We are excited about secRMM version 220.127.116.11!
This blog covers the two new features included in the latest secRMM release.
If you don’t yet know much about secRMM, it is Windows security software focused on securing and auditing removable “plug-and-play” storage media: mobile devices, USB flash drives (including hardware-encrypted devices), external hard drives, SD cards, etc. secRMM is different from other DLP solutions in that it does not come with its own complete security framework; Microsoft already provides the framework and technologies secRMM needs to do its job. secRMM is integrated into Microsoft System Center Configuration Manager (SCCM), Operations Manager (SCOM) and Orchestrator. secRMM supports Microsoft BitLocker, and we will soon be releasing integration with Microsoft AD/Azure Rights Management Services (RMS).

If you have SCCM in your environment, you know that Microsoft has a category of software called “Endpoint Protection”, which includes antimalware and firewall software. When you add endpoint DLP via secRMM, you end up with the equivalent of what you would buy from a security framework vendor. Microsoft also markets the “Microsoft Enterprise Mobility Suite” (EMS), the combination of SCCM and Microsoft Intune. EMS falls under a category of software the industry calls Mobile Device Management (MDM), and within the MDM umbrella there are solutions called Mobile Content Management (MCM). secRMM is a perfect fit for EMS -> MDM -> MCM! 🙂

Given all that, if your environment is only running Microsoft Windows workstations (i.e. no backend Microsoft framework), secRMM can still be installed on a Windows computer and be 100% functional, because secRMM only requires two base Windows components: the “Computer Management” MMC console and the Windows event log.
Now, onto the two new secRMM features.
First, secRMM 18.104.22.168 contains a new rule named “BlockProgramsOnDevice”. As its name implies, this rule prevents programs (exe, com, cmd, bat, ps1, vbs, js, pl) from executing from a removable plug-and-play storage device (USB drives and mobile devices). Many antimalware products implement this kind of block; secRMM differentiates itself by additionally recording each blocked execution (which program, and which user was running it) in the event log, so the attempt is auditable rather than silently stopped.
Second, the secRMM mobile app titled “Windows Active Directory Login” is now published in the Microsoft Windows Store. The app is also available in the Apple iOS App Store, the BlackBerry Mobile App World and the Google Play Store. You can conveniently reach all of the app stores from the Squadra Technologies web site.
“Windows Active Directory Login” mobile app explained:
First, this is an optional feature of secRMM. As an IT administrator, you enable or disable the secRMM rule “RequireSmartPhoneLogin” (yes, it should really be named “RequireMobileDeviceLogin”; we will try to change this in the next release) using a simple checkbox. When “RequireSmartPhoneLogin” is checked and a mobile device is mounted to the Windows operating system, secRMM intercepts the mount and checks whether the end user has used the “Windows Active Directory Login” app within the last 5 minutes. If so, it takes the user ID and password typed into the app and performs an Active Directory (or local) logon with them. If those credentials are valid (i.e. the user ID and password combination works), secRMM next checks that they belong to a user account currently logged on to the Windows computer where the mobile device was mounted. Only if all of these tests succeed is the mobile device mounted to the Windows computer as a storage device. If any test fails, the mobile device is unmounted and a failure event is written to the secRMM event log.
The “Windows Active Directory Login” mobile app puts your mobile devices on par with the “classic” hardware-encrypted USB drives in one respect: the user is forced to authenticate before the device will mount (the comparison is about authenticating before the mount, not about encryption of the data on the device). The nice thing about the app is that it uses the same Windows domain or local user account, whereas hardware-encrypted devices require their own password. That may sound trivial, but it means the end user does not need to remember yet another password, and your Active Directory password policies are enforced on the credential the app uses.
See the screenshot above of a failed event due to improper credentials using the mobile app.
If you look at the last line of the event log screenshot, you will see that the user ID specified in the app was “contoso\angela”. However, at the time of the mobile device mount, the user contoso\administrator and the local user w82\wdkremoteuser were logged in to the Windows workstation (see the second-to-last line of the event text). Since neither of the accounts currently logged in to the workstation matches the credentials specified in the app (i.e. contoso\angela), the mobile device is not allowed to mount. Notice that the last line of the event text records that the mobile device had a “forced unmount”.
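To make the order of those checks concrete, here is an added example in Python that models the decision described above (this is not secRMM's code; the event layout, the device name, the sample accounts, the passwords and the fake directory are all constructed for illustration). It reproduces the failed mount from the screenshot (app user contoso\angela while contoso\administrator and w82\wdkremoteuser are logged on) alongside the happy path, a stale app login and a wrong password. On a real Windows host the credential check would be backed by something like PrincipalContext.ValidateCredentials (domain or machine context) and the logged-on users by Win32_LoggedOnUser; both are replaced here by injected functions so the example runs offline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable, Optional

# Window in which the mobile-app login must have happened (5 minutes per the page).
APP_LOGIN_WINDOW = timedelta(minutes=5)


@dataclass(frozen=True)
class AppLogin:
    """Credentials typed into the mobile app, plus when they were submitted."""
    user: str            # "DOMAIN\\user" or "COMPUTER\\user"
    password: str
    submitted_at: datetime


def normalize_account(account: str) -> str:
    # Windows account names are case-insensitive; compare on a canonical form.
    return account.strip().casefold()


def decide_mount(
    app_login: Optional[AppLogin],
    now: datetime,
    logged_on_users: Iterable[str],
    validate_credentials: Callable[[str, str], bool],
) -> tuple:
    """Fail-closed decision in the order the page describes.

    Returns (allow, reason). Every rejection carries a reason suitable for an
    audit event; the password itself is never part of it.
    """
    if app_login is None:
        return False, "no app login recorded for this device"

    age = now - app_login.submitted_at
    if age < timedelta(0) or age > APP_LOGIN_WINDOW:
        return False, f"app login is {age} old, outside the {APP_LOGIN_WINDOW} window"

    if not validate_credentials(app_login.user, app_login.password):
        return False, f"credentials for {app_login.user} were rejected by AD/local logon"

    active = {normalize_account(u) for u in logged_on_users}
    if normalize_account(app_login.user) not in active:
        return (False,
                f"app user {app_login.user} is not logged on to this workstation "
                f"(logged on: {', '.join(sorted(logged_on_users))})")

    return True, "app user matches a logged-on account; mounting"


def build_event(device: str, app_login: Optional[AppLogin], logged_on_users: Iterable[str],
                now: datetime, validate_credentials: Callable[[str, str], bool]) -> dict:
    """Audit record for one mount attempt (constructed layout, not secRMM's event text)."""
    users = list(logged_on_users)
    allow, reason = decide_mount(app_login, now, users, validate_credentials)
    return {
        "device": device,
        "app_user": app_login.user if app_login else None,
        "logged_on_users": sorted(users),
        "result": "mounted" if allow else "forced unmount",
        "reason": reason,
    }


# Constructed stand-in for the directory (hypothetical accounts and passwords).
# A real implementation would validate against AD or the local SAM instead.
_FAKE_DIRECTORY = {"contoso\\angela": "Correct-Horse-42",
                   "contoso\\administrator": "Adm1n!"}


def fake_validate(user: str, password: str) -> bool:
    return _FAKE_DIRECTORY.get(normalize_account(user)) == password


def demo_events() -> list:
    """The page's failed scenario, then the happy path, a stale login and a bad password."""
    now = datetime(2014, 6, 1, 12, 0, tzinfo=timezone.utc)
    workstation_users = ["contoso\\administrator", "w82\\wdkremoteuser"]
    fresh = AppLogin("contoso\\angela", "Correct-Horse-42", now - timedelta(minutes=1))
    stale = AppLogin("contoso\\angela", "Correct-Horse-42", now - timedelta(minutes=6))
    bad_pw = AppLogin("contoso\\angela", "wrong", now)
    return [
        build_event("phone-1", fresh, workstation_users, now, fake_validate),
        build_event("phone-1", fresh, ["CONTOSO\\Angela"], now, fake_validate),
        build_event("phone-1", stale, ["contoso\\angela"], now, fake_validate),
        build_event("phone-1", bad_pw, ["contoso\\angela"], now, fake_validate),
    ]


if __name__ == "__main__":
    for event in demo_events():
        print(event)
```

The first record is the screenshot's case: the credentials are valid, but because contoso\angela is not one of the logged-on accounts the result is a forced unmount with the reason recorded. Note that the reason strings deliberately carry the account names and never the password, which is what you want in an event log that other people will read.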
We hope you find these two features useful in your security toolbox!