
USB devices, malware and System Center


March 19, 2016 – If you are already familiar with secRMM, you can skip the secRMM introduction and go directly to the new secRMM features further down.

An introduction to secRMM, “Data Loss Prevention” and “Endpoint Protection”

secRMM is a utility for what the computer industry calls “Data Loss Prevention” (DLP for short). DLP software protects against internal threats by preventing employees from taking data. Data loss can occur by copying files to the Internet, through a network connection or by utilizing “removable storage devices”. Removable storage devices include thumb/flash drives, external hard drives, SD-Cards and mobile devices. secRMM addresses the removable storage device security hole by controlling and monitoring files being copied to any external storage device.

secRMM provides the perfect tool to securely manage data assets while at the same time permitting productivity with the use of removable “plug-and-play” storage. secRMM’s simple authorization policy rules allow you to control the who, what, where, when and how of data copied to removable storage devices. In addition, secRMM’s detailed monitoring provides advanced forensic analysis to combat unlawful and/or unauthorized disclosure of sensitive information.

With respect to DLP software, it is very important to have effective policy rules (to set the controls) together with monitoring logs that record what users are doing (relative to DLP operations). secRMM performs both of these functions (prevention and recording) very well. secRMM calls the prevention part “authorization” and the recording part “auditing”; both are common computer terms. DLP functions get associated with an even grander term, “Endpoint Protection” (EP for short). EP is security software that runs on the computer (either a workstation or a server). The job of EP is to protect the endpoint from bad things happening to the computer. EP software is typically a suite of programs/utilities that together protect the computer from the various threats that would keep it from functioning properly and/or jeopardize the organization’s data.

Microsoft offers a powerful EP solution and many organizations around the world are using Microsoft’s EP software. It can be managed and administered by another Microsoft product called Microsoft System Center (SC). SC is a collection of Microsoft programs that computer administrators use to keep their computer environment functioning. This can be challenging when there are thousands or tens of thousands of computers running, and Microsoft SC makes it possible to manage that many computers. secRMM completes Microsoft’s endpoint protection strategy (antimalware, firewall, software updates) by adding DLP.

Back to DLP, EP and secRMM. Microsoft’s EP solution comprises patching software, firewall software, antimalware software and “rights management software” (RMS for short). Competing EP suites usually also contain a DLP component for removable storage devices. Since secRMM is integrated into SC, combining Microsoft’s SC and EP software with secRMM is very cost effective, because organizations already own Microsoft SC and EP software.

secRMM “BlockProgramsOnDevice” and “ScanDevice”

The paragraphs above give the background on secRMM. This blog is really about two functions that secRMM provides that are not strictly DLP functions but are important for the security of your organization. secRMM implements them with two rules, named “BlockProgramsOnDevice” and “ScanDevice”.


“BlockProgramsOnDevice” prevents the end-user from executing any code directly from the removable storage device. Code here means any exe, com, cmd, bat, vbs, js, ps1 or pl file. This matters because it stops malware that arrives on removable storage from the outside world from running. Bringing malware into an organization on removable storage is one of the main criticisms of removable storage, and because it is such an issue many organizations do not allow removable storage at all. That is unfortunate, because removable storage is convenient and easy to use, which makes workers more productive. The “BlockProgramsOnDevice” rule removes the risk of those program types running from the device. Note that the rule is scoped to execution from the device itself: a file that a user first copies onto the local disk is no longer on the removable storage, so catching it there remains the job of the antimalware software (and of the “ScanDevice” rule below, which scans the device when it is connected).


“ScanDevice” is another secRMM rule that helps keep malware on removable storage from getting into an organization. With the “ScanDevice” rule active, when a removable storage device is connected to a workstation or server, secRMM calls Microsoft’s antimalware program (part of Microsoft’s EP suite, and now included free with the OS) to scan the removable storage device for malware. If a malware program is discovered on the device, it is identified and can be quarantined.
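What the “ScanDevice” rule describes, as an added example that is not part of secRMM or of the original post: a PowerShell event subscription that waits for a new volume to appear and runs a Windows Defender custom scan of it. It assumes the Defender PowerShell module (Windows 8.1 / Server 2012 R2 and later) and an elevated session; the source identifier name is arbitrary.

```powershell
# Added example (not secRMM's own code): scan a removable volume with Windows
# Defender as soon as it arrives, the behaviour the ScanDevice rule describes.
# Stop it with: Unregister-Event -SourceIdentifier secRMMDemoVolumeArrival

# Win32_VolumeChangeEvent fires for drive-letter volumes; EventType 2 is "Device Arrival".
$query = "SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2"

Register-CimIndicationEvent -Query $query -SourceIdentifier secRMMDemoVolumeArrival -Action {
    $drive = $Event.SourceEventArgs.NewEvent.DriveName   # e.g. "E:"
    $root  = "$drive\"

    # Only scan removable volumes (DriveType 2), not fixed disks or mapped shares.
    $vol = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'"
    if ($null -eq $vol -or $vol.DriveType -ne 2) { return }

    $started = Get-Date
    # CustomScan limits the scan to the given path. Whatever Defender finds is handled
    # by its own remediation settings, which is the "identified and even quarantined" part.
    Start-MpScan -ScanType CustomScan -ScanPath $root

    # Report detections on this volume logged since the scan began.
    $hits = Get-MpThreatDetection | Where-Object {
        $_.InitialDetectionTime -ge $started -and ($_.Resources -match [regex]::Escape($root))
    }
    if ($hits) {
        foreach ($h in $hits) {
            Write-Warning ("Threat {0} found on {1}; remediation succeeded: {2}" -f $h.ThreatID, $root, $h.ActionSuccess)
        }
    } else {
        Write-Host "Scan of $root completed with no detections."
    }
}
```

Output written inside the -Action block is collected by the event job, so read it with `Receive-Job -Name secRMMDemoVolumeArrival`. The subscription only lives as long as the PowerShell session; a production equivalent would run as a service, which is exactly what secRMM provides.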


In closing, Microsoft provides a very elegant way of using USB drives and mobile devices. With the secRMM utility, you can keep tabs on what is going on and even apply security policy (rules) to the devices and users. This is easily accomplished with the System Center Configuration Manager (SCCM) secRMM Console Extension. If you do not have SCCM in your environment, secRMM can be centrally managed using Active Directory Group Policy Objects (AD GPO). Both SCCM and AD GPO support computer and user policies.

Thanks for reading!


USB DLP in Azure, Hyper-V and RDP

February 15, 2016 – We are excited about the new secRMM version. This blog covers the new feature included in the latest secRMM release. If you would rather watch a video than read and look at screenshots, please watch this YouTube video.

With this release, secRMM supports Microsoft Azure, Hyper-V and “RDP sessions to physical machines”. The importance of this is that you can protect your data from leaving your domain on removable storage devices (USB thumb drives, mobile devices, external hard drives, SD-Cards, etc.) whether the user is at a physical computer, working in a virtual machine (VM) or in a remote session. Because removable storage devices are so fast and convenient, workers have been using them for decades to move files around, especially large files, and it is likely that your organization allows these devices today. Unfortunately, without a “Data Loss Prevention” (DLP) utility like secRMM, you have no idea of the who, what, when, where or how of your data, your users and these convenient devices. Now add mobile devices to that!

With secRMM, at a minimum, you will get very detailed auditing of every write transaction, online/offline event and much more.  If you are not yet familiar with the base security aspects of what secRMM provides, please take the short time to review the secRMM video library.

Now, a brief introduction to Microsoft’s “Remote Desktop”. This technology lets you access a Windows computer’s screen, keyboard and mouse (and other resources as well, which is what this blog is getting to) remotely.

We use the term “RDP client” for the computer that is running the “Remote Desktop Connection” program (i.e. mstsc.exe).  RDP stands for Remote Desktop Protocol.  Microsoft added some very nice technology to the RDP client which allows you to virtualize your physical [storage] devices within the RDP session.  This is done by clicking the “Local Resources” tab, clicking the “More” button and then selecting the drives you want (plus the awesome ability to add drives that are not yet plugged into the USB port).



In other words, the device on your physical computer will show up in Windows Explorer on the RDP server.  Here, RDP server is in reference to the computer that you tell the RDP client to connect to.  In the screen shots above, we are connecting to a Windows computer named SURFACEPRO4 (yes, a real Surface Pro 4!).

Now let’s see what secRMM tells us about our RDP session. Please look at the text in the next two screen shots below. We see the secRMM events generated on the computer where the RDP session was initiated (remember, this is what we call the RDP client). The first event tells you about a removable storage device that was plugged into the computer.



The next screen shot tells you that the removable storage device is also being accessed through an RDP client on the RDP server computer named SURFACEPRO4.



So far, as a security or IT administrator, we now know that two computers can write to this USB stick.  Good to know.  Here is what a write event from the physical computer looks like.



Notice how secRMM even tells you what the full source file is!

So, what does secRMM tell us on the RDP server side (i.e. the SURFACEPRO4 computer)?  Here is the corresponding device ONLINE event:



We highlighted some interesting data.  Notice that the drive letter is prefixed by the name of the computer where the USB drive is physically connected.  In fact, secRMM tells you exactly this (and more for Azure and Hyper-V) in the “Additional Info” row.  This is consistent with how Windows Explorer shows the device to the RDP server (please see screen shot below).



A write transaction on the RDP server looks like:



As you can see, secRMM lets you know that the device “being written to” is virtual.

Let’s finish up this blog by showing you what the online events look like for Hyper-V and its cloud sibling, Azure.



In closing, Microsoft provides a very elegant way of sharing USB drives and mobile devices.  With the secRMM utility, you can keep tabs on what is going on and even apply security policy (rules) to the devices and users.  This is easily accomplished with the System Center Configuration Manager (SCCM) secRMM Console Extension.  If you do not have SCCM in your environment, secRMM can be centrally managed using Active Directory Group Policy Objects (AD GPO).  Both SCCM and AD GPO support computer and user policies.  All the details about secRMM can be found at the secRMM documents library.  Thanks for reading our blog!

P.S. Because I know I will get asked: for those of you using VMware ESXi or VMware Workstation, secRMM works natively within a VMware VM.



We are excited about the new secRMM version! This blog covers the two new features included in the latest secRMM release.

If you don’t yet know much about secRMM, it is security software for the Microsoft platform focused on securing and auditing removable “plug-and-play” storage media. This includes mobile devices, USB flash drives (including hardware-encrypted devices), external hard drives, SD-Cards, etc. secRMM is different from other DLP solutions in that it does not come with its own complete security framework: Microsoft already provides the framework and technologies that secRMM needs to do its job. secRMM is integrated into Microsoft System Center: Configuration Manager (SCCM), Operations Manager (SCOM) and Orchestrator. secRMM supports Microsoft BitLocker, and we will soon be releasing integration with Microsoft AD/Azure Rights Management Services (RMS). If you have SCCM in your environment, you know that Microsoft has a category of software called “Endpoint Protection”, which includes antimalware and firewall software. When you add endpoint DLP via secRMM, you end up with the equivalent of what you would buy from a security framework vendor.

Microsoft also markets the “Microsoft Enterprise Mobility Suite” (EMS), which bundles Microsoft Intune (the cloud counterpart to SCCM) with Azure Active Directory Premium and Azure Rights Management. EMS falls under a category of software the industry calls Mobile Device Management (MDM), and within the MDM umbrella there are solutions called Mobile Content Management (MCM). secRMM is a perfect fit for EMS -> MDM -> MCM! 🙂 That said, if your environment is only running Microsoft Windows workstations (i.e. no backend Microsoft framework), secRMM can be installed on a Windows computer and be 100% functional, because secRMM only requires two base Windows components: the “Computer Management” console (i.e. the MMC) and the Windows event log.

Now, onto the two new secRMM features.

First, secRMM contains a new rule named “BlockProgramsOnDevice”. This rule (as its name implies) prevents programs (exe, com, cmd, bat, ps1, vbs, js, pl) from executing from a removable plug-and-play storage device (USB drives and mobile devices). Many antimalware solutions implement this feature as well; secRMM differentiates itself by additionally recording the event (what program, and who was running it) in the event log, as event ID 514 shown below.

secRMM Event Id 514
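Reading those block events back out of the log is where the extra value of the rule shows up, both for the rule as introduced in the March post above and for event ID 514 here. The following is an added example and not secRMM’s own code; it assumes the log is named “secRMM” and that the message text of event 514 contains the account and the full path of the blocked program, so the log name and the two regular expressions may need adjusting to what your installation actually writes.

```powershell
# Added example (not secRMM's own code): pull the BlockProgramsOnDevice events
# (event ID 514) out of the event log and rank users by how often they hit the block.
# Assumptions: the log is named "secRMM", and the message contains a "User:" line
# and the blocked program's path. Adjust the log name and regexes to your system.
param(
    [string]$LogName = 'secRMM',
    [int]   $EventId = 514,
    [int]   $Days    = 7
)

$since  = (Get-Date).AddDays(-$Days)
$filter = @{ LogName = $LogName; Id = $EventId; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No event $EventId entries in log '$LogName' since $since."
    return
}

$rows = foreach ($e in $events) {
    # "who": a line such as "User: contoso\angela" in the message (assumed layout);
    # fall back to the SID the event was written under.
    $user = if ($e.Message -match '(?im)^\s*user\s*:\s*(\S+)') { $Matches[1] } else { "$($e.UserId)" }
    # "what": the first path ending in one of the blocked extensions.
    $prog = if ($e.Message -match '(?i)\b([A-Z]:\\[^\r\n"]+?\.(exe|com|cmd|bat|vbs|js|ps1|pl))\b') { $Matches[1] } else { '<not parsed>' }
    [pscustomobject]@{ Time = $e.TimeCreated; Computer = $e.MachineName; User = $user; Program = $prog }
}

# Repeat offenders first: one blocked autorun is noise, the same user trying
# several executables off a stick in a week is worth a conversation.
$rows | Group-Object User | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        User     = $_.Name
        Blocks   = $_.Count
        Programs = ($_.Group.Program | Sort-Object -Unique) -join '; '
        LastSeen = ($_.Group.Time | Measure-Object -Maximum).Maximum
    }
} | Format-Table -AutoSize
```

Save it as a .ps1 and run it with `-Days 30` to widen the window; if the “User:” regex never matches, open one event 514 in Event Viewer and copy the actual label it uses.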


Second, the secRMM mobile app titled “Windows Active Directory Login” is now published in the Microsoft Windows Store. The app is also available in the Apple iOS App Store, BlackBerry World and the Google Play Store. You can conveniently reach all the app stores from the Squadra Technologies web site.


secRMM Active Directory Login mobile app

“Windows Active Directory Login” mobile app explained:

First, this is an optional feature of secRMM. As an IT administrator, you can enable or disable the secRMM rule “RequireSmartPhoneLogin” (yes, it should really be named “RequireMobileDeviceLogin”; we will try to change this in the next release) using a simple checkbox. When “RequireSmartPhoneLogin” is checked and a mobile device is mounted by the Windows operating system, secRMM intercepts the mount and checks whether the end user has used the “Windows Active Directory Login” app within the last 5 minutes. If so, it takes the userid and password typed into the app and performs an Active Directory (or local) login with them. If those credentials are valid (i.e. the userid and password combination works), secRMM next checks that they are the same credentials that are currently active on the Windows computer where the mobile device was mounted. If all of the above tests succeed, the mobile device is mounted on the Windows computer as a storage device. If any of them fails, the mobile device is unmounted and a failure event is logged in the secRMM event log.
The “Windows Active Directory Login” mobile app puts your mobile devices on par with the “classic” USB hardware encryption solutions, in that you are forced to authenticate before the device will mount. The nice thing about the app is that it uses the same Windows domain/local user account, whereas hardware encryption devices require their own password. While perhaps trivial, this means the end-user does not need to remember yet another password, and the Active Directory password policies are enforced.

secRMM mobile device online failure event


See the screenshot above of a failed event due to improper credentials using the mobile app.

If you look at the last line of the event log screenshot, you will see that the userid specified in the app was “contoso\angela”. However, at the time of the mobile device mount, the users contoso\administrator and the local user w82\wdkremoteuser were logged into the Windows workstation (see the second to last line in the event text). Since neither of the accounts currently logged into the Windows workstation matches the credentials specified in the app (i.e. contoso\angela), the mobile device is not allowed to mount. Notice that the last line of the event text tells you the mobile device had a “forced unmount”.
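The decision described above, written out as an added example that is not secRMM’s own code: the three checks (5-minute window, credential validation, match against a logged-on account) as a PowerShell function, with the failure from the screenshot reproduced at the bottom. How secRMM receives the credentials from the app is not described here, so the function simply takes them as parameters; the credential check uses the .NET `PrincipalContext.ValidateCredentials` API, and the session list comes from WMI logon sessions.

```powershell
# Added example (not secRMM's own code): the mount decision the
# "RequireSmartPhoneLogin" rule describes, with each check explicit:
#   1. the app was used within the last 5 minutes,
#   2. the userid/password from the app are valid against the domain (or the local machine),
#   3. that account is one of the accounts currently logged on to this computer.
# $LoggedOnUsers and $Validate may be supplied explicitly (see the usage at the
# bottom) or left to the real helpers defined below.

function Test-MobileDeviceMountAllowed {
    param(
        [Parameter(Mandatory)] [string]       $AppUser,       # domain\user typed into the app, e.g. contoso\angela
        [Parameter(Mandatory)] [securestring] $AppPassword,
        [Parameter(Mandatory)] [datetime]     $AppLoginTime,  # when the app was last used
        [string[]]    $LoggedOnUsers = (Get-LoggedOnUser),
        [datetime]    $Now           = (Get-Date),
        [int]         $WindowMinutes = 5,
        [scriptblock] $Validate      = ${function:Test-DomainCredential}
    )
    $age = ($Now - $AppLoginTime).TotalMinutes
    if ($age -lt 0 -or $age -gt $WindowMinutes) {
        return [pscustomobject]@{ Allowed = $false; Reason = "app login is $([int]$age) min old (limit $WindowMinutes): forced unmount" }
    }
    if (-not (& $Validate $AppUser $AppPassword)) {
        return [pscustomobject]@{ Allowed = $false; Reason = "credentials for $AppUser are not valid: forced unmount" }
    }
    # Compare domain\user case-insensitively against the interactive sessions.
    if (-not ($LoggedOnUsers | Where-Object { $_ -ieq $AppUser })) {
        return [pscustomobject]@{ Allowed = $false; Reason = "$AppUser is not logged on here (sessions: $($LoggedOnUsers -join ', ')): forced unmount" }
    }
    [pscustomobject]@{ Allowed = $true; Reason = "$AppUser matches an active session: mount" }
}

function Test-DomainCredential([string]$User, [securestring]$Password) {
    # Validate against the domain, or against the local SAM when the "domain" part is this computer.
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $domain, $name = $User -split '\\', 2
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $type  = if ($domain -ieq $env:COMPUTERNAME) { 'Machine' } else { 'Domain' }
    $ctx = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
        [System.DirectoryServices.AccountManagement.ContextType]$type, $domain)
    try { $ctx.ValidateCredentials($name, $plain) } finally { $ctx.Dispose() }
}

function Get-LoggedOnUser {
    # Interactive (2) and RemoteInteractive (10) logon sessions, as domain\user strings.
    Get-CimInstance Win32_LogonSession -Filter 'LogonType = 2 OR LogonType = 10' |
        ForEach-Object { Get-CimAssociatedInstance -InputObject $_ -Association Win32_LoggedOnUser } |
        ForEach-Object { '{0}\{1}' -f $_.Domain, $_.Name } |
        Sort-Object -Unique
}

# Usage: the failure from the screenshot above. Sessions are passed in explicitly and
# the validator is short-circuited so this runs on any machine without a domain.
$pw = Read-Host -AsSecureString 'Password typed into the app'
Test-MobileDeviceMountAllowed -AppUser 'contoso\angela' -AppPassword $pw `
    -AppLoginTime (Get-Date).AddMinutes(-2) `
    -LoggedOnUsers 'contoso\administrator', 'w82\wdkremoteuser' -Validate { $true }
# -> Allowed = False; Reason: contoso\angela is not logged on here (...): forced unmount
```

The order of the checks matters: the time window is tested first so that a stale app login is rejected without ever touching the domain controller, and the session match comes last because it is the check that ties the mobile device to the person sitting at the keyboard rather than to anyone who knows a valid password.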

We hope you find these two features useful in your security toolbox!


SCCM with 100% USB/Mobile Device storage security

SCCM Console


Security Removable Media Manager (secRMM) is Windows security software that audits and authorizes write activity to storage devices that connect using the USB port.  This includes smart phones, tablets, flash drives (including hardware and/or software encryption), external hard drives, SD-Cards, and CD/DVD.  secRMM fits into a category of software commonly referred to as “Data Loss Prevention” (DLP).  secRMM completes Microsoft’s endpoint protection strategy (antimalware, firewall, software updates) by adding DLP.

secRMM Excel AddIn


secRMM version 7.0 provides more integration points with Microsoft System Center Configuration Manager 2012 (SCCM).  Prior to version 7.0, secRMM offered the SCCM Console Extension, which allowed centralized policy management/configuration.  The new secRMM features in version 7.0 tie in with the Console Extension and let you work with secRMM without ever having to leave the SCCM console!

The new features are:

1. secRMM SCCM status messages
2. secRMM SCCM reports
3. secRMM Excel AddIn to view the SCCM status messages

The SCCM integration is a big step forward for secRMM, but it is not the end of the Microsoft System Center integration story.  secRMM is also integrated into Microsoft System Center Operations Manager (SCOM).  secRMM has a complete SCOM Management Pack that includes alerts, tasks and reports.  In fact, if you are using the security reporting database within SCOM (called Audit Collection Services, ACS), secRMM has reports for ACS.  secRMM has reports for the SCOM Data Warehouse as well.

SCCM report for secRMM

A free two week trial of secRMM is available at Squadra Technologies.  For documentation on the secRMM SCCM integration, please read the secRMM SCCM 2012 Administrator Guide.


USB encryption hardware and secRMM

Many organizations either choose or are required to use hardware encryption technology to add a layer of security when sensitive files leave their network on removable media.

secRMM works seamlessly with these technologies and generates security events that inform the system administrator of:

  • the encrypted device being mounted,
  • whether authorization was granted,
  • all successful and failed write events,
  • when the device goes offline, and
  • all administrative changes to the removable media security policies.

No longer do organizations have to rely on company policies and procedures to limit the use of the USB port.
Instead, they can actively manage, secure, and audit it internally with secRMM.

Squadra Technologies has partnered with the following hardware encryption companies, which see the synergy between their hardware solutions and the secRMM software:
1. Apricorn
2. DataLocker
3. Imation
4. Kanguru

secRMM Benefits…

  • Whitelist specific encrypted devices by vendor ID (VID) and/or product ID (PID).
  • By whitelisting only the preferred encrypted device (the company device), secRMM prevents data being written to any other type of removable media device.
  • Prevents the mounting of, and data transfer to, mobile devices beyond classic USB storage, including but not limited to BlackBerry, Apple, Windows and Android devices.
  • Captures the complete path of the source file being copied onto the encrypted device (i.e. knowledge of the exact file that was written and where it came from).
  • Logs failed attempts at data transfers through the USB port, providing the who, what, where and when of the attempted transfer.
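The VID/PID whitelisting in the first two bullets, as an added example that is not secRMM’s own code: enumerate the USB mass-storage devices currently attached and check each against an allowlist. The VID/PID pair in the allowlist is a placeholder, not any real vendor’s ID; the device enumeration uses the standard Win32_PnPEntity WMI class.

```powershell
# Added example (not secRMM's own code): check the USB storage devices present on
# this computer against a VID/PID allowlist, the kind of whitelist described above.
# The VID/PID pair below is a placeholder; fill in the IDs of your approved encrypted
# drives (Device Manager > device > Details > Hardware Ids).
$Allowlist = @(
    @{ Vid = '0000'; Pid = '0000'; Label = 'corporate encrypted drive (placeholder IDs)' }
)

function Get-UsbStorageDevice {
    # Every USB mass-storage device has a PnP node served by USBSTOR whose device ID
    # has the form USB\VID_xxxx&PID_xxxx\<serial>; pull the three parts out with a regex.
    Get-CimInstance Win32_PnPEntity -Filter "Service = 'USBSTOR'" | ForEach-Object {
        if ($_.PNPDeviceID -match '^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\(.+)$') {
            [pscustomobject]@{
                Name = $_.Name; Vid = $Matches[1]; Pid = $Matches[2]; Serial = $Matches[3]
            }
        }
    }
}

function Test-UsbAllowlist {
    param(
        [object[]]    $Devices = (Get-UsbStorageDevice),
        [hashtable[]] $Rules   = $Allowlist
    )
    foreach ($d in $Devices) {
        # First matching rule wins; comparison is case-insensitive because the hex
        # digits in PNPDeviceID are upper-case while people type them either way.
        $rule = $Rules | Where-Object { $_.Vid -ieq $d.Vid -and $_.Pid -ieq $d.Pid } | Select-Object -First 1
        [pscustomobject]@{
            Device  = $d.Name
            VidPid  = '{0}:{1}' -f $d.Vid, $d.Pid
            Serial  = $d.Serial
            Verdict = if ($rule) { "ALLOW ($($rule.Label))" } else { 'DENY: not an approved device' }
        }
    }
}

Test-UsbAllowlist | Format-Table -AutoSize
```

One caveat a practitioner should keep in mind: a VID/PID identifies a product line, not a unit, and a device can present any VID/PID it likes (a reprogrammed stick will happily claim an approved vendor’s ID), so the allowlist is a policy control to be paired with the write auditing above, not proof of what the hardware is. The serial number is included in the output so the rule can be tightened to individual units where that is wanted.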

A free two week trial of secRMM is available at Squadra Technologies.


BlackBerry OS 10 USB security

BlackBerry OS 10 support

secRMM now provides USB security for BlackBerry OS 10 devices with this release of secRMM.  BlackBerry devices are famous for their security coverage; you can read more about BlackBerry security at http://us.blackberry.com/business/blackberry-advantage.html.  secRMM now extends this coverage so that all activity pertaining to files copied to the device is recorded in the Windows Security event log.  In addition to the verbose event logging, secRMM also provides security rules (policies) that you can set per Windows system or user.  These rules are simple to configure yet extremely powerful when it comes to protecting sensitive data files within your domain.  As an example, secRMM lets you define the domain locations that files may be copied from; copies from any other location are blocked.  This feature does not require any modifications to the domain (i.e. Active Directory schema, NTFS, NAP, etc.).



The BlackBerry integration completes the secRMM mobile device coverage.  secRMM now has support for the 4 major mobile device platforms: BlackBerry, Android, Apple and Windows.  secRMM is unique in that it provides the same functions for “classic USB” storage devices (i.e. USB storage devices that get assigned a drive letter by the Windows operating system) as it does for mobile devices.  This is a significant cost saving, since competing solutions implement classic USB and mobile security as separate products.

For enterprise customers who want to securely allow BlackBerry device USB connections so workers can effectively copy files to their devices, we highly recommend you consider using secRMM and implementing the following BlackBerry knowledge base article: http://www.blackberry.com/btsc/KB33859.

A free two week trial of secRMM is available at Squadra Technologies.




Securing CDs/DVDs with secRMM


secRMM secures end-users’ writes of files to CDs/DVDs (we will just call them discs in this article) just the same as when they use a flash drive or mobile device. The Windows operating system offers two different ways to write to discs; you can read Microsoft’s description at http://windows.microsoft.com/en-us/windows/which-cd-dvd-format#1TC=windows-7. When you insert a blank disc, Windows displays a dialog asking how you want to use the disc (see screen shot). secRMM applies its security rules to either method chosen; it is up to the security or IT administrator how security will work on discs.

There are two secRMM properties (rules) that apply to discs. The first, which is on by default, is called “MonitorCDROMAndDVD”. As its name implies, it tells secRMM whether to monitor the disc while it is inserted in the Windows computer (the property is on) or not (the property is off). When “MonitorCDROMAndDVD” is on, secRMM records the ONLINE/OFFLINE events, the WRITE events and any AUTHORIZATION failure events that occur. This is exactly how secRMM handles any removable storage such as flash drives, external hard drives and all mobile devices.

CD/DVD secRMM Property

The second secRMM property related to discs is “BlockCDROMAndDVDWrites”. As its name implies, writing to any disc is blocked (i.e. not allowed). The benefit of using the “BlockCDROMAndDVDWrites” property, as opposed to disallowing discs via Active Directory Group Policy, is that secRMM logs the write violation, which tells you who the violator was (userid), what file they were trying to copy (the source file), where they were trying to copy it to (the target file, somewhere on the disc), what program they were using (explorer in this case), the time they attempted the write, and what computer the user was logged into. All of this information is logged in the Security event log and the secRMM event log.

If you are not interested in recording disc write violations but just want to prevent users from mounting writable discs, you can also enable the “Enforce when device is plugged in.” setting. When “Enforce when device is plugged in.” is on, as soon as the end-user inserts the disc into the drive, the disc is ejected. secRMM logs an ONLINE error which indicates the disc was forcibly unmounted (see screen shot).


secRMM is all about enabling productivity by allowing end-users to use removable storage while still protecting and securing the corporation’s data assets. As you can see, this applies to CDs/DVDs as well.

You can see a YouTube video on this subject at https://www.youtube.com/watch?v=7Ec3MD47-ws.

A free two week trial of secRMM is available at Squadra Technologies.