How it works
To control access, GFI EndPointSecurity™ installs a small footprint agent on your user's machine. This agent is only 1.2 MB in size, meaning your user will never know it is there. GFI EndPointSecurity includes a remote deployment tool based on GFI LANguard™ technology, allowing you to deploy the agent to hundreds of machines with just a few clicks. After installation, the agent queries Active Directory when the user logs on and sets permissions to the different nodes accordingly. If the user is not a member of a group that allows access to a particular device or set of devices, then access is blocked.
Manage user access and protect your network from portable devices
Using GFI EndPointSecurity you can centrally disable access to any portable device, preventing both data theft and the introduction of data or software that could be harmful to your network. Although you could block portable storage devices such as CDs and floppy drives from the BIOS of the individual machine, the solution is inconvenient and impractical when applying software or network upgrades. For example, a new software or device installation would require the administrator to physically visit each machine, switch off the computer, temporarily disable protection, perform the install and then re-enable protection. Furthermore any sophisticated user can hack the BIOS, circumventing the security measure altogether. GFI EndPointSecurity allows you to take control over your environment and the access of a wide variety of devices including:
- Floppy disks
- CDs and DVD ROMs
- Storage devices
- Network adapters
- Imaging devices
- And more
GFI EndPointSecurity incorporates a dedicated node making it possible for administrators to view all computers on a network from a single location. Here, administrators can assign a secondary name to computers, to make it easier to identify them.
Computer auto-discovery and automatic protection
GFI EndPointSecurity can monitor the network, detect new computers that are connected onto the network, notify the administrator, and perform various tasks as configured by the administrator. For example, the administrator can set automatic detection to occur at pre-set intervals - hourly, daily, weekly, etc. One can also set the scope of the auto discovery, for example, only computers detected on the domain or on the entire network. Once computers are detected, the administrator can choose whether to automatically protect them by deploying a pre-defined policy, or simply to be notified that new computers were detected. If auto-protect is selected, as soon as a computer is detected, the product would automatically install the agent and apply the default policy selected by the administrator.
Supports Windows 7 and BitLockerTo Go
Windows 7’s“BitLocker To Go” is designed to encrypt data on removable devices. GFI EndPointSecurity 4.2 can detect devices that are encrypted with BitLocker To Go, and apply different permissions to these devices.
Get detailed reports on device usage with GFI EndPointSecurity ReportPack™ add-on
The GFI EndPointSecurity ReportPack is a powerful reporting package that adds on for free to GFI EndPointSecurity. This reporting package can be scheduled to automatically generate graphical IT-level or higher level management reports, based on data collected by GFI EndPointSecurity. This gives you the ability to report on devices connected to the network, user activity, endpoint files copied to and from devices (including actual names of files copied), and much more. The latest ReportPack includes enhanced reports that highlight users trying to bypass security policies by renaming file extensions etc.
More information about the GFI EndPointSecurity ReportPack
Windows 7 support for tamper-proof agent
The agent used to control machines has a number of security elements applied to render it tamper-proof. Users are unable to uninstall the agent as it is not published as an installed application. As additional security, uninstall can only be accomplished if a special 128-character ID to unlock the uninstaller is registered. A sample of the other security features includes encryption of the configuration file used by the agent; the automatic regeneration of registry keys and critical files if these are tampered with; and an emergency block mode if the configuration file is corrupt, leaving access to the driver only possible by a system reinstall or using the recovery console.
Log the activity of portable device access to your network
USB sticks present a significant threat to your business environment. They are small, easily hidden and can store up to 16 GB of data. Even plugging a digital camera into a USB port gives users access to storage on an SD card. SD cards are available in 32 GB capacity and more; that's a lot of potential for carrying off your data or for exporting infected software onto your network. In addition to blocking access to portable storage media, GFI EndPointSecurity logs device related user activity to both the event log and to a central SQL Server. A list of files that have been accessed on a given device is recorded every time an allowed user plugs in.
Easily configure group-based protection control via active directory
You can categorize computers into protection groups. For each group you may specify the level of protection and portable device access to allow. The ability to group your networked computers is a powerful feature; making, for example, an entire department into one group and then managing the department's setting by managing the group as a single entity. Configuration of GFI EndPointSecurity is effortless and leverages the power of Active Directory. It does not require the administrator to remember and track which policies were deployed to which computers. Many other storage control software requires cumbersome machine by machine administration, forcing you to make the changes on a per-machine basis and then to update the configuration on each machine before the settings take effect. GFI EndPointSecurity does away with all of that.
Advanced granular access control via whitelists and blacklists
GFI EndPointSecurity enables you to allow or deny access to a range of device classes, as well as to block files transferred by file extension, by physical port and by device ID (the factory ID that identifies each device). It is also possible to specify users or groups and then manage their access to devices giving them permissions ranging from no access ever, some access to some devices some of the time, and all of the way to full access at all times. GFI EndPointSecurity allows administrators to define a device whitelist and a blacklist allowing only company-approved devices, effectively and easily blocking all others.
Real-time status monitoring and alerts
GFI EndPointSecurity provides real-time status monitoring through its user interface. It displays statistical data through graphical charts, the live status of the agent and more. GFI EndPointSecurity also allows you to send alerts when specific devices are connected to the network. Alerts can be sent to one or more recipients by email, network messages, and SMS notifications sent through an email-to-SMS gateway or service.
Easy unattended agent deployment
GFI EndPointSecurity provides administrators with the ability to automatically schedule agent deployment after a policy or configuration change. If a deployment fails, it is rescheduled until deployed successfully. The GFI EndPointSecurity remote deployment tool can deploy its security agent network-wide in a few minutes and we facilitate Active Directory deployment through MSI.
Permit temporary device access
Temporary access can be granted to users for a device (or group of devices) on a particular computer for a particular timeframe. This can be done even if the GFI EndPointSecurity agent is not connected to the network!
Policy creation wizard
To facilitate the creation of security policies, GFI EndPointSecurity includes a wizard to create security policies. Administrators can also create new policies based on existing ones.
An email notification containing activity statistics can be sent on a daily or weekly basis, enabling the recipient to have an overview of, for example, how many files were copied to and from devices, how many may potentially carry malware, etc.
- Ability to group computers, e.g., by department, by domain, etc.
- Scan and detect a list of devices that have been used or are currently in use
- Password protected agents to avoid tampering
- Set up custom popup messages for users when they are blocked from using a device
- Browse user activity and device usage logs through a backend database
- Maintenance function that allows you to delete information that is older than a certain number of days
- Support for operating systems in any Unicode compliant language