WatchGuard, in its LiveSecurity and SOHO product suites, offers a variety of network-security applications, as well as firewall and VPN servers. WatchGuard ServerLock 1.1 is the company’s entry into the server and data-security software services market. WatchGuard’s aim is to protect your sensitive data, registry keys, and user accounts from external tampering. ServerLock features an easy-to-use UI, is simple to administer, and provides minimal configuration complexity.
Typically, hardening or securing crucial data and settings on new or existing Windows 2000 or Windows NT servers is challenging. In particular, using standard Windows rights management to efficiently protect data is a complex undertaking. ServerLock provides instant protection to the server on which you install the product, so you can quickly beef up the security of any server, whether it resides on your internal network or in a demilitarized zone (DMZ).
ServerLock requires a 200MHz Pentium processor or faster, 128MB of RAM, and only 6MB of hard disk space. The software runs on Win2K and NT 4.0 (including NT Workstation and NT Server 4.0, Terminal Server Edition—WTS) with Service Pack 4 (SP4) or later. To facilitate ServerLock’s file-security features, the product requires NTFS. For my review, I used a 450MHz Pentium II system with 256MB of RAM, running Win2K Server SP1.
ServerLock offers two installation modes: Solo and Managed. You’ll use Solo Mode on a single server that won’t act as a ServerLock manager. Managed Mode lets you use a ServerLock manager system to remotely administer other systems.
Installing ServerLock is straightforward: You need only to supply an administrative password and software license key, then obtain an activation key. You can get the activation key directly from the installation program, over the Internet, by phone, or by fax. By complete coincidence, when I first installed ServerLock, my server’s video card died just as I was activating the product—before I completed the activation process. When I attempted the installation a second time, I couldn’t complete the activation because the software had already recorded the product key at WatchGuard’s Web site. A quick email message to WatchGuard’s technical support removed the faulty activation, and I was able to complete the installation properly.
A word about the administrative password: WatchGuard requires that you use strong password complexity. The password that you enter must contain a minimum of seven characters and must include one uppercase character, one number, and one symbol (e.g., an exclamation point). Unless you follow the company’s guidelines for password creation, the installation will fail. I like this requirement—too many security products allow almost any password, and some don’t even require one for modifying or viewing settings.
After I completed the installation, I wanted to configure my local security settings. I entered my administrative password to access the local ServerLock control panel. The user-friendly control panel, which Figure 1 shows, contains a large button that lets you switch the control panel from Maintenance to Operational modes, and a series of buttons that let you "unprotect" the system components that ServerLock covers: the registry, user accounts, files, and Custom Rules. Simply clicking an option’s button locks or unlocks security for that option. You can quickly disable ServerLock’s security by switching to Maintenance Mode to facilitate software installation and file or user account maintenance.
Out of the box, ServerLock provides basic security for crucial registry entries, system files, and folders. Although these default protection options likely address the needs of most users, WatchGuard has included a Custom Rules editor that lets you apply rules to any file, folder, or registry key that you can think of. To launch the Custom Rules editor, click the Edit Custom Rules button at the bottom of the control panel. The Custom Rules editor, which Figure 2 shows, presents you with a simple window: In the window’s upper half, you enter the items that you want to protect; in the lower half, you enter custom rules. To enter a file or folder, you simply type the filename (e.g., C:\test1). If you select a file or folder that’s deeper than the root directory, ServerLock asks whether you want to apply protection to all folders above the target folder. The Custom Rules editor also permits wildcard file selection (i.e., *.doc) so that you can provide global protection to a specific file type within a directory. When you enter registry keys, you simply enter the full registry key in the window’s upper half, then click the Send Rules to ServerLock button.
The Custom Rules editor also lets you import rules from an external text file. If you have a large quantity of folders or registry keys, you can type them into the text file, then import them into the editor’s input window. Despite this functionality, I found all this data entry somewhat tedious, given some programs’ large number of registry keys. In a later version, WatchGuard might think about building in a GUI that permits for quick selection of items for protection.
After I entered a few files and folders in the Custom Rules editor, I tried to delete or modify the files. A standard Windows error message stated that I didn’t have adequate privileges to perform the action—even though I was logged on as an administrator. ServerLock had appropriately locked down security for those files. To further ensure that ServerLock was working as advertised, I attempted a deletion of all the files in one folder, in which I had specified protection of any .doc files. As I expected, the software left all the .doc files intact and deleted all other files. This item-by-item specification expands ServerLock’s reach and certainly adds to the product’s value. ServerLock also protects any accounts on your system from modification or deletion. However, this feature is available only under NT 4.0, not Win2K. Considering that Win2K doesn’t use a standard SAM database to hold user accounts (as NT 4.0 does), I hope WatchGuard implements Win2K functionality soon.
Configuration is as easy as it gets. If you have any questions during installation, configuration, or definition of custom rules, you can always turn to the well-written print manuals that accompany the product.
ServerLock includes a remote administration utility to help you manage and monitor other ServerLock-enabled systems on your network. Simply open the ServerLock console, and select the Connect to System option from the Connect To dialog box’s drop-down menu. After you connect to the remote system and enter the administrative password, you’ll see a smaller iconized version of ServerLock’s control panel. Configuring options for remote systems is just as easy as configuring options for local systems. All data and settings that the software transfers between systems are heavily encrypted to ensure consistent protection.
You can also configure ServerLock to provide a log that monitors a system’s security. With this feature, you can determine whether a user has gained access to ServerLock and disabled an item’s security or whether a colleague has made an errant change. To view the log file, simply use Notepad or the DOS text editor to open the file.
ServerLock is a fine, affordable product that will put the finishing touches on your security scenario. The product has practically no system impact: Your system performance will experience no degradation. Although WatchGuard says that ServerLock reduces the need for an intrusion-detection software package, I recommend that you think twice before implementing ServerLock as your only form of protection. The product does an excellent job of protecting sensitive data and objects, but a solid intrusion-detection package and a properly hardened server offer many benefits.
|WatchGuard ServerLock 1.1|
Contact: WatchGuard * 206-521-8340
Price: $1295; $7995 for enterprise bundle
Pros: Installation and configuration are simple; Custom Rules help extend ServerLock’s coverage; remote management helps ease maintenance burden
Cons: Text input of Custom Rules can be tedious for broad protection; no account protection for Win2K servers