secRMM AllowRMSFilesOnly

Squadra.secRMM.AllowRMSFilesOnly (Rule)

An attempt was made to copy a file to a 'Removable Media' device where the file being copied was not Microsoft RMS protected.

Knowledge Base article:

Summary

This rule generates an alert because the following condition is true: an attempt was made to copy one or more files to a "Removable Media" device when the file being copied was not protected by Microsoft RMS and the secRMM "AllowRMSFilesOnly" property was defined on the computer.

Configuration

Before copying the file to removable media, protect the file using Microsoft RMS. You can also remove the secRMM "AllowRMSFilesOnly" property on the computer where this alert occurred.

Causes

Copying files that are not protected by Microsoft RMS to a "Removable Media" device is not allowed on the computer because the secRMM "AllowRMSFilesOnly" property is currently set on the computer.

Resolutions

Protect the file using Microsoft RMS and/or clear the secRMM "AllowRMSFilesOnly" property.

Additional

External

Squadra Technologies web site

Element properties:

Target: Squadra.secRMM.Event
Category: Alert
Enabled: True
Alert Generate: True
Alert Severity: Error
Alert Priority: High
Remotable: True
Alert Message: Removable Media Allow RMS Files Only - secRMM
    Event Description: {0}
Event Log: secRMM

Member Modules:

ID         Module Type  TypeId                                                 RunAs
DS         DataSource   Microsoft.Windows.EventProvider                        Default
Alert      WriteAction  System.Health.GenerateAlert                            Default
WriteToDB  WriteAction  Microsoft.SystemCenter.CollectEvent                    Default
WriteToDW  WriteAction  Microsoft.SystemCenter.DataWarehouse.PublishEventData  Default

Source Code:

<Rule ID="Squadra.secRMM.AllowRMSFilesOnly" Enabled="true" Target="Squadra.secRMM.Event" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>Alert</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>secRMM</LogName>
      <Expression>
        <SimpleExpression>
          <ValueExpression>
            <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
          </ValueExpression>
          <Operator>Equal</Operator>
          <ValueExpression>
            <Value Type="UnsignedInteger">515</Value>
          </ValueExpression>
        </SimpleExpression>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>2</Priority>
      <Severity>2</Severity>
      <AlertName/>
      <AlertDescription/>
      <AlertOwner/>
      <AlertMessageId>$MPElement[Name="Squadra.secRMM.AllowRMSFilesOnly.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/EventDescription$</AlertParameter1>
      </AlertParameters>
      <Suppression/>
      <Custom1/>
      <Custom2/>
      <Custom3/>
      <Custom4/>
      <Custom5/>
      <Custom6/>
      <Custom7/>
      <Custom8/>
      <Custom9/>
      <Custom10/>
    </WriteAction>
    <WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>
    <WriteAction ID="WriteToDW" TypeID="DataWarehouse!Microsoft.SystemCenter.DataWarehouse.PublishEventData"/>
  </WriteActions>
</Rule>