USB security: MECM/ConfigMgr/SCCM/SMS more detailed auditing!!!

04/20/2022 – Product/company overview: secRMM is a Windows security solution that audits and controls access to removable storage devices (i.e. USB drives and mobile devices).  secRMM is very easy to implement in that it can operate on a standalone Windows computer (even XP!) or can be centrally managed for thousands of computers (using MECM/SCCM/ConfigMgr, Intune, Active Directory GPOs or WinRM).  It can be configured to have security policies for computers and/or groups of users.

secRMM is developed by Squadra Technologies.  Squadra Technologies is a Microsoft “Independent Software Developer” (ISV) and a member of the “Microsoft Intelligent Security Association” (MISA).

Article details: This is one of those blogs where I am feeling stupid because I know when all the ConfigMgr folks read this, they are going to be thinking “DUH, why didn’t you do this 4-5 years ago?”.  And yes, I agree with them, all I can say is better late than never! 😊 So what are we talking about then?

In the newest version of the ‘secRMM SCCM Console Extension’ (version 9.11.12.0), it now generates a security event (in SCCM speak, a status message) whenever a ‘Removable Media Policy’ gets created, modified or deleted.  The security event contains the userid, computer (where they are running the SCCM console), policy name/revision# and the version of the ‘secRMM SCCM Console Extension’.  We also updated the ‘Removable Media Policy Administration’ report to show these security events.  Below are screenshots to map to the words above.

Download ‘console extension’ from ‘SCCM Community hub’

SCCM ‘Removable Media Activity’ ‘status message’

The new ‘Removable Media Security Administration’ report

Closing: We hope you find this new secRMM feature useful for your environment(s).  Please let us know what you think or if you have a specific requirement for your environment.  You can get more details about secRMM by visiting https://www.squadratechnologies.com.

USB security: Use Microsoft Teams for real-time notifications

04/04/2022 – Product/company overview: secRMM is a Windows security solution that audits and controls access to removable storage devices (i.e. USB drives and mobile devices).  secRMM is very easy to implement in that it can operate on a standalone Windows computer (even XP!) or can be centrally managed for thousands of computers (using SCCM/ConfigMgr, Intune, Active Directory GPOs or WinRM).  It can be configured to have security policies for computers and/or groups of users.

secRMM is developed by Squadra Technologies.  Squadra Technologies is a Microsoft “Independent Software Developer” (ISV) and a member of the “Microsoft Intelligent Security Association” (MISA).

Watch the video: https://youtu.be/ZMYIdW2V6rk

Article details: Microsoft Teams is used by people within the organization to quickly communicate with each other.  It is especially convenient because you can have Teams running on your desktop, laptop and/or your phone.

In some environments, knowing about a security incident in real-time can be helpful in protecting the organization.  For example, if an end-user plugs in a thumb drive in a secured area, the security group might want to know that as soon as possible.

secRMM generates removable storage events into the Windows security and secRMM event logs and can be configured to also send the events to email, syslog, SNMP, Azure Sentinel, SQL and Excel.  With secRMM version 9.11.11.0+, you can now configure secRMM to send the removable storage events to Microsoft Teams.   The secRMM policy property is named ‘SendToTeams’.  This is possible because Microsoft Teams supports webhooks.  A webhook allows a computer program (i.e. secRMM) to participate in Teams just as a human would.

In the screenshot below, you can see an example of secRMM webhook-ed into Teams.  This example is showing that user ‘Tony’ on computer ‘W9’ has plugged in a thumb drive (i.e. an ONLINE event).

Here is the same event from the Teams Android app:

Setting up secRMM to send the removable storage events to Teams requires the URL of the Teams webhook for your environment.  To setup a webhook in Teams, you use the “Connectors” from the Teams Channel where you want the removable storage events to go to.  In the screenshot below, we created a channel called ‘Security’.  In the Security Channel, we then select ‘Connectors’.

Then we created an ‘Incoming Webhook’ in the Security Channel.  Just copy the ‘Webhook URL’ at the bottom of the screen (see screenshot below).

Now, in secRMM, paste the Webhook URL and select which ‘secRMM event types’ you want to go to Teams as shown in the screenshot below.

Closing: We hope you find this secRMM feature useful for your environment(s).  Please let us know what you think or if you have a specific requirement for your environment.  You can get more details about secRMM by visiting https://www.squadratechnologies.com

USB security:“Decentralized identity” for removable storage authorization!

01/31/2022 – Product overview: secRMM is a Windows security solution that audits and controls access to removable storage devices (i.e. USB drives and mobile devices).  secRMM is very easy to implement in that it can operate on a standalone Windows computer (even XP!) or can be centrally managed for thousands of computers.  It can be configured to have security policies for computers and/or groups of users.

Article details: Security uses authentication (prove who you are) and authorization (what can you access…permissions).  secRMM has policy properties that combine the two.  In this blog, we will show you this with a new secRMM property called “RequireAzureVC”. 

The VC stands for “Verifiable Credentials”.  You can read about “Azure Verifiable Credentials” at Introduction to Azure Active Directory Verifiable Credentials (preview) | Microsoft Docs.  This is a new Microsoft Azure technology that is based on an industry standard called Decentralized identify.  You can read about Decentralized identity at https://decentralized-id.com/introduction/.

The way it works is that when one of your end-users plugs in a thumb drive (or any type of removable storage), they get prompted to scan a QrCode using a phone app called “Microsoft Authenticator”.  For this to work, you (the sysadmin/”security admin”) must first issue your end-users a digital credential.  When you issue the end-users a digital credential, it gets stored into the end-users digital wallet (which is the “Microsoft Authenticator” app on the end-users phone).

Here are the steps with screenshots:

1. The sysadmin/”security admin” sets up the “Verifiable Credentials” service in your company’s Azure tenant.

Azure Verifiable Credentials

• The sysadmin/”security admin” issues a digital certificate to the end-users that are allowed to access removable storage (i.e. thumb drives).

• Now, the digital certificate is in the end-users digital wallet (i.e. the Microsoft Authenticator app)

End-Users digital wallet (Microsoft Authenticator)

• The sysadmin turns on the secRMM property named “RequireAzureVC”. 
  The “RequireAzureVC” property gets distributed to all the end-users computers.

• When the end-user plugs in a removable storage device, they are prompted to scan a QrCode (i.e. a Credential) using the “Microsoft Authenticator” app on their phone.

Prompt end-user to proceed with authentication

Prompt for end-user to scan QrCode

• The “Microsoft Authenticator” app verifies the QrCode with the “Verifiable Credentials” service in your Azure tenant.

End-user scans and accepts certificate from their phone

• If it is successfully verified, the removable storage device becomes available to the end-user. 

End-user sees Windows Explorer for the USB device as usual

• If it is not successfully verified, the removable storage device will not be available, and an error message will pop-up to the end-user. 

secRMM block the USB device from mounting and tells the end-user

• All the events that occur are logged to the security and secRMM event logs so security personnel can track removable storage activity.

secRMM event log – ONLINE event

secRMM event log – USER AUTHORIZATION failure

We are very grateful to Microsoft for working with us to implement this new secRMM feature. Not only did they provide a very useful and complete code sample project, they assigned us a technology specialist (thanks Premal Gandhi!) who was always available to us to clarify how the Azure Verifiable Credentials worked in Azure. During our development, we were able to give Microsoft feedback and ask for documentation, product requirements/features to not only help us but to help improve the overall developer experience for Azure Verifiable Credentials application developers.

Closing: We hope you find this new secRMM feature useful for your environment(s).  Please let us know what you think or if you have a specific requirement for your environment.  You can get more details about secRMM by visiting https://www.squadratechnologies.com.

USB security: Microsoft Defender for Cloud integration!!!

05/30/2022 – Product/company overview: secRMM is a Windows security solution that audits and controls access to removable storage devices (i.e. USB drives and mobile devices).  secRMM is very easy to implement in that it can operate on a standalone Windows computer (even XP!) or can be centrally managed for thousands of computers (using MECM/SCCM/ConfigMgr, Intune, Active Directory GPOs or WinRM).  It can be configured to have security policies for computers and/or groups of users.secRMM is developed by Squadra Technologies.  Squadra Technologies is a Microsoft “Independent Software Developer” (ISV) and a member of the “Microsoft Intelligent Security Association” (MISA).

Watch the video: https://youtu.be/ZjuurqFjuy0

secRMM background: secRMM has always been a reliable program to generate very detailed ‘removable storage security events’ into many of the Microsoft technologies such as:

1. Windows security event log and secRMM event log
2. WMI/WinRM events (real-time)
3. Microsoft Endpoint Manager (MEM) (i.e., ConfigMgr, SCCM, SMS)
4. Microsoft Operations Manager (SCOM)
5. Excel
6. standalone SQL database
7. syslog
8. SNMP
9. Email
10. Azure Log Analytics (for Azure Sentinel)
11. Microsoft Teams

You might be asking why secRMM supports so many different output formats.  It is because, over the years, these are the various outputs that customers have requested and because the industry continues to move into new technologies.  This also includes the progress of the Windows operating system where secRMM continues to run on Windows XP and up to Windows 11 (plus the corresponding server versions).

Since there are so many different security monitoring tools in the industry, secRMM needs to be very flexible when it comes to generating the ‘removable storage security events’ so that it can be easily integrated into the various security monitoring scenarios organizations are using.

Article details: If your organization is using ‘Microsoft Azure Defender for Cloud‘ to monitor your security status, you can load the ‘secRMM Defender for Cloud workbook’.  You can get this workbook and the setup guide at:
https://www.squadratechnologies.com/Products/secRMM/SystemCenter/secRMMAzureDefenderForCloud.aspx.

Since Microsoft recommends using ‘Defender for Cloud’ to analyze the security health and status of the computers running in your environment, it only makes sense to include the end-users use of removable storage devices since they are one of the most common resources used in ‘data loss prevention’ (DLP) and/or ‘insider threat protection’ (ITP) security incidents.

From the architecture diagram below, you can see at a high level how secRMM sends its security event data to ‘Microsoft Defender for Cloud’.  The technology link between secRMM and ‘Microsoft Defender for Cloud’ happens with an ‘Azure Log Analytics Workspace’.  If you are not familiar with ‘Azure Log Analytics Workspaces’, just think of it as a database table in the Azure cloud. 

Once secRMM sends it’s security events into the ‘Azure Log Analytics Workspace’, then the ‘secRMM Defender for Cloud workbook’ (running within ‘Microsoft Defender for Cloud’) runs queries (using a Microsoft language called ‘Keyword Query Language’ (KQL)) to get the data from the ‘Azure Log Analytics Workspace’ and into the workbooks User Interface (UI) dashboard (i.e., charts and tables of the data).  Below are screenshots of the workbooks UI dashboard.

Closing: We hope you find this secRMM feature useful for your environment(s).  Please let us know what you think or if you have a specific requirement for your environment.  You can get more details about secRMM by visiting https://www.squadratechnologies.com.

USB security: Excel Pivot Table cybersecurity auditing!!!

04/27/2022 – Product/company overview: secRMM is a Windows security solution that audits and controls access to removable storage devices (i.e. USB drives and mobile devices).  secRMM is very easy to implement in that it can operate on a standalone Windows computer (even XP!) or can be centrally managed for thousands of computers (using MECM/SCCM/ConfigMgr, Intune, Active Directory GPOs or WinRM).  It can be configured to have security policies for computers and/or groups of users.

secRMM is developed by Squadra Technologies.  Squadra Technologies is a Microsoft “Independent Software Developer” (ISV) and a member of the “Microsoft Intelligent Security Association” (MISA).

Watch the video: https://youtu.be/uxdVerkXCsM

Article details: secRMM generates security events related to USB removable storage activity.  So how does a security/system administrator go about analyzing the security events that secRMM generates?  secRMM comes with several pre-written reports and also comes with an Excel Add-In.  In this blog, we will use the secRMM Excel Add-In to create an Excel Pivot Table to easily see what end-users are doing with removable storage.

The documentation for installing the secRMM Excel Add-In is found at:
https://www.squadratechnologies.com/StaticContent/ProductDownload/secRMM/Excel/2010/Application%20Files/secRMMExcelWorkbook_9_11_12_0/secRMMExcelAddInAdministratorGuide.pdf

Once it is installed, you point Excel to the secRMM data by using the ‘Data source’ section on the secRMM Ribbon tab within Excel.  This is shown in the screenshot below.

Once you have selected the secRMM data’s ‘Data source’, you can now click the ‘Get existing data’ button on the same secRMM Ribbon tab and the fetching of data will begin.  Below is an example of the secRMM security events in Excel.  Before moving to the next step below, with your mouse, click the Excel cell 1A. This will be the upper left most cell where the secRMM data resides and it is also the red title bar that the secRMM Excel Add-In used to show you the data source (i.e. where you pulled the secRMM security events from).

Once the secRMM security events are populated into Excel, you can now use the Excel Pivot Table to analyze the security data.  To create the Excel Pivot Table, click the Insert tab in Excel, click the ‘Pivot Table’ button, then select the ‘From Table/Range’ as shown in the screenshot below.

Use the default values that Excel gives you to create the Pivot Table as shown in the screenshot below. Note that the ‘Table/Range’ value will be different in your environment since this value depends on how many rows were returned.

An empty Excel Pivot Table will be created on a new Excel Worksheet as shown in the screenshot below.

On the right side of the Pivot Table Worksheet, there is a list of the secRMM properties.  You can select the secRMM properties that you are interested in analyzing.  A very common scenario will be to select the secRMM properties in the following order:

1. User
2. Model
3. Serial Number

The Excel Pivot Table easily shows you which end-user(s) have used a particular removable storage device(s).

Closing: We hope you find this secRMM feature useful for your environment(s).  Please let us know what you think or if you have a specific requirement for your environment.  You can get more details about secRMM by visiting https://www.squadratechnologies.com.

USB security: Microsoft Zero Trust

03/24/2022 – Product/company overview: secRMM is a Windows security solution that audits and controls access to removable storage devices (i.e. USB drives and mobile devices).  secRMM is very easy to implement in that it can operate on a standalone Windows computer (even XP!) or can be centrally managed for thousands of computers (using SCCM/ConfigMgr, Intune, Active Directory GPOs or WinRM).  It can be configured to have security policies for computers and/or groups of users. 

secRMM is developed by Squadra Technologies.  Squadra Technologies is a Microsoft “Independent Software Developer” (ISV) and a member of the “Microsoft Intelligent Security Association” (MISA).

Article details: “Microsoft Endpoint Manager” (MEM) is very focused on achieving “zero trust” on the endpoint (where your end-users are working).  Here is the Microsoft URL on “zero trust”.  This of course is a really good thing.  MEM is an umbrella term which (at the product level) means using “Microsoft ConfigMgr” (SCCM/ConfigMgr) and/or “Microsoft Intune”.  ConfigMgr is mostly an on-premises product and Intune is mostly a cloud product. 

One of MEMs Zero Trust recommendations is to use “multi-factor authentication” (MFA) when accessing a resource.  In this short blog, we want to describe how to achieve this when an end-user wants to use a “removable storage” device (i.e., commonly called a USB thumb drive). 

At Squadra Technologies, we like to use the term “authorization via authentication”.  We use this term because the moment the thumb drive is mounted to the Windows operating system, we no longer “trust” who is currently signed into Windows. 

So, before we “authorize” the thumb drive to the end-user, they must use an “authentication” method.  In secRMM, this means using biometrics (i.e., fingerprint scan) and/or smart card (the user must specify their associated PIN/secret) and/or using the “Microsoft Authenticator mobile app” to scan a dynamic “Qr Code” (where the backend is performed using Azure Verifiable Credentials).

When a mobile device (phone, tablet) is mounted via USB cable, we also offer a mode where secRMM will check in Microsoft Intune if the mobile device being mounted is in one of two states: enrolled or compliant (within Intune).  There is also a secRMM mobile app where the user must login using this app with 5 minutes and they must specify the same UserID/Password that is currently logged into the Windows operating system.

These secRMM features can be configured by both MEM products (again ConfigMgr and Intune), AD GPO and/or using WinRM.  These secRMM features can be applied to computer groups and/or user groups.

The progress and state when the end-user is interacting with secRMM’s “authorization via authentication” features are logged into the Windows event log and these Windows event log events can be forwarded to one of many external collectors that secRMM supports.  These are ConfigMgr (via status messages), syslog, SNMP, email, Azure log (Azure Sentinel), Windows event forwarding (to standalone SQL).  secRMM has very detailed reports which can be used with the event data.

Closing: We hope you find this secRMM Zero Trust explanation useful for your environment(s).  Please let us know what you think or if you have a specific requirement for your environment.  You can get more details about secRMM by visiting https://www.squadratechnologies.com.

USB security: Should you eject (and now also disable) during mount?

03/15/2022 – Product overview: secRMM is a Windows security solution that audits and controls access to removable storage devices (i.e. USB drives and mobile devices).  secRMM is very easy to implement in that it can operate on a standalone Windows computer (even XP!) or can be centrally managed for thousands of computers (using SCCM, Intune, Active Directory GPOs or WinRM).  It can be configured to have security policies for computers and/or groups of users.

Article details: When your end-users are using removable storage to perform their work, you might configure secRMM to eject any removable storage device that is not whitelisted by the secRMM policy you have defined in your environment.  When secRMM ejects a device, it is done when the Windows operating system first identifies the device via the plug-and-play service.  When the eject occurs, secRMM displays a message to the user and writes a security event to the event log.

In the latest release of secRMM (version 9.11.10.0), you can also tell secRMM to disable the device during the eject process.  This new feature is likely only for heightened/classified environments where perhaps the ability to copy classified information to a removable storage device could threaten national security.

secRMM disabled the CD/DVD device

If you do decide to disable the removable storage device, you can also tell secRMM to disable it either indefinitely or for a period of time.  If you indefinately disable the device, an administrator would need to manually re-enable it. If you specify a period of time, secRMM will automatically re-enable the device after the period of time passes. For both events (i.e. disabling and re-enabling), secRMM will write a warning event into the event log so you can track what is happening.

Lastly, secRMM can be configured to allow the removable storage device to always mount to Windows but to fail “writing files” to the device.  This gives the end-user the ability to read from (but not write to) the device.

Closing: We hope you find this new secRMM feature useful for your environment(s).  Please let us know what you think or if you have a specific requirement for your environment.  You can get more details about secRMM by visiting https://www.squadratechnologies.com.

USB security: New Encryption Report

02/25/2022 – Product overview: secRMM is a Windows security solution that audits and controls access to removable storage devices (i.e. USB drives and mobile devices).  secRMM is very easy to implement in that it can operate on a standalone Windows computer (even XP!) or can be centrally managed for thousands of computers (using SCCM, Intune, Active Directory GPOs or WinRM).  It can be configured to have security policies for computers and/or groups of users.

Article details: When your end-users are using removable storage to perform their work, it is nice to get a report which shows the encryption status of the removable storage devices the end-users are using.  secRMM supports both software and hardware encryption devices.  Below is the new secRMM Encryption report.  secRMM comes with many other reports which give you a clear picture of your security environment as it relates to removable storage devices.

click image to view in another tab

Closing: We hope you find this new secRMM report useful for your environment(s).  Please let us know what you think or if you have a specific requirement for your environment.  You can get more details about secRMM by visiting https://www.squadratechnologies.com.

USB security: Finger print authentication for removable storage authorization!

11/07/2021 – Product overview: secRMM is a Windows security solution that audits and controls access to removable storage devices (i.e. USB drives and mobile devices).  secRMM is very easy to implement in that it can operate on a standalone Windows computer (even XP!) or can be centrally managed for thousands of computers.  It can be configured to have security policies for computers and/or groups of users.

Video: https://www.youtube.com/watch?v=4m4syW1_5f0

Article details: Security uses authentication (prove who you are) and authorization (what can you access…permissions).  secRMM has policy properties that combine the two.  In this blog, we will show you this with a new secRMM property called “RequireFingerPrint”.  This is a checkbox property (i.e. on or off). 

With this property, secRMM will give you access to a removable storage device after you provide a finger print scan (of the user who is logged into the Windows computer).  You use the Microsoft “Windows Hello” (i.e. Control Panel->User Accounts->Windows Hello Fingerprint) to associate a finger print to a userId.
Below are the screenshots that appear (in the order shown) when the user plugs in a removable storage device.

Finger print prompt 1

Finger print prompt 2

The first prompt asks the user to click Yes or No.  Which ever button they click, their answer is logged into the event log.

If they did click the Yes button, then secRMM activates the finger print scanner and waits for the results.  If the user cancels the finger print scan, this is also logged into the event log.

Below is a screenshot of the 2 events that get logged for a successful finger print scan.

Closing: We hope you find this new secRMM feature useful for your environment(s).  Please let us know what you think or if you have a specific requirement for your environment.  You can get more details about secRMM by visiting https://www.squadratechnologies.com.

USB security: From Dashboard/Charts to specifics/details with a single mouse click!

10/07/2021 –

Video: https://www.youtube.com/watch?v=j_YTEtE_Dl4

Product overview: secRMM is a Windows security solution that audits and controls access to removable storage devices (i.e. USB drives and mobile devices).  secRMM is very easy to implement in that it can operate on a standalone Windows computer (even XP!) or can be centrally managed for thousands of computers.  It can be configured to have security policies for computers and/or groups of users.

Article details: Since secRMM is a security tool, it comes with a real-time Dashboard (i.e. Charts).  These charts automatically refresh themselves at a configurable time.  So, if you want to monitor removable storage events in real-time, the Dashboard/charts are very useful.  But suppose one or more of the charts shows that there is an incident happening, the next thing you would like to know (as a security administrator) are the specific details of why the chart is showing activity.  The secRMM Charts feature now contains a “Details” button next to each Chart that will show you the events that represent the Chart data.  The “Details” button ties together the real-time Dashboard/Charts with the secRMM Excel AddIn.  Once you click the “details” button for a Chart, it will continue to update the secRMM Excel Addin until you close it.  The secRMM Excel AddIn can also be used independent of hooking up with the real-time Dashboard. 

This feature (i.e. Charts and Excel AddIn) is available as a standalone program or directly within the SCCM Console.  The 2 screenshots below are showing the SCCM Console integration.

Closing: We hope you find this new secRMM feature useful for your environment(s).  Please let us know what you think or if you have a specific requirement for your environment.  You can get more details about secRMM by visiting https://www.squadratechnologies.com.