Using BitLocker to Encrypt Removable Media (Section 2)

Date: 2012/01/18
The default settings in Windows 7 allow users to decide if and when they want to encrypt data on removable devices. This article explains how you can enforce BitLocker security in a more uniform manner through the use of group policy settings.
In the first part of this article series, I showed you how you could manually use BitLocker to encrypt the contents of a USB flash drive. Although the procedure that I showed you last time works well enough, it tends to leave a lot to chance. Imagine for instance that your company keeps a lot of sensitive information on file. Ideally, you would probably like to prevent any of that data from ever walking out the door. In reality though, you may have employees whose job functions require them to have certain data available, even when they are not connected to the network.
Since the last thing that you want is for an employee to misplace a USB drive filled with personal information about all of the organization’s customers, encryption is an absolute must. BitLocker to Go can definitely provide the type of encryption that you need, but the encryption method that I demonstrated in the first part of the series requires users to manually encrypt their own USB flash drives.
Obviously, we can’t just put encryption into the user’s hands and trust them to do it. Fortunately, we do not have to. Windows 7 and Windows Server 2008 R2 include group policy settings that you can use to control how and when BitLocker encryption is used.
The Group Policy Object Editor contains quite a few different group policy settings related to BitLocker encryption, but there is an entire folder containing the settings pertaining to BitLocker encryption of removable media. You can access this folder at Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Removable Data Drives.
Control Use of BitLocker on Removable Drives
The first group policy setting that I want to show you is the Control Use of BitLocker on Removable Drives setting. As the name implies, this setting allows you to control whether or not users are allowed to encrypt removable media with BitLocker.
At its simplest, disabling this setting prevents users from encrypting removable media, whereas leaving it Not Configured lets users encrypt removable media with BitLocker at their own discretion.
If you do choose to enable this group policy setting, then there are two options that you can set. The first of these options allows you to choose whether or not users are allowed to apply BitLocker protection to removable data drives. This option may seem redundant, but Microsoft included it so that, once the policy is enabled, this option and the next one can be controlled independently of each other.
The second option controls whether users may suspend or decrypt BitLocker protection on removable data drives. In other words, you can control whether or not users are allowed to turn off BitLocker for a removable storage device.
Configure Use of Smart Cards on Removable Drives
This group policy setting allows you to control whether or not smart cards can be used as a mechanism for authenticating users to BitLocker encrypted content. If you do decide to enable this group policy setting, then there is a sub-option that you can use to require the use of smart cards. If you choose this option, then users will only be able to access BitLocker encrypted content by using smart card-based authentication.
Deny Write Access to Removable Drives Not Protected By BitLocker
The Deny Write Access to Removable Drives Not Protected By BitLocker setting is one of the more important group policy settings related to the encryption of removable media. When you enable this setting, Windows checks every removable storage device that is inserted into the computer to see whether BitLocker encryption is enabled. If BitLocker isn’t enabled on the drive, then the drive is treated as read-only. Users are only given write access if BitLocker is enabled on the drive. That way, you can prevent users from writing data to unencrypted removable media.
That will give you some degree of protection, but it is still possible for a user to enable BitLocker on a home computer, encrypt a USB flash drive, and then bring the encrypted drive into the office and write data to it. Enabling the Do Not Allow Write Access to Devices Configured in Another Organization option allows Windows to look at where the removable storage device came from: it compares the identification field that BitLocker writes to the drive against the identifiers you have defined for your own organization. If the device was encrypted by another organization, then BitLocker will deny write access to the device.
Configure Use of Passwords for Removable Data Drives
This is one of the more self-explanatory settings. It allows you to control whether or not you want to require the use of a password to unlock the contents of removable drives. Assuming that you do want to password protect removable drives, you also have the option to control the password’s length and complexity requirements.
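Once these policies are deployed, you will want a quick way to confirm that a given workstation actually received them and that the removable drives plugged into it are in the expected state. The following PowerShell script is an added example, not part of the original article; it reads the registry values that the Removable Data Drives policies above write under HKLM\SOFTWARE\Policies\Microsoft\FVE (value names taken from VolumeEncryption.admx) and, on Windows 8 / Server 2012 or later where the BitLocker module exists, lists the protection state of each attached removable drive.

```powershell
# Audit the BitLocker To Go policy values written by the GPOs discussed above,
# then report the protection state of every removable drive currently attached.
$fvePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Registry value name -> the policy setting / option it corresponds to.
$policyChecks = [ordered]@{
    'RDVConfigureBDE'      = 'Control use of BitLocker on removable drives'
    'RDVAllowBDE'          = '  Allow users to apply BitLocker protection'
    'RDVDisableBDE'        = '  Allow users to suspend and decrypt BitLocker protection'
    'RDVAllowUserCert'     = 'Configure use of smart cards on removable drives'
    'RDVEnforceUserCert'   = '  Require use of smart cards'
    'RDVDenyWriteAccess'   = 'Deny write access to removable drives not protected by BitLocker'
    'RDVDenyCrossOrg'      = '  Do not allow write access to devices configured in another organization'
    'RDVPassphrase'        = 'Configure use of passwords for removable data drives'
    'RDVEnforcePassphrase' = '  Require password for removable data drive'
    'RDVPassphraseLength'  = '  Minimum password length'
}

function Get-RemovableDrivePolicy {
    # A value that is absent means the policy (or option) is Not Configured on this machine.
    $policy = if (Test-Path $fvePolicyPath) { Get-ItemProperty -Path $fvePolicyPath } else { $null }
    foreach ($name in $policyChecks.Keys) {
        $value = if ($policy -and $null -ne $policy.$name) { $policy.$name } else { 'Not configured' }
        [pscustomobject]@{ Setting = $policyChecks[$name]; RegistryValue = $name; Value = $value }
    }
}

function Get-RemovableDriveState {
    # Get-BitLockerVolume ships with the BitLocker module on Windows 8 / Server 2012 and later;
    # on Windows 7 use 'manage-bde -status' and read the output by hand instead.
    Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'Data' } | ForEach-Object {
        $letter = $_.MountPoint.TrimEnd(':', '\')
        $volume = Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue
        if ($volume -and $volume.DriveType -eq 'Removable') {
            [pscustomobject]@{
                Drive            = $_.MountPoint
                ProtectionStatus = $_.ProtectionStatus   # On / Off
                LockStatus       = $_.LockStatus         # Locked / Unlocked
                KeyProtectors    = ($_.KeyProtector.KeyProtectorType -join ', ')  # e.g. Password, RecoveryPassword
            }
        }
    }
}

Get-RemovableDrivePolicy | Format-Table -AutoSize
Get-RemovableDriveState  | Format-Table -AutoSize
```

An unencrypted drive will not appear in the second table at all, while a drive that shows ProtectionStatus Off with no Password or smart card protector is one the Deny Write Access policy should be blocking.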

One of the problems with encrypting data is that if the encryption keys are lost, then the data cannot be decrypted. In Part 3, I will show you a technique for avoiding this problem by storing the recovery keys in Active Directory.






Creation date: 18 Mordad 1393


