DataLocker PortBlocker

Mass Deployment 1.0



Installation

The PortBlocker EXE installer deploys three components to the target workstation: a device driver, a Windows service, and a Windows application that the user can interact with. Installation requires local admin privileges, and running it as the system account is recommended. When calling the installer, the /S switch can be used for a silent installation on new installs. Once PortBlocker is installed, all mass storage type devices will be blocked. Deployment can be done with a simple login script, like the example below, or with third-party tools. It is important that Windows 7 deployments are validated against Microsoft Security Advisory 3033929 so that the driver, which is signed with a SHA256 certificate, is recognized.


Registration

After installation, the user will be prompted to register their PortBlocker instance to SafeConsole. Registration is needed before devices can be whitelisted. It is recommended that the SafeConsole Server be configured with both unique token and admin approval disabled. This will allow a simple registration process for the end user. By default, PortBlocker will look for the registry value “Default Token” under the following keys:


64-bit Computers

HKLM\SOFTWARE\WOW6432Node\DataLocker\PortBlocker

HKCU\SOFTWARE\WOW6432Node\DataLocker\PortBlocker


32-bit Computers

HKLM\SOFTWARE\DataLocker\PortBlocker

HKCU\SOFTWARE\DataLocker\PortBlocker


Store the default token, in URL form, as a REG_SZ value. The default token is unique to your SafeConsole server.


Example: 

reg add "HKLM\SOFTWARE\WOW6432Node\DataLocker\PortBlocker" /v "Default Token" /t REG_SZ /d https://server.safeconsolecloud.io/connect


With the default token in place, users will need to accept the license conditions and click connect. This will add their endpoint to the SafeConsole server. If connected to Active Directory during registration, the endpoint will be placed into the policy that corresponds to where the computer resides in the AD structure. The PortBlocker policy can be updated using SafeConsole as needed.


Example

This batch script can be enabled by going to Group Policy -> Computer Configuration -> Windows Settings -> Scripts -> Startup. User login scripts are also possible. 


:: Location of the installer EXE, such as a public network share
set "installer=\\server\deploy\portblocker.exe"

:: Install locations (defaults) on 64-bit and 32-bit Windows
set "install64=C:\Program Files (x86)\DataLocker\PortBlocker\client\PortBlocker.exe"
set "install32=C:\Program Files\DataLocker\PortBlocker\client\PortBlocker.exe"

:: SafeConsole connection URL
set "safeConsoleURL=https://server.safeconsolecloud.io/connect"

:: Default Token ("Echo N" answers the overwrite prompt, so an existing value is kept)
Echo N | reg add "HKLM\SOFTWARE\DataLocker\PortBlocker" /v "Default Token" /t REG_SZ /d "%safeConsoleURL%" > Nul
Echo N | reg add "HKLM\SOFTWARE\WOW6432Node\DataLocker\PortBlocker" /v "Default Token" /t REG_SZ /d "%safeConsoleURL%" > Nul

:: Install silently unless PortBlocker is already present
IF EXIST "%install64%" goto end
IF EXIST "%install32%" goto end
:: The empty "" is the window title that start expects before a quoted path
start "" /wait "%installer%" /S
:end
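
A post-deployment check for the steps above, as an added example that is not DataLocker's code: it reads the HKLM keys and default install paths listed on this page and, on Windows 7, looks for KB3033929, the update that advisory 3033929 describes. `$ExpectedToken` is the placeholder URL from this page and `Test-PortBlockerDeployment` is a hypothetical name.

```powershell
# Added example, not DataLocker code: post-deployment check for one workstation.
# Assumption: $ExpectedToken is the placeholder URL used on this page; use your server's token.
$ExpectedToken = 'https://server.safeconsolecloud.io/connect'

# Registry keys and default client paths as listed on this page (HKLM only).
$TokenKeys = @(
    'HKLM:\SOFTWARE\WOW6432Node\DataLocker\PortBlocker',
    'HKLM:\SOFTWARE\DataLocker\PortBlocker'
)
$ClientPaths = @(
    'C:\Program Files (x86)\DataLocker\PortBlocker\client\PortBlocker.exe',
    'C:\Program Files\DataLocker\PortBlocker\client\PortBlocker.exe'
)

function Test-PortBlockerDeployment {   # hypothetical helper name
    $findings = @()

    # 1. The client binary must exist in one of the default install locations.
    if (-not ($ClientPaths | Where-Object { Test-Path -LiteralPath $_ })) {
        $findings += 'PortBlocker.exe not found in either default install location'
    }

    # 2. "Default Token" must be set in at least one key, and every copy must match.
    $tokenSeen = $false
    foreach ($key in $TokenKeys) {
        $item = Get-ItemProperty -LiteralPath $key -Name 'Default Token' -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        $tokenSeen = $true
        if ($item.'Default Token' -ne $ExpectedToken) {
            $findings += "Unexpected Default Token in ${key}: $($item.'Default Token')"
        }
    }
    if (-not $tokenSeen) { $findings += 'No "Default Token" value found under HKLM' }

    # 3. Windows 7 (version 6.1) needs SHA-2 signing support for the driver to load.
    $os = [Environment]::OSVersion.Version
    if ($os.Major -eq 6 -and $os.Minor -eq 1 -and
        -not (Get-HotFix -Id 'KB3033929' -ErrorAction SilentlyContinue)) {
        $findings += 'KB3033929 not listed; confirm SHA-2 driver signing support'
    }
    return $findings
}

$result = Test-PortBlockerDeployment
if ($result) { $result | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'PortBlocker deployment checks passed'
```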