Installation
The PortBlocker-Setup.msi installer will deploy three key parts to the target workstation. The three parts consist of a Device Driver, Windows Service, and a Windows Application that the user can interact with. The installation will require local admin privileges to complete. Once PortBlocker is installed, all mass storage type devices will be blocked. Installation deployment can be done with a simple startup script, like the example below, or with third-party tools.
Registration
Registration is needed before devices can be whitelisted. When registration parameters are successfully passed to the installer, PortBlocker will automatically register after installation. The switches used for registration are as follows:
URL=<SafeConsoleConnectionToken>: the SafeConsole connection token
EULA=1: Accept the end user license agreement on behalf of the user
USER=<UniqueToken>: OPTIONAL, register the PortBlocker installation to a specific user already in SafeConsole.
UNINSTALL_PASSWORD=<UninstallPassword>: OPTIONAL, requires the password to be entered when attempting to uninstall PortBlocker. If a password is not defined during installation, the uninstall password will need to be obtained by contacting [email protected].
Note: The UNINSTALL_PASSWORD argument applies only to versions prior to PortBlocker 1.4 and SafeConsole 5.7. In newer versions, the uninstall password is handled by SafeConsole.
It is recommended that the SafeConsole Server is configured with both unique token and admin approval disabled. This will allow a simple registration process for the end user.
Requirements
Windows 10 and Windows 7
SafeConsole Connection Token, ex: https://server.safeconsolecloud.io/connect
Public server share to host installer, ex: \\nas\share\PortBlocker-Setup.msi
All the machines you wish to install PortBlocker on must be joined to the domain
Set-Up
The MSI installer can be tested using the following command to install:
msiexec /i \\Path\to\PortBlocker-Setup.msi URL=https://example.safeconsolecloud.io/connect EULA=1 ALLUSERS=1 /norestart
Note: Replace the path with the location of your MSI, and the URL value with your SafeConsole connection token.
Once you have verified that you can register PortBlocker using the above command, you can push out the MSI to a group of computers using the settings below:
Download and install Microsoft Orca:
Microsoft guide for installing/using Orca utility: https://docs.microsoft.com/en-us/windows/desktop/msi/orca-exe
Once you have familiarized yourself with Orca you can begin adding your properties to the PortBlocker msi file. Open Orca and select ‘File -> Open’ and choose your msi file.
Enable Copy embedded streams during "Save As"
Click Tools -> Options -> Database -> Copy embedded streams during "Save As" -> Select Apply and click OK
Select ‘Transform -> New Transform’ in the menu bar
Navigate to the ‘Property’ section in the left-hand column; this is where we will add our custom properties. Right-click in the section to the right and select ‘Add Row’
We will add two custom rows, one for the connection token and one for the EULA agreement.
Create the rows as shown in the example below, replacing the URL value with your SafeConsole connection token. (Optionally, if you want to add a unique user token, create another row with the property USER and the token as the value):
In the ‘File’ menu select ‘Save Transformed As’ and select the location you want to save the msi file to.
Set Up a GPO for deployment:
On your domain controller, run the ‘Group Policy Management’ tool
Select your domain and right-click, select ‘Create a GPO in this domain, and link it here…’
Make sure that this policy encompasses all of the users/computers that you want to deploy PortBlocker to. In this instance, we’re deploying to everyone in the domain, so we create the GPO directly underneath the domain itself.
Once you finish creating the group policy object right-click on it and select ‘Edit’
Navigate to ‘Computer Configuration -> Policies -> Software Settings -> Software Installation’
Right-click in the empty white box to the right-hand side and select ‘New -> Package’ and choose the location of your msi in the dialog
In the final dialog, select ‘Assigned’
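The startup-script route mentioned under Installation, as an added example (not vendor-supplied code). It skips machines that already have PortBlocker, checks the installer against a pinned SHA-256 before running it, and passes the same properties as the test command above. The share path, token URL, hash placeholder, temp and log paths, the 'PortBlocker*' display-name match, and the helper function names are all assumptions to adjust.

```powershell
# Added example: computer startup script for PortBlocker (runs as SYSTEM via GPO).
# Assumed values: share path, token URL, pinned hash, log path, DisplayName pattern.
$MsiPath      = '\\nas\share\PortBlocker-Setup.msi'            # share from Requirements
$TokenUrl     = 'https://example.safeconsolecloud.io/connect'  # your connection token
$ExpectedHash = '<SHA256-OF-THE-MSI-YOU-TESTED>'               # placeholder, fill in
$LocalMsi     = Join-Path $env:windir 'Temp\PortBlocker-Setup.msi'
$LogFile      = Join-Path $env:windir 'Temp\PortBlocker-install.log'

function Test-PortBlockerInstalled {
    # Search the 64-bit and 32-bit uninstall keys for an existing install.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $hit = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like 'PortBlocker*' }   # assumed display name
    return [bool]$hit
}

function Get-Sha256Hex([string]$Path) {
    # .NET hashing so the script also runs on the PowerShell 2.0 that ships with Windows 7.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { return [System.BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '' }
    finally { $fs.Dispose() }
}

if (Test-PortBlockerInstalled) { exit 0 }        # already deployed on this machine

# Copy first, then hash the local copy, so the checked bytes are the installed bytes.
Copy-Item -LiteralPath $MsiPath -Destination $LocalMsi -Force -ErrorAction Stop
if ((Get-Sha256Hex $LocalMsi) -ne $ExpectedHash) {
    Remove-Item -LiteralPath $LocalMsi -Force
    Write-Error 'Installer hash does not match the pinned value; not installing.'
    exit 1
}

# Same properties as the manual test command, plus silent mode and a log file.
$msiArgs = @('/i', "`"$LocalMsi`"", "URL=$TokenUrl", 'EULA=1', 'ALLUSERS=1',
             '/qn', '/norestart', '/l*v', "`"$LogFile`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success with a reboot pending; anything else is a failure.
if ($proc.ExitCode -ne 0 -and $proc.ExitCode -ne 3010) {
    Write-Error "msiexec exited with $($proc.ExitCode); see $LogFile"
    exit $proc.ExitCode
}
exit 0
```

The computer account needs read access to the share, and write access to both the share and the script location should be limited to administrators, since whatever sits there runs as SYSTEM on every targeted machine.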