
SCCM Endpoint Protection supports Removable Media (DLP)

Abstract overview

Microsoft System Center Configuration Manager (SCCM) contains a component called Endpoint Protection.  Endpoint Protection here means protecting the organization assets.  Assets mean data, software and hardware (Windows workstations and servers) in your environment.  Out of the box, SCCM provides 2 features under Endpoint Protection:

1. Antimalware
2. Firewall

[Image: SCCMEndPointProtection1]

Antimalware protects the endpoint by preventing programs on the Windows operating system from performing destructive operations. The operation I want to call out here is a piece of malware that takes sensitive data and sends it outside the network to someone who should not have that data.

Firewall protects the endpoint by blocking unauthorized data packets from entering or leaving the network. The Firewall deals with the data coming to and from the network. For the scenario where data is taken from the network to the outside, Antimalware and Firewall work together, each covering a different part of the scenario.

There is another security hole that is now covered by SCCM Endpoint Protection: Removable Media devices.  Removable Media devices are hardware devices that connect to the Windows computer with a Universal Serial Bus (USB) cable or a Bluetooth connection.  Removable Media devices contain file-system storage.  With file-system storage, data (files) can be read from and written to Removable Media devices.  Antimalware protects the organization from data being read from Removable Media devices.

What about data being written to Removable Media devices?  SCCM Endpoint Protection needs a feature that will protect sensitive data from leaving the organization.  Squadra Technologies Security Removable Media Manager (secRMM) is Windows security software that focuses on data being written to Removable Media devices (smart phones, tablets, usb drives/sticks, SD-Cards, CD/DVD, etc.).  secRMM lets you define authorization rules to prevent writing and also has the best monitoring (i.e. logging each write event) solution on the market today.  secRMM integrates into SCCM Endpoint Protection and provides this critical functionality.  In addition to protecting the organization from sensitive data leaving (stolen or mistakenly taken), any piece of data that does leave the organization is accounted for by secRMM.  This allows organizations to adhere to strict data regulations that are being required today (i.e. medical, legal, financial, etc.).

[Image: SCCMEndPointProtection2]

Technology overview

Integrating secRMM into SCCM did not require new technology.  SCCM has a feature called “Compliance Settings” (previously named Desired Configuration Management).  “Compliance Settings” allows you to specify values for software running within the organization.  The values you specify are the appropriate values for work to be performed within the organization.  Should the value(s) change, either by a person or programmatically, it will have an adverse impact to the organization.  When a value is set to the wrong value, it is said to be “out of compliance”.  Security settings within the organization typically protect the values from being changed.  For example, the file system (i.e. NTFS) and registry permissions can protect a majority of the values.  However, there are permissions assigned to personnel and programs that give update access to the values.  Given that the values do get changed either intentionally or not, an automated feature that checks the values and reports if they are “out of compliance” is needed to prevent improper values from causing adverse impacts.  This is exactly what SCCM “Compliance Settings” does.  It also includes a feature called remediation.  Remediation will set the value back to the correct value if it is found to be “out of compliance”.

The “Removable Media Policies” under SCCM “Endpoint Protection” makes it very easy to create SCCM “Compliance Settings” specifically for protecting sensitive data being written to Removable Media devices.  Within a large organization, you might want to define more than one “Removable Media Policy”.  SCCM allows you to do this.  Then, for each policy, you assign it to a collection of computers.
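To make the “Compliance Settings” mechanism described above concrete, here is an added example (not code from this post, and not Squadra Technologies’ or Microsoft’s own) of a ConfigMgr script-based setting: a discovery function that reports whether a stored value matches the desired value, and a remediation function that sets it back. The registry path, value name and serial numbers are placeholders I made up for illustration; they are not where secRMM stores its policy.

```powershell
# Added example, not code from the post or from Squadra Technologies. It is a ConfigMgr
# "Compliance Settings" script-based setting: ConfigMgr runs the discovery script and compares
# its output with the expected value (here the string "Compliant"); when they differ and
# remediation is enabled on the baseline, the remediation script runs. The registry path,
# value name and serial numbers are placeholders, not where secRMM really stores its policy.
# Get-ItemPropertyValue requires Windows PowerShell 5.0 or later.

$KeyPath   = 'HKLM:\SOFTWARE\ExampleVendor\RemovableMediaPolicy'   # placeholder location
$ValueName = 'AllowedSerialNumbers'                                  # REG_MULTI_SZ, one serial per entry
$Expected  = @('SN-0001-ABCD', 'SN-0002-EFGH')                        # constructed desired value

function ConvertTo-CanonicalList {
    # Order-insensitive comparison key: trimmed, case-folded, sorted entries joined by newline.
    param([string[]]$Items)
    (@($Items) | ForEach-Object { $_.Trim().ToUpperInvariant() } | Sort-Object -Unique) -join "`n"
}

function Get-PolicyCompliance {
    # Discovery script body: emit "Compliant" or "NonCompliant" for ConfigMgr to evaluate.
    try {
        $current = @(Get-ItemPropertyValue -Path $KeyPath -Name $ValueName -ErrorAction Stop)
    } catch {
        return 'NonCompliant'   # a missing key or value is treated as out of compliance
    }
    if ((ConvertTo-CanonicalList $current) -eq (ConvertTo-CanonicalList $Expected)) {
        'Compliant'
    } else {
        'NonCompliant'
    }
}

function Set-PolicyCompliance {
    # Remediation script body: write the desired value back, creating the key if needed.
    if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType MultiString `
        -Value $Expected -Force | Out-Null
}

# As the discovery script, the file ends by emitting the compliance state:
Get-PolicyCompliance
# As the remediation script, replace the line above with: Set-PolicyCompliance
```

In the configuration item, the discovery script’s expected value is the string Compliant; leave the remediation script’s output unchecked, since ConfigMgr re-runs discovery after remediation to confirm the fix. Comparing the list order-insensitively avoids false “out of compliance” reports when an administrator simply re-enters the same serial numbers in a different order.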

Technology specifics

The secRMM integration into SCCM Endpoint Protection is implemented as an SCCM Console Extension. Each “Removable Media Policy” generates a collection of SCCM “Compliance Settings” “Configuration Items” (CI). There is always one parent CI and one or more child CIs. The parent CI performs the secRMM discovery and each child CI is responsible for a specific secRMM property (e.g. AllowedDirectories, AllowedSerialNumbers, AllowedUsers). In addition to the CI collection, a single SCCM “Compliance Settings” “Configuration Baseline” (CB) is created and associated with the CI collection. Both the CIs and the CB reside in a console subfolder under the appropriate parent folder (CI or CB). This keeps the folder structure within the SCCM console organized and easy to manage. All management of the CIs and CBs can be performed with the “secRMM SCCM Console Extension”, which abstracts the “Compliance Settings” user interface that comes with SCCM; the SCCM Administrator is free to use either user interface. The “secRMM SCCM Console Extension” supports SCCM “Compliance Settings” remediation.

[Image: SCCMEndPointProtection3]

Combining the features of SCCM “Compliance Settings” (compliance monitoring, remediation, alerting and reporting) with secRMM is a very powerful solution for protecting an organization’s data. secRMM is deeply integrated into the Microsoft System Center suite and also has:

  1. Operations Manager Management Pack (alerts, tasks)
  2. Operations Manager Data-warehouse reports
  3. Security Audit and Collection Services (ACS) reports
  4. Orchestrator extension

Preventing the NSA Security Breach

[Image: SafeCopyEndUserNotAuthorized]

By now everyone has heard the news about the security data breach at the National Security Agency.

So frustrating right?!

If only the NSA had been using secRMM’s “Enforceable two man policy”, Snowden would not have been able to copy data without another human involved.

Below is a hyperlink to an article discussing the security breach. Below the hyperlink, we extracted key excerpts from the article. Each excerpt describes a gap that secRMM could have addressed.

http://investigations.nbcnews.com/_news/2013/08/26/20197183-how-snowden-did-it?lite&ocid=msnhp&pos=1

As a system administrator, Snowden was allowed to look at any file he wanted, and his actions were largely unaudited. “At certain levels, you are the audit,” said an intelligence official.

He was also able to access NSAnet, the agency’s intranet, without leaving any signature, said a person briefed on the postmortem of Snowden’s theft. He was essentially a “ghost user,” said the source, making it difficult to trace when he signed on or what files he accessed.

The “thin client” system and system administrator job description also provided Snowden with a possible cover for using thumb drives.

Finally, Snowden’s physical location worked to his advantage. In a contractor’s office 5,000 miles and six time zones from headquarters, he was free from prying eyes. Much of his workday occurred after the masses at Ft. Meade had already gone home for dinner. Had he been in Maryland, someone who couldn’t audit his activities electronically still might have noticed his use of thumb drives.


Microsoft BitLocker Monitoring Extension

[Image: BitLockerLogo]

Microsoft BitLocker is a software disk drive encryption technology.  This means that the end-user who plugs the device in needs to authenticate with Windows before the disk is accessible to them.  Authentication is usually performed by specifying a password but can also be performed with a physical security card.

Microsoft makes it very easy to administer BitLocker in the enterprise with a tool called “Microsoft BitLocker Administration and Monitoring (MBAM)”. Furthermore, Microsoft distinguishes between encryption on non-removable hard drives and on removable drives. For removable drives, Microsoft calls the feature “BitLocker to Go”, the “to Go” part meaning the storage drive can be moved from one Windows computer system to another.

Squadra Technologies Security Removable Media Manager (secRMM) complements the “BitLocker to Go” experience by tracking how the end-user is using the encrypted removable media device. secRMM complements Microsoft’s MBAM because MBAM is focused more on managing and deploying the devices, whereas secRMM is focused on how the device is being used by the end-user.

The secRMM events tell you that the device is configured for BitLocker when the device is plugged into the Windows computer. Specifically, you will get two events when the “BitLocker to Go” device is plugged in. The first secRMM ONLINE event tells you that a device has been plugged in and that it is configured for BitLocker encryption. This event also tells you that the end-user has not yet authenticated with Windows, so he/she cannot yet actually use the device. From a security standpoint, though, it is important to know that someone has plugged the device in. Once the end-user authenticates successfully, another secRMM ONLINE event is logged indicating the device is ready for use.

secRMM logs all removable media (smartphones, tablets, usb drives, SDCards, CDRoms, etc.) events into the Windows security event log and also into a Windows event log named secRMM (that is only accessible to Administrators).  secRMM has an Excel 2010+ AddIn that lets you look at the event log data in a tabular format.  If you use Microsoft System Center, secRMM is integrated into SCCM, SCOM and Orchestrator (with Service Manager coming soon).  We used the secRMM Excel AddIn for the screen shots below.

When the “BitLocker to Go” device is first plugged in, you will get an event that looks like the screen shot below.  Notice the very last line.

[Image: OnlineNotYetAuthorized]

Once the end-user authenticates to Windows, you will see an event that looks like the screen shot below. Compare the Serial Number in screen shot 1 with the one in screen shot 2.

[Image: OnlineAuthorized]

Then, whenever a file is written to the device, you will get an event that looks like the screen shot below. Notice that the source file (i.e. the file the end-user copied to the removable media device) is captured.

[Image: Write]

Finally, when the “BitLocker to Go” device is removed from the Windows computer, you will get an event that looks like the screen shot below.

[Image: Offline]
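The four screen shots above form a per-device timeline: ONLINE while still locked, ONLINE once unlocked, one or more WRITE events, then OFFLINE, all tied together by the device serial number. The following is an added example (not code from this post or from Squadra Technologies) that rebuilds that timeline from a set of constructed event records and flags writes whose source file came from a sensitive share. The property names and the “Locked”/“Unlocked” wording are my assumptions for the sample data, not the real secRMM event schema; on a real machine the records would come from the secRMM event log (Get-WinEvent -LogName secRMM) instead.

```powershell
# Added example, not code from the post or from Squadra Technologies. The records below are
# constructed to mirror the sequence the post's screen shots show (ONLINE while locked, ONLINE
# once unlocked, WRITE, OFFLINE). The property names are an assumption, not secRMM's event
# schema; a real run would read the "secRMM" event log with Get-WinEvent -LogName secRMM and
# map its message fields onto these properties.

$SampleEvents = @(
    [pscustomobject]@{ Time='2013-09-02 08:01:10'; Event='ONLINE';  Serial='0C3A9F11'; User='CONTOSO\jdoe';   BitLocker='Locked';   Source=$null; Target=$null }
    [pscustomobject]@{ Time='2013-09-02 08:01:42'; Event='ONLINE';  Serial='0C3A9F11'; User='CONTOSO\jdoe';   BitLocker='Unlocked'; Source=$null; Target=$null }
    [pscustomobject]@{ Time='2013-09-02 08:03:05'; Event='WRITE';   Serial='0C3A9F11'; User='CONTOSO\jdoe';   BitLocker='Unlocked'; Source='\\fs01\finance\q3-forecast.xlsx'; Target='E:\q3-forecast.xlsx' }
    [pscustomobject]@{ Time='2013-09-02 08:03:20'; Event='WRITE';   Serial='0C3A9F11'; User='CONTOSO\jdoe';   BitLocker='Unlocked'; Source='C:\Users\jdoe\notes.txt';          Target='E:\notes.txt' }
    [pscustomobject]@{ Time='2013-09-02 08:10:00'; Event='OFFLINE'; Serial='0C3A9F11'; User='CONTOSO\jdoe';   BitLocker=$null;      Source=$null; Target=$null }
    [pscustomobject]@{ Time='2013-09-02 09:15:00'; Event='ONLINE';  Serial='77B2D0E4'; User='CONTOSO\asmith'; BitLocker='Locked';   Source=$null; Target=$null }
    [pscustomobject]@{ Time='2013-09-02 09:20:00'; Event='OFFLINE'; Serial='77B2D0E4'; User='CONTOSO\asmith'; BitLocker=$null;      Source=$null; Target=$null }
)

# Source directories whose contents should not land on removable media without review (constructed).
$SensitiveRoots = @('\\fs01\finance', '\\fs01\hr')

function Get-DeviceSessions {
    param([object[]]$Events, [string[]]$Sensitive)
    # Group by serial number: that is the key the post uses to tie the two ONLINE events together.
    foreach ($group in ($Events | Sort-Object Time | Group-Object Serial)) {
        $e       = $group.Group
        $writes  = @($e | Where-Object Event -eq 'WRITE')
        $flagged = @($writes | Where-Object {
            $src = $_.Source
            # truthy when at least one sensitive root is a prefix of the source path
            $Sensitive | Where-Object { $src.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
        })
        [pscustomobject]@{
            Serial       = $group.Name
            User         = ($e | Select-Object -First 1).User
            PluggedIn    = ($e | Where-Object Event -eq 'ONLINE' | Select-Object -First 1).Time
            Unlocked     = ($e | Where-Object { $_.Event -eq 'ONLINE' -and $_.BitLocker -eq 'Unlocked' } | Select-Object -First 1).Time
            Removed      = ($e | Where-Object Event -eq 'OFFLINE' | Select-Object -Last 1).Time
            FilesWritten = $writes.Count
            SensitiveSrc = @($flagged | ForEach-Object Source)
        }
    }
}

# Device 0C3A9F11: plugged in 08:01:10, unlocked 08:01:42, 2 files written, 1 from \\fs01\finance.
# Device 77B2D0E4: plugged in but never unlocked, no writes, removed at 09:20:00.
Get-DeviceSessions -Events $SampleEvents -Sensitive $SensitiveRoots | Format-List
```

The second device in the sample is the case the post singles out: it produced only a locked ONLINE event and an OFFLINE event, so nothing was written, but an auditor still sees that someone connected it. The Unlocked field stays empty for such devices, which makes a “plugged in but never authenticated” report a one-line filter.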

In conclusion, Microsoft BitLocker is a very good software encryption technology.

For more information on secRMM, please visit http://www.squadratechnologies.com.

For more details on “BitLocker to Go”, you might also want to read this blog.
For more details on “Microsoft BitLocker Administration and Monitoring”, you might also want to read this blog.


Windows Powershell/VBScript to un-mount a smart phone or tablet

Thanks for reading the squadra technologies blog!

The one line of PowerShell script below un-mounts a USB-cable-attached Windows Portable Device (WPD) from the Windows operating system (XP through Windows 8 / Server 2012):

Invoke-WmiMethod -Path Win32ext_WPD -Name EjectDevice -ArgumentList (Get-WmiObject -Class Win32ext_WPD -Namespace root/cimv2 -ComputerName . -Filter "strFriendlyName = 'SAMSUNG-SGH-I747'").strId

*** change 'SAMSUNG-SGH-I747' to the phone/tablet name you see in Windows Explorer

To have this functionality, just download and install the Squadra Technologies Security Removable Media Manager (secRMM). The WMI WPD provider that comes with the secRMM install does not need a license, so you can have this functionality free of charge!

Better yet, the device will still take a battery charge from the PC it is attached to, so your end-user can still charge their device yet cannot copy data to it.

Of course, the secRMM product does the above line with a simple checkbox and has many more powerful security features such as locking a device to a particular userId.  For a complete list of the secRMM features, you can read the introduction chapter in the secRMM Administrator Guide (online PDF).

And just in case you have not yet started playing with Powershell, here is the equivalent VBScript:

' Connect to the local WMI service (root\cimv2 is where the secRMM WPD provider registers Win32ext_WPD)
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
' Find the device by the friendly name shown in Windows Explorer (change 'SAMSUNG-SGH-I747' to your device)
Set colItems = objWMIService.ExecQuery("Select * from Win32ext_WPD Where strFriendlyName = 'SAMSUNG-SGH-I747'")
For Each objItem in colItems
    ' Build the input parameters for the static EjectDevice method and pass the device id
    Set objWMIWPDStatic = objWMIService.Get("Win32ext_WPD")
    Set objInParam = objWMIWPDStatic.Methods_("EjectDevice").inParameters.SpawnInstance_()
    objInParam.Properties_.Item("strObjectDeviceId") = objItem.strId
    Set objOutParams = objWMIService.ExecMethod("Win32ext_WPD", "EjectDevice", objInParam)
    Exit For   ' only the first matching device is ejected
Next

I hope this is helpful to someone out there.  Happy scripting!
If you have any question about the script, please feel free to contact me and we can talk over a best approach.


An introduction to how smartphones and removable media work on Windows computers

Have you ever attached your smartphone to your Windows computer and then looked at the phone in Windows Explorer? The phone gets listed in Explorer and you can even copy files to it (Apple being the exception). What makes the phone different from a regular storage device is that it does not get assigned a drive letter. Some of the older (1-2 years ago…smile) phones get assigned a drive letter, but the newer phones being sold today do not.

The cool thing about Explorer is that, in general, the end-user’s experience of working with a drive-letter device or a storage device such as the phone is pretty much identical. You can drag (copy) files to these devices, open files, create folders, etc.

So what is happening under the covers that lets Explorer handle non-drive-letter devices like drive-letter devices? The answer is a Microsoft technology called Windows Portable Devices (WPD). WPD is implemented as a device driver and is exposed to the non-kernel (i.e. user-mode) layer as COM objects. Microsoft makes WPD available to the hardware manufacturers who make smartphones or any other type of plug-and-play hardware. The hardware manufacturers lean towards using WPD because then they do not have to develop their own software to integrate their hardware into Windows. Having worked with the WPD COM API, I will tell you that Microsoft has done a great job implementing this technology. The only thing I could say that would make it even better is if it were exposed in WMI, so IT Admins could have easy scripting access to the WPD information. So that is what we did. The PowerShell line below will show you the WPD devices attached to a Windows computer:

Get-WmiObject Win32ext_WPD

At Squadra Technologies, we have a security product called secRMM that focuses on securing any type of plug-and-play storage device. That includes the new smartphone devices. Our goal was to make the WPD devices and the file system devices (i.e. those that get assigned a drive letter) look the same within secRMM. Since secRMM needed to access the WPD information, we decided that we might as well write a WMI provider for the WPD information, so that even if you do not use secRMM, you can still get at the WPD data. The WPD WMI provider gets installed with the secRMM product. Again, you do not need to buy secRMM to get the functionality of the WPD WMI provider.

If you do not write in Powershell, here is another example in VBScript:

' Connect to the local WMI service and list every WPD device the secRMM provider exposes
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32ext_WPD")
For Each objItem in colItems
    Wscript.Echo "WPD device: " & _
        "Friendly Name: " & objItem.strFriendlyName & _
        ", Manufacturer: " & objItem.strManufacturer & _
        ", Description: " & objItem.strDescription & _
        ", Serial Number: " & objItem.strSerialNumber
Next
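The enumeration above and the EjectDevice one-liner from the previous post use the same Win32ext_WPD class, so one added example can serve both. What follows is my own code, not the posts’ or Squadra Technologies’: it lists the attached WPD devices and, for any device whose serial number is not on an allow list, calls the same EjectDevice method the post shows, driven by the device’s strId rather than its friendly name. It assumes the secRMM WPD WMI provider is installed (it is what supplies Win32ext_WPD); the serial numbers in the allow list are constructed samples. By default it only reports what it would do; pass -Enforce to actually eject.

```powershell
# Added example, not code from the posts or from Squadra Technologies. Uses the two calls the
# posts show (Get-WmiObject Win32ext_WPD and the EjectDevice method) and assumes the secRMM WPD
# WMI provider is installed, since that is what registers the Win32ext_WPD class.

$AllowedSerials = @('R32D102ABCD', '0123456789')   # constructed sample serial numbers

function Get-WpdDevice {
    # Return the WPD devices the provider currently sees, with the properties the VBScript prints.
    Get-WmiObject -Class Win32ext_WPD -Namespace root/cimv2 |
        Select-Object strFriendlyName, strManufacturer, strDescription, strSerialNumber, strId
}

function Disconnect-UnlistedWpdDevice {
    param(
        [string[]]$Allowed,   # serial numbers permitted to stay mounted
        [switch]$Enforce      # without this switch the function only reports
    )
    foreach ($dev in Get-WpdDevice) {
        $label = "$($dev.strFriendlyName) [$($dev.strSerialNumber)]"
        if ($Allowed -contains $dev.strSerialNumber) {
            "Allowed:     $label"
            continue
        }
        if ($Enforce) {
            # Same method as the post's one-liner; strId is the value EjectDevice expects.
            Invoke-WmiMethod -Path Win32ext_WPD -Name EjectDevice -ArgumentList $dev.strId | Out-Null
            "Ejected:     $label"
        } else {
            "Would eject: $label"
        }
    }
}

# Dry run: list every device and say which ones would be ejected. Add -Enforce to unmount them.
Disconnect-UnlistedWpdDevice -Allowed $AllowedSerials
```

Keying the decision on strSerialNumber rather than strFriendlyName matters because the friendly name is whatever the phone reports about itself, while the serial number is the value secRMM records in its ONLINE and WRITE events, so the allow list and the audit trail refer to the same identifier.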

We will continue to work hard to stay on the leading edge of all the device technology coming into the market and share what we discover.  We hope this introduction was informative.  If you have any questions, please contact me at anthony@squadratechnologies.com.


USB security issues in the government

There are two major issues with removable media in today’s world. First, information is being stored on removable media devices with little or no security measures implemented, and by security measures I mean both physical and software-based ones, as was recently demonstrated by a massive security breach in Ontario, Canada. The second problem is just as bad. It appears that most folks who come across a thumb drive sitting in a public location will pick it up and, what’s worse, will actually plug it into their trusted computer systems to check it out. This is a hacker’s dream come true and the easiest way to infiltrate corporations and government institutions to install malicious code. Whether it’s protecting against data loss or protecting against intrusion, appropriate solutions must be put in place to protect organizations.

If you read the two articles about the U.S. government and the Canadian government, you can see that removable media (smart phones, USB flash/thumb drives, external disks, etc.) are still a serious security concern. Without a piece of software that acts like a firewall between removable media and the operating system, the security breaches involving removable media will continue. We here at Squadra Technologies have addressed this very issue. Our flagship product, “security Removable Media Manager” (secRMM), is a software firewall between the Windows OS and the removable media devices. Every file that gets written to the removable media device is logged. In addition, secRMM tells you the user, the program and, most importantly, the complete path of the file(s) written to the removable media device. We make a strong point of mentioning the complete path of the file because, to us here at Squadra Technologies, it is logical that this is the most crucial piece of information you must collect in order to solve the security issues around data leaving the organization’s network/domain. Believe it or not, however, most removable media security solutions on the market today are not collecting this crucial data, including those of the biggest security companies. Organizations must implement a solution like secRMM to properly audit write activity to removable media; otherwise, security breaches like those mentioned in the articles will continue to occur.


Rounding out System Center EndPoint Protection 2012

Microsoft introduced System Center EndPoint Protection 2012 (SCEP) (formerly known as ForeFront EndPoint Protection or FEP :-) ) at the Microsoft Management Summit (MMS) 2012 conference. What is really great about bringing SCEP into System Center is that now customers will get to protect their workstations and servers from malware by owning a System Center Enterprise license.  This is going to let organizations run a pure Microsoft solution set without having to go to an outside vendor to get their malware protection.

I think SCEP is missing one key component that the other security vendors provide with their framework solutions.  That missing component is broadly called Data Leak (or Loss) Prevention (DLP).  Some tell me that Microsoft “BitLocker To Go” addresses that.  This is not entirely true.  DLP and encryption technology must both be present to address removable media (i.e. smart phones, usb/flash drives, external storage, bluetooth storage, SD-Cards, etc.).  So while “BitLocker To Go” is necessary, it does not address DLP.

In the security space, we must take removable media seriously, especially if you need to show compliance with regulations such as HIPAA and/or PCI. Removable media devices allow ordinary end-users (those people who really don’t know much about IT) to be as powerful and destructive (from a company perspective) as the greatest hacker in the world! Why? Anyone can attach a removable media device to their workstation or server and copy local or network files to the device (given they have at least read access). The fact that they copied data to the device is not logged anywhere! I know a lot of organizations simply lock down the USB ports. However, this is counter-productive for the employees who are just trying to get their jobs done (especially the IT guys).

What would be ideal is if we could allow removable media to be used in the corporation and be guaranteed that whatever files were copied to a removable media device were tracked/audited, something similar to the Windows security events logged when a user logs in and logs out. Squadra Technologies Security Removable Media Manager (secRMM) does just that…and much more!

If you are the person responsible for security audits, you will want to know that when a file is written to a removable media device, secRMM records the user (and SID), the file (source and destination), the source file size, the source file last-written time, the removable media device serial number, model, description, logical drive, volume name, the program used to perform the copy and the program PID. If the program is CMD, Explorer, VBScript, JScript, PowerShell or (especially) the “Windows Explorer like” secRMM GUI named SafeCopy, you get additional details of what exactly the user did to invoke the copy. Other secRMM events (btw, secRMM logs events to both the security event log and its own “secRMM” event log) are online and offline removable media events, administration change events and authorization failure events (because secRMM also lets you control how removable media gets used).

secRMM’s architecture relies solely on the base Windows operating system. It comes with a Microsoft Operations Manager (OpsMgr) Management Pack (MP) and has reports for both the OpsMgr Data Warehouse and the OpsMgr Audit Collection Services (ACS) databases. The auditing capabilities of secRMM surpass all of the big-name solutions in the DLP space. One other important feature that secRMM provides is the concept, now also available in Configuration Manager, of policy that “follows the user”. secRMM is compatible with hardware and software encryption solutions (including Microsoft “BitLocker To Go”) and works with any removable media device. There are many more benefits to secRMM and I urge you to take 15 minutes to explore this great solution.

Combining Microsoft System Center EndPoint Protection 2012 with Squadra Technologies Security Removable Media Manager is a winning combination!
