DeviceLock 6.4.1 Beta 2 Build 21111 / 6.4 Build 21108

Using endpoint data leak prevention (DLP) solution called DeviceLock®, network administrators can lock out unauthorized users from USB and FireWire devices, WiFi and Bluetooth adapters, CD-Rom and floppy drives, serial and parallel ports, PDAs and smartphones, local and network printers and many other plug-and-play devices. Once DeviceLock® is installed, administrators can control access to any device, depending on the time of day and day of the week.

For enterprises standardized on software and hardware-based encryption solutions like PGP® Whole Disk Encryption, TrueCrypt and Lexar® SAFE PSD S1100 USB drives, DeviceLock® allows administrators to centrally define and remotely control the encryption policies their employees must follow when using removable devices for storing and retrieving corporate data. For example, certain employees or their groups can be allowed to write to and read from only specifically encrypted USB flash drives, while other users of the corporate network can be permitted to "read only" from non-encrypted removable storage devices but not write to them.

The USB white list allows you to authorize only specific devices that will not be locked regardless of any other settings. The intention is to allow special devices (e.g. smart card readers) but lock all other devices. Media White List feature allows you to authorize access to specific DVD/CD-ROM disks, uniquely identified by data signature, even when DeviceLock® has otherwise blocked the DVD/CD-ROM drive. A convenience when DVD/CD-ROM disks are routinely used for the distribution of new software or instruction manuals, Media White Listing can also specify allowed users and groups, so that only authorized users are able to access the contents of the DVD or CD-ROM.

The DeviceLock®'s optional data shadowing capability significantly enhances the corporate IT auditor’s ability to ensure that sensitive information has not left the premises on removable media. It captures full copies of files that are copied to authorized removable devices, Windows Mobile and Palm OS-based PDAs and smartphones, burned to CD/DVD or even printed by authorized end users. Shadow copies are stored on a centralized component of an existing server and any existing ODBC-compliant SQL infrastructure of the customer’s choosing.

DeviceLock® Enterprise Server can monitor remote computers in real-time, checking DeviceLock® Service status (running or not), policy consistency and integrity. The detailed information is written to the Monitoring log. Also, it is possible to define a master policy that can be automatically applied across selected remote computers in the event that their current policies are suspected to be out-of-date or damaged.

DeviceLock® allows you to generate a report concerning the permissions that have been set. You can see which users are assigned for what device and what devices are on the USB white list on all the computers across your network.

DeviceLock® provides a level of precision control over device resources unavailable via Windows Group Policy - and it does so with an interface that is seamlessly integrated into the Windows Group Policy Editor. As such, it’s easier to implement and manage across a large number of workstations.

Major Functions:

1. Anti-keylogger. DeviceLock detects USB keyloggers and blocks keyboards connected to them. Also, DeviceLock obfuscates PS/2 keyboard input and forces PS/2 keyloggers to record garbage instead of the real keystrokes.
2. Monitoring. DeviceLock Enterprise Server can monitor remote computers in real-time, checking DeviceLock Service status (running or not), policy consistency and integrity. The detailed information is written to the Monitoring log. Also, it is possible to define a master policy that can be automatically applied across selected remote computers in the event that their current policies are suspected to be out-of-date or damaged.
3. RSoP Support. You can use the Windows standard Resultant Set of Policy snap-in to view the DeviceLock policy currently being applied, as well as to predict what policy would be applied in a given situation.
4. Batch Processing. Allows you to define settings for a class of similar computers with similar devices (e.g. all computers have USB ports and CD-ROMs) across a large network in a fast and consistent manner. DeviceLock Service can be automatically installed or updated on all the computers in a network using DeviceLock Enterprise Manager.
5. Graphical Reporting. DeviceLock can automatically generate graphical reports based on audit and shadow logs.
6. Permissions Report. Allows you to generate a report displaying the permissions and audit rules that have been set on all the computers across the network.
7. Report Plug-n-Play Devices. Allows you to generate a report displaying the USB, FireWire and PCMCIA devices currently connected to computers in the network and those that were historically connected.
8. Traffic Shaping. DeviceLock allows you to define bandwidth limits for sending audit and shadow logs from DeviceLock Service to DeviceLock Enterprise Server. This Quality of Service (QoS) feature helps reduce the network load.
9. Stream Compression. You can instruct DeviceLock to compress audit logs and shadow data pulled from endpoints by DeviceLock Enterprise Server service. Doing this decreases the size of data transfers and thus reduces the network load.
10. Optimal Server Selection. For optimal transfer of audit and shadow logs, DeviceLock Services can automatically choose the fastest available DeviceLock Enterprise Server from a list of available servers.

Major Features:

1. Access Control. You can control which users or groups can access USB, FireWire, Infrared, COM and LPT ports; WiFi and Bluetooth adapters; any type of printer, including local, network and virtual printers; Windows Mobile and Palm OS-based PDAs and smartphones; as well as DVD/CD-ROMs, floppy drives, and other removable and Plug-and-Play devices. It's possible to set devices in read-only mode and control access to them depending on the time of day and day of the week.
2. Tamper Protection. Configurable DeviceLock Administrators feature prevents anyone from tampering with DeviceLock settings locally, even users that have local PC system administration privileges. With this feature activated, only designated DeviceLock security administrators working from a DeviceLock console or GPO can install/uninstall the program or edit DeviceLock policies.
3. AD Integration. DeviceLock’s most popular console integrates directly with the Microsoft Management Console (MMC) Active Directory (AD) Group Policy platform. As Group Policy and MMC-style interfaces are common knowledge for Microsoft administrators, there really is no proprietary interface to learn or appliance to buy to effectively manage endpoints centrally. The simple presence of the DeviceLock MMC console on a Group Policy administrator’s computer allows for direct integration into the Group Policy Management Console (GPMC) or the Active Directory Users & Computers (ADUC) console with absolutely zero scripts, ADO templates, or schema changes. Security administrators can dynamically manage endpoint data leakage and auditing settings right along with other Group Policy–related tasks. In addition to the MMC snap-in console for Group Policy, DeviceLock also has traditional administrative consoles that can centrally manage any AD, LDAP, or workgroup network of Windows computers. XML-based policy templates can be shared across all DeviceLock consoles as well.
4. Content-Aware Rules. Administrators can now selectively grant or deny access to certain true file types for removable media. When configured, the control will look into the file(s) to determine their true file type (regardless of file name and extension) and determine access and shadowing per the applied policy. For flexibility, Content-Aware Rules for file types can be defined on a per-user or per-group basis at the device type layer. For example, certain users or groups can be allowed to copy Microsoft Word documents to USB flash drives, but be prevented from writing Microsoft Excel documents to the same removable storage devices. Administrators can also deny read access to all executable files from Removable, DVD/CD–ROM and Floppy devices, but allow write access to the same drives for other approved file types. True file type rules can also apply to pre-filtering of shadow copies to manage the volume of data.
5. USB White List. Allows you to authorize a specific model of device to access the USB port, while locking out all others. You can even "White List" a single, unique device, while locking out all other devices of the same brand and model, as long as the device manufacturer has supplied a suitable unique identifier, such as a serial number.
6. Media White List. Allows you to authorize access to specific DVD/CD-ROM disks, uniquely identified by data signature, even when DeviceLock has otherwise blocked the DVD/CD-ROM drive. A convenience when DVD/CD-ROM disks are routinely used for the distribution of new software or instruction manuals, Media White Listing can also specify allowed users and groups, so that only authorized users are able to access the contents of the DVD or CD-ROM.
7. Temporary White List. Allows granting temporary access to a USB-connected device by the issuing of an access code, rather than through regular DeviceLock permission setting/editing procedures. Useful when permissions need to be granted and the system administrator has no network connection; for example, in the exceptional case of accommodating a sales manager who calls in with a request for USB access when working outside the company's network.
8. Auditing. DeviceLock‘s auditing capability tracks user and file activity for specified device types and ports on a local computer. It can pre-filter audit activities by user/group, by day/hour, by true file type, by port/device type, by reads/writes, and by success/failure events. DeviceLock employs the standard event logging subsystem and writes audit records to a Windows Event Viewer log with GMT timestamps. Logs can be exported to many standard file formats for import into other reporting mechanisms or products. Also, audit records can be automatically collected from remote computers and centrally stored in SQL Server. Even users with local admin privileges can't edit, delete or otherwise tamper with audit logs set to transfer to DeviceLock Enterprise Server.
9. Shadowing. DeviceLock’s data shadowing function can be set up to mirror all data copied to external storage devices, printed, or transferred through serial and parallel ports. DeviceLock can also split ISO images produced by CD/DVD burners into the original separated files upon auto-collection by the DeviceLock Enterprise Server (DLES). A full copy of the files can be saved into the SQL database or to a secure share managed by the DLES. Shadowing activities can be pre-filtered just like regular auditing to narrow down what is collected. DeviceLock’s audit and shadowing features are designed for efficient use of transmission and storage resources with stream compression, traffic shaping for quality of service (QoS), performance/quota settings, and automated optimal DLES server selection.
10. Mobile Device Data Leakage Prevention. With DeviceLock, you can set granular access control, auditing, and shadowing rules for mobile devices that use Windows Mobile or Palm OS. You can centrally set permissions with fine granularity, defining which types of data that specified users and/or groups are allowed to synchronize between corporate PCs and their personal mobile devices, such as files, pictures, calendars, emails, tasks and notes. DeviceLock detects the presence of mobile devices attempting to access ports through USB, COM, IrDA or Bluetooth interfaces.
11. Network-Awareness. Administrators can define different online vs. offline security policies for the same user account. A reasonable and often necessary setting on a mobile user’s laptop, for example, is to disable WiFi when docked to the corporate network and enable it when undocked.
12. TrueCrypt & PGP® Whole Disk Encryption Integration. DeviceLock can detect encrypted PGP® and TrueCrypt disks (USB flash drives and other removable media) and apply special "encrypted" permissions to them. For enterprises standardized on encryption solutions, DeviceLock allows administrators to centrally define and remotely control the encryption policies their employees must follow when using removable devices for storing and retrieving corporate data. For example, certain employees or their groups can be allowed to write to and read from only specifically encrypted USB flash drives, while other users of the corporate network can be permitted to "read only" from non-encrypted removable storage devices but not write to them.
13. Lexar® SAFE PSD Integration. DeviceLock detects hardware-encrypted Lexar® SAFE PSD S1100 USB drives and applies special "encrypted" permissions to them.