
Use a Smartcard (DOD CAC card) to access a USB removable storage device


03/25/2020 – Overview: secRMM is a Windows security solution that audits and controls access to removable storage devices. secRMM is easy to implement: it can operate on a standalone Windows computer or be centrally managed for thousands of computers, and it can be configured with security policies for computers and/or groups of users.

As of secRMM version 9.9.24.0, secRMM has a security property (named RequireSmartCard) that requires the end-user to enter the Smartcard password before they can access a USB-connected removable storage device. This includes mobile devices and any other type of device that exposes storage to the Windows operating system.

Watch the YouTube video at https://www.youtube.com/watch?v=i8HUjUQpYkk.

If you are an IT person, you have probably heard the term “multi-factor authentication” (MFA). The secRMM RequireSmartCard property is a classic example of MFA: once you turn it on (it is a simple checkbox), the end-user needs two things to be able to access the USB removable storage:

1. A Windows userid/password
2. The password that is associated with the digital certificate on the Smartcard

Note that much of the documentation you will see about Smartcards refers to the password as a PIN. A PIN is the same as a password in that only the owner of the Smartcard should know it.

While we are on MFA, you should know that secRMM offers another form of MFA for mobile devices. That secRMM property is named RequireSmartPhoneLogin (although it would more accurately be named RequireMobileDeviceLogin, because it works just the same for tablets). To implement RequireSmartPhoneLogin, the end-user’s mobile device needs the secRMM Login app, which is in the Android, Apple, BlackBerry and Windows app stores (see https://www.squadratechnologies.com/Products/secRMM/secRMMSmartPhoneApps.aspx).

Back to RequireSmartCard, let’s look at what the end-user will see when they insert a removable storage device into their Windows computer. In the screenshots below, you will notice that we are using a self-signed digital certificate to show you how the software works. In production environments, you will have a certificate that comes from a “trusted certificate authority” (CA). Trusted certificate authorities are organizations (or a server within your own company) that are trusted and validated to issue digital certificates to your company/organization.

The screenshot below just shows how to turn on RequireSmartCard. Whether you are doing this on a standalone computer or centrally, it is just a checkbox to check.

[Screenshot: secRMM RequireSmartCard checkbox]

Now, let’s see what happens when the end-user plugs a thumb drive into the computer. The end-user is prompted (Yes or No) to proceed with authenticating their access to the thumb drive with their Smartcard.

[Screenshot: secRMM RequireSmartCard Yes/No prompt]

If they choose No, the thumb drive is not made available and a pop-up message is shown to the end-user (see screenshot below). Note that this text is customizable for your environment.

[Screenshot: secRMM RequireSmartCard end-user pop-up message]

As security administrators, we want to know what the end-user did, so an event is written to the secRMM/security event log indicating that the end-user clicked No, as shown in the screenshot below.

[Screenshot: secRMM event log entry for the end-user clicking No]

In addition, a more detailed error event is written to the secRMM/security event log, including the details of the device that the end-user tried to mount (as shown in the screenshot below).

[Screenshot: secRMM error event with device details]

Now, let’s look at the end-user’s experience when they click the Yes button.

[Screenshots: end-user Smartcard PIN prompt after clicking Yes]

Once the PIN is entered, they can access the thumb drive as they normally do (probably using Windows Explorer). The security administrator sees the two events shown in the following two screenshots.

[Screenshots: secRMM event log entries for a successful Smartcard authentication]

Since the Additional Smart Card Info is on a single line, we have expanded it below. The values are the details of the security certificate on the Smartcard.

Additional Smart Card Info:
CertName: SquadraRoot,
ContainerName: SquadraRoot-524f3017-2e9b-4cbd-a5-00974,
SerialNumber: ff1a97dc6dc1149b4e47bf356b06b072,
Issuer: SquadraRoot,
Subject: C=US, S=NV, L=Las Vegas, OU=Development, O=Squadra Technologies, CN=SquadraRoot,
Valid from: Saturday, January 1, 2000 12:00:00 AM,
Valid to: Thursday, January 1, 2099 12:00:00 AM (Pacific Daylight Time [GMT-7])
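A security administrator will usually want to do more with the Additional Smart Card Info than read it in the event viewer: for example, flag a self-signed certificate like the demo one above, a certificate from an issuer outside the organization’s CA, or a certificate outside its validity window. The Python script below is an added example, not part of secRMM or of this post. It assumes the field is a single line laid out exactly as shown above (key/value pairs separated by commas, with the Subject value containing commas of its own and an optional “(… [GMT-7])” suffix on the dates); the issuer name “Corp Issuing CA” is a constructed placeholder for your own CA, and a date with no time-zone suffix is treated as UTC, which is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the Additional Smart Card Info value from the post, joined
# back onto one line the way the secRMM event shows it. The demo certificate is
# self-signed (Issuer equals the Subject CN), which an allowlist check should flag.
SAMPLE_INFO = (
    "CertName: SquadraRoot, "
    "ContainerName: SquadraRoot-524f3017-2e9b-4cbd-a5-00974, "
    "SerialNumber: ff1a97dc6dc1149b4e47bf356b06b072, "
    "Issuer: SquadraRoot, "
    "Subject: C=US, S=NV, L=Las Vegas, OU=Development, O=Squadra Technologies, "
    "CN=SquadraRoot, "
    "Valid from: Saturday, January 1, 2000 12:00:00 AM, "
    "Valid to: Thursday, January 1, 2099 12:00:00 AM (Pacific Daylight Time [GMT-7])"
)

# Field names as they appear in the event. The Subject value contains commas of
# its own, so we locate the known keys rather than splitting on ", ".
FIELD_NAMES = ("CertName", "ContainerName", "SerialNumber", "Issuer",
               "Subject", "Valid from", "Valid to")
_KEY_RE = re.compile(r"(?:^|,\s*)(" + "|".join(re.escape(k) for k in FIELD_NAMES) + r"):\s*")
_DATE_FMT = "%A, %B %d, %Y %I:%M:%S %p"


def parse_info(line: str) -> dict:
    """Split the single-line field into {key: value}, keeping commas inside values."""
    matches = list(_KEY_RE.finditer(line))
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
        fields[m.group(1)] = line[m.end():end].strip().rstrip(",").strip()
    return fields


def parse_validity(value: str) -> datetime:
    """Turn 'Thursday, January 1, 2099 12:00:00 AM (... [GMT-7])' into an aware datetime."""
    tz = timezone.utc  # assumption: a value with no zone suffix is treated as UTC
    zone = re.search(r"\s*\([^\[]*\[GMT([+-]\d{1,2})\]\)\s*$", value)
    if zone:
        tz = timezone(timedelta(hours=int(zone.group(1))))
        value = value[:zone.start()]
    return datetime.strptime(value.strip(), _DATE_FMT).replace(tzinfo=tz)


def assess(fields: dict, trusted_issuers: set, now: datetime = None) -> list:
    """Return the findings an administrator would want raised for this card's certificate."""
    now = now or datetime.now(timezone.utc)
    findings = []
    cn = re.search(r"(?:^|,\s*)CN=([^,]+)", fields.get("Subject", ""))
    subject_cn = cn.group(1).strip() if cn else ""
    if fields.get("Issuer") == subject_cn:
        findings.append("self-signed")            # demo/self-issued cert, not from a CA
    if fields.get("Issuer") not in trusted_issuers:
        findings.append("untrusted-issuer")       # issuer is not one of our CAs
    if now < parse_validity(fields["Valid from"]):
        findings.append("not-yet-valid")
    if now > parse_validity(fields["Valid to"]):
        findings.append("expired")
    return findings


def review(line: str, trusted_issuers: set, now_iso: str) -> list:
    """Convenience wrapper: parse the event field and assess it at an ISO-8601 instant."""
    return assess(parse_info(line), trusted_issuers, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    info = parse_info(SAMPLE_INFO)
    for key in FIELD_NAMES:
        print(f"{key}: {info[key]}")
    # "Corp Issuing CA" is a constructed placeholder for your organization's issuing CA.
    print("findings:", assess(info, {"Corp Issuing CA"}))
```

Run against the demo value, the script reports `self-signed` and `untrusted-issuer`, which is the expected result for a lab certificate and the kind of condition you would alert on if it ever appeared in a production secRMM event; a certificate issued by a CA on your allowlist and inside its validity window returns no findings.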

We hope this secRMM feature helps you secure your environment when it comes to removable storage access by your end-users. Please let us know if you have any questions. You can reach us at support@squadratechnologies.com
