BGINFO - A Posh Recreation
Recently I have been building a lot of Windows Servers in different environments - one
I used to work in a open plan office, where there were if you left your desk to grab some printing/coffee or to dash to the loo or something without locking your workstation. You would come back to the whole office knowing you are a cross dressing ape loving chav who just emailed the department and that girl you had a crush on and was making progress with an invite to a Silvio Berlusconi style Bunga Bunga party at your desk! Poof instant credibility deletion!! Ta guys!!! Piss the Grumpy Admin off!!!
This one morning last year, I get to work feeling ill, and not too good! A dedicated and very grumpy Admin to work through the beginnings of Man Flu – got to share them germs around you know! The more users off ill the lest likley that are to break something that I have to fix right???.
I had to go over to the other room/loo or something like that, I can’t remember. And without second thought or any compassion from them, me leaving my workstation unlocked, I was fair game!
They emailed the whole team, and my line manager at the time, that I would be buying them all cakes! Not only that my line manager forced me to put a £1 in the “beer” fund for the up coming Xmas party! This while feeling ill and complaining about their lack of compassion for this ill and now very Grump Admin, drove me to a Grumpy state of such CBA that I spent the next hour cradling my coffee and doing what any lazy admin would do!
AUTOMATE the lock-workstation process… with yes you guessed it! Powershell!
I always have a USB stick on my ID lanyard, I often have it pliugged in, so i’m physically attached to my laptop! BING!
What if there was a way of constantly checking if my usb stick is in my laptop, and if it isn’t – lock the workstation. Right to google. I didn’t find any complete code that would do what I wanted it to do! So did the next best thing, cut and paste and tweaked other bits of code to get it to do what I want it to do.
if usb stick in computer then don’t lock screen – if it isn’t lock the bloody thing – no more “fines” for me… cakes, well cakes won’t ever be stopped, my expanding waist line will attest to that!
First challenge was can I use a Powershell function to lock my workstation. Once again Google came to my aid, and solved the answer with the below code snippet!
Function Lock-WorkStation {
$signature = @”
[DllImport(“user32.dll”, SetLastError = true)]
public static extern bool LockWorkStation();
“@$LockWorkStation = Add-Type -memberDefinition $signature -name “Win32LockWorkStation” -namespace Win32Functions -passthru
$LockWorkStation::LockWorkStation() | Out-Null
}
I lifted this function without tweaking, I tested it and it to my shock – locked my workstation! Snippet added to the code bank and this is the
first function for my new security system for my workstation – I am determined never to be caught out again!
Next challange – How do I tell if there is USB drive present?
Well google help me find this line of code, which did the trick – there is never any point in reinventing the wheel when someone else who no doubt is smarter than you have already solved the problem!
Get-WmiObject -Class Win32_LogicalDisk | Where-Object {($_.DriveType -eq 2) -and ($_.DeviceID -ne “A:”)}
This is great, it even takes in to account the type of drive and the checks if it is an usb floopy drive. (checking for the A:, yes I think there could be an issue if you have two usb floppy drives aka a B: – but if this is your usage case, you have bigger problems than locking a workstation – usb floppy drive seriously!!!)
DriveType – what is this I hear you screaming out! For this we have to go to MSDN and look up the win32_logicaldisk class,
which will explain everything that is returned when we do a get-wmiobject on that class.
https://msdn.microsoft.com/en-us/library/aa394173%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
As you can see listed under type is the following table :-
0 Unknown
1 No Root Directory
2 Removable Disk
3 Local Disk
4 Network Drive
5 Compact Disc
6 RAM Disk
As you can see, usb drives are type 2 – removable disk – this is great we have a detection method! How can we use that, well I guess we will have to write some code logic in PowerShell to handle that – yuck original code! dam you pastebin! Why didn’t you have what I needed! Makes me grumpy!
First lets put the output of the above in to a variable – as we will need that, how can we use it well if there no usb of type 2 enumerated in the system then that variable will be empty – and if there is then it won’t be
This is a switch!!! so we can use the following code block to encapsulate our actions on a usb stick being there or not
while($USBDrive_Present)
{}
else
{}
Excellent so far – next I have to keep refreshing $USBDrive_Present to keep the loop going
So again rather then create a function or anything, as I am a lazy coder, I just recopy the checking code again into the
right execution and add in a call to the lock-worksation function.
So my code now looks like this
Function CheckFor-USBDrive () {
# Gets the USB logical drive
$USBDrive_Present = Get-WmiObject -Class Win32_LogicalDisk | Where-Object {($_.DriveType -eq 2) -and ($_.DeviceID -ne “A:”)}# If a USB drive is present
while($USBDrive_Present) {# Recheck for USB flash drive, then continue while loop if applicable
$USBDrive_Present = Get-WmiObject -Class Win32_LogicalDisk | Where-Object {($_.DriveType -eq 2) -and ($_.DeviceID -ne “A:”)}
}
Lock-WorkStation
}
This works great! But once it has locked the workstation once, i would have to relaunch the CheckFor-USBDrive function
after it has locked my workstation. Ah ok then we can create another function and just make that a loop and all will be
good!
function secure-station {
while(1){
CheckFor-USBDrive
}}
Then all I need to do is load in my ps1 script with these functions, and then call secure-station – and then use my USB key as a requirement to have the screen unlocked. Login without any usb keys and it will automatically lock your workstation. Forget to push Windows Key + L and remove your USB stick which is attached to your lanyard, your workstation will automatically lock!
My fine problems are solved – you can use your own launch method, on start-up, via a short-cut etc to launch it when you first login. Very quick and simple additional layer of security that will save you from being that shame of the office email system saying your in love with the cleaner from downstairs.
Enjoy, here is the full code, use and abuse… and yes, it is bad code, it was a quick and dirty solution, and could do with cleaning up but I’m a lazy and grumpy admin so I won’t bother!
# DESCRIPTION: Locker – run constantly in the background it will always checks for the presence of a USB stick.
# if There is no USB stick (type 2) presence then the workstation locksFunction Lock-WorkStation {
$signature = @”
[DllImport(“user32.dll”, SetLastError = true)]
public static extern bool LockWorkStation();
“@$LockWorkStation = Add-Type -memberDefinition $signature -name “Win32LockWorkStation” -namespace Win32Functions -passthru
$LockWorkStation::LockWorkStation() | Out-Null
}Function CheckFor-USBDrive () {
# Gets the USB logical drive
$USBDrive_Present = Get-WmiObject -Class Win32_LogicalDisk | Where-Object {($_.DriveType -eq 2) -and ($_.DeviceID ne “A:”)}# If a USB drive is present
while($USBDrive_Present) {# Recheck for USB flash drive, then continue while loop if applicable
$USBDrive_Present = Get-WmiObject -Class Win32_LogicalDisk | Where-Object {($_.DriveType -eq 2) -and ($_.DeviceID -ne “A:”)}
}
Lock-WorkStation
}function secure-station {
while(1){
CheckFor-USBDrive
}}
secure-station
Hazzy