SecureNT 1.2 - 24 Mar 2000

A software-based locking tool to secure I/O devices

A growing reliance on computers for the processing and storage of critical data meansthat securing system integrity is crucial. A lot of public hype exists about the externalthreats that system crackers pose, yet internal threats are more likely to compromise theintegrity of a company's computing resources. Whether those threats take the form of avirus accidentally unleashed by an unsuspecting user or sensitive data purposely copiedfor illegitimate use, the result is the same. DigitalWave's SecureNT 1.2 offers a partialsolution to internal threats.

SecureNT's focus is on control of I/O devices. The application supplies asoftware-based locking mechanism for 3.5" disk drives, CD-ROM drives, and COM and LPTports. This locking mechanism resides on each user's machine and takes the form of anative service under Windows NT and a virtual device driver (VxD) under Windows 9x. Youuse the SecureNT Administrator, which Screen 1shows, to administer each service or VxD remotely.

Installation
To evaluate SecureNT, I used NT Server 4.0 configured as a PDC and a Win95 workstation.According to SecureNT documentation, this configuration isn't optimal but is sufficientfor testing core functionality.

I installed SecureNT on the PDC. This process was typical of NT installations andrequired the usual agreement to licensing terms and installation path specification.However, this step only set up SecureNT Administrator. I had to install the servicecomponents to make use of SecureNT's functionality. To install components under NT, I hadto copy an executable into the winntsystem32 directory and install the executable as anative service.

The procedure under Win95 was more complicated. Before installing the servicecomponent, I had to install Distributed Component Object Model 95 (DCOM95), and Iinstalled two client libraries from the Win95 Server Tools included on the NT Server 4.0CD-ROM. To wrap up the installation, I copied a directory that contained the Win95 VxD andinstallation tool from the PDC to the Win95 machine.

Using the Software
SecureNT relies heavily on group membership to control functionality, so the first task isto create the supported groups. You must create seven user groups: two groups for full andview-only access to SecureNT Administrator, and five groups for long-term access to I/Odevices. After I added myself to the SNT_ADMIN group, I was able to run SecureNTAdministrator. When you first open SecureNT Administrator, the application doesn't listany workstations in Network Neighborhood because it assumes an all-locked policy. Thissetup is appropriate because the first time you start SecureNT, a service component locksall I/O devices for which SecureNT is responsible.

You can use SecureNT Administrator and group membership to handle exceptions to theall-locked policy. For long-term or permanent access to one or more I/O devices, groupmembership is the method of choice. In my case, I added one highly trusted user to theSNT_ALL group and one user who consistently worked with archive data to the SNT_CDROMgroup. On the PDC, SecureNT didn't seem to fully recognize the group modifications until Irestarted the service component. However, after the first system reboot, I no longerencountered this problem. The Win95 client completely ignored the fact that a user waspart of the SNT_ALL group. This shortcoming might result from the fact that Win9x clientssupport only locking CD-ROM and disk drives. When I removed the user from SNT_ALL andadded the user to the SNT_CDROM and SNT_FLOPPY groups, the Win95 client correctly detectedthe change and unlocked the CD-ROM and disk drives.

For temporary access, the SecureNT Administrator provides a means for remoteadministration of I/O device locks. To modify the device locks, the Administrator requiresyou to add the corresponding workstation to the Administrator's Network Neighborhood. Youcan accomplish this task using different techniques, including lookup by username,selection from workstation lists, and manual entry. After you add workstations in NetworkNeighborhood, you can simply select a workstation device to lock or unlock. When unlockinga device, the application provides options for unconditional and timed access. In bothcases, end users can automatically receive a dialog box that informs them of the lockmodification. In the case of a timed lock, a dialog box also keeps end users informed ofthe time remaining before the application relocks the device.

The Verdict
I found that working with the Win9x client was tedious, requiring the installation ofadditional packages, a couple of reboots, and some extra configuration. DigitalWave limitssupport for Win9x clients to only CD-ROM and disk-drive locks, but the company is workingon COM and LPT support for the product's next version. The application currently supportsLPT locks under NT, but the locks don't apply to local printers, so you must handle thisseparately. For mid- to large-sized networks, SecureNT provides an adequate solution for aportion of the internal-security dilemma. For smaller networks, however, hardware locks ormachines stripped of drives that support removable media might make more sense.