Squadra.secRMM
9.9.0.0
Squadra.secRMM
Microsoft.SystemCenter.DataWarehouse.Library
7.0.8432.0
31bf3856ad364e35
Microsoft.Windows.Library
7.5.8501.0
31bf3856ad364e35
System.Performance.Library
7.0.8432.0
31bf3856ad364e35
System.Library
7.5.8501.0
31bf3856ad364e35
Microsoft.SystemCenter.Library
7.0.8432.0
31bf3856ad364e35
System.Health.Library
7.0.8432.0
31bf3856ad364e35
Discovery
$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMExists
SYSTEM\CurrentControlSet\services\eventlog\secRMM
0
0
86400
$MPElement[Name="Squadra.secRMM.Event"]$
$MPElement[Name="Windows!Microsoft.Windows.Computer"]/PrincipalName$
$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$
Values/secRMMExists
Equal
true
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMM
EventDisplayNumber
Equal
400
1
1
$MPElement[Name="Squadra.secRMM.RMMDeviceOnline.AlertMessage"]$
$Data/EventDescription$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMM
EventDisplayNumber
Equal
401
1
1
$MPElement[Name="Squadra.secRMM.FileWriteStart.AlertMessage"]$
$Data/EventDescription$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMM
EventDisplayNumber
Equal
402
1
1
$MPElement[Name="Squadra.secRMM.FileWritten.AlertMessage"]$
$Data/EventDescription$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMM
EventDisplayNumber
Equal
403
1
1
$MPElement[Name="Squadra.secRMM.RMMDeviceOffline.AlertMessage"]$
$Data/EventDescription$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMM
EventDisplayNumber
Equal
700
1
1
$MPElement[Name="Squadra.secRMM.PropertyChanged.AlertMessage"]$
$Data/EventDescription$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMM
EventDisplayNumber
Equal
701
1
1
$MPElement[Name="Squadra.secRMM.ConfigurationChanged.AlertMessage"]$
$Data/EventDescription$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMM
EventDisplayNumber
Equal
601
1
1
$MPElement[Name="Squadra.secRMM.InvalidLicense.AlertMessage"]$
$Data/EventDescription$
$Data/EventDisplayNumber$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMM
EventDisplayNumber
Equal
504
2
2
$MPElement[Name="Squadra.secRMM.AllowedDirectoriesAuthorizationFailure.AlertMessage"]$
$Data/EventDescription$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMM
EventDisplayNumber
Equal
505
2
2
$MPElement[Name="Squadra.secRMM.AllowedFileExtensionsAuthorizationFailure.AlertMessage"]$
$Data/EventDescription$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMM
EventDisplayNumber
Equal
506
2
2
$MPElement[Name="Squadra.secRMM.AllowedInternalIdAuthorizationFailureWrite.AlertMessage"]$
$Data/EventDescription$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMM
EventDisplayNumber
Equal
501
2
2
$MPElement[Name="Squadra.secRMM.ProgramAuthorizationFailure.AlertMessage"]$
$Data/EventDescription$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMM
EventDisplayNumber
Equal
502
2
2
$MPElement[Name="Squadra.secRMM.SerialNumberAuthorizationFailureWrite.AlertMessage"]$
$Data/EventDescription$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMM
EventDisplayNumber
Equal
500
2
2
$MPElement[Name="Squadra.secRMM.UserAuthorizationFailureWrite.AlertMessage"]$
$Data/EventDescription$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMM
EventDisplayNumber
Equal
503
2
2
$MPElement[Name="Squadra.secRMM.UnknownSourceFailure.AlertMessage"]$
$Data/EventDescription$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMM
EventDisplayNumber
Equal
508
2
2
$MPElement[Name="Squadra.secRMM.AllowedInternalIdAuthorizationFailureOnline.AlertMessage"]$
$Data/EventDescription$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMM
EventDisplayNumber
Equal
507
2
2
$MPElement[Name="Squadra.secRMM.SerialNumberAuthorizationFailureOnline.AlertMessage"]$
$Data/EventDescription$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMM
EventDisplayNumber
Equal
509
2
2
$MPElement[Name="Squadra.secRMM.UserAuthorizationFailureOnline.AlertMessage"]$
$Data/EventDescription$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMM
EventDisplayNumber
Equal
510
2
2
$MPElement[Name="Squadra.secRMM.BlockCdDvdWritesEventOnline.AlertMessage"]$
$Data/EventDescription$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMM
EventDisplayNumber
Equal
511
2
2
$MPElement[Name="Squadra.secRMM.BlockCdDvdWritesEventWrite.AlertMessage"]$
$Data/EventDescription$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMM
EventDisplayNumber
Equal
512
2
2
$MPElement[Name="Squadra.secRMM.AllowBitLockerOnlyEventOnline.AlertMessage"]$
$Data/EventDescription$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMM
EventDisplayNumber
Equal
513
2
2
$MPElement[Name="Squadra.secRMM.AllowBitLockerOnlyEventWrite.AlertMessage"]$
$Data/EventDescription$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMM
EventDisplayNumber
Equal
514
2
2
$MPElement[Name="Squadra.secRMM.BlockProgramsOnDevice.AlertMessage"]$
$Data/EventDescription$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMM
EventDisplayNumber
Equal
515
2
2
$MPElement[Name="Squadra.secRMM.AllowRMSFilesOnly.AlertMessage"]$
$Data/EventDescription$
Notification
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMM
EventDisplayNumber
Equal
801
1
0
$MPElement[Name="Squadra.secRMM.SafeCopyPreApprovalRequest.AlertMessage"]$
$Data[Default='']/EventDescription$
Notification
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMM
EventDisplayNumber
Equal
300
1
0
$MPElement[Name="Squadra.secRMM.External.AlertMessage"]$
$Data[Default='']/EventDescription$
SecurityHealth
AuthorizePrograms.vbs
Null
Option Explicit
SetLocale("en-us")
Dim objArgs
Dim objSecRMM
Set objArgs = WScript.Arguments
Set objSecRMM = CreateObject("secRMMInterface")
If (objArgs(0) = "Null") Then
    objSecRMM.SetProperty "AllowedPrograms", Null
    WScript.Echo "secRMM Property AllowedPrograms has been cleared"
Else
    objSecRMM.SetProperty "AllowedPrograms", objArgs(0)
    WScript.Echo "secRMM Property AllowedPrograms has been set"
End If
300
SecurityHealth
SetAllowedSerialNumbers.vbs
Null
Option Explicit
SetLocale("en-us")
Dim objArgs
Dim objSecRMM
Set objArgs = WScript.Arguments
Set objSecRMM = CreateObject("secRMMInterface")
If (objArgs(0) = "Null") Then
    objSecRMM.SetProperty "AllowedSerialNumbers", Null
    WScript.Echo "secRMM Property AllowedSerialNumbers has been cleared"
Else
    objSecRMM.SetProperty "AllowedSerialNumbers", objArgs(0)
    WScript.Echo "secRMM Property AllowedSerialNumbers has been set"
End If
300
SecurityHealth
SetAllowedInternalIds.vbs
Null
Option Explicit
SetLocale("en-us")
Dim objArgs
Dim objSecRMM
Set objArgs = WScript.Arguments
Set objSecRMM = CreateObject("secRMMInterface")
If (objArgs(0) = "Null") Then
    objSecRMM.SetProperty "AllowedInternalIds", Null
    WScript.Echo "secRMM Property AllowedInternalIds has been cleared"
Else
    objSecRMM.SetProperty "AllowedInternalIds", objArgs(0)
    WScript.Echo "secRMM Property AllowedInternalIds has been set"
End If
300
SecurityHealth
SetAllowedUsers.vbs
Null
Option Explicit
SetLocale("en-us")
Dim objArgs
Dim objSecRMM
Set objArgs = WScript.Arguments
Set objSecRMM = CreateObject("secRMMInterface")
If (objArgs(0) = "Null") Then
    objSecRMM.SetProperty "AllowedUsers", Null
    WScript.Echo "secRMM Property AllowedUsers has been cleared"
Else
    objSecRMM.SetProperty "AllowedUsers", objArgs(0)
    WScript.Echo "secRMM Property AllowedUsers has been set"
End If
300
SecurityHealth
SetLockdownMode.vbs
Null
Option Explicit
SetLocale("en-us")
Dim objSecRMM
Set objSecRMM = CreateObject("secRMMInterface")
objSecRMM.SetProperty "AllowedSerialNumbers", "secRMM_is_locked_down"
WScript.Echo "secRMM has been set to lockdown mode. This is accomplished by setting the secRMM Property AllowedSerialNumbers to 'secRMM_is_locked_down' (i.e. Computer has been locked down for Removable Media write activity)."
300
SecurityHealth
SetMonitoringMode.vbs
Null
Option Explicit
SetLocale("en-us")
Dim objSecRMM
Set objSecRMM = CreateObject("secRMMInterface")
objSecRMM.SetProperty "AllowedUsers", Null
objSecRMM.SetProperty "AllowedPrograms", Null
objSecRMM.SetProperty "AllowedSerialNumbers", Null
objSecRMM.SetProperty "AllowedInternalIds", Null
WScript.Echo "secRMM has been set to monitoring mode (i.e. Removable Media write activity is allowed and being logged)."
300
Custom
Error
true
Normal
Error
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
Winmgmt
true
Res.Squadra.secRMM.ConsoleTask.SafeCopyApprover.Computer
ShellHandler
C:\Program Files\secRMM\AdminUtils
C:\Program Files\secRMM\AdminUtils\secRMMSafeCopyApprover.exe
$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetbiosComputerName$
Res.Squadra.secRMM.ConsoleTask.SafeCopyApprover.Alert
ShellHandler
C:\Program Files\secRMM\AdminUtils
C:\Program Files\secRMM\AdminUtils\secRMMSafeCopyApprover.exe
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetbiosComputerName$
Alert
255
Severity
Severity
Icon
Icon
Path
MonitoringObjectPath
Source
MonitoringObjectDisplayName
Maintenance Mode
MonitoringObjectInMaintenanceMode
Name
Name
Created
TimeRaised
Resolution State
ResolutionState
Age
Age
Type
Category
Owner
Owner
Priority
Priority
Latency
Latency
Description
Description
Connector
ConnectorId
Forwarding Status
ConnectorStatus
Class
Class
Time in State
TimeInState
Custom Field 1
CustomField1
Custom Field 2
CustomField2
Custom Field 3
CustomField3
Custom Field 4
CustomField4
Custom Field 5
CustomField5
Custom Field 6
CustomField6
Custom Field 7
CustomField7
Custom Field 8
CustomField8
Custom Field 9
CustomField9
Custom Field 10
CustomField10
Resolved By
ResolvedBy
Time Resolved
TimeResolved
Last State Change
TimeResolutionStateLastModified
Last Modified
LastModified
Last Modified By
LastModifiedBy
Management Group
ManagementGroup
Site
SiteName
Repeat Count
RepeatCount
Ticket ID
TicketId
Security for Removable Media (secRMM) Library
secRMM is a security product from Squadra Technologies which monitors and controls all 'Removable Media' activities in your data centers. Removable Media in this context is any USB removable storage device, removable external hard drives, smart phones, etc. This Operations Manager Management Pack will collect the secRMM events and create Operations Manager alerts.
Removable Media Alerts
Alerts for Removable Media Devices. These alerts are from events generated by the secRMM product.
Authorize Programs
This opsmgr agent task allows you to set the secRMM "AllowedPrograms" property. The secRMM AllowedPrograms property tells secRMM which program(s) have the authority to write to a Removable Media Device. The secRMM AllowedPrograms property can also be used to completely disallow use of Removable Media. This is accomplished by specifying a value that will never match any program name within your environment. The value of the secRMM AllowedPrograms property is a semicolon-separated list of programs. Each program is given as its fully qualified path and file name (ex: C:\Program Files\MyApp\MyApp.exe).
Authorize Serial Numbers
This opsmgr agent task allows you to set the secRMM "AllowedSerialNumbers" property. The secRMM AllowedSerialNumbers property tells secRMM which SerialNumber(s) are allowed to be written to. The secRMM AllowedSerialNumbers property can also be used to completely disallow use of Removable Media. This is accomplished by specifying a value that will never match any SerialNumbers within your environment. The value of the secRMM AllowedSerialNumbers property is a semicolon-separated list of SerialNumbers.
Authorize Internal Ids
This opsmgr agent task allows you to set the secRMM "AllowedInternalIds" property. The secRMM AllowedInternalIds property tells secRMM which Internal Id(s) are allowed to be written to. The secRMM AllowedInternalIds property can be used to limit Removable Media use to particular makes and models of Removable Media devices. The value of the secRMM AllowedInternalIds property is a semicolon-separated list of Internal Ids (typically composed of VIDs and PIDs).
Authorize Users
This opsmgr agent task allows you to set the secRMM "AllowedUsers" property. The secRMM AllowedUsers property tells secRMM who has the authority to write to a Removable Media Device. The secRMM AllowedUsers property can also be used to completely disallow use of Removable Media (same functionality as the secRMM Lockdown agent task). This is accomplished by specifying a value that will never match any userid within your environment. The value of the secRMM AllowedUsers property is a semicolon-separated list of userids. The format of the userids is domainName\userid.
secRMM Lockdown mode
This opsmgr agent task allows you to set secRMM into lockdown mode. secRMM lockdown mode prevents write activity to Removable Media devices on the computer.
secRMM Monitoring mode
This opsmgr agent task allows you to set secRMM into monitoring mode. secRMM monitoring mode allows write activity to Removable Media devices on the computer. All write activity to Removable Media devices is monitored/audited (i.e. logged to the event log).
secRMM
Collects all secRMM events from the workstations and servers and pulls them into Operations Manager as alerts.
secRMMEvent Discovery
This discovery finds computers running the secRMM product by looking in the computer's registry for the secRMM event log entry.
secRMM DeviceFileWriteStart
A file write operation to a 'Removable Media' device has started.
File Write to Removable Media Device started - secRMM
Event Description: {0}
secRMM DeviceFileWritten
A file was written to a 'Removable Media' device.
File Written to Removable Media Device - secRMM
Event Description: {0}
secRMM InvalidLicense
secRMM is installed but does not have a valid license.
Invalid or no license - secRMM
Event Description: {0}
secRMM ProgramAuthorizationFailure
A user attempted to write a file(s) to a 'Removable Media' device but was not authorized because the program used to perform the write operation was not authorized. The write attempt failed.
Removable Media Unauthorized Program Failure - secRMM
Event Description: {0}
secRMM Property Changed
A secRMM property was changed.
secRMM Configuration Changed
A secRMM configuration was changed.
Property Changed - secRMM
Event Description: {0}
Configuration Changed - secRMM
Event Description: {0}
secRMM DeviceOffline
A 'Removable Media' device has gone offline (i.e. removed from the computer).
Removable Media Device Offline - secRMM
Event Description: {0}
secRMM DeviceOnline
A 'Removable Media' device has come online (i.e. plugged into the computer).
Removable Media Device Online - secRMM
Event Description: {0}
secRMM SerialNumberAuthorizationFailureWrite
A user attempted to write a file(s) to a 'Removable Media' device but the Serial Number of the 'Removable Media' device was not authorized. The write attempt failed.
secRMM SerialNumberAuthorizationFailureOnline
A 'Removable Media' device was plugged into the computer but the Serial Number of the 'Removable Media' device was not authorized. Bringing the device online failed.
Removable Media Unauthorized Serial Number Failure (Write) - secRMM
Event Description: {0}
Removable Media Unauthorized Serial Number Failure (Online) - secRMM
Event Description: {0}
secRMM UnknownSourceFailure
A user attempted to write a file(s) to a 'Removable Media' device but the source file could not be determined. The write attempt failed.
Removable Media Unknown Source Failure - secRMM
Event Description: {0}
secRMM UserAuthorizationFailureWrite
A user attempted to write a file(s) to a 'Removable Media' device but was not authorized. The write attempt failed.
secRMM UserAuthorizationFailureOnline
A 'Removable Media' device was plugged into the computer but no logged-in user is authorized to use the Removable Media. Bringing the device online failed.
secRMM BlockCdDvdWritesEventOnline
A CD/DVD disc was plugged into the computer but writing to CD/DVD is being blocked. Bringing the device online failed.
secRMM BlockCdDvdWritesEventWrite
An attempt was made to copy a file to a CD/DVD disc but writing to CD/DVD is being blocked.
secRMM AllowBitLockerOnlyEventOnline
A 'Removable Media' device was plugged into the computer but it was not BitLocker protected. Bringing the device online failed.
secRMM AllowBitLockerOnlyEventWrite
An attempt was made to copy a file to a 'Removable Media' device that is not BitLocker protected.
secRMM BlockProgramsOnDevice
An attempt was made to execute a program or macro from a 'Removable Media' device.
secRMM AllowRMSFilesOnly
An attempt was made to copy a file to a 'Removable Media' device where the file being copied was not Microsoft RMS protected.
Removable Media Unauthorized User Failure (Write) - secRMM
Event Description: {0}
Removable Media Unauthorized User Failure (Online) - secRMM
Event Description: {0}
Removable Media Block Cd/Dvd Failure (Online) - secRMM
Event Description: {0}
Removable Media Block Cd/Dvd Failure (Write) - secRMM
Event Description: {0}
Removable Media Allow BitLocker Only Failure (Online) - secRMM
Event Description: {0}
Removable Media Allow BitLocker Only Failure (Write) - secRMM
Event Description: {0}
Removable Media Block Programs On Device - secRMM
Event Description: {0}
Removable Media Allow RMS Files Only - secRMM
Event Description: {0}
secRMM AllowedDirectoriesAuthorizationFailure
A user attempted to write a file(s) to a 'Removable Media' device from a directory location that was not authorized. The write attempt failed.
Removable Media Unauthorized Allowed Directories Failure - secRMM
Event Description: {0}
secRMM AllowedFileExtensionsAuthorizationFailure
A user attempted to write a file(s) to a 'Removable Media' device but the file extension was not authorized. The write attempt failed.
Removable Media Unauthorized File Extensions Failure - secRMM
Event Description: {0}
secRMM AllowedInternalIdAuthorizationFailureWrite
A user attempted to write a file(s) to a 'Removable Media' device but the internal Id of the device was not authorized. The write attempt failed.
secRMM AllowedInternalIdAuthorizationFailureOnline
A 'Removable Media' device was plugged into the computer but the internal Id of the device was not authorized. Bringing the device online failed.
Removable Media Unauthorized Internal Id Failure (Write) - secRMM
Event Description: {0}
Removable Media Unauthorized Internal Id Failure (Online) - secRMM
Event Description: {0}
secRMM SafeCopy PreApproval
An end-user is requesting permission to use the secRMM SafeCopy program. An approver needs to satisfy the request.
secRMM SafeCopy PreApproval
Event Description: {0}
secRMM External Message
An external message generated for secRMM (ex: Log cleared).
secRMM External Message
Event Description: {0}
WMI
WMI service
Service is running
Service is not running
WMI
Please see the alert context for details.
secRMM SafeCopy Approver
The secRMM SafeCopy program is a GUI application for end-users. SafeCopy allows end-users to copy files from the local drives and/or network drives to a removable media device. The program supports a two-man policy. The two-man policy requires an Administrator to approve the use of SafeCopy before the end-user can begin using the program. The SafeCopy Approver program is the program the Administrator uses to approve the end-user's use of SafeCopy.
secRMM SafeCopy Approver
The secRMM SafeCopy program is a GUI application for end-users. SafeCopy allows end-users to copy files from the local drives and/or network drives to a removable media device. The program supports a two-man policy. The two-man policy requires an Administrator to approve the use of SafeCopy before the end-user can begin using the program. The SafeCopy Approver program is the program the Administrator uses to approve the end-user's use of SafeCopy.
Summary
This management pack incorporates the secRMM product from Squadra Technologies into Microsoft Operations Manager.
secRMM is a product that monitors and controls activity to Removable Media devices.
secRMM uses the security event log as well as its own event log to record the Removable Media online, offline and write activity.
secRMM also allows the ability to authorize access to Removable Media devices by user(s) and/or by program(s).
External
Squadra Technologies web site
Summary
This discovery uses the computer's registry. It looks for the secRMM event log registry key.
Configuration
Ensure the secRMM product is installed on the computer where you want to monitor Removable Media activity.
Causes
Resolutions
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert when a Removable Media device is brought online (inserted into the computer).
Configuration
Causes
The Removable Media device was brought online. Typically, this is done when a person physically inserts a USB stick or external hard drive into the computer.
Resolutions
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert when a file write to a Removable Media device starts.
Configuration
You may want to disable this rule if you have specific computers that use
Removable Media devices often. Disabling this rule for those computers
will minimize the alerts in the Operations Manager console.
Causes
A file write operation to a Removable Media device has started.
Resolutions
secRMM allows you to control who and what program can write to a Removable Media device for a particular computer.
Please read the secRMM Administrators Guide (see External link below) section "Enabling Authorization" to apply authorization control on
the Removable Media devices.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert when a file gets written to a Removable Media device.
Configuration
You may want to disable this rule if you have specific computers that use
Removable Media devices often. Disabling this rule for those computers
will minimize the alerts in the Operations Manager console.
Causes
A file was written to a Removable Media device.
Resolutions
secRMM allows you to control who and what program can write to a Removable Media device for a particular computer.
Please read the secRMM Administrators Guide (see External link below) section "Enabling Authorization" to apply authorization control on
the Removable Media devices.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert when a Removable Media device is taken offline (removed from the computer).
Configuration
Causes
The Removable Media device was taken offline. Typically, this is done when a person physically removes a USB stick or external hard drive from the computer.
Resolutions
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because a secRMM Administrator changed a secRMM property.
secRMM properties affect authorization. secRMM authorization can be specified for users, programs and removable media serial numbers.
Configuration
N/A.
Causes
A secRMM Administrator changed a secRMM property on this computer. The alert will contain the property name, the new value and, if one existed previously, the old value.
Resolutions
Be sure the administrator userid specified in the alert is a valid secRMM Administrator. If not, please contact your security department immediately.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because a secRMM Administrator changed a secRMM configuration.
secRMM configurations define the secRMM properties that are associated with a computer or user(s).
Configuration
N/A.
Causes
A secRMM Administrator changed a secRMM configuration on this computer. The alert will contain the configuration name (this is a userid/SID) and the name of the Administrator or program (AD or SCCM) that initiated the change.
Resolutions
Be sure the administrator userid specified in the alert is a valid secRMM Administrator. If not, please contact your security department immediately.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert when the computer running secRMM does not have a valid secRMM License file.
Configuration
Contact the secRMM system administrator for a valid secRMM license file.
Causes
There is no license file on the computer.
Resolutions
Copy a valid secRMM license file to the computer. The license file needs to be copied to the secRMM product directory.
By default, the secRMM product directory is \Program Files\secRMM.
Additional
Squadra Technologies generates the secRMM license files and distributes them to your company.
External
Squadra Technologies web site
Summary
This rule generates an alert because the following two conditions are true:
1. An attempt was made to perform a file write operation to a Removable Media device when there was a secRMM "AllowedDirectories" property defined on the computer.
2. An attempt was made to perform a file write operation to a Removable Media device where the source file being copied was not from a directory in the "AllowedDirectories" property.
Configuration
Modify or remove the secRMM "AllowedDirectories" property on the computer where this alert occurred.
Causes
The source file being copied was in a directory that was not in the secRMM "AllowedDirectories" property.
Resolutions
If you want to allow the source file in the alert to be able to be written to the Removable Media device on the computer,
change the secRMM "AllowedDirectories" property to include the directory where the file is located.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following two conditions are true:
1. An attempt was made to perform a file write operation to a Removable Media device when there was a secRMM "AllowedFileExtensions" property defined on the computer.
2. An attempt was made to perform a file write operation to a Removable Media device where the source file being copied had a file extension that was not in the "AllowedFileExtensions" property.
Configuration
Modify or remove the secRMM "AllowedFileExtensions" property on the computer where this alert occurred.
Causes
The source file being copied has a file extension that was not in the secRMM "AllowedFileExtensions" property.
Resolutions
If you want to allow the source file in the alert to be able to be written to the Removable Media device on the computer,
change the secRMM "AllowedFileExtensions" property to include the file extension of the file.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following two conditions are true:
1. An attempt was made to perform a file write operation to a Removable Media device when there was a secRMM "AllowedInternalIds" property defined on the computer.
2. An attempt was made to perform a file write operation to a Removable Media device where the device's internal Id did not match a value in the "AllowedInternalIds" property.
Configuration
Modify or remove the secRMM "AllowedInternalIds" property on the computer where this alert occurred.
Causes
The Removable Media device has an Internal Id that does not match the value of the secRMM "AllowedInternalIds" property.
Resolutions
If you want to allow the source file in the alert to be able to be written to the Removable Media device on the computer,
change the secRMM "AllowedInternalIds" property to include the internal Id of the Removable Media device.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following two conditions are true:
1. An attempt was made to perform a file write operation to a Removable Media device when there was a secRMM "AllowedPrograms" property defined on the computer.
2. An attempt was made to perform a file write operation to a Removable Media device when the program being used to perform the file write operation was not in the secRMM "AllowedPrograms" property.
Configuration
Modify or remove the secRMM "AllowedPrograms" property on the computer where this alert occurred.
Causes
The program being used to perform the file write operation was not in the secRMM "AllowedPrograms" property.
Resolutions
If you want to allow the program listed in the alert to be able to write to the Removable Media device on the computer,
change the secRMM "AllowedPrograms" property to include the program.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following two conditions are true:
1. An attempt was made to perform a file write operation to a Removable Media device when there was a secRMM "AllowedSerialNumbers" property defined on the computer.
2. An attempt was made to perform a file write operation to a Removable Media device and the Serial Number of the Removable Media device was not in the secRMM "AllowedSerialNumbers" property.
Configuration
Modify or remove the secRMM "AllowedSerialNumbers" property on the computer where this alert occurred.
Causes
The Removable Media device's Serial Number used to perform the file write operation was not in the secRMM "AllowedSerialNumbers" property.
Resolutions
If you want to allow write operations to a Removable Media device, its Serial Number must be included in the secRMM "AllowedSerialNumbers" property.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following two conditions are true:
1. An attempt was made to perform a file write operation to a Removable Media device when there was a secRMM "AllowedUsers" property defined on the computer.
2. An attempt was made to perform a file write operation to a Removable Media device when the user who performed the file write operation was not in the secRMM "AllowedUsers" property.
Configuration
Modify or remove the secRMM "AllowedUsers" property on the computer where this alert occurred.
Causes
The user who performed the file write operation was not in the secRMM "AllowedUsers" property.
Resolutions
If you want to allow the user listed in the alert to be able to write to the Removable Media device on the computer,
change the secRMM "AllowedUsers" property to include the user.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following two conditions are true:
1. An attempt was made to perform a file write operation to a Removable Media device when the secRMM "FailWriteIfSourceFileUnknown" property defined on the computer was on (i.e. true or enabled).
2. An attempt was made to perform a file write operation to a Removable Media device and the source file of the write operation could not be determined.
Configuration
Disable the secRMM "FailWriteIfSourceFileUnknown" property on the computer where this alert occurred.
Causes
The source file of the write operation could not be determined by secRMM.
Resolutions
Have the user use a different program or command to perform the removable media write operation.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following two conditions are true:
1. An attempt was made to bring a Removable Media device online when there was a secRMM "AllowedInternalIds" property defined on the computer which also contained the [EnforceWhenPluggedIn] attribute.
2. An attempt was made to bring a Removable Media device online and the Internal Id did not match a value in the "AllowedInternalIds" property.
Configuration
Modify or remove the secRMM "AllowedInternalIds" property on the computer where this alert occurred.
Causes
The Removable Media device has an Internal Id that does not match the value of the secRMM "AllowedInternalIds" property.
Resolutions
If you want to allow this Removable Media device to be used on this computer, its Internal Id must be included in the secRMM "AllowedInternalIds" property.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following two conditions are true:
1. An attempt was made to bring a Removable Media device online when there was a secRMM "AllowedSerialNumbers" property defined on the computer which also contained the [EnforceWhenPluggedIn] attribute.
2. An attempt was made to bring a Removable Media device online and the Serial Number of the Removable Media device was not in the secRMM "AllowedSerialNumbers" property.
Configuration
Modify or remove the secRMM "AllowedSerialNumbers" property on the computer where this alert occurred.
Causes
The Removable Media device's Serial Number was not in the secRMM "AllowedSerialNumbers" property.
Resolutions
If you want to allow this Removable Media device to be used on this computer, its Serial Number must be included in the secRMM "AllowedSerialNumbers" property.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following two conditions are true:
1. An attempt was made to bring a Removable Media device online when there was a secRMM "AllowedUsers" property defined on the computer which also contained the [EnforceWhenPluggedIn] attribute.
2. An attempt was made to bring a Removable Media device online and no user is currently logged in that matches a value in the "AllowedUsers" property.
Configuration
Modify or remove the secRMM "AllowedUsers" property on the computer where this alert occurred.
Causes
No userid in the secRMM "AllowedPrograms" property is currently logged into the computer.
Resolutions
A userid in the secRMM "AllowedUsers" property must be logged in before the Removable Media device can be used.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following condition is true:
1. An attempt was made to bring a CD/DVD disc online when there was a secRMM "BlockCdDvdWrites" property defined on the computer which also contained the [EnforceWhenPluggedIn] attribute.
Configuration
Modify or remove the secRMM "BlockCdDvdWrites" property on the computer where this alert occurred.
Causes
No CD or DVD discs are allowed to mount on the computer because the secRMM "BlockCdDvdWrites" property (with the [EnforceWhenPluggedIn] attribute) is currently set on the computer.
Resolutions
Clear the secRMM "BlockCdDvdWrites" property so that the CD/DVD disc will mount and be available in Windows.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following condition is true:
1. An attempt was made to copy a file to a CD/DVD disc when the secRMM "BlockCdDvdWrites" property was defined on the computer.
Configuration
Modify or remove the secRMM "BlockCdDvdWrites" property on the computer where this alert occurred.
Causes
Copying files to CD or DVD discs is not allowed on the computer because the secRMM "BlockCdDvdWrites" property is currently set on the computer.
Resolutions
Clear the secRMM "BlockCdDvdWrites" property so that the end-user can copy files to the CD/DVD disc.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following condition is true:
1. An attempt was made to mount a "Removable Media" device that is not BitLocker protected when the secRMM "AllowBitLockerOnly" property (with the [EnforceWhenPluggedIn] attribute) was defined on the computer.
Configuration
Modify or remove the secRMM "AllowBitLockerOnly" property on the computer where this alert occurred.
Causes
Mounting a "Removable Media" device that is not BitLocker protected is not allowed on the computer because the secRMM "AllowBitLockerOnly" property (with the [EnforceWhenPluggedIn] attribute) is currently set on the computer.
Resolutions
Clear the secRMM "AllowBitLockerOnly" property so that non-BitLocker protected devices can be used, or use a BitLocker protected "Removable Media" device.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following condition is true:
1. An attempt was made to copy a file to a "Removable Media" device that is not BitLocker protected when the secRMM "AllowBitLockerOnly" property was defined on the computer.
Configuration
Modify or remove the secRMM "AllowBitLockerOnly" property on the computer where this alert occurred.
Causes
Copying file(s) to a "Removable Media" device that is not BitLocker protected is not allowed on the computer because the secRMM "AllowBitLockerOnly" property is currently set on the computer.
Resolutions
Clear the secRMM "AllowBitLockerOnly" property so that non-BitLocker protected devices can be used, or use a BitLocker protected "Removable Media" device.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following condition is true:
1. An attempt was made to execute a program or macro from a "Removable Media" device when the secRMM "BlockProgramsOnDevice" property was defined on the computer.
Configuration
Modify or remove the secRMM "BlockProgramsOnDevice" property on the computer where this alert occurred.
Causes
Executing a program or macro from a "Removable Media" device is not allowed on the computer because the secRMM "BlockProgramsOnDevice" property is currently set on the computer.
Resolutions
Clear the secRMM "BlockProgramsOnDevice" property so that programs can be executed from the "Removable Media" device.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following condition is true:
1. An attempt was made to copy file(s) to a "Removable Media" device when the file being copied was not protected by Microsoft RMS and the secRMM "AllowRMSFilesOnly" property was defined on the computer.
Configuration
Before copying the file to removable media, protect the file using Microsoft RMS. You can also remove the secRMM "AllowRMSFilesOnly" property on the computer where this alert occurred.
Causes
Copying files that are not protected by Microsoft RMS to a "Removable Media" device is not allowed on the computer because the secRMM "AllowRMSFilesOnly" property is currently set on the computer.
Resolutions
Protect the file using Microsoft RMS and/or clear the secRMM "AllowRMSFilesOnly" property.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because a user is attempting to use a removable media device and the secRMM "PreApproveSafeCopy" property is "on".
This is the key component of the "enforceable two man policy" implementation. Until an administrator approves this request,
the user cannot access the removable media device.
Configuration
Modify or remove the secRMM "PreApproveSafeCopy" property on the computer where this alert occurred.
Causes
The secRMM "enforceable two man policy" is in effect.
Resolutions
An administrator needs to use the secRMM SafeCopy Approver program to either approve or reject the user's request to use the removable media.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because an external event occurred which is related to secRMM.
An example of such an event is when the secRMM event log gets backed up by a scheduled task.
Configuration
This event is usually called in a script such as BackupSecRMMEventLog.cmd (in the secRMM AdminUtils subdirectory) via the WriteToNTEventLog API.
Causes
A secRMM external event occurred.
Resolutions
These events are typically informational and no resolution is required.
Additional
External
Squadra Technologies web site