Welcome!

www.alacrity-solutions.com

Welcome to the Alacrity Solutions Blog Pages, a source for anything worthy of note (or that I might forget). I hope that what is contained herein is of use to others as well as myself, and I truly welcome any contributions and feedback.

Happy reading and I await your input!

Tuesday, 8 December 2009

Block USB Devices For Free

Recently at work the need to remove access to USB devices has cropped up. Students continue to bring in Flash games, portable apps and all manner of other potential threats, which need to be limited and, once alternative provisions for transferring documents are in place, removed altogether.

Much of what I read while researching this referred to registry changes to make it happen. That immediately concerned me, because a registry change needs a restart before any on/off switch takes effect, which slows the whole process down. Other GPO options would not give the versatility of an instant change of state, and some solutions require knowing the Hardware ID of each device; with the sheer number of different USB drives that come into the school, that would be unmanageable.

For a while now we have been using the free USB Drive Letter Manager (USBDLM, available here) to mount USB drives to consistent letters, so that software restriction policies can be applied to any executables that may be brought in. USBDLM is freeware for private and educational (schools, colleges, universities) use only. It is configured through an ini file that it reads when its service starts, so changing its behaviour is a matter of rewriting the ini and restarting the service it installs. With my past experience of scripting, rewriting or replacing the ini file would not be an issue, nor would restarting the service, and that would give a definite on/off state. The only unknown was whether USBDLM could manipulate USB drives in such a way as to remove them, on top of the many other functions it can perform. As I said, we were using only a fraction of its potential by mounting drives to the same letters. Here's an example of the usual ini file:



With the help of the USBDLM help file I found an option that removes the drive letter associated with a device. More importantly, there is also an option to specify the type of USB device this applies to, so by adding 'REMOVEABLE' to the ini, any other USB-based device is spared from being affected. Here is the revised ini file:



Put in the appropriate place and with the service restarted, this configuration strips the drive letter from any removable USB drive without a reboot or a forced Group Policy refresh. With a device plugged in you can watch it disappear from Explorer! Bear in mind that this removes the letter rather than disabling the device: the volume is still mounted and can be reached through its volume GUID path by anyone who knows how to look for it, so it works best alongside the software restriction policies mentioned above rather than as the only control.

With a bit of VBScript we can automate replacing the ini file and restarting the service. An 'On' and an 'Off' version of the script are stored on the netlogon share along with both ini files. This is the 'On' version:

' 'On' version: copy the blocking ini from the netlogon share over the live
' one and restart USBDLM so it is read straight away. Needs admin rights
' (writes under %ProgramFiles% and controls a service).
Option Explicit

Dim strComputer, WshShell, objFSO, objWMIService, strIniPath
Dim colListOfServices, objService
Const OverwriteExisting = True

strComputer = "."
Set WshShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' Copy to the full target path so the live file always ends up as USBDLM.ini.
strIniPath = WshShell.ExpandEnvironmentStrings("%ProgramFiles%\USBDLM\USBDLM.ini")
objFSO.CopyFile "\\scscurr01\netlogon\software\USB\USBDLM.INI", strIniPath, OverwriteExisting

' Restart the service: USBDLM only reads its ini at start-up.
Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name = 'usbdlm'")
For Each objService In colListOfServices
    objService.StopService()
    WScript.Sleep 1500
    objService.StartService()
Next


This is the 'Off' version:

' 'Off' version: put the permissive ini back and restart USBDLM.
' Copying straight onto the live name replaces the file in one step, so there
' is no delete/rename gap and it still works if USBDLM.ini has gone missing
' (the earlier delete-then-copy loop silently did nothing in that case).
Option Explicit

Dim strComputer, WshShell, objFSO, objWMIService, strIniPath
Dim colListOfServices, objService
Const OverwriteExisting = True

strComputer = "."
Set WshShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' USBDLM_off.INI on the share becomes USBDLM.ini on the workstation.
strIniPath = WshShell.ExpandEnvironmentStrings("%ProgramFiles%\USBDLM\USBDLM.ini")
objFSO.CopyFile "\\scscurr01\netlogon\software\USB\USBDLM_off.INI", strIniPath, OverwriteExisting

' Restart the service so the change takes effect immediately.
Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name = 'usbdlm'")
For Each objService In colListOfServices
    objService.StopService()
    WScript.Sleep 1500
    objService.StartService()
Next
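The same On/Off toggle as an added PowerShell example (this is not code from the original post). It assumes the share paths, the %ProgramFiles%\USBDLM install location and the 'usbdlm' service name used above, an elevated prompt, and PowerShell 4 or later for Get-FileHash. It differs from the VBScripts in that it copies straight onto the live file name, checks the copy landed before bouncing the service, and confirms the service came back. Since every workstation will load whatever sits in that share, keep its ACL writable by administrators only.

```powershell
# Added example (not from the original post): PowerShell version of the
# On/Off toggle. Assumes USBDLM under %ProgramFiles%\USBDLM, a service named
# 'usbdlm', and the ini files on the netlogon share at the paths from the post.
# Run elevated. Needs PowerShell 4+ (Get-FileHash).

$IniSource = @{
    On  = '\\scscurr01\netlogon\software\USB\USBDLM.INI'      # letters removed
    Off = '\\scscurr01\netlogon\software\USB\USBDLM_off.INI'  # letters kept
}
$IniTarget   = Join-Path $env:ProgramFiles 'USBDLM\USBDLM.ini'
$ServiceName = 'usbdlm'

function Set-UsbBlock {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('On', 'Off')]
        [string]$State
    )

    $source = $IniSource[$State]
    if (-not (Test-Path -LiteralPath $source)) {
        throw "Source ini not reachable: $source"
    }
    if (-not $PSCmdlet.ShouldProcess($IniTarget, "replace with '$State' ini")) { return }

    # Copy straight onto the live name: no delete/rename gap during which the
    # service could be restarted with no ini at all.
    Copy-Item -LiteralPath $source -Destination $IniTarget -Force

    # Prove the right file landed before the service is bounced.
    $want = (Get-FileHash -LiteralPath $source    -Algorithm SHA256).Hash
    $got  = (Get-FileHash -LiteralPath $IniTarget -Algorithm SHA256).Hash
    if ($want -ne $got) { throw "Live ini does not match $source (hash mismatch)" }

    # USBDLM reads the ini at service start, so a restart applies it at once:
    # no reboot, no gpupdate.
    Restart-Service -Name $ServiceName -Force -ErrorAction Stop
    $svc = Get-Service -Name $ServiceName
    if ($svc.Status -ne 'Running') {
        throw "Service '$ServiceName' is '$($svc.Status)' after restart"
    }
}

function Get-RemovableDriveLetters {
    # DriveType 2 = removable. A volume whose letter USBDLM has removed no
    # longer appears here, which is the observable effect of 'On'.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        Select-Object -ExpandProperty DeviceID
}

# Usage:
#   Set-UsbBlock -State On -WhatIf   # show what would change, touch nothing
#   Set-UsbBlock -State On           # plug in a stick: no letter appears
#   Get-RemovableDriveLetters
#   Set-UsbBlock -State Off
```

Get-RemovableDriveLetters is the quick check after each toggle: Win32_LogicalDisk only lists volumes that hold a drive letter, so a removable stick that USBDLM has stripped simply stops appearing in its output.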


The evolution of this is to put it into an HTA similar to the Control Flash one in the Scripts section. I'm currently working on a way of querying AD to populate a drop-down list of OUs and then the computers in the selected OU, giving granular control over each machine or all of them at once. I'll post it when it's complete, but hope this helps in the meantime!
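The two directory lookups that drill-down needs (all OUs in the domain, then the computers under a chosen OU), as an added PowerShell example rather than the author's HTA code. It uses System.DirectoryServices directly, so it needs no RSAT module, and assumes a domain-joined machine; the 'Student PCs' OU name in the usage lines is a placeholder.

```powershell
# Added example (not from the original post): the OU -> computers lookups the
# HTA needs, done with System.DirectoryServices so no RSAT module is required.
# Assumes a domain-joined machine; reading these attributes needs no special
# rights beyond an ordinary domain account.

function Get-AdOrganizationalUnits {
    # Every OU in the current domain as Name + DistinguishedName: show the
    # name in the drop-down, keep the DN to use as the next search base.
    $domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
    $searcher.Filter     = '(objectClass=organizationalUnit)'
    $searcher.PageSize   = 1000     # page past the server's 1000-result cap
    [void]$searcher.PropertiesToLoad.Add('name')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            [pscustomobject]@{
                Name              = [string]$r.Properties['name'][0]
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            }
        }
    } finally { $results.Dispose() }
}

function Get-AdComputersInOu {
    # Enabled computer accounts directly under the OU (or anywhere below it
    # with -Recurse), returned as DNS host names ready for remote management.
    param(
        [Parameter(Mandatory = $true)][string]$OuDistinguishedName,
        [switch]$Recurse
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$OuDistinguishedName"
    if ($Recurse) { $searcher.SearchScope = 'Subtree' } else { $searcher.SearchScope = 'OneLevel' }
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND rule; bit 2 of
    # userAccountControl is ACCOUNTDISABLE, so disabled machines are skipped.
    $searcher.Filter   = '(&(objectClass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('dNSHostName')

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $fqdn = $r.Properties['dnshostname']
            if ($fqdn.Count -gt 0) { [string]$fqdn[0] }   # stale objects may lack it
        }
    } finally { $results.Dispose() }
}

# Usage: pick an OU (placeholder name), list its machines and which answer now.
#   $ou = Get-AdOrganizationalUnits | Where-Object { $_.Name -eq 'Student PCs' }
#   Get-AdComputersInOu -OuDistinguishedName $ou.DistinguishedName | ForEach-Object {
#       [pscustomobject]@{ Computer = $_; Online = Test-Connection $_ -Count 1 -Quiet }
#   }
```

Filtering out disabled accounts at the LDAP level keeps dead machines out of the list before any remote action is attempted, and the reachability check in the usage lines shows the operator which computers in the OU will actually pick up an On/Off change right now.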




Update: the HTA that provides control over the workstations is now available here on the HTA pages of the website. Use the ini examples on this page to set up your on/off files and place them in an appropriate network share. The HTA needs some configuration of paths and OUs to get working.
