anyone.

Technorati Tag - USB Security

About the Author
Blake Wiedman has been in the technology industry for 10 years. Serving in the United States Air force and working as a security assessor for the banking and financial industry. Blake is currently working as the Head of Technology Infrastructure for a financial firm.
You can contact Blake at: gso.gsecur@gmail.com