Scripting

Hi Everybody.

I am in the same problem, and maybe i'm on the way to resolve it.

First: Changing registry key

When we apply the modification on the registry key, it works, but:

- if the device is connected, the changes applies on reconecting the device again.
- if the machine is restarted and the device is reconnected, it will be possible to access it (access on first logon plugin), until the device is reconected again.

Microsoft says we must remove permissions directly on
%windir%\inf\usbstor.inf   and
%windir%\inf\usbstor.PNF
to especified users.

In PowerShell exist "Get-ACL" and "Set-ACL" commands,

the first one, list the existent permissions of the file

the second one, applies the permissions.

i am stucked in this point, because i want to apply to "all users" but "NT Authority\System" is wich KACE uses to run scripts,
so if i apply a blocking permission, then will be not possible to restore permissions again... isnt?


by the way, the app "SUBINACL" doesnt work on Windows 10, sadly.

i paste the help of Powershell Set-ACL command to share with you.

Thanks A Lot, Community, in advance.

- - - - - - - - - - - - - - - - - - - - - - 

PS C:\Windows\system32> get-help Set-Acl -Examples
NOMBRE
    Set-Acl
    
SINOPSIS
    Changes the security descriptor of a specified item, such as a file or a registry key.
 

  
    Example 1: Copy a security descriptor from one file to another
    
    $DogACL = Get-Acl -Path "C:\Dog.txt"
    Set-Acl -Path "C:\Cat.txt" -AclObject $DogACL
    
    These commands copy the values from the security descriptor of the Dog.txt file to the security descriptor of the Cat.txt file. When the commands complete, the security descriptors of the Dog.txt and Cat.txt files are identical.
    
    The first command uses the `Get-Acl` cmdlet to get the security descriptor of the Dog.txt file. The assignment operator (`=`) stores the security descriptor in the value of the $DogACL variable.
    
    The second command uses `Set-Acl` to change the values in the ACL of Cat.txt to the values in `$DogACL`.
    The value of the Path parameter is the path to the Cat.txt file. The value of the AclObject parameter is the model ACL, in this case, the ACL of Dog.txt  as saved in the `$DogACL` variable. 

Example 2: Use the pipeline operator to pass a descriptor --
    
    Get-Acl -Path "C:\Dog.txt" | Set-Acl -Path "C:\Cat.txt"
    
    This command is almost the same as the command in the previous example, except that it uses a pipeline operator (`|`) to send the security descriptor from a `Get-Acl` command to a `Set-Acl` command.
    
    The first command uses the `Get-Acl` cmdlet to get the security descriptor of the Dog.txt file. The pipeline operator (`|`) passes an object that represents the Dog.txt security descriptor to the `Set-Acl` cmdlet.
    
    The second command uses `Set-Acl` to apply the security descriptor of Dog.txt to Cat.txt. When the command completes, the ACLs of the Dog.txt and Cat.txt files are identical.

 Example 3: Apply a security descriptor to multiple files ---
    
    $NewAcl = Get-Acl File0.txt
    Get-ChildItem -Path "C:\temp" -Recurse -Include "*.txt" -Force | Set-Acl -AclObject $NewAcl
    
    These commands apply the security descriptors in the File0.txt file to all text files in the `C:\Temp` directory and all of its subdirectories.
    
    The first command gets the security descriptor of the File0.txt file in the current directory and uses the assignment operator (`=`) to store it in the `$NewACL` variable.
    
    The first command in the pipeline uses the Get-ChildItem cmdlet to get all of the text files in the `C:\Temp` directory. The Recurse parameter extends the command to all subdirectories of `C:\temp`. The Include parameter limits the files retrieved to those with the `.txt` file name extension. The Force parameter gets hidden files, which would otherwise be excluded. (You cannot use `c:\temp\ .txt`, because the Recurse * parameter works on directories, not on files.)
    
    The pipeline operator (`|`) sends the objects representing the retrieved files to the `Set-Acl` cmdlet, which applies the security descriptor in the AclObject parameter to all of the files in the pipeline.
    
    In practice, it is best to use the WhatIf parameter with all `Set-Acl` commands that can affect more than one item. In this case, the second command in the pipeline would be `Set-Acl -AclObject $NewAcl -WhatIf`. This command lists the files that would be affected by the command. After reviewing the result, you can run the command again without the WhatIf parameter.   

Example 4: Disable inheritance and preserve inherited access rules
    
    $NewAcl = Get-Acl -Path "C:\Pets\Dog.txt"
    $isProtected = $true
    $preserveInheritance = $true
    $NewAcl.SetAccessRuleProtection($isProtected, $preserveInheritance)
    Set-Acl -Path "C:\Pets\Dog.txt" -AclObject $NewAcl
    
    These commands is will disable access inheritance from parent folders, while still preserving the existing inherited access rules.
    
    The first command uses the `Get-Acl` cmdlet to get the security descriptor of the Dog.txt file.
    
    Next, variables are created to convert the inherited access rules to explicit access rules. To protect the access rules associated with this from inheritance, set the `$isProtected` variable to `$true`.to allow inheritance, set `$isProtected` to `$false`. For more information, see set access rule protection (/dotnet/api/system.security.accesscontrol.objectsecurity.setaccessruleprotection). The `$preserveInheritance` variable set to `$true` to preserve inherited access rules; false to remove inherited access rules. Then the access rule protection is updated using the SetAccessRuleProtection() method.
    
    The last command uses `Set-Acl` to apply the security descriptor of to Dog.txt. When the command completes, the ACLs of the Dog.txt that were inherited from the Pets folder will be applied directly to Dog.txt, and new access policies added to Pets will not change the access to Dog.txt.

Example 5: Grant Administrators Full Control of the file ---
    
    $NewAcl = Get-Acl -Path "C:\Pets\Dog.txt"
    # Set properties
    $identity = "BUILTIN\Administrators"
    $fileSystemRights = "FullControl"
    $type = "Allow"
    # Create new rule
    $fileSystemAccessRuleArgumentList = $identity, $fileSystemRights, $type
    $fileSystemAccessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $fileSystemAccessRuleArgumentList
    # Apply new rule
    $NewAcl.SetAccessRule($fileSystemAccessRule)
    Set-Acl -Path "C:\Pets\Dog.txt" -AclObject $NewAcl
    
    This command will grant the BUILTIN\Administrators group Full control of the Dog.txt file.
    
    The first command uses the `Get-Acl` cmdlet to get the security descriptor of the Dog.txt file.
    
    Next variables are created to grant the BUILTIN\Administrators group full control of the Dog.txt file. The `$identity` variable set to the name of a user account (/dotnet/api/system.security.accesscontrol.filesystemaccessrule.-ctor). The `$fileSystemRights` variable set to FullControl, and can be any one of  the FileSystemRights (/dotnet/api/system.security.accesscontrol.filesystemrights)values that specifies the type of operation associated with the access rule. The `$type` variable set to "Allow" to specifies whether to allow or deny the operation. The `$fileSystemAccessRuleArgumentList` variable is an  argument list is to be passed when making the new FileSystemAccessRule object. Then a new FileSystemAccessRule object is created, and the  FileSystemAccessRule object is passed to the SetAccessRule() method, adds the new access rule.
        The last command uses `Set-Acl` to apply the security descriptor of to Dog.txt. When the command completes, the BUILTIN\Administrators group will have full control of the Dog.txt.

Well after a bit of digging, and confirmation from our KACE trainer that we can't do it, I did find this:

https://technet.microsoft.com/en-us/library/cc731387(v=ws.10).aspx

If anyone happens to need the ability to block USB but allow specific devices this will work the best as it allows more precise control where as the USB Enable/Disable in the K1000 is just a blank block of the USBSTOR in the registry so it blocks anything that uses that to load such as flash drives, cameras or external HDDs.

Hope this helps others.