DeviceLock Administrators


 

DeviceLock's default security configuration is based on Windows Access Control Lists (ACL). A user without administrative privileges can't connect to DeviceLock Service, modify its settings or remove it. Everything is controlled by the Windows security subsystem.

 

To turn on the default security based on Windows ACL, select the Enable Default Security check box.

 

Users with local administrator privileges (i.e. members of the local Administrators group) can connect to DeviceLock Service using a management console and change permissions, auditing and other parameters. Moreover, such users can uninstall DeviceLock from their computers, disable or delete DeviceLock Service, modify the service's registry keys, delete the service's executable file, and so on. In other words, users with local administrator privileges can circumvent the default security based on Windows ACL.

 

However, if, for some reason, users in your network have administrator privileges on their local computers, DeviceLock does provide another level of protection: DeviceLock Security. When DeviceLock Security is enabled, no one except authorized users can connect to DeviceLock Service or stop and uninstall it. Even members of the local Administrators group (if they are not on the list of authorized DeviceLock administrators) can't circumvent DeviceLock Security.

 

To turn on DeviceLock Security, clear the Enable Default Security check box.

 

Then you need to specify authorized accounts (users and/or groups) that can administer DeviceLock Service. To add a new user or user group to the list of accounts, click on the Add button. You can add several accounts simultaneously.

 

To delete a record from the list of accounts, use the Delete button. Using Ctrl and/or Shift you can highlight and remove several records simultaneously.

 

To define which DeviceLock administrative actions are to be allowed for a user or user group, set the appropriate rights:

 


NOTE: We strongly recommend that accounts included in this list have local administrator privileges because, in some instances, installing, updating and uninstalling DeviceLock Service may require access rights to the Windows Service Control Manager (SCM) and to shared network resources.

 

Here is just one example of how to properly define a DeviceLock Administrators list: add a Domain Admins group with Full access rights. Because Domain Admins is a member of the local group Administrators on every computer in the domain, all members of Domain Admins will have full access to DeviceLock Service on every computer. However, other members of the local group Administrators will not be able to administer DeviceLock Service or disable it.

 

Also, by selecting the Enable Unhook Protection check box, you can turn on optional protection against anti-rootkit techniques that could be used to intentionally disable DeviceLock Service. When this protection is turned on, the DeviceLock Driver monitors the integrity of its own code. If a violation is found, DeviceLock causes Windows to stop with a fatal error (BSOD).

 

NOTE: Some antivirus, firewall and other low-level third-party software may conflict with the unhook protection and cause fatal errors (BSOD). We recommend that you enable this protection only on systems where it has been tested beforehand.

 

Select the Prevent Changes In System Configuration Files check box to instruct DeviceLock Service to automatically secure the Windows Hosts file.

 

NOTE: Because DeviceLock uses the local Hosts file for host name resolution, a malicious user with local administrator rights can modify the Hosts file as required to bypass DeviceLock security policies. To minimize this risk, we recommend that you secure the Hosts file using the Prevent Changes In System Configuration Files option.
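As an added example (not DeviceLock's own code), the following script audits a Hosts file for the tampering described in the note above: it parses the file and reports any entry that would redirect a watched host name away from its expected address. The server names and addresses in the watch-list and the sample file are constructed assumptions; in practice the watch-list would hold the names DeviceLock Service resolves in your deployment.

```python
"""Audit a Windows Hosts file for entries that redirect watched host names."""
import ipaddress


def parse_hosts(text: str) -> dict[str, list[str]]:
    """Map each host name (lowercased) to the addresses the Hosts file assigns it.

    Hosts format: '<address> <name> [<alias> ...]'; '#' starts a comment.
    Lines whose first field is not a valid IP address are ignored.
    """
    mapping: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue
        for name in parts[1:]:
            mapping.setdefault(name.lower(), []).append(addr)
    return mapping


def find_overrides(text: str, watched: dict[str, set[str]]) -> dict[str, list[str]]:
    """Return watched names mapped to any address outside their allowed set.

    An empty allowed set means the name should never appear in the Hosts file
    at all (it is expected to come from DNS), so any entry for it is reported.
    """
    mapping = parse_hosts(text)
    suspicious: dict[str, list[str]] = {}
    for name, allowed in watched.items():
        unexpected = [a for a in mapping.get(name.lower(), []) if a not in allowed]
        if unexpected:
            suspicious[name] = unexpected
    return suspicious


# Constructed sample: one legitimate pinned entry, one alias pointing the server
# name at a different address, and one name sinkholed to loopback.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        dl-server.corp.example   # legitimate pinned entry
192.0.2.10      other-host.example DL-Server.corp.example
127.0.0.1       dl-server2.corp.example  # constructed tampering
"""
# Hypothetical watch-list: name -> addresses it may legitimately resolve to.
WATCHED = {"dl-server.corp.example": {"10.0.0.5"}, "dl-server2.corp.example": set()}

if __name__ == "__main__":
    for name, addrs in find_overrides(SAMPLE_HOSTS, WATCHED).items():
        print(f"Hosts file overrides {name} -> {', '.join(addrs)}")
```

Run it against the real file (`%SystemRoot%\System32\drivers\etc\hosts`) from a scheduled task or your endpoint monitoring agent to detect the bypass before relying on the DeviceLock option alone.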

 

Also, by selecting or clearing the Use Strong Integrity Check check box, you can specify the type of integrity checks to use. You can run two types of integrity checks to detect corruption in DeviceLock Service's executable files: