
USB devices, malware and System Center

Defender

March 19, 2016 – If you are already familiar with secRMM, you can skip the secRMM introduction and go directly to the new secRMM features in the “BlockProgramsOnDevice” and “ScanDevice” section below.

An introduction to secRMM, “Data Loss Prevention” and “Endpoint Protection”

secRMM is a utility for what the computer industry calls “Data Loss Prevention” (DLP for short). DLP software protects against internal threats by preventing employees from taking data. Data loss can occur by copying files to the Internet, through a network connection or by utilizing “removable storage devices”. Removable storage devices include thumb/flash drives, external hard drives, SD-Cards and mobile devices. secRMM addresses the removable storage device security hole by controlling and monitoring files being copied to any external storage device.

secRMM provides the perfect tool to securely manage data assets while at the same time permitting productivity with the use of removable “plug-and-play” storage. secRMM’s simple authorization policy rules allow you to control the who, what, where, when and how of data copied to removable storage devices. In addition, secRMM’s detailed monitoring provides advanced forensic analysis to combat unlawful and/or unauthorized disclosure of sensitive information.

With respect to DLP software, it is very important to have effective policy rules (to set the controls) together with monitoring logs that record what users are doing (relative to DLP operations). secRMM performs both of these functions (prevention and recording) very well. secRMM calls the prevention part “authorization” and the recording part “auditing”. These are both common computer terms. DLP functions get associated with an even grander computer term called “Endpoint Protection” (EP for short). EP is security software that runs on the computer (either a workstation or a server). The job of EP is to protect the endpoint from bad things happening to the computer. EP software is typically a suite of programs/utilities that together protect the computer from the various threats that would keep it from functioning properly and/or jeopardize the organization’s data.

Microsoft offers a powerful EP solution and many organizations around the world are using Microsoft’s EP software. It can be managed and administered by another Microsoft product called Microsoft System Center (SC). SC is a collection of Microsoft programs that computer administrators use to keep their computer environment functioning. This can be challenging when there are thousands or tens of thousands of computers running. Microsoft SC makes it possible to manage such a large number of computers. secRMM completes Microsoft’s endpoint protection strategy (antimalware, firewall, software updates) by adding DLP.

Back to DLP, EP and secRMM. Microsoft’s EP solution is comprised of patching software, firewall software, antimalware software and “rights management software” (RMS for short). Competing EP suites usually also contain a DLP component for removable storage devices. Since secRMM is integrated into SC, combining Microsoft’s SC and EP software with secRMM is very cost effective, because organizations already own Microsoft SC and EP software.

secRMM “BlockProgramsOnDevice” and “ScanDevice”

The above paragraphs describe the background about secRMM. This post is really about two functions that secRMM provides that are not strictly DLP functions but are important for the security of your organization. secRMM implements these two functions with two rules. The rules are named “BlockProgramsOnDevice” and “ScanDevice”.

[Screenshot: ExplorerBlockPrograms]

“BlockProgramsOnDevice” will prevent the end-user from executing any code from the removable storage device. Code here means any exe, com, cmd, bat, vbs, js, ps1 or pl file. This feature is important because it prevents the execution of malware from the outside world (i.e. coming from the removable storage). Bringing malware into an organization from removable storage is one of the main criticisms of removable storage. Because this is such an issue, many organizations do not allow the use of removable storage at all. This is unfortunate because removable storage is convenient and easy to use, which makes workers more productive. The “BlockProgramsOnDevice” function of secRMM eliminates the risk of malware programs running from the device.

[Screenshot: ScanDevice_VirusFound]

“ScanDevice” is another secRMM rule that helps defend against malware getting into an organization from removable storage. With the “ScanDevice” rule active, when a removable storage device is connected to the workstation or server computer, secRMM calls Microsoft’s antimalware program (part of Microsoft’s EP suite, or now free with the OS) to scan the removable storage device for malware. If a malware program is discovered on the removable storage device, it will be identified and even quarantined.
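As an added illustration of what the two rules do from the Defender side (this is not secRMM’s code), the script below waits for a removable volume to arrive, inventories the file types that “BlockProgramsOnDevice” refuses to run, and then hands the volume to Microsoft’s antimalware engine for a custom scan, as “ScanDevice” does. It assumes an elevated, interactive session on Windows 8.1 / Server 2012 R2 or later with the Defender PowerShell module; the function names are my own.

```powershell
# Added illustration, not secRMM's code: on removable volume arrival, list the
# file types the BlockProgramsOnDevice rule would refuse to execute, then hand
# the volume to Microsoft Defender for a custom scan, as the ScanDevice rule does.
# Assumes an elevated, interactive session (Windows 8.1 / Server 2012 R2 or later,
# Defender module present). Dot-source the script so the functions land in the
# session scope, where the event action can call them.

# Extensions the post lists as "code" for BlockProgramsOnDevice.
$script:BlockedExtensions = @('.exe', '.com', '.cmd', '.bat', '.vbs', '.js', '.ps1', '.pl')

function Get-ExecutableContent {
    # Inventory (not block) the files an end user could launch from the device.
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'E:'
    Get-ChildItem -Path "$DriveLetter\" -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $script:BlockedExtensions -contains $_.Extension.ToLower() } |
        Select-Object FullName, Length, LastWriteTime
}

function Invoke-RemovableDeviceScan {
    param([Parameter(Mandatory)][string]$DriveLetter)
    # Win32_LogicalDisk DriveType 2 = removable disk; ignore fixed and optical volumes.
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$DriveLetter'"
    if (-not $disk -or $disk.DriveType -ne 2) { return }

    $exes = @(Get-ExecutableContent -DriveLetter $DriveLetter)
    Write-Host "[$DriveLetter] $($exes.Count) executable-type file(s) found:"
    $exes | ForEach-Object { Write-Host "    $($_.FullName)" }

    # Defender custom scan of the whole volume; detections are quarantined per policy.
    Start-MpScan -ScanType CustomScan -ScanPath "$DriveLetter\"
    Get-MpThreatDetection |
        Where-Object { $_.Resources -like "*$DriveLetter\*" } |
        Select-Object DetectionID, InitialDetectionTime, Resources
}

# Win32_VolumeChangeEvent EventType 2 = device arrival; DriveName is the letter ('E:').
Register-WmiEvent -Query 'SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2' `
    -SourceIdentifier 'RemovableArrival' -Action {
        Invoke-RemovableDeviceScan -DriveLetter $Event.SourceEventArgs.NewEvent.DriveName
    }
# Tidy up when finished: Unregister-Event -SourceIdentifier 'RemovableArrival'
```

Unlike secRMM, this only reports executable-type files; enforcement (refusing to launch them) is what the “BlockProgramsOnDevice” rule adds on top of the scan.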

[Screenshot: SCCMConsole1]

In closing, Microsoft provides a very elegant way of using USB drives and mobile devices. With the secRMM utility, you can keep tabs on what is going on and even apply security policy (rules) to the devices and users. This is easily accomplished with the System Center Configuration Manager (SCCM) secRMM Console Extension. If you do not have SCCM in your environment, secRMM can be centrally managed using Active Directory Group Policy Objects (AD GPO). Both SCCM and AD GPO support computer and user policies.

Thanks for reading!
