Squadra.secRMMCentral
9.9.0.0
Squadra.secRMMCentral
Microsoft.SystemCenter.DataWarehouse.Library
7.0.8432.0
31bf3856ad364e35
Microsoft.Windows.Library
7.5.8501.0
31bf3856ad364e35
System.Performance.Library
7.0.8432.0
31bf3856ad364e35
System.Library
7.5.8501.0
31bf3856ad364e35
Microsoft.SystemCenter.Library
7.0.8432.0
31bf3856ad364e35
System.Health.Library
7.0.8432.0
31bf3856ad364e35
Discovery
$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentralExists
SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\secRMMCentral
0
0
86400
$MPElement[Name="Squadra.secRMMCentral.Event"]$
$MPElement[Name="Windows!Microsoft.Windows.Computer"]/PrincipalName$
$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$
Values/secRMMCentralExists
Equal
true
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentral
true
EventDisplayNumber
Equal
400
1
1
$MPElement[Name="Squadra.secRMM.RMMDeviceOnline.AlertMessage"]$
$Data/EventDescription$
$Data/LoggingComputer$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentral
true
EventDisplayNumber
Equal
401
1
1
$MPElement[Name="Squadra.secRMM.FileWriteStart.AlertMessage"]$
$Data/EventDescription$
$Data/LoggingComputer$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentral
true
EventDisplayNumber
Equal
402
1
1
$MPElement[Name="Squadra.secRMM.FileWritten.AlertMessage"]$
$Data/EventDescription$
$Data/LoggingComputer$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentral
true
EventDisplayNumber
Equal
403
1
1
$MPElement[Name="Squadra.secRMM.RMMDeviceOffline.AlertMessage"]$
$Data/EventDescription$
$Data/LoggingComputer$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentral
true
EventDisplayNumber
Equal
700
1
1
$MPElement[Name="Squadra.secRMM.PropertyChanged.AlertMessage"]$
$Data/EventDescription$
$Data/LoggingComputer$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentral
true
EventDisplayNumber
Equal
701
1
1
$MPElement[Name="Squadra.secRMM.ConfigurationChanged.AlertMessage"]$
$Data/EventDescription$
$Data/LoggingComputer$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentral
true
EventDisplayNumber
Equal
601
1
1
$MPElement[Name="Squadra.secRMM.InvalidLicense.AlertMessage"]$
$Data/EventDescription$
$Data/EventDisplayNumber$
$Data/LoggingComputer$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentral
true
EventDisplayNumber
Equal
504
2
2
$MPElement[Name="Squadra.secRMM.AllowedDirectoriesAuthorizationFailure.AlertMessage"]$
$Data/EventDescription$
$Data/LoggingComputer$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentral
true
EventDisplayNumber
Equal
505
2
2
$MPElement[Name="Squadra.secRMM.AllowedFileExtensionsAuthorizationFailure.AlertMessage"]$
$Data/EventDescription$
$Data/LoggingComputer$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentral
true
EventDisplayNumber
Equal
506
2
2
$MPElement[Name="Squadra.secRMM.AllowedInternalIdAuthorizationFailureWrite.AlertMessage"]$
$Data/EventDescription$
$Data/LoggingComputer$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentral
true
EventDisplayNumber
Equal
501
2
2
$MPElement[Name="Squadra.secRMM.ProgramAuthorizationFailure.AlertMessage"]$
$Data/EventDescription$
$Data/LoggingComputer$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentral
true
EventDisplayNumber
Equal
502
2
2
$MPElement[Name="Squadra.secRMM.SerialNumberAuthorizationFailureWrite.AlertMessage"]$
$Data/EventDescription$
$Data/LoggingComputer$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentral
true
EventDisplayNumber
Equal
500
2
2
$MPElement[Name="Squadra.secRMM.UserAuthorizationFailureWrite.AlertMessage"]$
$Data/EventDescription$
$Data/LoggingComputer$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentral
true
EventDisplayNumber
Equal
503
2
2
$MPElement[Name="Squadra.secRMM.UnknownSourceFailure.AlertMessage"]$
$Data/EventDescription$
$Data/LoggingComputer$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentral
true
EventDisplayNumber
Equal
508
2
2
$MPElement[Name="Squadra.secRMM.AllowedInternalIdAuthorizationFailureOnline.AlertMessage"]$
$Data/EventDescription$
$Data/LoggingComputer$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentral
true
EventDisplayNumber
Equal
507
2
2
$MPElement[Name="Squadra.secRMM.SerialNumberAuthorizationFailureOnline.AlertMessage"]$
$Data/EventDescription$
$Data/LoggingComputer$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentral
true
EventDisplayNumber
Equal
509
2
2
$MPElement[Name="Squadra.secRMM.UserAuthorizationFailureOnline.AlertMessage"]$
$Data/EventDescription$
$Data/LoggingComputer$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentral
true
EventDisplayNumber
Equal
510
2
2
$MPElement[Name="Squadra.secRMM.BlockCdDvdWritesEventOnline.AlertMessage"]$
$Data/EventDescription$
$Data/LoggingComputer$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentral
true
EventDisplayNumber
Equal
511
2
2
$MPElement[Name="Squadra.secRMM.BlockCdDvdWritesEventWrite.AlertMessage"]$
$Data/EventDescription$
$Data/LoggingComputer$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentral
true
EventDisplayNumber
Equal
512
2
2
$MPElement[Name="Squadra.secRMM.AllowBitLockerOnlyEventOnline.AlertMessage"]$
$Data/EventDescription$
$Data/LoggingComputer$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentral
true
EventDisplayNumber
Equal
513
2
2
$MPElement[Name="Squadra.secRMM.AllowBitLockerOnlyEventWrite.AlertMessage"]$
$Data/EventDescription$
$Data/LoggingComputer$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentral
true
EventDisplayNumber
Equal
514
2
2
$MPElement[Name="Squadra.secRMM.BlockProgramsOnDevice.AlertMessage"]$
$Data/EventDescription$
$Data/LoggingComputer$
Alert
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentral
true
EventDisplayNumber
Equal
515
2
2
$MPElement[Name="Squadra.secRMM.AllowRMSFilesOnly.AlertMessage"]$
$Data/EventDescription$
$Data/LoggingComputer$
Notification
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentral
true
EventDisplayNumber
Equal
801
1
0
$MPElement[Name="Squadra.secRMM.SafeCopyPreApprovalRequest.AlertMessage"]$
$Data[Default='']/EventDescription$
$Data/LoggingComputer$
Notification
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
secRMMCentral
true
EventDisplayNumber
Equal
300
1
0
$MPElement[Name="Squadra.secRMM.External.AlertMessage"]$
$Data[Default='']/EventDescription$
$Data/LoggingComputer$
Custom
Error
true
Normal
Error
$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$
WinRM
true
Alert
255
Severity
Severity
Icon
Icon
Path
MonitoringObjectPath
Source
MonitoringObjectDisplayName
Maintenance Mode
MonitoringObjectInMaintenanceMode
Name
Name
Created
TimeRaised
Resolution State
ResolutionState
Age
Age
Type
Category
Owner
Owner
Priority
Priority
Latency
Latency
Description
Description
Connector
ConnectorId
Forwarding Status
ConnectorStatus
Class
Class
Time in State
TimeInState
Custom Field 1
CustomField1
Custom Field 2
CustomField2
Custom Field 3
CustomField3
Custom Field 4
CustomField4
Custom Field 5
CustomField5
Custom Field 6
CustomField6
Custom Field 7
CustomField7
Custom Field 8
CustomField8
Custom Field 9
CustomField9
Custom Field 10
CustomField10
Resolved By
ResolvedBy
Time Resolved
TimeResolved
Last State Change
TimeResolutionStateLastModified
Last Modified
LastModified
Last Modified By
LastModifiedBy
Management Group
ManagementGroup
Site
SiteName
Repeat Count
RepeatCount
Ticket ID
TicketId
Security for Removable Media (secRMM) Central Library
secRMM is a security product from Squadra Technologies which monitors and controls all 'Removable Media' activities in your data centers. Removable Media in this context is any USB removable storage device, removable external hard drives, smart phones, etc. This Operations Manager Management Pack will collect the secRMM events and create Operations Manager alerts. secRMMCentral is an add-on to secRMM. secRMMCentral collects secRMM events from various other computers and stores them in a central event log.
Removable Media Central Alerts
Alerts for Removable Media Devices. These alerts are from events generated by the secRMMCentral product.
secRMMCentral
Collects all secRMMCentral events and pulls them into Operations Manager as alerts.
secRMMCentralEvent Discovery
This discovery finds computers running the secRMMCentral product by looking in the computer's registry for the secRMMCentral event log entry.
secRMM DeviceFileWriteStart
A file write operation to a 'Removable Media' device has started.
File Write to Removable Media Device started - secRMM
Event Description: {0}
secRMM DeviceFileWritten
A file was written to a 'Removable Media' device.
File Written to Removable Media Device - secRMM
Event Description: {0}
secRMM InvalidLicense
secRMM is installed but does not have a valid license.
Invalid or no license - secRMM
Event Description: {0}
secRMM ProgramAuthorizationFailure
A user attempted to write a file(s) to a 'Removable Media' device but was not authorized because the program used to perform the write operation was not authorized. The write attempt failed.
Removable Media Unauthorized Program Failure - secRMM
Event Description: {0}
secRMM Property Changed
A secRMM property was changed.
secRMM Configuration Changed
A secRMM configuration was changed.
Property Changed - secRMM
Event Description: {0}
Configuration Changed - secRMM
Event Description: {0}
secRMM DeviceOffline
A 'Removable Media' device has gone offline (i.e. removed from the computer).
Removable Media Device Offline - secRMM
Event Description: {0}
secRMM DeviceOnline
A 'Removable Media' device has come online (i.e. plugged into the computer).
Removable Media Device Online - secRMM
Event Description: {0}
secRMM SerialNumberAuthorizationFailureWrite
A user attempted to write a file(s) to a 'Removable Media' device but the Serial Number of the 'Removable Media' device was not authorized. The write attempt failed.
secRMM SerialNumberAuthorizationFailureOnline
A 'Removable Media' device was plugged into the computer but the Serial Number of the 'Removable Media' device was not authorized. Bringing the device online failed.
Removable Media Unauthorized Serial Number Failure (Write) - secRMM
Event Description: {0}
Removable Media Unauthorized Serial Number Failure (Online) - secRMM
Event Description: {0}
secRMM UnknownSourceFailure
A user attempted to write a file(s) to a 'Removable Media' device but the source file could not be determined. The write attempt failed.
Removable Media Unknown Source Failure - secRMM
Event Description: {0}
secRMM UserAuthorizationFailureWrite
A user attempted to write a file(s) to a 'Removable Media' device but was not authorized. The write attempt failed.
secRMM UserAuthorizationFailureOnline
A 'Removable Media' device was plugged into the computer but no user is logged in that is authorized to use the Removable Media. Bringing the device online failed.
secRMM BlockCdDvdWritesEventOnline
A CD/DVD disc was plugged into the computer but writing to CD/DVD is being blocked. Bringing the device online failed.
secRMM BlockCdDvdWritesEventWrite
An attempt was made to copy a file to a CD/DVD disc but writing to CD/DVD is being blocked.
secRMM AllowBitLockerOnlyEventOnline
A 'Removable Media' device was plugged into the computer but it was not BitLocker protected. Bringing the device online failed.
secRMM AllowBitLockerOnlyEventWrite
An attempt was made to copy a file to a 'Removable Media' device that is not BitLocker protected.
secRMM BlockProgramsOnDevice
An attempt was made to execute a program or macro from a 'Removable Media' device.
secRMM AllowRMSFilesOnly
An attempt was made to copy a file to a 'Removable Media' device where the file being copied was not Microsoft RMS protected.
Removable Media Unauthorized User Failure (Write) - secRMM
Event Description: {0}
Removable Media Unauthorized User Failure (Online) - secRMM
Event Description: {0}
Removable Media Block Cd/Dvd Failure (Online) - secRMM
Event Description: {0}
Removable Media Block Cd/Dvd Failure (Write) - secRMM
Event Description: {0}
Removable Media Allow BitLocker Only Failure (Online) - secRMM
Event Description: {0}
Removable Media Allow BitLocker Only Failure (Write) - secRMM
Event Description: {0}
Removable Media Block Programs On Device - secRMM
Event Description: {0}
Removable Media Allow RMS Files Only - secRMM
Event Description: {0}
secRMM AllowedDirectoriesAuthorizationFailure
A user attempted to write a file(s) to a 'Removable Media' device from a directory location that was not authorized. The write attempt failed.
Removable Media Unauthorized Allowed Directories Failure - secRMM
Event Description: {0}
secRMM AllowedFileExtensionsAuthorizationFailure
A user attempted to write a file(s) to a 'Removable Media' device but the file extension was not authorized. The write attempt failed.
Removable Media Unauthorized File Extensions Failure - secRMM
Event Description: {0}
secRMM AllowedInternalIdAuthorizationFailureWrite
A user attempted to write a file(s) to a 'Removable Media' device but the internal Id of the device was not authorized. The write attempt failed.
secRMM AllowedInternalIdAuthorizationFailureOnline
A 'Removable Media' device was plugged into the computer but the internal Id of the device was not authorized. Bringing the device online failed.
Removable Media Unauthorized Internal Id Failure (Write) - secRMM
Event Description: {0}
Removable Media Unauthorized Internal Id Failure (Online) - secRMM
Event Description: {0}
secRMM SafeCopy PreApproval
An end-user is requesting permission to use the secRMM SafeCopy program. An approver needs to satisfy the request.
secRMM SafeCopy PreApproval
Event Description: {0}
secRMM External Message
An external message generated for secRMM (ex: Log cleared).
secRMM External Message
Event Description: {0}
WinRM
WinRM service
Service is running
Service is not running
WinRM
Please see the alert context for details.
Summary
This management pack incorporates the secRMMCentral product from Squadra Technologies into Microsoft Operations Manager.
secRMM is a product that monitors and controls activity to Removable Media devices.
secRMM uses the security event log as well as its own event log to record the Removable Media online, offline and write activity.
secRMM also allows the ability to authorize access to Removable Media devices by user(s) and/or by program(s).
secRMMCentral uses Microsoft event forwarding technology to centralize all the secRMM events into one event log.
External
Squadra Technologies web site
Summary
This discovery uses the computer's registry. It looks for the secRMMCentral event log registry key.
Configuration
Ensure the secRMMCentral product is installed on the computer where you want to monitor Removable Media activity.
Causes
Resolutions
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert when a Removable Media device is brought online (inserted into the computer).
Configuration
.
Causes
The Removable Media device was brought online. Typically, this is done when a person physically inserts a USB stick or external hard drive into the computer.
Resolutions
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert when a file write to a Removable Media device starts.
Configuration
You may want to disable this rule if you have specific computers that use
Removable Media devices often. Disabling this rule for those computers
will minimize the alerts in the Operations Manager console.
Causes
A file write operation to a Removable Media device has started.
Resolutions
secRMM allows you to control who and what program can write to a Removable Media device for a particular computer.
Please read the secRMM Administrators Guide (see External link below) section "Enabling Authorization" to apply authorization control on
the Removable Media devices.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert when a file gets written to a Removable Media device.
Configuration
You may want to disable this rule if you have specific computers that use
Removable Media devices often. Disabling this rule for those computers
will minimize the alerts in the Operations Manager console.
Causes
A file was written to a Removable Media device.
Resolutions
secRMM allows you to control who and what program can write to a Removable Media device for a particular computer.
Please read the secRMM Administrators Guide (see External link below) section "Enabling Authorization" to apply authorization control on
the Removable Media devices.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert when a Removable Media device is taken offline (removed from the computer).
Configuration
Causes
The Removable Media device was taken offline. Typically, this is done when a person physically removes a USB stick or external hard drive from the computer.
Resolutions
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because a secRMM Administrator changed a secRMM property.
secRMM properties affect authorization. secRMM authorization can be specified for users, programs and removable media serial numbers.
Configuration
N/A.
Causes
A secRMM Administrator changed a secRMM property on this computer. The alert will contain the property name, the new value, and possibly the old value if it existed previously.
Resolutions
Be sure the administrator userid specified in the alert is a valid secRMM Administrator. If not, please contact your security department immediately.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because a secRMM Administrator changed a secRMM configuration.
secRMM configurations define the secRMM properties that are associated with a computer or user(s).
Configuration
N/A.
Causes
A secRMM Administrator changed a secRMM configuration on this computer. The alert will contain the configuration name (this is a userid/SID) and the name of the Administrator or program (AD or SCCM) that initiated the change.
Resolutions
Be sure the administrator userid specified in the alert is a valid secRMM Administrator. If not, please contact your security department immediately.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert when the computer running secRMM does not have a valid secRMM License file.
Configuration
Contact the secRMM system administrator for a valid secRMM license file.
Causes
There is no license file on the computer.
Resolutions
Copy a valid secRMM license file to the computer. The license file needs to be copied to the secRMM product directory.
By default, the secRMM product directory is \Program Files\secRMM.
Additional
Squadra Technologies generates the secRMM license files and distributes them to your company.
External
Squadra Technologies web site
Summary
This rule generates an alert because the following two conditions are true:
1. An attempt was made to perform a file write operation to a Removable Media device when there was a secRMM "AllowedDirectories" property defined on the computer.
2. An attempt was made to perform a file write operation to a Removable Media device where the source file being copied was not from a directory in the "AllowedDirectories" property.
Configuration
Modify or remove the secRMM "AllowedDirectories" property on the computer where this alert occurred.
Causes
The source file being copied was in a directory that was not in the secRMM "AllowedDirectories" property.
Resolutions
If you want to allow the source file in the alert to be able to be written to the Removable Media device on the computer,
change the secRMM "AllowedDirectories" property to include the directory where the file is located.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following two conditions are true:
1. An attempt was made to perform a file write operation to a Removable Media device when there was a secRMM "AllowedFileExtensions" property defined on the computer.
2. An attempt was made to perform a file write operation to a Removable Media device where the source file being copied had a file extension that was not in the "AllowedFileExtensions" property.
Configuration
Modify or remove the secRMM "AllowedFileExtensions" property on the computer where this alert occurred.
Causes
The source file being copied has a file extension that was not in the secRMM "AllowedFileExtensions" property.
Resolutions
If you want to allow the source file in the alert to be able to be written to the Removable Media device on the computer,
change the secRMM "AllowedFileExtensions" property to include the file extension of the file.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following two conditions are true:
1. An attempt was made to perform a file write operation to a Removable Media device when there was a secRMM "AllowedInternalId" property defined on the computer.
2. An attempt was made to perform a file write operation to a Removable Media device where the device's internal Id did not match a value in the "AllowedInternalIds" property.
Configuration
Modify or remove the secRMM "AllowedInternalIds" property on the computer where this alert occurred.
Causes
The Removable Media device has an Internal Id that does not match the value of the secRMM "AllowedInternalIds" property.
Resolutions
If you want to allow the source file in the alert to be able to be written to the Removable Media device on the computer,
change the secRMM "AllowedInternalIds" property to include the internal Id of the Removable Media device.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following two conditions are true:
1. An attempt was made to perform a file write operation to a Removable Media device when there was a secRMM "AllowedPrograms" property defined on the computer.
2. An attempt was made to perform a file write operation to a Removable Media device when the program being used to perform the file write operation was not in the secRMM "AllowedPrograms" property.
Configuration
Modify or remove the secRMM "AllowedPrograms" property on the computer where this alert occurred.
Causes
The program being used to perform the file write operation was not in the secRMM "AllowedPrograms" property.
Resolutions
If you want to allow the program listed in the alert to be able to write to the Removable Media device on the computer,
change the secRMM "AllowedPrograms" property to include the program.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following two conditions are true:
1. An attempt was made to perform a file write operation to a Removable Media device when there was a secRMM "AllowedSerialNumbers" property defined on the computer.
2. An attempt was made to perform a file write operation to a Removable Media device and the Serial Number of the Removable Media device was not in the secRMM "AllowedSerialNumbers" property.
Configuration
Modify or remove the secRMM "AllowedSerialNumbers" property on the computer where this alert occurred.
Causes
The Removable Media device's Serial Number used to perform the file write operation was not in the secRMM "AllowedSerialNumbers" property.
Resolutions
If you want to allow write operations to a Removable Media device, its Serial Number must be included in the secRMM "AllowedSerialNumbers" property.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following two conditions are true:
1. An attempt was made to perform a file write operation to a Removable Media device when there was a secRMM "AllowedUsers" property defined on the computer.
2. An attempt was made to perform a file write operation to a Removable Media device when the user who performed the file write operation was not in the secRMM "AllowedUsers" property.
Configuration
Modify or remove the secRMM "AllowedUsers" property on the computer where this alert occurred.
Causes
The user who performed the file write operation was not in the secRMM "AllowedPrograms" property.
Resolutions
If you want to allow the user listed in the alert to be able to write to the Removable Media device on the computer,
change the secRMM "AllowedUsers" property to include the user.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following two conditions are true:
1. An attempt was made to perform a file write operation to a Removable Media device when the secRMM "FailWriteIfSourceFileUnknown" property defined on the computer was on (i.e. true, i.e. enabled).
2. An attempt was made to perform a file write operation to a Removable Media device and the source file of the write operation could not be determined.
Configuration
Disable the secRMM "FailWriteIfSourceFileUnknown" property on the computer where this alert occurred.
Causes
The source file of the write operation could not be determined by secRMM.
Resolutions
Have the user use a different program or command to perform the removable media write operation.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following two conditions are true:
1. An attempt was made to bring a Removable Media device online when there was a secRMM "AllowedInternalId" property defined on the computer which also contained the [EnforceWhenPluggedIn] attribute.
2. An attempt was made to bring a Removable Media device online and the Internal Id did not match a value in the "AllowedInternalIds" property.
Configuration
Modify or remove the secRMM "AllowedInternalIds" property on the computer where this alert occurred.
Causes
The Removable Media device has an Internal Id that does not match the value of the secRMM "AllowedInternalIds" property.
Resolutions
If you want to allow this Removable Media device to be used on this computer, its Internal Id must be included in the secRMM "AllowedInternalIds" property.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following two conditions are true:
1. An attempt was made to bring a Removable Media device online when there was a secRMM "AllowedSerialNumbers" property defined on the computer which also contained the [EnforceWhenPluggedIn] attribute.
2. An attempt was made to bring a Removable Media device online and the Serial Number of the Removable Media device was not in the secRMM "AllowedSerialNumbers" property.
Configuration
Modify or remove the secRMM "AllowedSerialNumbers" property on the computer where this alert occurred.
Causes
The Removable Media device's Serial Number was not in the secRMM "AllowedSerialNumbers" property.
Resolutions
If you want to allow this Removable Media device to be used on this computer, its Serial Number must be included in the secRMM "AllowedSerialNumbers" property.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following two conditions are true:
1. An attempt was made to bring a Removable Media device online when there was a secRMM "AllowedUsers" property defined on the computer which also contained the [EnforceWhenPluggedIn] attribute.
2. An attempt was made to bring a Removable Media device online and no user is currently logged in that matches a value in the "AllowedUsers" property.
Configuration
Modify or remove the secRMM "AllowedUsers" property on the computer where this alert occurred.
Causes
No userid in the secRMM "AllowedPrograms" property is currently logged into the computer.
Resolutions
A userid in the secRMM "AllowedUsers" property must be logged in before the Removable Media device can be used.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following condition is true:
1. An attempt was made to bring a CD/DVD disc online when there was a secRMM "BlockCdDvdWrites" property defined on the computer which also contained the [EnforceWhenPluggedIn] attribute.
Configuration
Modify or remove the secRMM "BlockCdDvdWrites" property on the computer where this alert occurred.
Causes
No CD or DVD discs are allowed to mount on the computer because the secRMM "BlockCdDvdWrites" property (with the [EnforceWhenPluggedIn] attribute) is currently set on the computer.
Resolutions
Clear the secRMM "BlockCdDvdWrites" property so that the CD/DVD disc will mount and be available in Windows.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following condition is true:
1. An attempt was made to copy a file to a CD/DVD disc when the secRMM "BlockCdDvdWrites" property was defined on the computer.
Configuration
Modify or remove the secRMM "BlockCdDvdWrites" property on the computer where this alert occurred.
Causes
Copying files to CD or DVD discs is not allowed on the computer because the secRMM "BlockCdDvdWrites" property is currently set on the computer.
Resolutions
Clear the secRMM "BlockCdDvdWrites" property so that the end-user can copy files to the CD/DVD disc.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following condition is true:
1. An attempt was made to mount a "Removable Media" device that is not BitLocker protected when the secRMM "AllowBitLockerOnly" property (with the [EnforceWhenPluggedIn] attribute) was defined on the computer.
Configuration
Modify or remove the secRMM "AllowBitLockerOnly" property on the computer where this alert occurred.
Causes
Mounting a "Removable Media" device that is not BitLocker protected is not allowed on the computer because the secRMM "AllowBitLockerOnly" property (with the [EnforceWhenPluggedIn] attribute) is currently set on the computer.
Resolutions
Clear the secRMM "AllowBitLockerOnly" property so that non-BitLocker protected devices can be used or use a BitLocker protected "Removable Media" device.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following condition is true:
1. An attempt was made to copy a file to a "Removable Media" device that is not BitLocker protected when the secRMM "AllowBitLockerOnly" property was defined on the computer.
Configuration
Modify or remove the secRMM "AllowBitLockerOnly" property on the computer where this alert occurred.
Causes
Copying file(s) to a "Removable Media" device that is not BitLocker protected is not allowed on the computer because the secRMM "AllowBitLockerOnly" property is currently set on the computer.
Resolutions
Clear the secRMM "AllowBitLockerOnly" property so that non-BitLocker protected devices can be used or use a BitLocker protected "Removable Media" device.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following condition is true:
1. An attempt was made to execute a program or macro from a "Removable Media" device when the secRMM "BlockProgramsOnDevice" property was defined on the computer.
Configuration
Modify or remove the secRMM "BlockProgramsOnDevice" property on the computer where this alert occurred.
Causes
Executing a program or macro from a "Removable Media" device is not allowed on the computer because the secRMM "BlockProgramsOnDevice" property is currently set on the computer.
Resolutions
Clear the secRMM "BlockProgramsOnDevice" property so that programs can be executed from the "Removable Media" device.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because the following condition is true:
1. An attempt was made to copy a file(s) to a "Removable Media" device when the file being copied was not protected by Microsoft RMS and the secRMM "AllowRMSFilesOnly" property was defined on the computer.
Configuration
Before copying the file to removable media, protect the file using Microsoft RMS. You can also remove the secRMM "AllowRMSFilesOnly" property on the computer where this alert occurred.
Causes
Copying files that are not protected by Microsoft RMS to a "Removable Media" device is not allowed on the computer because the secRMM "AllowRMSFilesOnly" property is currently set on the computer.
Resolutions
Protect the file using Microsoft RMS and/or clear the secRMM "AllowRMSFilesOnly" property.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because a user is attempting to use a removable media device and the secRMM "PreApproveSafeCopy" property is "on".
This is the key component of the "enforceable two man policy" implementation. Until an administrator approves this request,
the user cannot access the removable media device.
Configuration
Modify or remove the secRMM "PreApproveSafeCopy" property on the computer where this alert occurred.
Causes
The secRMM "enforceable two man policy" is in effect.
Resolutions
An administrator needs to use the secRMM SafeCopy Approver program to either approve or reject the user's request to use the removable media.
Additional
External
Squadra Technologies web site
Summary
This rule generates an alert because an external event occurred which is related to secRMM.
An example of such an event is when the secRMM event log gets backed up by a scheduled task.
Configuration
This event is usually called in a script such as BackupSecRMMEventLog.cmd (in the secRMM AdminUtils subdirectory) via the WriteToNTEventLog API.
Causes
A secRMM external event occurred.
Resolutions
These events are typically informational and no resolution is required.
Additional
External
Squadra Technologies web site