PCShield

Enhance your desktop security

Protecting your desktop computers against unwanted access is a majorchore. Windows 95 doesn't provide much protection against unwanted access,nor does it let you audit local workstation activity. Windows NT offers someauditing and access control, but room for improvement exists. You don't have towait for Microsoft to make improvements, however. You can use AXENTTechnologies' PCShield, a software add-on that enhances NT and Win95 desktopsecurity. The software adds new features and control mechanisms to yourOS's existing security setup. In addi-tion, PCShield scales well and fits into most networks.

Installation
To install PCShield, you must install the software's Security Managercomponent, build a security database by configuring security settings, and buildan installation kit. After I built the security database, I used theinstallation kit to install PCShield on my client workstations.

To install the Security Manager, I defined an installation directory, and thesetup wizard copied all the necessary files into this directory. Then I clickedSecurity Manager on the Start menu.

When I ran Security Manager for the first time, the software's GettingStarted dialog box guided me through each step of creating the security databaseand installation kit. To create the database, I clicked File, New. Then Idefined a password and passphrase for the database, to which only securityadministrators would have access. I defined a directory path to store thedatabase on and I modified the security policies.

PCShield has eight built-in security policy templates for desktop, notebookcomputer, and Microsoft Office users. The software also includes a standardsystem security policy template, as Screen 1 shows. You can configure PCShieldto accommodate a range of user needs. For example, to prevent users from placingmalicious software on your company's systems, you can configure PCShield to letonly programmers create files with extensions ending in .exe and .dll.

For my test, I modified an existing desktop template to provide securityfor my network. After I defined the policies, I added users who were authorizedto access PCShield-enabled systems. I also defined groups and assignedthese groups to workstations. PCShield's user-group architecture is similar to NT's architecture. However, the software's architecture doesn'tintegrate into NT's user database, so you might need a substantial amount oftime to add more than a dozen users.

PCShield doesn't have an interface you can use to import user informationfrom NT servers. You can use the software's import facility to importworkstation and user information from text files, but you must create acomma-delimited text file before you can import the files. You can use a MicrosoftWindows NT Server 4.0 Resource Kit tool to dump a list of users out to afile.

Using PCShield, I defined workstations and assigned users to thoseworkstations. Under standard NT security, you define which workstations auser can log on to. PCShield takes this concept a step further: A user canlog on locally only at workstations designated for that user. For example, I added my workstation to the PCShield workstation list and configured thesoftware's properties so that users can log on to my Win95 system onlythrough my account. Even if a user presses Escape at the logon prompt, that userwon't gain access to the system because PCShield replaces theinitial logon dialog with a dialog of its own. In addition, when youinstall PCShield, users can't use a 3.5" boot disk to access the harddisks on Win95 systems. NT systems don't provide this feature.

After I configured policies, user groups, and workstations, I created theinstallation kit and installed PCShield on my workstations. To create theinstallation kit, I selected the appropriate workstations from the list Icreated. PCShield then built an installation kit for the workstations Iselected. (You can store the kit on 3.5" disks, a hard disk, or a networkdrive.) I then went to each computer and ran the setup program to installthe software. PCShield includes an unattended installation option so you caninstall the software from a remote location.

After I installed the software on my workstations, I rebooted each systemto activate PCShield. When you activate the software, PCShield presents thesecured logon dialog prompt. I installed and configured PCShield on 10workstations in less than 1 hour.

Features Abound
PCShield automatically encrypts file data using Data Encryption Standard(DES), Triple DES, or AXENT's proprietary encryption method. I wouldn't use DES to encrypt sensitive information, but Triple DES and AXENT encryptionprovide strong protection schemes.

A major concern for users when a new product rolls out is how that productwill affect the Help desk load. PCShield minimizes the Help desk load byproviding automated updates for client systems. Systems administrators can placeenterprisewide updates on a designated server. When a computer that PCShieldcontrols logs on to the network, the computer's security kernel checks to seewhether any new updates are available. If a new update is available, the clientsystem automatically copies the update from the designated server and installsthe update on the computer.

One of my favorite PCShield features is the audit trail. Win95 systemsdon't provide audit trails, which can result in serious accountability problemsif unusual events originate from Win95 workstations. For systems administrators,determining who a user is and what that user does on Win95 systems is almostimpossible. NT, however, has a basic, built-in auditing capability. When youconfigure audit trails using PCShield, you can see what users are doing on theirworkstations, regardless of the platform they're running. You can also sort,filter, and customize the audit trails. If you want to use the audit trails inother software systems, you can print or export them to industry standardformats.

PCShield offers many important policy configuration settings. For example,Program access control lets you assign program-access rights forprotected-file access, file access type, and encryption settings. Accessrights lets you define which file types the software will automaticallyprotect, which users can access those files, and what type of access those usershave to the files. Password policies lets you define password length,character types, password life span, words users can't use as passwords, oldpasswords that users can't reuse, and combinations of characters. Auditingpolicies lets you define the events PCShield will audit and log. To simplifyadministrative review, you can configure the software to gather logs frommultiple workstations and transfer those logs to network-based audit files atregular intervals.

I can configure PCShield's intruder alert program to capture specificevents (e.g., failed events, system shutdowns, protected file access, passwordchanges, and Registry updates). I can also specify where I want the software tostore the alert information and the type of encryption to use to protect theevent data.

PCShield protects the Registry, so users can't make unauthorized changes.The software also lets you control access to the Control Panel, DOS prompt, F8key at the boot, Run command, drive displays, and screen-saver settings.

A Great Security Add-on
PCShield is a stellar add-on for NT and Win95 systems. I recommend PCShield,especially if you use Win95 systems. The software can easily increase yoursystem's security.