Pros & Cons
-
- Protects against data theft via any port or device.
- Can whitelist specific USB devices, set per-user or per-group permissions, define time-based permissions, even assign read-only access.
-
- Requires some study to understand and configure the product.
- Not yet Vista-compatible.
- Whitelisting specific devices requires more steps than in other products.
DeviceLock Specs
| OS Compatibility: | Windows XP |
| Type: | Business |
If you're serious about end-point security, whether for one computer or a hundred, DeviceLock is the solution. It can control access to every type of removable media, including USB drives, removable hard drives, digital media cards, floppy disks, and writeable CD/DVDs. It can cut off communication ports of all types if they aren't needed for legitimate purposes. It can even set specific limitations on particular users or groups, or for particular time periods. You'll have to work a little harder to get it set up, but it'll be well worth the effort.
Competitors
Feel the Power
DeviceLock manages devices at multiple levels. It can block a particular port type completely or block the use of specific device types on that port. For example, you'd typically block USB storage devices but allow USB keyboards, mice, printers, and scanners. If your computer has no serial- or parallel-port devices, for example, you can just shut those ports down. The app can also make exceptions for individual devices or device models. You can whitelist specific known USB devices such as your own Apple iPod and your personal USB drive. It can also pull a variety of reports from all DeviceLock-equipped computers on the network. Finally, DeviceLock can report each computer's current settings, list every device that is now or has ever been connected to each computer, and supply a full audit of all activity.
You get two distinct configuration applets with DeviceLock, the DeviceLock Enterprise Manager (DLEM) and the DeviceLock Management Console (DLMC). The Enterprise Manager pushes out specific setting changes to one or more computers and gathers reports from your computers. It can even install the DeviceLock agent on another computer, provided you have sufficient licenses. The Management Console, on the other hand, lets you view and modify the settings for one computer at a time. Whichever you use, I suggest you define a new user account and add it to the DeviceLock Administrators group—otherwise, any Administrator-level account can change the settings. When you want to run either of the configuration applets, you'll just right-click its icon and choose Run As to run using that dedicated account.—
Adventures in Security
My DeviceLock contact advised me to use the DLEM to configure the product even for a single-computer installation. I had to play with it for a while before I grasped how it works. You're probably accustomed to configuration dialogs that show current settings before you change them. The DLEM can't do that, because it may be controlling multiple computers with disparate settings. Instead, you make changes in specific areas while leaving everything else unchanged; then you use the DLEM to push those changes out to the computers you've selected. If you want to see the big picture, the DLEM will generate a report of the settings on all the computers it has under its control.
I started by setting DeviceLock to do the main job handled by Safend, AntiCopy, and Secure it Easy—blocking access to all USB drives except for approved ones. I right-clicked the DLEM shortcut and chose Run As to use the special DeviceLock Administrator account I'd defined earlier. I configured it to control access for USB storage devices but leave other devices such as mice, keyboards, printers, and scanners alone. Finally, I enabled the option to display a message when DeviceLock blocks access to a USB or FireWire device; without this message, the user just sees "Access Denied" upon trying to open the device. My settings all chosen, I pushed them out to the computers involved—just the local computer, in this case.
When I tried inserting my drawerful of USB drives, DeviceLock blocked them all and displayed a warning message in a balloon tip. It correctly recognized that U3-formatted drives manifest as both a normal drive and a virtual CD; the warning message mentioned both drives. It wasn't fazed by devices with no internal serial number. DeviceLock didn't suppress the devices from appearing in Windows Explorer, the way AntiCopy does. But any attempt to open a blocked device got an implacable "Access denied" message.—
Adventures in Security
Unlike Safend Personal Protector and AntiCopy, DeviceLock doesn't offer any quick and easy path from the "device not allowed" notification to the USB device whitelist. But when you do open the whitelist, you've got a serious degree of control. You pick any device from a list, whether it's currently connected or not. You pick one or more users or groups, from Everyone to "Jimbo in Accounting." And you can whitelist either the device itself or all devices of the same exact model. I tested this with a pair of physically and internally identical USB drives, both of which lack a serial number. DeviceLock dealt with the lack of individual identification by offering to whitelist only the device model—an appropriate response.
Like AntiCopy, DeviceLock can disable CD/DVD writers; the other two products don't have this ability. But unlike AntiCopy, DeviceLock lets you whitelist specific CD/DVD media—a nice touch. It can also disable the floppy disk drive and block devices that connect through serial or parallel ports, infrared, Bluetooth, or Wi-Fi. This is one comprehensive protector.
DeviceLock easily blocked access to the system's internal reader for digital memory cards. Mata Hari isn't going to get away with copying company secrets to her camera's memory card. Fixing it to allow access under some circumstances was more of a challenge. A DeviceLock representative said that the company is considering adding a whitelist for digital media, but it's not yet present. I solved the problem nicely by whitelisting the card reader itself and giving specific users access to removable media—but only during working hours.
The feature list goes on and on. The product can, for example, even detect and block hardware, and its shadowing feature will record a copy of all data that's legitimately copied to removable devices. You probably don't need that, but a company's audit policies might require it. The one thing it doesn't have (yet) is full compatibility with Windows Vista.
You're not going to load up DeviceLock and have instant control over end-point security. But once you read the friendly manual and master the art of configuring the product, you'll have truly solid protection, on a par with what the enterprise types use. If you need end-point security protection, DeviceLock is the logical choice.
More Security Software reviews:
Final Thoughts
DeviceLock
If you're serious about end-point security, whether for one computer or a hundred, DeviceLock is the solution. Once you master its not-for-wimps interface, you can totally lock up any number of computers against data theft (of course, you'll need a license for each).