ControlGuard Endpoint Access Manager
Like DeviceLock, Endpoint Access Manager requires either Microsoft SQL Server or SQL Server 2005 Express. If you have neither installed, the setup wizard adds and configures SQL Server 2005 Express for you—a nice touch that simplifies installation.
While installing the product, I noticed that its Installation Guide PDF file doesn’t follow the wizard exactly. This inconsistency didn’t throw me off too much, but it was frustrating to see that the documentation hadn’t been updated to coincide with the actual product.
During installation, I missed the fact that Endpoint Access Manager requires Microsoft IIS, so setup paused with the standard Abort, Retry, or Ignore dialog box. I left the message onscreen and installed IIS through the Control Panel Add or Remove Programs applet. I was then able to click Retry, and the Endpoint Access Manager installation continued. The installation could have easily bombed out because I didn’t have a prerequisite in place, but I was pleased that it let me continue.
The product then prompted me to create a new database. You can choose No and set up the database yourself, but I decided to let the installation wizard do it for me. The wizard asked for the connection information to the SQL Server database. This information filled in automatically, so all I had to do was click Create.
After the installation was complete, I double-clicked the ControlGuard Administration Console desktop icon and the software presented me with a logon dialog box. The Installation Guide gave me the initial username and password that I needed to log on. You can easily change the password from within the administration console. The first time you start the console, a wizard walks you through the configuration process. The User Manual also provides a nice workflow that shows you how to get everything up and running.
The first step in the wizard is to set up directory collaboration with Endpoint Access Manager. I tested this functionality only with Windows Server 2003 AD, but NT domains and Novell eDirectory are also options. The purpose of AD integration is to let you create logical groups of computers to manage based on OUs you already have in AD.
The next step is to add the computers to which you want to apply the settings. If you have your computers segregated into OUs, this step will be simple. For example, if your OU structure contains two OUs called Managers and Ops Floor beneath All Computers, it would be easy to deploy the policies to just those two separate OUs and not to the other servers or domain controllers (DCs).
Endpoint Access Manager uses a certificate to ensure that the server and client are communicating with the correct machines. The certificate has to live in the \system32 folder under C:\windows on each client machine. You can copy the certificate manually or use the included MSI Updater to insert the certificate into the MSI installation file. Adding the certificate is simple. If you want, you can also update the .msi file with some initial policies. Doing so helps ensure that all your new PCs are secured as soon as their computer accounts are added to the domain.
Before you can send out a policy to secure endpoints, you need to install the agent onto each PC. The typical methods are available (i.e., setup.exe file, batch script, Group Policy), but what sets Endpoint Access Manager apart is its “on-the-fly distribution.” This feature installs the client onto all network computers almost immediately. After you start the Endpoint Access Manager AD Synchronization service, you can set it to synchronize with AD every x minutes. (I set it to 5 minutes.) Now, every time a computer is added to AD, the ControlGuard Endpoint Access Manager Service is automatically installed onto the new machine. What I like about this method is that it’s totally hands-off for the administrator. You have enough to worry about without having to manage the installation of the Endpoint Access Manager client!
I waited a few minutes for the client to install, but nothing happened. The XP firewall log indicated that the Endpoint Access Manager server was trying to connect to the XP client through port 135. I opened that port, but the client still wouldn’t install. The deployment event log within the ControlGuard Administration Console indicated that I needed to fix the security or WMI settings on the XP client. I couldn’t find any documentation that described which ports needed to be opened for the client to install, and the Support Page at ControlGuard’s Web site appeared to be down for reorganization. To continue with my testing, I decided to simply shut off the XP firewall. The client then installed in a few minutes. This documentation oversight needs to be addressed soon.
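The review does not say which ports the on-the-fly deployment needs, and the firewall log only showed the first connection, on TCP 135. A pre-deployment check an administrator can run from the management server, written for this article rather than taken from ControlGuard, enumerates the computers in the two OUs from the earlier example (Managers and Ops Floor under All Computers) and tests each one for the two things the deployment log complained about: whether TCP 135 (the RPC endpoint mapper) answers, and whether a remote WMI query succeeds. It assumes Windows PowerShell with the RSAT ActiveDirectory module on the management machine, a hypothetical example.com domain, and that the account running it is a local administrator on the clients; the OU names are the review's.

```powershell
# Added example, not ControlGuard code. Assumes the RSAT ActiveDirectory
# module, Windows PowerShell (Get-WmiObject), and a hypothetical example.com
# domain; the OU names come from the review's example.
Import-Module ActiveDirectory

$searchBases = @(
    'OU=Managers,OU=All Computers,DC=example,DC=com',
    'OU=Ops Floor,OU=All Computers,DC=example,DC=com'
)

function Test-TcpPort {
    # True if a TCP connection to $Port completes within $TimeoutMs.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-RemoteWmi {
    # True if a trivial remote WMI query succeeds. This exercises the full
    # DCOM path (endpoint mapper on 135 plus the dynamic port it hands back),
    # which a port-135 test alone does not.
    param([string]$ComputerName)
    try {
        $null = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

$results = foreach ($base in $searchBases) {
    foreach ($c in Get-ADComputer -Filter * -SearchBase $base -Properties DNSHostName) {
        $rpc = Test-TcpPort -ComputerName $c.DNSHostName -Port 135
        [pscustomobject]@{
            Computer = $c.Name
            OU       = $base
            Rpc135   = $rpc
            Wmi      = if ($rpc) { Test-RemoteWmi -ComputerName $c.DNSHostName } else { $false }
        }
    }
}

# Anything with Rpc135 true and Wmi false is the situation described above:
# port 135 open, but the DCOM/WMI follow-up connection blocked.
$results | Format-Table -AutoSize
```

Opening TCP 135 alone is rarely enough for remote WMI: DCOM uses 135 only to look up the endpoint and then connects to a dynamic high port, which is why the XP SP2 firewall has a Remote Administration exception (`netsh firewall set service RemoteAdmin enable`) that covers both. Whether that exception is all the ControlGuard deployment needs is not something the review establishes, so run a check like this against one pilot machine before deciding how much of the firewall to relax on a whole OU.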
The final step is to create Access Control Lists (ACLs) that define which devices can and can’t be used on a computer. I called my first ACL total lockdown and proceeded to lock everything—removable storage, floppy drives, Bluetooth ports, printer ports. Figure 2 shows the ACL Editor. Endpoint Access Manager can lock down the same devices as DeviceLock, but also adds protection for Palm OS devices, Windows CE devices, Research in Motion (RIM) devices, and printers, as you see in Table 1. When I logged in as a normal user on the XP PC, I was immediately denied access to my USB thumb drive.
As I mentioned earlier, DeviceLock’s tight integration with Group Policy lets it use the RSOP tool to determine which security settings will apply to a given user or PC. Endpoint Access Manager doesn’t have the same integration. Instead, it uses a tool called the ACL Simulator. You simply add the name of the computer and the name of the user or group to which the policy will apply, then click Calculate. This functionality is no better or worse than that of the RSOP tool—just different.
Make Your Choice
Both SmartLine and ControlGuard offer exceptional products that can help you get a handle on rogue devices that can potentially steal your company data. Endpoint Access Manager has the simpler interface of the two and offers all its tools on one handy screen. I also valued the Endpoint Access Manager AD Synchronization service, which ensures that all new computers added to the AD domain have the ControlGuard Endpoint Service installed and running.
Both products support the use of white lists (ControlGuard calls its list an Approved Device List). This feature lets you permit certain devices based on users, computers, devices, or vendors. For example, suppose you want to disable the USB port for all devices except a mobile Internet card. This feature lets you create a blanket policy that disables the USB port yet permits this one special device.
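A worked version of that whitelist decision, added here as an illustration and not ControlGuard's or SmartLine's code: a default-deny policy for USB devices with an approved list whose entries match either one device (vendor and product ID) or a whole vendor, each optionally scoped to particular users or computers, which mirrors the four match criteria the review lists. Windows reports a USB device's hardware ID in the form USB\VID_xxxx&PID_yyyy; the specific VID/PID values, user names and computer names below are constructed for the example, and the "mobile Internet card" ID is hypothetical.

```powershell
# Added example, not the product's Approved Device List implementation.
# Hardware IDs, VID/PID values, users and computers are constructed.

# Approved Device List: the one card everyone may use, plus one vendor's
# devices for one user on one PC.
$ApprovedDevices = @(
    @{ Kind = 'Device'; Match = 'VID_12D1&PID_1001'; Users = @('*');         Computers = @('*') },
    @{ Kind = 'Vendor'; Match = 'VID_0781';          Users = @('CORP\jdoe'); Computers = @('WS-OPS-07') }
)

function Get-UsbIds {
    # Extract the vendor ID and (if present) product ID from a hardware ID
    # or from a list entry; returns $null for anything that is not USB.
    param([string]$Id)
    if ($Id -match 'VID_([0-9A-F]{4})(?:&PID_([0-9A-F]{4}))?') {
        $prodId = if ($matches[2]) { $matches[2].ToUpper() } else { $null }
        return @{ Vid = $matches[1].ToUpper(); Pid = $prodId }
    }
    return $null
}

function Test-DeviceAllowed {
    # Blanket policy: every USB device is denied unless an approved entry
    # covers it for this user on this computer. Non-USB IDs fall outside
    # the policy and are left alone.
    param([string]$HardwareId, [string]$User, [string]$Computer)
    $dev = Get-UsbIds $HardwareId
    if (-not $dev) { return $true }
    foreach ($entry in $ApprovedDevices) {
        $userOk = ($entry.Users -contains '*')     -or ($entry.Users -contains $User)
        $compOk = ($entry.Computers -contains '*') -or ($entry.Computers -contains $Computer)
        if (-not ($userOk -and $compOk)) { continue }
        $want = Get-UsbIds $entry.Match
        if ($want.Vid -ne $dev.Vid) { continue }
        # A vendor entry matches every product from that vendor; a device
        # entry must also match the product ID.
        if ($entry.Kind -eq 'Vendor' -or $want.Pid -eq $dev.Pid) { return $true }
    }
    return $false
}

# Constructed cases: the approved card, a thumb drive under several
# user/computer combinations, and a device from an unlisted vendor.
$cases = @(
    @{ Id = 'USB\VID_12D1&PID_1001'; User = 'CORP\asmith'; Computer = 'WS-MGR-01' }, # card: ALLOW
    @{ Id = 'USB\VID_0781&PID_5567'; User = 'CORP\asmith'; Computer = 'WS-MGR-01' }, # thumb drive: DENY
    @{ Id = 'USB\VID_0781&PID_5567'; User = 'CORP\jdoe';   Computer = 'WS-OPS-07' }, # vendor entry applies: ALLOW
    @{ Id = 'USB\VID_0781&PID_5567'; User = 'CORP\jdoe';   Computer = 'WS-MGR-01' }, # right user, wrong PC: DENY
    @{ Id = 'USB\VID_046D&PID_C52B'; User = 'CORP\jdoe';   Computer = 'WS-OPS-07' }  # unlisted vendor: DENY
)
foreach ($c in $cases) {
    $verdict = if (Test-DeviceAllowed $c.Id $c.User $c.Computer) { 'ALLOW' } else { 'DENY' }
    '{0,-5} {1,-24} {2,-12} {3}' -f $verdict, $c.Id, $c.User, $c.Computer
}
```

Two points worth carrying into a real policy: the vendor-scoped entry is the one most likely to be too broad, because a VID covers every product that vendor ships, so prefer device entries with both IDs where you can; and a blanket USB deny as literal as the review's example also blocks USB keyboards and mice, so in practice you scope the default deny to the storage and modem classes rather than to the whole bus.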
DeviceLock hits a home run with its Group Policy integration. This functionality lets you install and configure the client service in one place. The management tools do get a little busy until you get comfortable with the purpose of each one.
After you’ve secured your network’s endpoints, you’ll probably want to generate a report either for auditing purposes or for confirmation that you’ve set everything up correctly. Endpoint Access Manager offers extremely detailed reports via a Web page. (For that reason, IIS is required during the initial installation.) DeviceLock has its reporting built directly into the DeviceLock Enterprise Manager, which lets you make policy changes directly from the report. For example, if the report shows that the floppy drive is accessible to everyone when it shouldn’t be, you can right-click that particular endpoint and make the necessary security changes immediately.
Neither vendor has a great support Web site. I expected to see more than a few FAQs and would have liked to browse each company’s Knowledge Base (KB) articles. This lack of detailed support was by far my biggest disappointment while reviewing these two products.