DeviceLock®

Main DeviceLock® Features

Access Control. You can control which users or groups can access USB, FireWire, Infrared, COM and LPT ports; WiFi and Bluetooth adapters; any type of printer, including local, network and virtual printers; Windows Mobile and Palm OS-based PDAs and smartphones; as well as DVD/CD-ROMs, floppy drives, and other removable and Plug-and-Play devices. It's possible to set devices in read-only mode and control access to them depending on the time of day and day of the week.

USB White List. Allows you to authorize a specific model of device to access the USB port, while locking out all others. You can even "White List" a single, unique device, while locking out all other devices of the same brand and model, as long as the device manufacturer has supplied a suitable unique identifier, such as a serial number.

Media White List. Allows you to authorize access to specific DVD/CD-ROM disks, uniquely identified by data signature, even when DeviceLock has otherwise blocked the DVD/CD-ROM drive. A convenience when DVD/CD-ROM disks are routinely used for the distribution of new software or instruction manuals, Media White Listing can also specify allowed users and groups, so that only authorized users are able to access the contents of the DVD or CD-ROM.

Temporary White List. Allows granting temporary access to a USB-connected device by the issuing of an access code, rather than through regular DeviceLock permission setting/editing procedures. Useful when permissions need to be granted and the system administrator has no network connection; for example, in the exceptional case of accommodating a sales manager who calls in with a request for USB access when working outside the company's network.

Device/Port Auditing. Gives IT staff a complete record of port and device activity, such as uploads and downloads by user and filename in the standard Windows Event log. Also, audit records can be automatically collected from remote computers and centrally stored in SQL Server. Even users with local admin privileges can't edit, delete or otherwise tamper with audit logs set to transfer to DeviceLock Enterprise Server.

Data Shadowing. The DeviceLock optional data shadowing capability significantly enhances the corporate IT auditor's ability to ensure that sensitive information has not left the premises on removable media. It captures full copies of files that are copied to authorized removable devices, burned to CD/DVD or even printed by authorized end users. Shadow copies are stored on a centralized component of an existing server and any existing ODBC-compliant SQL infrastructure of the customer's choosing.

Mobile Device Data Leakage Prevention. With DeviceLock, you can set granular access control, auditing, and shadowing rules for mobile devices that use Windows Mobile or Palm OS. You can centrally set permissions with fine granularity, defining which types of data that specified users and/or groups are allowed to synchronize between corporate PCs and their personal mobile devices, such as files, pictures, calendars, emails, tasks and notes. DeviceLock detects the presence of mobile devices attempting to access ports through USB, COM, IrDA or Bluetooth interfaces.

Tamper Protection. Every user with local administrator privileges is not automatically given DeviceLock administration privileges. The Chief Security Officer or other super-administrator has discrete control over who has DeviceLock administration privileges.

Group Policy Integration. You have a choice of DeviceLock management consoles including the ability to manage DeviceLock settings using the Windows standard Group Policy interface, making it easier for busy administrators to merge hardware lock-out tasks into their overall systems management workload.

TrueCrypt & PGP® Whole Disk Encryption Integration. DeviceLock can detect encrypted PGP® and TrueCrypt disks (USB flash drives and other removable media) and apply special "encrypted" permissions to them. For enterprises standardized on encryption solutions, DeviceLock allows administrators to centrally define and remotely control the encryption policies their employees must follow when using removable devices for storing and retrieving corporate data. For example, certain employees or their groups can be allowed to write to and read from only specifically encrypted USB flash drives, while other users of the corporate network can be permitted to "read only" from non-encrypted removable storage devices but not write to them.

Lexar® SAFE PSD Integration. DeviceLock detects hardware-encrypted Lexar® SAFE PSD S1100 USB drives and applies special "encrypted" permissions to them.

Extended DeviceLock® Functions

Anti-keylogger. DeviceLock detects USB keyloggers and blocks keyboards connected to them. Also, DeviceLock obfuscates PS/2 keyboard input and forces PS/2 keyloggers to record garbage instead of the real keystrokes.

Monitoring. DeviceLock Enterprise Server can monitor remote computers in real-time, checking DeviceLock Service status (running or not), policy consistency and integrity. The detailed information is written to the Monitoring log. Also, it is possible to define a master policy that can be automatically applied across selected remote computers in the event that their current policies are suspected to be out-of-date or damaged.

RSoP Support. You can use the Windows standard Resultant Set of Policy snap-in to view the DeviceLock policy currently being applied, as well as to predict what policy would be applied in a given situation.

Batch Processing. Allows you to define settings for a class of similar computers with similar devices (e.g. all computers have USB ports and CD-ROMs) across a large network in a fast and consistent manner. DeviceLock Service can be automatically installed or updated on all the computers in a network using DeviceLock Enterprise Manager.

Permissions Report. Allows you to generate a report displaying the permissions and audit rules that have been set on all the computers across the network.

Report Plug-n-Play Devices. Allows you to generate a report displaying the USB, FireWire and PCMCIA devices currently connected to computers in the network and those that were historically connected.

Traffic Shaping. DeviceLock allows you to define bandwidth limits for sending audit and shadow logs from DeviceLock Service to DeviceLock Enterprise Server. This Quality of Service (QoS) feature helps reduce the network load.

Stream Compression. You can instruct DeviceLock to compress audit logs and shadow data pulled from endpoints by DeviceLock Enterprise Server service. Doing this decreases the size of data transfers and thus reduces the network load.

Optimal Server Selection. For optimal transfer of audit and shadow logs, DeviceLock Services can automatically choose the fastest available DeviceLock Enterprise Server from a list of available servers.