Enable/disable USB mass storage
USB mass storage devices can be a real danger and threat to a corporate network and its vital data; A 1 Gb USB stick can sometimes hold an entire company's vital data. Within minutes or even seconds an employee has all the files they need in order to start up their own business and take all the customers with them. Alternatively, what happens if a careless user accidentally compromises the network with an infected USB stick?
This package enables or disables USB mass storage devices on machine level as described in KB823732.
Warning: this package uses variables in places only supported as of WPKG 1.1.2
This package sets a variable SET_USBSTOR and defaults to "disable" meaning that the USBstor driver will be disabled by this package. However, you can define this variable on a specific host, profile, ... to contain "enable" which enables the USBstor driver on that particular host, profile, ... This way you can have this package included in a global profile and still have USB mass storage devices enabled on a few machines. Also, because of the check condition, simply changing this variable on a host/profile/... will trigger the package to run again on that specific host/profile/... at the next wpkg run without having to increase the revision and having to run it on all hosts.
<package id="setusbstor" name="Enable/Disable USB Mass Storage" revision="1" priority="1" reboot="false"> <variable name="SET_USBSTOR" value="disable" /> <!-- USBstor is disabled by default --> <check type="file" condition="exists" path="%SystemRoot%\usbstor-%SET_USBSTOR%.tmp" /> <install cmd='%comspec% /c "%SOFTWARE%\WindowsSettings\setUSBstor.cmd" %SET_USBSTOR%' /> <upgrade cmd='%comspec% /c "%SOFTWARE%\WindowsSettings\setUSBstor.cmd" %SET_USBSTOR%' /> </package>
setUSBstor.cmd batch file:
@echo off :: Retreive Windows Language :detect for /f "Skip=1 Tokens=3*" %%i in ('reg QUERY "hklm\system\controlset001\control\nls\language" /v Installlanguage') do set language=%%i :: Dutch - Belgium if "%language%" == "0813" ( set users=Gebruikers goto select ) :: Dutch - Netherlands if "%language%" == "0413" ( set users=Gebruikers goto select ) :: English - United States if "%language%" == "0409" ( set users=Users goto select ) :: German - Germany if "%language%" == "0407" ( set users=Benutzer goto select ) :: Polish - Poland if "%language%" == "0415" ( set users=Użytkownicy goto select ) :select if /I "%1" == "enable" goto enable_usbstor if /I "%1" == "disable" goto disable_usbstor echo Invalid commandline options echo. echo %0 - Enable or disable USB mass storage echo %0 enable - enable USB mass storage echo %0 disable - disable USB mass storage exit /b 1 :enable_usbstor echo Enabling USBstor driver :: Enable USBstor driver reg add HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v Start /t REG_DWORD /d 3 /f :: Enable permissions on USBstor driver cacls %SystemRoot%\inf\usbstor.inf /E /G %users%:R cacls %SystemRoot%\inf\usbstor.PNF /E /G %users%:R :: Leave state for WPKG to check on if exist %SystemRoot%\usbstor-disable.tmp del %SystemRoot%\usbstor-disable.tmp echo enable > %SystemRoot%\usbstor-enable.tmp goto end :disable_usbstor echo Disabling USBstor driver :: Disable USBstor driver reg add HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v Start /t REG_DWORD /d 4 /f :: Disable read permissions on USBstor driver cacls %SystemRoot%\inf\usbstor.inf /E /R %users% cacls %SystemRoot%\inf\usbstor.PNF /E /R %users% :: Leave state for WPKG to check on if exist %SystemRoot%\usbstor-enable.tmp del %SystemRoot%\usbstor-enable.tmp echo disable > %SystemRoot%\usbstor-disable.tmp goto end :end exit /b 0