Leave a comment

USB DLP in Azure, Hyper-V and RDP

secRMMRDP10February 15, 2016 – We are excited about secRMM version  This blog covers the new feature included in the latest secRMM release.  If you would rather watch a video over reading and looking at screenshots, please watch this YouTube video.

With release, secRMM supports Microsoft Azure, Hyper-V and “RDP sessions to physical machines”.  The importance of this is that you can protect your data from leaving your domain on removable storage devices (USB thumb drives, mobile devices, external hard drives, SD-Cards, etc.) whether the user is at a physical computer, working in a virtual machine (VM) or remote session.  Since the removable storage devices are so fast and convenient, workers have been using them for decades to move files around, especially large files.  It is likely that your organization allows these devices today.  Unfortunately, without a “Data Loss Prevention” (DLP) utility like secRMM, you have no idea of the who, what, when, where or how your data, your users and these convenient devices are being used.  Now add to that, mobile devices!

With secRMM, at a minimum, you will get very detailed auditing of every write transaction, online/offline event and much more.  If you are not yet familiar with the base security aspects of what secRMM provides, please take the short time to review the secRMM video library.

Now, a brief introduction about Microsoft’s product “Remote Desktop”.  This technology allows you to access a Windows computers screen, keyboard, mouse (and other resources as well…what this blog it getting to) remotely.

We use the term “RDP client” for the computer that is running the “Remote Desktop Connection” program (i.e. mstsc.exe).  RDP stands for Remote Desktop Protocol.  Microsoft added some very nice technology to the RDP client which allows you to virtualize your physical [storage] devices within the RDP session.  This is done by clicking the “Local Resources” tab, clicking the “More” button and then selecting the drives you want (plus the awesome ability to add drives that are not yet plugged into the USB port).


click to enlarge

In other words, the device on your physical computer will show up in Windows Explorer on the RDP server.  Here, RDP server is in reference to the computer that you tell the RDP client to connect to.  In the screen shots above, we are connecting to a Windows computer named SURFACEPRO4 (yes, a real Surface Pro 4!).

Now lets see what secRMM will tell us about our RDP session.  Please look at the text in the next two screen shots below.  We see the secRMM events generated on the computer where the RDP session was initiated (remember, this is what we call the RDP client).  The first event is telling you about a removable storage device that was plugged into the computer.


click to enlarge

The next screen shot is telling you that the removable storage device is also being accessed thru a RDP client on the RDP server computer named SURFACEPRO4.


click to enlarge

So far, as a security or IT administrator, we now know that two computers can write to this USB stick.  Good to know.  Here is what a write event from the physical computer looks like.


click to enlarge

Notice how secRMM even tells you what the full source file is!

So, what does secRMM tell us on the RDP server side (i.e. the SURFACEPRO4 computer)?  Here is the corresponding device ONLINE event:


click to enlarge

We highlighted some interesting data.  Notice that the drive letter is prefixed by the name of the computer where the USB drive is physically connected.  In fact, secRMM tells you exactly this (and more for Azure and Hyper-V) in the “Additional Info” row.  This is consistent with how Windows Explorer shows the device to the RDP server (please see screen shot below).


click to enlarge

A write transaction on the RDP server looks like:


click to enlarge

As you can see, secRMM lets you know that the device “being written to” is virtual.

So lets finish up this blog by showing you what the online events look like for Hyper-V and it’s Cloud brother Azure.


click to enlarge


click to enlarge

In closing, Microsoft provides a very elegant way of sharing USB drives and mobile devices.  With the secRMM utility, you can keep tabs on what is going on and even apply security policy (rules) to the devices and users.  This is easily accomplished with the System Center Configuration Manager (SCCM) secRMM Console Extension.  If you do not have SCCM in your environment, secRMM can be centrally managed using Active Directory Group Policy Objects (AD GPO).  Both SCCM and AD GPO have both computer and user policies.  All the details about secRMM can be found at the secRMM documents library.  Thanks for reading our blog!

P.S., because I know I will get asked, for those of you using VMWare ESXi or VMWare Workstation, secRMM works natively within a VMWARE vm.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: