A software-based locking tool to secure I/O devices
A growing reliance on computers for the processing and storage of critical data means that securing system integrity is crucial. A lot of public hype exists about the external threats that system crackers pose, yet internal threats are more likely to compromise the integrity of a company's computing resources. Whether those threats take the form of a virus accidentally unleashed by an unsuspecting user or sensitive data purposely copied for illegitimate use, the result is the same. DigitalWave's SecureNT 1.2 offers a partial solution to internal threats.
SecureNT's focus is on control of I/O devices. The application supplies a software-based locking mechanism for 3.5" disk drives, CD-ROM drives, and COM and LPT ports. This locking mechanism resides on each user's machine and takes the form of a native service under Windows NT and a virtual device driver (VxD) under Windows 9x. You use the SecureNT Administrator, which Screen 1 shows, to administer each service or VxD remotely.
To evaluate SecureNT, I used NT Server 4.0 configured as a PDC and a Win95 workstation. According to SecureNT documentation, this configuration isn't optimal but is sufficient for testing core functionality.
I installed SecureNT on the PDC. This process was typical of NT installations and required the usual agreement to licensing terms and installation path specification. However, this step only set up SecureNT Administrator. I had to install the service components to make use of SecureNT's functionality. To install components under NT, I had to copy an executable into the \winnt\system32 directory and install the executable as a native service.
The procedure under Win95 was more complicated. Before installing the service component, I had to install Distributed Component Object Model 95 (DCOM95), and I installed two client libraries from the Win95 Server Tools included on the NT Server 4.0 CD-ROM. To wrap up the installation, I copied a directory that contained the Win95 VxD and installation tool from the PDC to the Win95 machine.
Using the Software
SecureNT relies heavily on group membership to control functionality, so the first task is to create the supported groups. You must create seven user groups: two groups for full and view-only access to SecureNT Administrator, and five groups for long-term access to I/O devices. After I added myself to the SNT_ADMIN group, I was able to run SecureNT Administrator. When you first open SecureNT Administrator, the application doesn't list any workstations in Network Neighborhood because it assumes an all-locked policy. This setup is appropriate because the first time you start SecureNT, a service component locks all I/O devices for which SecureNT is responsible.
You can use SecureNT Administrator and group membership to handle exceptions to the all-locked policy. For long-term or permanent access to one or more I/O devices, group membership is the method of choice. In my case, I added one highly trusted user to the SNT_ALL group and one user who consistently worked with archive data to the SNT_CDROM group. On the PDC, SecureNT didn't seem to fully recognize the group modifications until I restarted the service component. However, after the first system reboot, I no longer encountered this problem. The Win95 client completely ignored the fact that a user was part of the SNT_ALL group. This shortcoming might result from the fact that Win9x clients support only locking CD-ROM and disk drives. When I removed the user from SNT_ALL and added the user to the SNT_CDROM and SNT_FLOPPY groups, the Win95 client correctly detected the change and unlocked the CD-ROM and disk drives.
For temporary access, the SecureNT Administrator provides a means for remote administration of I/O device locks. To modify the device locks, the Administrator requires you to add the corresponding workstation to the Administrator's Network Neighborhood. You can accomplish this task using different techniques, including lookup by username, selection from workstation lists, and manual entry. After you add workstations in Network Neighborhood, you can simply select a workstation device to lock or unlock. When unlocking a device, the application provides options for unconditional and timed access. In both cases, end users can automatically receive a dialog box that informs them of the lock modification. In the case of a timed lock, a dialog box also keeps end users informed of the time remaining before the application relocks the device.
I found that working with the Win9x client was tedious, requiring the installation of additional packages, a couple of reboots, and some extra configuration. DigitalWave limits support for Win9x clients to only CD-ROM and disk-drive locks, but the company is working on COM and LPT support for the product's next version. The application currently supports LPT locks under NT, but the locks don't apply to local printers, so you must handle this separately. For mid- to large-sized networks, SecureNT provides an adequate solution for a portion of the internal-security dilemma. For smaller networks, however, hardware locks or machines stripped of drives that support removable media might make more sense.
Contact: DigitalWave * +352.315126 (Luxembourg)
Price: $435 for SecureNT Administrator; $44 for 1 to 24 client licenses
System Requirements: Windows NT 4.0 for SecureNT Administrator; NT or Windows 9x for the client component