DeviceGuard

Overview

DeviceGuard is a tool for monitoring and administration of:

- logical drives,
- USB- devices,
- parallel and serial ports,
- FireWire- and infrared ports,
- WLAN devices.

DeviceGuard is installed as service on client computer and administered preferred by Microsoft Active Directory (group policies). DeviceGuard runs on Windows 2000, Windows XP or Windows 2003 clients. Server sides there are no particular guidelines – it is recommended to use Windows 2000/2003 Server with Active Directory, but every other technologies allowing centralized changes in the registry, are applicable (e.g. ZENworks).

Monitoring drives

DeviceGuard permanently monitors the drives, which are available on user's computer. The decision whether a drive is provided on the computer depends on drive type (Floppy, Removable Drive, CD/DVD/CD-RW).

When a drive type is detected which is not allowed on the computer the access to this drive is locked. Additionally the locked device can be hid.
Is for example a USB memory stick connected to a USB port, Windows installs the necessary drivers to provide the drive. Once drive is available, DeviceGuard identifies the drive type. If „Removable Drives“ are not allowed, drive access is locked and optional the drive is hid (recommended). The user it is represented as if never a memory stick was connected to USB port.

USB port monitoring

DeviceGuard can monitor connected devices. The USB device identification takes place on base of VID and PID values. The VID value is the vendor id, the PID value is the product id. VID is a unique number assigned to each computer hardware device that helps a computer identify the hardware being installed in the computer. The PID is assigned by manufacturer. To monitor a specific device the exact VID/PID value is entered in the monitoring list. To monitor all devices of one manufacturer only the VID value is entered in the list.
Furthermore monitoring of USB device classes is possible. So for example input devices (HID – Human Input Devices) can be allowed and USB drives (USBStor) can be locked. By the monitoring of USB devices two methods are used:

Allow specific devices
DeviceGuard checks all installed devices against a given list (VID-PID-values and /or classes) and locks devices which are not contained in the list.

Lock specific devices
In this case DeviceGuard locks only devices or classes which are contained in die in the list. All other devices remain unaffected.

Both methods are costly, but allow a high security level, because the devices are locked in the driver level and not only in the presentation level. The effort is reduced when monitoring proceeds by USB device classes.

The necessary information needed for configuration can be gathered from the DeviceGuard Monitor.

Parallel, serial, FireWire, infrared, WLAN ports

DeviceGuard can monitor parallel, serial, FireWire, infrared and WLAN ports and control the access dependent on user and computer according to the central configuration. DeviceGuard locks the ports and not the connected. type (e.g.: COM1, COM2), all ports will be locked/allowed – there is no chance of differentiation .

Administration

DeviceGuard is configured via the registry of the computer which runs DeviceGuard. For central configuration of all computers in a network a policy template (deviceguard.adm) is provided which can be used in ActiveDirectory under Windows 2000/2003 Server.

the use of Windows 2000/2003 Server with Active Directory is recommended, but not a requirement. You can use other technologies like Novell ZENworks oder ScriptLogic which allow centralised change of client registry, too.

Logging

DeviceGuard logs it's activities to file or send SMTP messages if activated. The Logfile deviceguard.log is stored in directory ..\SYSTEM32.
SMTP messages will be sent, if prohibited devices are connected to the client PC. To protect users anonymity, all user information can be eliminated during logging and SMTP messages.

System requirements

• Windows 2000
• Windows XP
• Windows 2003
• Windows Vista (beta 1)