By far, the hardest security hole to plug in the Windows enterprise is the one that comes from within -- and by that we mean the downloading of unauthorized intellectual property onto removable end point devices.
Many administrators don't realize they can use Windows features in Group Policy and Active Directory to lock down hardware, and, indeed, the technology to do so has been around for some time.
But in the past few years, tools for port protection have started appearing that offer rich management and control of a wide range of hardware devices, such as USB ports, Wi-Fi, CD ROMs, memory sticks, printers and scanners, said Jeremy Moskowitz, an independent consultant and Group Policy expert based in Wilmington, Del.
Several companies that make software to lock down end points and even provide some reporting tools are; CenterTools Software GmbH, Ludwigsburg, which makes DriveLock; SmartLine Inc., in San Ramon, Calif., which makes DeviceLock; and Safend Inc., in Philadelphia, which makes Protector.
All three companies offer software that gives IT administrators the ability to use Group Policy to manage exactly which groups of users or individuals can download data and on which endpoints. They can even specify what time of day downloads can occur.
Group Policy hardware lockdown
This level of granularity is a far cry from what has been offered in the past in terms of hardware lockdown using Group Policy, Moskowitz said.
"It's not something you used to be able to do out of the box," he said. "There is a way in XP SP2 to control what you read and write to the USB drive. But it doesn't go far enough. What these [companies] are doing is super-fine tuning."
The ability to offer this level of control over end points is not something that most IT administrators expect from Group Policy. Until now, most individuals have used Group Policy to manage management software. And even then it was restricted to working with the OS, Internet Explorer and perhaps some functions of Office or some of the other Microsoft information worker products, said Peter Pawlak, an analyst at Directions on Microsoft, a Kirkland, Wash., consulting firm.
"It was one of the limitations of Group Policy, that it couldn't be used across the board," Pawlak said. "You used to have to bring in other interfaces, some things you would have to write a script. Or you used whatever tool the hardware or software vendor provided to manage it, and each one used a different technique."
"It's better if you can have control centrally using one mechanism," Pawlak added.
Interest among IT managers in preventing access to endpoints is high. "We have a policy in place that says you can't have a CD ROM reader in your machine, or a floppy drive," he said. "The company is worried about people taking drawings and giving them to competitors," said Clyde Johnson, a senior network and systems administrator at materials manufacturing company, HCC Industries in New Bedford, Mass.
Indeed, there are organizations that use epoxy to glue ports shut, said Dor Skuler, vice president of business development at Safend. "Some call center reps work with social security numbers and account balances in front of them," he said. "[Management] doesn't want them to download that information."
Pricing for these products varies because some companies charge for a management server and some don't. Some offer per-site pricing. To cite one example, Safend's Protector costs $32 per computer and does not require a server, according to Skuler.