PatchLink's Sanctuary

Most companies have policies regulating copying of corporate data and forbidding installation of unauthorized software. But a policy without an enforcement mechanism is only marginally better than posting a memo on the lunchroom wall.

If you're serious about endpoint security, take a look at PatchLink's Sanctuary Suite. We tested the 4.1.3 version in our Syracuse University InformationWeek Labs and found its application- and device-control features essential to helping IT departments put teeth behind corporate policies.

Using Sanctuary, IT can create whitelists of approved applications; software not on the lists simply won't execute. It also enforces policies around the use of removable media and connectivity options, including wireless LANs and Bluetooth.

On the downside, Sanctuary will cause administrative headaches: Some employees will clamor for exceptions, leading to a multitude of policies to manage, and any application whitelist requires constant vigilance to include the latest versions of mission-critical apps and browser plug-ins. But given today's regulatory climate and the never-ending hit parade of malware that people bring into the business environment, we say, pop a few Advil and get over it.

PatchLink is competing in this space with Bit9's Parity, which uses both blacklists and whitelists to define applications that can run on managed PCs. Its device-control feature can enable or disable the use of removable media and log data being copied to portable storage systems. Data-leak prevention vendors also are releasing client software that includes device control. Code Green Networks, for example, offers a client that can prevent sensitive files from being reproduced, and Vontu's Vontu 7 alerts administrators if restricted data is copied to removable media.On the application security front, there are options that provide more flexibility than simply allowing or disallowing applications to run. We recently reviewed BeyondTrust Privilege Manager, which lets administrators elevate user rights as needed; it doesn't, however, eliminate the malware risk.

IRON-FISTED CONTROL
Sanctuary deals with the threat of malware from untrusted sources, such as rogue Internet applications, by referring to trusted lists of application groups. It uses the SHA-1 hashing algorithm to create "signatures" of allowed applications. Only those apps that are members of an allowed group can run.

While similar functionality is available to Windows administrators using Active Directory Group Policy, it's much easier to manage with a tool like Sanctuary. The Group Policy editor isn't the best place to manage application file names and hashes, while Sanctuary was designed specifically for this purpose. It also computes hashes for you, eliminating an extra step.

The whitelist database is built from scans of Sanctuary client computers, specified by IT. The logical approach is to dedicate systems with up-to-date operating system and application versions to serve as reference machines. Scans are initiated remotely from the administrative console, and results are compared against a reference database of known file definitions and predefined file groups. Allowing or denying permission for a subset of users to run a program then becomes a function of associating the file group with an object in your enterprise directory. We tested this feature by denying the use of Mozilla Firefox for an Active Directory user group.

The reference machines must be kept up to date and rescanned regularly, of course, but Sanctuary allows administrators to automate this process. The current version of the Sanctuary suite also lets IT block execution of VBScript, Microsoft Office VBA, and JavaScript files en masse. If you need to allow a specific script, you'll need to change the setting to prompt for all running scripts, which is far from desirable.PatchLink says functionality will be added to an upcoming release that will make scripts part of the file-scanning process, which should provide greater granularity over script execution. PatchLink also needs to work on Sanctuary's group policy settings: As the product currently stands, it can get very confusing to tailor policies for multiple groups.PLUGGING PORTS
The other half of the equation is preventing data leakage. IT can enable or disable hardware devices on the client via Sanctuary's Device Explorer, which bears an uncanny resemblance to Windows device manager. We could set any device as "disabled," "enabled for read-only," or "enabled for read-write." In testing we successfully made a DVD-RW drive on a test laptop read-only for an AD user group and disabled the wireless LAN, Bluetooth, and infrared ports. Each device has both online and offline permissions, so you can create rules that allow full use of the DVD-RW when the client can communicate with the server and disable the device when it can't.

For any removable storage medium (CD-RW media, USB thumb drives, external hard disks, tapes) IT can set copy limits, enable a scheduled window for when copying is permitted, and turn on shadowing. Shadowing logs any files being copied to or from remote devices, and includes an option to place a copy of the file being transferred in a restricted folder. Each of these options can be enabled universally or for files of a specific type, such as DOC, PDF, or XLS.

Sanctuary closes one more loophole with the capability to encrypt removable devices so that data on them is accessible only from other workstations running the Sanctuary client. Alternately, the "Easy Exchange" feature allows a user who knows the password to access the encrypted device from any computer.

Two important pieces of the encryption puzzle missing from the 4.1.3 version--but promised in an upcoming release--are password recovery, to let the Sanctuary administrator recover data from a removable device when passwords are forgotten or locked, and password lockout, to deactivate a device after a number of failed password attempts. Now, you will have to poke a hole in your firewalls, and this hole must stay open for Sanctuary clients to communicate with the application server. However, the client-server communication may be encrypted with Transport Layer Security.

Bottom line, when coupled with sound patching and hardening of the host operating system, Sanctuary provides almost complete endpoint security.The missing piece? Full hard-disk encryption à la Windows Vista BitLocker to protect data when the entire computer is stolen--an all-too frequent event with laptops. No endpoint can be completely secure without it.

Michael Fudge Jr. is a systems administrator for the iSchool at Syracuse University. Write to him at [email protected].