Product Review: GFI EndPointSecurity

A data thief can get away with more precious data in his pockets, a negligent employee can dump more malware to the corporate computers and a malicious user can upload more illegal content to the corporate web servers than ever before – and in less time. It’s time to look at a product that can give us some countermeasures against these potential security threats.

Product: GFI EndPointSecurity

Product Homepage: GFI EndPointSecurity – Network device control

Free 30-day eval: Download GFI EndPointSecurity

Introduction

Steward Brand joined the first Hacker Conference in 1984 and stated the following: “On the one hand information wants to be expensive, because it’s so valuable. The right information in the right place just changes your life. On the other hand, information wants to be free, because the cost of getting it out is getting lower and lower all the time. So you have these two fighting against each other“. Since then, the slogan “information wants to be free” has become a good reminder for network administers to keep their networks hermetically sealed as regards to the flow of valuable information and data – or at least try to… To put it more precisely: the trick is to make only the required information available to a certain person or group of people, at the right time and place – and to keep the more delicate information secreted within the company’s “safe” walls. Much of this can be controlled with permission settings on files, folders, database tables, websites etc. (access control) and for example content management systems, but the problem becomes evident as soon as we mention “place”. If some user needs to be able to read a specific file, or a table in a database, that information can also be copied to another “uncontrolled” destination or device by the same user, which might not be in the interest of the company. Within a short time the information is spread across multiple locations – “it’s airborne” as they said in the movie ‘Outbreak’ (1995).

So, what devices are we talking about? We need to worry about: iPod’s, MP3 players, digital cameras, mobile phones, card-readers, flash drives, CD/DVD writers, floppies, PDA’s and other plug-and-play devices which have storage capabilities… It’s almost too easy to use these devices on modern Windows platforms, users just have to plug them in to a USB or a FireWire port and they are up and running, with a large amount of gigabytes in their complete control – no driver installation or admin approval is required by default. While that is good for the users, as in many other cases usability has a large drawback on security. The devices are small and easily concealable, installation requires no technical expertise – it has never been easier to steal data. Technological breakthroughs have made available devices that boast:

Increased data storage and data transfer speeds
Increased device portability through a substantial reduction in physical device size
Increased device availability by the development of mass-appeal low-cost products
Simplified the connectivity methods to computer systems

So, what kind of dangers do these devices bring? According to the Gartner Group, 70% of unauthorized access to information systems is committed by employees. It’s a known fact, that internal threats are the most common threats on the typical network – and yet, the ‘enemy within’ is left with too much power behind the very expensive corporate firewalls. Loss of information can be extremely harmful for most corporations: data leakage, data disclosure incidents, blackmail, identity theft, industrial espionage, etc. When information is exposed to the public at the wrong time it can damage a company’s reputation – such things can be fatal, even for larger companies. Many lines of business face increased requirements which demand more protection and tighter control over client records and confidential information. The data that network administrators protect can be anything from blueprints, budgets, social security/credit card numbers, engineering plans, price lists, source code, database schemes, video/sound files, client/financial records and mailing lists to ‘the Coca Cola recipe’ itself – in the end it’s all just bits and bytes that need concealment.

Dissatisfied employees that feel they have been unfairly dismissed can sell company knowledge, strategies or other sensitive information and in that way take advantage of their trusted position and permissions. Another example is people leaving the company to work with a competitor, the dishonest ones may use the information acquired to gain an edge over their previous employer. The point is that internal users may deliberately or accidentally copy confidential information to these devices, introduce malicious code (malware of any kind) or transfer other unwanted data to the corporate network. So, what can we do about this?

First, we need a written corporate portable storage control policy as part of the company’s IT security policy. But what tools do we have, as Windows administrators, to insure that the policy is followed by users? Since Windows Group Policies gives us very limited control over the mentioned devices, the common approach has been anything from physically blocking ports (USB / FireWire, etc.) to a total ban of iPods and similar devices on the network. It’s obvious that none of these countermeasures are adequate in most scenarios. We need technological barriers, such as those offered by GFI EndPointSecurity, to protect networks against unauthorized device usage. Let’s take a look at what GFI EndPointSecurity can do for us…

Main Features

In GFI EndPointSecurity portable device classes are organized into the following categories:

Floppy disk

CD/DVD ROM

Storage Devices

Printers

PDAs

Network Adapters

Modems

Imaging Devices

Other Devices

Internal / External

CD R/W ROM

DVD R/W ROM

Internal / External

USB drives

MP3 players

iPods

Card Readers

USB Hard disks

USB / FireWire

Pocket PCs

BlackBerry

Smart phones

WiFi

Bluetooth dongles / connections

Infrared dongles / connections

Smart phones

Mobile phones

USB modems

Digital Cameras

Webcams

Scanners

Bluetooth dongles / ports

Infrared dongles / ports

Magneto optical drives (internal and external)

Zip drives

Tape drives

For each category administrators are able to set the access levels. Regarding Floppy disks and Storage devices we can select between Read and Read/Write access, for other devices we can define whether users should be able to access those devices or not.

Installation

GFI EndPointSecurity consists of a server part and a client part. On the server-side, policies are configured and settings are pushed to the clients. On the client-side, a GFI EndPointSecurity software agent must be installed. The agent handles and enforces the device policies provided by the server.

GFI EndPointSecurity 3.0 can protect all the 32-bit versions of Microsoft Windows 2000, XP and 2003. GFI will be supporting the 32-bit version of Microsoft Windows Vista within the next release cycle of GFI EndPointSecurity. Development of support for 64-bit Windows operating systems is currently underway and will be available in a future release.

Installing the application is very straight forward and easy to perform. You can install GFI EndPointSecurity in English or German and during the installation process you will need a personal License Key (a 30 day trial download is available on the GFI website) and to select the destination folder for the binary files. User Account information for the GFI EndPointSecurity Logger Service must also be provided – this must be a domain administrator – or the local system account can be used, see Figure 1.

Figure 1: Enter User Account information

After the installation has completed the GFI EndPointSecurity Quick Start Wizard appears. This wizard takes us through the most important steps in configuring the product. Note that by default, new security groups are created by the wizard automatically.

Figure 2: Quick Start Wizard: Device Control

Installing the agent from a central location on to remote computers is pretty straight forward – it’s possible to search the domain and to hit the “Detect Protection Status” button to see whether the agent is already deployed and when the agent was last updated with protection policies (Figure 3). The installation of the remote agent is performed from within the GFI EndPointSecurity console, see Figure 5.

Figure 3: Select Computers…

By default the wizard provides us with 3 available protection policies ‘out-of-the-box’: Servers, Workstations and Laptops, see Figure 4. Each policy can be configured to whatever protection level that is needed on the specific type of computers, depending on the required groups needed by the defined. For example, it might be better to divide by departments (Sales, Marketing and Production, etc.) in some environments. Policies can be added and configured manually later on. After setting up the different protection polices, computer accounts are manually added to these policies.

Figure 4: Quick Start Wizard: Select the protection policy

The GFI EndPointSecurity 3.0 console is very simple and easy to master. Changes to Protection Policies must be ‘applied’ after configuration by pressing the “Apply” button – a bit like when configuring Microsoft ISA 2004/2006 Servers.

Figure 5: GFI EndPointSecurity Management Console

The deployment report shows us the status of the remote agent installation process, see Figure 6. If the remote computer is not online we get an error message like the one in Figure 7.

Figure 6: Deployment status reports

Figure 7: Deployment status reports

After installing GFI EndPointSecurity and deploying the agent to the server we can see 3 new services (2 for the server and 1 for the optional local agent):

Figure 8: Installed GFI EndPointSecurity services

A standard workstation only needs the “GFI EndPointSecurity 3.0 agent service” listed above – this service takes care of almost everything related to device access on the client.

The admin point of view

The GFI EndPointSecurity Administration Console is simple and easy to master after the first few mouse clicks, see Figure 9.

Figure 9: GFI EndPointSecurity 3.0 Administration Console

Protection Status gives a quick and detailed overview of the configured agents and their update level.
Protections Policies contains all configuration policies.
Options provides access to policy defaults and logging options.
General gives access to licensing information and support information, etc.

Protection policies are connected to Active Directory groups or users, so after the preliminary setup of GFI EndPointSecurity, the rest can be controlled via Active Directory as part of normal user administration. Figure 10 shows how Active Directory security groups are connected to access permissions for Storage Devices.

Figure 10: Protection Policy Defaults

A number of Active Directory groups are created ‘behind the scenes’, each with a description of its purpose (Figure 11).

Figure 11: Active Directory Users and Computers: GFI groups

If no SQL 2000/2005 servers are available on the network, default logging is done by using the local GFI EndPointSecurity agent application log. This is, of course, not the easiest way for administrators to get an overview of what is happening on the network, but it is sufficient.

Figure 12: Event Viewer: EndPointSecurity auditing

By setting up logging to an SQL server we can centralize log information and report on the basis of this information, but we’ll get back to this later…

So, what about the user’s point of view? Most users will not even notice the existence of the GFI EndPointSecurity agent. An experienced user would be able to spot the service running in the background, but apart from this, all the users will see is Windows default block messages like “Access denied” when trying to do something that is out of the users “scope”.

Reporting

As an add-on to GFI EndPointSecurity, a report pack can be purchased (a 30 day trial download is available on GFI website), installed and configured to provide an overview of how GFI EndPointSecurity performs and what actions are taken. With this add-on, management and other personnel can determine how devices are used and accessed throughout the network. By default, reports that show things like device usage summary, trends and statistics, most active machines and users, technical reports, etc. can be generated quickly. These reports are nicely formatted in tables and graphs for easy reading and can be customized to fit any company’s needs (by using the EndPointSecurity Custom Report Wizard).

Before installing GFI EndPointSecurity Report pack, the GFI Report Center Framework must be installed – this takes only a few seconds to complete. The ReportPack needs to be pointed to the SQL data source generated by GFI EndPointSecurity, see Figure 13.

Figure 13: SQL database selection

By configuring the mail settings correctly, reports can be sent on a specified schedule to a specific e-mail address (Figure 14).

Figure 14: Mail settings

The GFI Report Center (Figure 15) is a common platform for GFI products that takes advantage of ReportsPacks to produce reports for management and technicians. Many GFI products have specific ReportPack add-ons that make it very easy for administrators to provide reports that match the main product – and the process can even be scheduled.

Figure 15: GFI ReportCenter 3.5

Both default and customized reports can be scheduled to run in a given interval for ‘today’, ‘yesterday’, ‘last 7 days’, ‘last 30 days’ or a custom date range (Figure 16).

Figure 16: Schedule Report Wizard: Time Schedule

The reports can be exported to a file in PDF, XLS, DOC or RTF format. Report files are placed in a default folder or can be pointed to individual folders for each scheduled report. Another option is to send the reports by mail. This can also be done by using the default mail settings or by specifying individual mail settings for each scheduled report (Figure 17).

Figure 17: Schedule Report Wizard: Advanced

Conclusion

GFI EndPointSecurity offers many great features to take control of vulnerable data and network environments. This product allows the control of data flow to and from storage devices on a user by user basis throughout the network. Future Windows operating systems (Vista and above) provide some built-in functionality for controlling access to removable storage devices through Group Policy, but GFI EndPointSecurity still offers corporations a number of security-related features that Microsoft Windows Vista Group Policy currently does not offer. In Microsoft Windows Vista, administrators can configure which users are allowed or denied access to different portable storage devices – this level of granular control however, cannot be extended to devices without a file system. GFI EndPointSecurity provides system administrators with the ability to exert almost the exact same level of granular control over all 32-bit versions of Windows 2000, XP, 2003 based computers and all devices without a file system. These include printers, scanners, modems, Bluetooth dongles, etc.

Another important aspect of EndPointSecurity is the tracking of portable device usage and the investigation of suspicious activity. As opposed to Windows Vista, GFI EndPointSecurity logs all user-based portable device activity to either Windows Event Logs or a Microsoft SQL server and enables IT pros to generate device usage activity trends and reports based on this data. I recommend you to go and download the trial and test this powerful piece of software. Enjoy!