secRMM extends SCCM PowerShell Library

October 24, 2016 – secRMM has increased its PowerShell support.  There is a new secRMM PowerShell cmdlet that gives you the same property granularity that is available from the secRMM Excel AddIn (as shown in the screen shot below).

This means you have the most detailed forensic removable storage security data (including mobile devices as well as thumb drives, external hard drives, SD-Cards, etc.) to process any way you can imagine.

The secRMM PowerShell cmdlet can operate standalone and can also be used with SCCM.  Since the secRMM SDK is included with the base secRMM install, just install secRMM and then go to the directory “C:\Program Files\secRMM\AdminUtils\SDK”.

Under the SDK directory is the PowerShell directory.  There is a sample PowerShell script named GetSecRMMEvents.ps1 that shows you how to use the secRMM cmdlet.  For SCCM, it couldn’t be any easier.  Here is the PowerShell line of code that gets all the secRMM data from SCCM:

$secRMMEvents = secRMMEventData -SCCM

As you can see, the secRMM cmdlet is named secRMMEventData. This name is logical because the cmdlet can get the secRMM data from multiple sources: SCCM, the secRMM event log and/or the secRMMCentral event log. Once the data comes back to the PowerShell script (or the PowerShell pipeline), you have a secRMM object that contains the various properties (data) with which you can perform more logic or store however you see fit.  The secRMM object has an Output method that will convert the text to HTML, CSV or XML.

For details, please see the secRMM SDK Programmers Guide at http://squadratechnologies.com/StaticContent/ProductDownload/secRMM/9.4.0.0/secRMMSDKProgrammerGuide.pdf.

There are also secRMM PowerShell scripts in the secRMM SDK to get/set a secRMM property and to read/write to a mobile device.

In the near future, we will be looking at ways to link together the secRMM data in SCCM with the Intune data.  We hope you found this information useful.  Thanks for reading!

Block Office Macros on removable storage devices (including mobile)

September 06, 2016 – secRMM has added another security rule which does not really fall into the Data Loss Prevention (DLP) category but more into the antimalware category.  The new rule is named “BlockOfficeMacrosOnDevice”.  As the name implies, secRMM will block opening any Microsoft Office document residing on a removable storage device that has a macro(s) embedded within it.

You can also view a YouTube video on this subject

Microsoft has been doing a great job of securing the Office suite, especially with Office 2016 (see MS Blog: New feature in Office 2016 can block macros and help prevent infection).  As you can see, they have a “Group Policy” that you can apply to your domain(s).  Microsoft has a Malware Protection Center where you can get more information about Office Macros at:
https://www.microsoft.com/en-us/security/portal/threat/macromalware.aspx.

What has still not been addressed (until now) is the handling of removable/plug-and-play storage devices.  We are talking about thumb drives, USB connected mobile devices, SD-Cards, external hard drives, CD/DVD, etc.  This is what the secRMM “BlockOfficeMacrosOnDevice” addresses.  You can apply this setting in multiple ways:

Active Directory Group Policy and/or
Microsoft System Center Configuration Manager (SCCM) and/or
On the individual computer by using the “Computer Management” MMC and/or
Script (PowerShell, VBScript, JScript, CMD, etc.) – Yes, secRMM is 100% scriptable

Another good thing about the secRMM “BlockOfficeMacrosOnDevice” feature is that it supports Office 2016, 2013, 2010, 2007 and 2003.  It probably supports even older versions but we could not find an older version than 2003 to install and test with!

If you are concerned about Macro-based malware, now you can have this additional help by using secRMM.

The screenshots below will show you what we discussed above.

In the first 2 screenshots, we are just turning on the rule (we used the “Computer Management” MMC).  It is just a checkbox, on or off.  You must be an Administrator on the computer to be able to access the secRMM rules.

The next 3 screen shots show you what the end-user will experience when they go to open an Office document with a macro(s) embedded within it.  The first 2 screen shots are from explorer.  The third screen shot is if they try to use a command window.  Note that this blocking functionality will also apply if they first open the Office program and then do a File->Open operation from within the Office program.

Now, as the IT and/or security Administrator, you will also be able to see in the event log that this condition has occurred (i.e. an end-user tried to open an Office document on a removable storage device and the Office document had a macro(s) embedded within it).

The screen shot below has a lot of information contained within it.  First, it tells you that a “BLOCK MACROS ON DEVICE ACTIVE” event occurred (in the secRMM event log, that is event id 514).  It tells you the user who tried to open the Office document (in the screen shot, this is CONTOSO\Angela).  Next, it tells you about the removable storage device.  Next, it tells you the program that tried to open the Office document.  In this case, it is Winword.exe.  The last line is kind of long but it is really the most detailed so we break it down below the screen shot.

Command Line: “C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE” /n “E:\Programs\OfficeMacros\2003\Word1Macro_2003.doc” /o “”,
Current Directory: E:\Programs\OfficeMacros\2003,
Office Macro(s): ThisDocument(Document:3), Module1(Code:14)

The text above logs what the “command line” looked like when Windows tried to open the Office document.  It also logs the “current directory”.  Lastly, it lists the macro information contained inside the Office document.  In the above event, we can see that inside this Word document, the “ThisDocument” VBA object has a macro of type “Document” and there are 3 lines of executable code.  There is also an object named Module1 which has a macro of type “Code” and there are 14 lines of code.

Below is a screen shot of the Word document used in our example with the Visual Basic Editor open so you can see why secRMM listed what it did.

If you get a secRMM event and the Additional Info line contains:
Description=Programmatic access to Visual Basic Project is not trusted.
this means that the Office program does not trust macros so secRMM could not parse the file for macros.  What?!!!  Right, it sounds crazy but secRMM is not doing anything out of the ordinary to obtain the information about the macros.  This message means there ARE macros but secRMM is not allowed to look at them.
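To turn the event text shown above into something you can filter, count or export, here is an added PowerShell example (ours, not code from the secRMM SDK or from Squadra Technologies). It parses the three fields of the event's last line (Command Line, Current Directory, Office Macro(s)) into an object and also flags the “Programmatic access to Visual Basic Project is not trusted” case, where macros are present but could not be enumerated. The sample event text is constructed from the event in the post; the log name “secRMM” in the commented live query is an assumption, not something the post states.

```powershell
# Added example, not part of the secRMM SDK: parse the "Additional Info" text of
# a secRMM event 514 (BLOCK MACROS ON DEVICE ACTIVE) into a structured object.
# Assumption (not on the page): the secRMM event log is named "secRMM" and the
# Additional Info text is carried in the event's Message property.

function ConvertFrom-SecRMMMacroInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Text
    )
    process {
        # The three fields appear in a fixed order, comma separated; each regex
        # stops at the label of the next field, so paths containing commas are safe.
        $cmdLine   = if ($Text -match 'Command Line:\s*(.+?),\s*Current Directory:') { $Matches[1].Trim() }
        $curDir    = if ($Text -match 'Current Directory:\s*(.+?),\s*Office Macro\(s\):') { $Matches[1].Trim() }
        $macroText = if ($Text -match 'Office Macro\(s\):\s*(.+)') { $Matches[1].Trim() }

        # Each macro entry is written Name(Type:Lines), e.g. Module1(Code:14):
        # the VBA object, the macro type and the number of executable lines.
        $macros = @()
        if ($macroText) {
            $pattern = '(?<Object>[^,\s(]+)\((?<Type>[^:)]+):(?<Lines>\d+)\)'
            foreach ($m in [regex]::Matches($macroText, $pattern)) {
                $macros += [pscustomobject]@{
                    Object = $m.Groups['Object'].Value
                    Type   = $m.Groups['Type'].Value
                    Lines  = [int]$m.Groups['Lines'].Value
                }
            }
        }
        $lineTotal = 0
        foreach ($entry in $macros) { $lineTotal += $entry.Lines }

        # Office refused programmatic access to the VBA project: macros exist
        # but secRMM could not list them, so the file still counts as macro-bearing.
        $unparsed = $Text -match 'Programmatic access to Visual Basic Project is not trusted'

        [pscustomobject]@{
            CommandLine      = $cmdLine
            CurrentDirectory = $curDir
            Macros           = $macros
            MacroLineTotal   = $lineTotal
            HasMacros        = ($macros.Count -gt 0) -or $unparsed
            MacrosUnparsed   = [bool]$unparsed
        }
    }
}

# Constructed sample: the event text from the post, with straight quotes.
$sampleInfo = @"
Command Line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "E:\Programs\OfficeMacros\2003\Word1Macro_2003.doc" /o "",
Current Directory: E:\Programs\OfficeMacros\2003,
Office Macro(s): ThisDocument(Document:3), Module1(Code:14)
"@

$parsed = ConvertFrom-SecRMMMacroInfo -Text $sampleInfo
$parsed | Select-Object CommandLine, CurrentDirectory, MacroLineTotal, MacrosUnparsed
$parsed.Macros | Format-Table Object, Type, Lines -AutoSize

# Second constructed sample: the "not trusted" case described in the post.
# HasMacros is still set even though no macro list was available.
$untrusted = 'Description=Programmatic access to Visual Basic Project is not trusted.'
(ConvertFrom-SecRMMMacroInfo -Text $untrusted) | Select-Object HasMacros, MacrosUnparsed

# Live use (assumed log name): parse every event 514 in the secRMM log.
# Get-WinEvent -FilterHashtable @{ LogName = 'secRMM'; Id = 514 } |
#     ForEach-Object { ConvertFrom-SecRMMMacroInfo -Text $_.Message }
```

The parser deliberately reports HasMacros as true for the “not trusted” case: from a defender's point of view an Office file whose VBA project cannot be inspected should be handled like one with known macros, not like a clean file.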

We hope you found this information useful.
You can try secRMM for 30 days (fully functional).
Please visit the Squadra Technologies web site to download secRMM.
Thanks for reading!

Apricorn secRMM freeware

07/25/2016

There is a YouTube video showing the workings of “Apricorn secRMM” at:
https://www.youtube.com/watch?v=duxoDxfsQoI

Apricorn is a removable storage hardware vendor that Squadra Technologies has had the privilege of partnering with over the last several years.  The two companies now have a jointly developed version of secRMM that is called “Apricorn secRMM” (internally named secRMM-lite so we may slip up and call it that too🙂 ).  “Apricorn secRMM” is free software offered by Apricorn and supported by Squadra Technologies.  “Apricorn secRMM” lets Apricorn customers configure their Windows workstations and servers to allow just Apricorn devices to be used by end-users.  This is a very powerful capability since it narrows down the removable storage devices allowed in your environment to only hardware encrypted, password protected devices!

“Apricorn secRMM” is a “limited functionality” version of the Squadra Technologies product secRMM.  “Apricorn secRMM” exposes the secRMM properties:

  1. AllowedInternalIds
  2. AllowedSerialNumbers
  3. SCCMConnection
  4. SNMP

The first two properties (AllowedInternalIds and AllowedSerialNumbers) constrain the Windows computer to only writing files to Apricorn devices that meet both properties.  Trying to write to any other type of removable storage device will fail.  The AllowedSerialNumbers can be left blank which will allow any Apricorn device.

The SCCMConnection property will allow integration into Microsoft System Center Configuration Manager (SCCM).  Note that “Apricorn secRMM” will also work with the secRMM Microsoft System Center Operations Manager (SCOM) Management Pack(s) as well.  For complete details on Microsoft System Center integration, please visit http://squadratechnologies.com/Products/secRMM/SystemCenter/secRMMSystemCenter.aspx.

The SNMP property will send “Apricorn secRMM” SNMP traps to an SNMP trap receiver computer.

“Apricorn secRMM” generates audit events for all removable storage ONLINE and OFFLINE events.  Please note however that it will not generate file WRITE events (whether successful or unsuccessful).  To get file WRITE events (and the other secRMM events), you will need the secRMM full version.

When you first install “Apricorn secRMM”, you will have 30 days to trial the software.  During the 30 day trial, you will have the ability to toggle the software between the “Apricorn secRMM” version and the full version of secRMM.  This will help you decide if you can do without the additional functionality that the full version of secRMM provides (i.e. advanced auditing, additional authorization properties, user configurations, etc.).

Apricorn secRMM User Interface

If/when you decide that you would like to use the software (either “Apricorn secRMM” or the full version of secRMM) in your environment, please contact Squadra Technologies (sales@squadratechnologies.com) to obtain a license (either for free or to start a purchase).  If you decide that you want to purchase the full version of secRMM, you will need to tell Squadra Technologies how many computers you have in your environment that will run secRMM.  The number of computers dictates the purchase price.  The more computers, the less “per computer” price.

Squadra Technologies is very excited to be working more closely with Apricorn and Apricorn customers!  Please feel free to contact us (sales@squadratechnologies.com) anytime if you have questions about using “Apricorn secRMM” or the full version of secRMM.

Use Microsoft Operations Management Suite (OMS) for DLP “plug-and-play” “Removable Storage” security assessments

Microsoft Operations Management Suite (OMS) is an online portal product that gives you the ability to monitor security events across your IT environment, from on-premises data centers to the cloud. OMS is Microsoft’s next generation monitoring tool that is built from the power of System Center Operations Manager (SCOM). In fact, OMS can be configured to sit on top of your existing SCOM deployments.

Microsoft started building OMS solutions by first providing a “security and audit” solution. OMS lets you add “solutions” based on your monitoring requirements.

An OMS solution is:
1. a collection of related event queries,
2. alert-able actions, and
3. user interface components
that make it very easy to extend your monitoring framework.

It is very easy to add a solution to your OMS portal because Microsoft packages up its OMS solutions and allows you to select them from the “OMS solutions gallery”. The OMS solutions gallery is like an online store where you pick the solutions you want. Examples of the solutions that Microsoft offers are Active Directory Monitoring and Exchange Monitoring. Where Microsoft has really focused, though, is the security monitoring space. The security solutions include such topics as Malware, System Update and Configuration assessments.

Like SCOM and most all of the System Center products, Microsoft allows OMS to be extensible. This allows Independent Software Vendors (ISVs) like Squadra Technologies and corporations with in-house applications to build OMS solutions as well. OMS is a perfect tool to expose plug-and-play removable storage device events. Here, we are talking about USB thumb drives, external USB connected hard drives, SD-Cards and especially USB attached mobile devices. Squadra Technologies “Security Removable Media Manager” (secRMM) is Windows security software that monitors/audits and controls the use of “plug-and-play” removable storage devices. secRMM is tightly integrated into Microsoft System Center via SCCM, SCOM, Orchestrator and now OMS.

The OMS secRMM solution is a perfect addition to the existing Microsoft OMS security solutions. Once the OMS solution gallery is open to ISVs, we will list the OMS secRMM solution in the OMS solution gallery.  For now, you can download it from here.

For more details about secRMM, please visit www.squadratechnologies.com.

Using Microsoft RMS and DLP

July 12, 2016 – secRMM is a utility for what the computer industry calls “Data Loss Prevention” (DLP). DLP software prevents people from taking data from the organizations they work for. Data can be taken by copying it to the Internet, by copying it over a network connection or by using “removable storage devices”. Removable storage devices can be thumb/flash drives, external hard drives, SD-Cards and mobile devices. secRMM addresses the removable storage devices.

Another security computer term somewhat related to DLP is called “Information Rights Management” (IRM). As the words imply, organizations want to protect who can access information belonging to the organization. Microsoft has a technology called “Rights Management Services” (RMS) that implements IRM. Microsoft has cleverly done this within the actual file containing the information (data) itself.

secRMM has a rule related to Microsoft’s RMS called “EnableRMS”. This rule integrates secRMM with RMS.  There are 3 features that can be enabled.  At a high-level, the 3 features cover: monitoring, authorizing and protection.

The first (monitoring) logs the RMS template that is used to protect the file that is being copied to the removable storage devices (remember that removable storage here also means mobile devices).  secRMM needs to have the “RMS Server Connection Credentials” to retrieve this information.

The second (authorizing) is a simple checkbox (either on or off). When this checkbox is on, only files that are RMS protected can be copied to removable storage devices.

The third (protection) will RMS protect a file that is being copied to the removable storage device if it is not already RMS protected.  You tell secRMM through the EnableRMS property which RMS template to use.  The available templates are listed and you select one of them.

By combining DLP and IRM, you have extra assurance that your organization's data is well protected.

Microsoft RMS is available as an on-premise service and also as an Azure (cloud) service.  To get more information on RMS, please see this Microsoft link to get started.

Thanks for reading!

USB devices, malware and System Center

March 19, 2016 – If you are already familiar with secRMM, you can skip the secRMM introduction and go directly to the new secRMM features, by clicking here.

An introduction to secRMM, “Data Loss Prevention” and “Endpoint Protection”

secRMM is a utility for what the computer industry calls “Data Loss Prevention” (DLP for short). DLP software protects against internal threats by preventing employees from taking data. Data loss can occur by copying files to the Internet, through a network connection or by utilizing “removable storage devices”. Removable storage devices include thumb/flash drives, external hard drives, SD-Cards and mobile devices. secRMM addresses the removable storage device security hole by controlling and monitoring files being copied to any external storage device.

secRMM provides the perfect tool to securely manage data assets while at the same time permitting productivity with the use of removable “plug-and-play” storage. secRMM’s simple authorization policy rules allow you to control the who, what, where, when and how of data copied to removable storage devices. In addition, secRMM’s detailed monitoring provides advanced forensic analysis to combat unlawful and/or unauthorized disclosure of sensitive information.

With respect to DLP software, it is very important to have effective policy rules (to set the controls) together with monitoring logs that record what users are doing (relative to DLP operations). secRMM performs both of these functions (prevention and recording) very well. secRMM calls the prevention part “authorization” and the recording part “auditing”. These are both common computer terms. DLP functions get associated with an even grander computer term called “Endpoint Protection” (EP for short). EP is security software that runs on the computer (either a workstation or a server). The job of EP is to protect the endpoint from bad things happening to the computer. EP software is typically a suite of programs/utilities that together protect the computer from the various threats that would jeopardize it from functioning properly and/or jeopardize the organization's data.

Microsoft offers a powerful EP solution and many organizations around the world are using Microsoft’s EP software. It can be managed and administered by another Microsoft product called Microsoft System Center (SC). SC is a collection of Microsoft programs that computer administrators use to keep their computer environment functioning. This can sometimes be challenging when there are thousands or tens of thousands of computers running. Microsoft SC makes it possible to manage such a large number of computers. secRMM completes Microsoft’s endpoint protection strategy (antimalware, firewall, software updates) by adding DLP.

Back to DLP, EP and secRMM. Microsoft’s EP solution is comprised of patching software, firewall software, antimalware software and “rights management software” (RMS for short). Other competing products to Microsoft’s EP suite of software usually also contain a DLP portion for the removable storage devices. Since secRMM is integrated into SC, combining Microsoft’s SC and EP software with secRMM is very cost effective since organizations already own Microsoft SC and EP software.

secRMM “BlockProgramsOnDevice” and “ScanDevice”

The above paragraphs describe the background about secRMM. This blog is really about 2 functions that secRMM provides that are not really functions of DLP but are important for the security of your organization. secRMM implements these two functions with 2 rules. The rules are named “BlockProgramsOnDevice” and “ScanDevice”.

“BlockProgramsOnDevice” will prevent the end-user from executing any code from the removable storage device. Code here means any exe, com, cmd, bat, vbs, js, ps1 or pl file. This feature is important because it prevents the execution of malware from the outside world (i.e. coming from the removable storage). Bringing malware into an organization from removable storage is one of the main criticisms of removable storage. Because this is such an issue, many organizations do not allow the use of removable storage. This is unfortunate because removable storage is convenient and easy to use, which makes workers more productive. The “BlockProgramsOnDevice” function of secRMM eliminates the risk of malware programs running from the device.

“ScanDevice” is another secRMM rule that helps defend against malware getting into an organization from removable storage. With the “ScanDevice” rule active, when a removable storage device is connected to the workstation or server computer, secRMM calls Microsoft’s antimalware program (part of Microsoft’s EP suite, or now free with the OS) to scan the removable storage device for malware. If a malware program is discovered on the removable storage device, it will be identified and even quarantined.
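To make the scan-on-connect idea concrete, here is an added PowerShell example (ours, not secRMM's implementation) that does the same thing by hand with the built-in Windows Defender cmdlets: it checks that the drive really is removable, runs a Defender custom scan scoped to that drive, and returns the detections recorded against it. It assumes the Defender PowerShell module (Start-MpScan, Get-MpThreatDetection) is available, which it is on supported Windows versions with Defender enabled; the drive letter is a parameter you supply.

```powershell
# Added example, not secRMM's code: scan a removable drive with the built-in
# Windows Defender cmdlets, the way the "ScanDevice" rule does on device connect.
# Assumes the Defender PowerShell module (Start-MpScan, Get-MpThreatDetection)
# is present, as it is on supported Windows versions with Defender enabled.

function Test-RemovableDrive {
    param([Parameter(Mandatory)][string]$DriveLetter)
    $letter = $DriveLetter.TrimEnd('\', ':')
    # Win32_LogicalDisk DriveType 2 means "removable disk" (thumb drives, SD cards).
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='${letter}:'"
    return ($null -ne $disk -and $disk.DriveType -eq 2)
}

function Invoke-RemovableDriveScan {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'E:'
    $root = $DriveLetter.TrimEnd('\', ':') + ':\'
    if (-not (Test-RemovableDrive -DriveLetter $DriveLetter)) {
        throw "$root is not a removable drive; refusing to scan."
    }
    $started = Get-Date
    # Custom scan scoped to the device root. Defender quarantines according to
    # its own policy; this function only reports what it found.
    Start-MpScan -ScanType CustomScan -ScanPath $root
    # Return detections recorded since the scan began that reference the device.
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $started -and ($_.Resources -like "*$root*") } |
        Select-Object ThreatID, InitialDetectionTime,
            @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } }
}

# Usage (replace E: with the removable drive to check):
# Invoke-RemovableDriveScan -DriveLetter 'E:'
```

The removable-drive check is there on purpose: a scan helper that accepts any path is easy to point at a fixed disk by mistake. To trigger it automatically on device arrival, the function can be called from a Win32_VolumeChangeEvent subscription (EventType 2 is device arrival) registered with Register-CimIndicationEvent; secRMM's own rule does this hooking for you.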

In closing, Microsoft provides a very elegant way of using USB drives and mobile devices. With the secRMM utility, you can keep tabs on what is going on and even apply security policy (rules) to the devices and users. This is easily accomplished with the System Center Configuration Manager (SCCM) secRMM Console Extension. If you do not have SCCM in your environment, secRMM can be centrally managed using Active Directory Group Policy Objects (AD GPO). Both SCCM and AD GPO have both computer and user policies.

Thanks for reading!

USB DLP in Azure, Hyper-V and RDP

February 15, 2016 – We are excited about secRMM version 8.0.0.0.  This blog covers the new feature included in the latest secRMM release.  If you would rather watch a video than read and look at screenshots, please watch this YouTube video.

With release 8.0.0.0, secRMM supports Microsoft Azure, Hyper-V and “RDP sessions to physical machines”.  The importance of this is that you can protect your data from leaving your domain on removable storage devices (USB thumb drives, mobile devices, external hard drives, SD-Cards, etc.) whether the user is at a physical computer, working in a virtual machine (VM) or remote session.  Since the removable storage devices are so fast and convenient, workers have been using them for decades to move files around, especially large files.  It is likely that your organization allows these devices today.  Unfortunately, without a “Data Loss Prevention” (DLP) utility like secRMM, you have no idea of the who, what, when, where or how your data, your users and these convenient devices are being used.  Now add to that, mobile devices!

With secRMM, at a minimum, you will get very detailed auditing of every write transaction, online/offline event and much more.  If you are not yet familiar with the base security aspects of what secRMM provides, please take the short time to review the secRMM video library.

Now, a brief introduction to Microsoft’s product “Remote Desktop”.  This technology allows you to access a Windows computer's screen, keyboard, mouse (and other resources as well, which is what this blog is getting to) remotely.

We use the term “RDP client” for the computer that is running the “Remote Desktop Connection” program (i.e. mstsc.exe).  RDP stands for Remote Desktop Protocol.  Microsoft added some very nice technology to the RDP client which allows you to virtualize your physical [storage] devices within the RDP session.  This is done by clicking the “Local Resources” tab, clicking the “More” button and then selecting the drives you want (plus the awesome ability to add drives that are not yet plugged into the USB port).

In other words, the device on your physical computer will show up in Windows Explorer on the RDP server.  Here, RDP server is in reference to the computer that you tell the RDP client to connect to.  In the screen shots above, we are connecting to a Windows computer named SURFACEPRO4 (yes, a real Surface Pro 4!).

Now let's see what secRMM will tell us about our RDP session.  Please look at the text in the next two screen shots below.  We see the secRMM events generated on the computer where the RDP session was initiated (remember, this is what we call the RDP client).  The first event is telling you about a removable storage device that was plugged into the computer.

The next screen shot is telling you that the removable storage device is also being accessed through an RDP client on the RDP server computer named SURFACEPRO4.

So far, as a security or IT administrator, we now know that two computers can write to this USB stick.  Good to know.  Here is what a write event from the physical computer looks like.

Notice how secRMM even tells you what the full source file is!

So, what does secRMM tell us on the RDP server side (i.e. the SURFACEPRO4 computer)?  Here is the corresponding device ONLINE event:

We highlighted some interesting data.  Notice that the drive letter is prefixed by the name of the computer where the USB drive is physically connected.  In fact, secRMM tells you exactly this (and more for Azure and Hyper-V) in the “Additional Info” row.  This is consistent with how Windows Explorer shows the device to the RDP server (please see screen shot below).

A write transaction on the RDP server looks like:

As you can see, secRMM lets you know that the device “being written to” is virtual.

So let's finish up this blog by showing you what the online events look like for Hyper-V and its cloud brother Azure.

In closing, Microsoft provides a very elegant way of sharing USB drives and mobile devices.  With the secRMM utility, you can keep tabs on what is going on and even apply security policy (rules) to the devices and users.  This is easily accomplished with the System Center Configuration Manager (SCCM) secRMM Console Extension.  If you do not have SCCM in your environment, secRMM can be centrally managed using Active Directory Group Policy Objects (AD GPO).  Both SCCM and AD GPO have both computer and user policies.  All the details about secRMM can be found at the secRMM documents library.  Thanks for reading our blog!

P.S., because I know I will get asked, for those of you using VMware ESXi or VMware Workstation, secRMM works natively within a VMware VM.