Enable/disable USB mass storage

From WPKG | Open Source Software Deployment and Distribution

USB mass storage devices can be a real danger to a corporate network and its vital data: a 1 Gb USB stick can sometimes hold an entire company's vital data. Within minutes or even seconds, an employee can have all the files they need to start up their own business and take all the customers with them. Alternatively, what happens if a careless user accidentally compromises the network with an infected USB stick?

This package enables or disables USB mass storage devices at the machine level, as described in KB823732.

Warning: this package uses variables in places only supported as of WPKG 1.1.2

This package sets a variable SET_USBSTOR, which defaults to "disable", meaning that the USBstor driver will be disabled by this package. However, you can define this variable on a specific host, profile, ... with the value "enable", which enables the USBstor driver on that particular host, profile, ... This way you can include this package in a global profile and still have USB mass storage devices enabled on a few machines. Also, because the check condition contains the variable, simply changing it on a host/profile/... triggers the package to run again on that specific host/profile/... at the next wpkg run, without having to increase the revision and run it on all hosts.

<package id="setusbstor"
	 name="Enable/Disable USB Mass Storage"
	 revision="1"
	 priority="1"
	 reboot="false">

	<variable name="SET_USBSTOR" value="disable" /> <!-- USBstor is disabled by default -->

	<check type="file" condition="exists" path="%SystemRoot%\usbstor-%SET_USBSTOR%.tmp" />

	<install cmd='%comspec% /c "%SOFTWARE%\WindowsSettings\setUSBstor.cmd" %SET_USBSTOR%' />

	<upgrade cmd='%comspec% /c "%SOFTWARE%\WindowsSettings\setUSBstor.cmd" %SET_USBSTOR%' />
</package>

setUSBstor.cmd batch file:

@echo off
:: Retrieve Windows Language
:detect
for /f "Skip=1 Tokens=3*" %%i in ('reg QUERY "hklm\system\controlset001\control\nls\language" /v Installlanguage') do set language=%%i

:: Dutch - Belgium
if "%language%" == "0813" (
   set users=Gebruikers
   goto select
)
:: Dutch - Netherlands
if "%language%" == "0413" (
   set users=Gebruikers
   goto select
)
:: English - United States
if "%language%" == "0409" (
   set users=Users
   goto select
)

:: German - Germany
if "%language%" == "0407" (
   set users=Benutzer
   goto select
)

:: Polish - Poland
if "%language%" == "0415" (
   set users=Użytkownicy
   goto select
)

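:: Unsupported install language: stop here instead of calling cacls with an
:: empty group name and still reporting success to WPKG
echo Unsupported install language "%language%" - add its Users group name to this script
exit /b 1

:select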
if /I "%1" == "enable" goto enable_usbstor
if /I "%1" == "disable" goto disable_usbstor

echo Invalid commandline options
echo.
echo %0 - Enable or disable USB mass storage
echo %0 enable  - enable USB mass storage
echo %0 disable - disable USB mass storage 
exit /b 1

:enable_usbstor
echo Enabling USBstor driver
:: Enable USBstor driver
reg add HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v Start /t REG_DWORD /d 3 /f
:: Enable permissions on USBstor driver
cacls %SystemRoot%\inf\usbstor.inf /E /G %users%:R
cacls %SystemRoot%\inf\usbstor.PNF /E /G %users%:R
:: Leave state for WPKG to check on
if exist %SystemRoot%\usbstor-disable.tmp del %SystemRoot%\usbstor-disable.tmp
echo enable > %SystemRoot%\usbstor-enable.tmp
goto end

:disable_usbstor
echo Disabling USBstor driver
:: Disable USBstor driver
reg add HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v Start /t REG_DWORD /d 4 /f
:: Disable read permissions on USBstor driver
cacls %SystemRoot%\inf\usbstor.inf /E /R %users%
cacls %SystemRoot%\inf\usbstor.PNF /E /R %users%
:: Leave state for WPKG to check on
if exist %SystemRoot%\usbstor-enable.tmp del %SystemRoot%\usbstor-enable.tmp
echo disable > %SystemRoot%\usbstor-disable.tmp
goto end

:end
exit /b 0
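
The check condition above only tests for the marker file, so a machine whose registry value or file permissions were changed back after the package ran still looks up to date to WPKG. The following PowerShell audit is an added example, not part of the WPKG package; it assumes PowerShell is available on the client and uses the marker files, registry value and paths from the script above.

```powershell
# Added example: audits what setUSBstor.cmd is supposed to have left behind.
# Marker names, registry value and file paths are the ones used on this page.
function Get-UsbStorState {
    param([string]$SystemRoot = $env:SystemRoot)

    $usersSid = 'S-1-5-32-545'   # BUILTIN\Users, the same in every OS language
    $key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $sidType  = [System.Security.Principal.SecurityIdentifier]

    # Intended state, read from the marker file that the WPKG check relies on
    $intended = 'unknown'
    if (Test-Path "$SystemRoot\usbstor-disable.tmp")    { $intended = 'disable' }
    elseif (Test-Path "$SystemRoot\usbstor-enable.tmp") { $intended = 'enable' }

    # Actual driver start type: 3 = load on demand (enabled), 4 = disabled
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start

    # Driver files on which BUILTIN\Users still holds an Allow entry
    $granted = @()
    foreach ($name in 'usbstor.inf', 'usbstor.PNF') {
        $file = Join-Path $SystemRoot "inf\$name"
        if (-not (Test-Path $file)) { continue }   # the PNF may not exist yet
        foreach ($rule in (Get-Acl $file).GetAccessRules($true, $true, $sidType)) {
            if ($rule.IdentityReference.Value -eq $usersSid -and
                $rule.AccessControlType -eq 'Allow') { $granted += $name; break }
        }
    }

    # Compare the marker with what is really configured
    $compliant = switch ($intended) {
        'disable' { ($start -eq 4) -and ($granted.Count -eq 0) }
        'enable'  { $start -eq 3 }
        default   { $false }       # package has not run on this machine
    }

    New-Object PSObject -Property @{
        Intended       = $intended
        StartValue     = $start
        UsersAllowedOn = $granted -join ', '
        Compliant      = $compliant
    }
}

$state = Get-UsbStorState
$state | Format-List
if (-not $state.Compliant) { exit 1 }   # non-zero exit code signals drift
```

The script only looks at the Users group, like setUSBstor.cmd itself; access granted through other groups is not evaluated.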