Using BitLocker to Encrypt Removable Media (Part 2)

Published on 22 April 2010 / Last Updated on 22 April 2010

How to enforce BitLocker security in a more uniform manner through the use of group policy settings.

If you would like to read the first part in this article series please go to

Introduction

The default settings in Windows 7 allow users to decide if and when they want to encrypt data on removable devices. This article explains how you can enforce BitLocker security in a more uniform manner through the use of group policy settings.

In the first part of this article series, I showed you how you could manually use BitLocker to encrypt the contents of a USB flash drive. Although the procedure that I showed you last time works well enough, it tends to leave a lot to chance. Imagine for instance that your company keeps a lot of sensitive information on file. Ideally, you would probably like to prevent any of that data from ever walking out the door. In reality though, you may have employees whose job functions require them to have certain data available, even when they are not connected to the network.

Since the last thing that you want is for an employee to misplace a USB drive filled with personal information about all of the organization’s customers, encryption is an absolute must. BitLocker to Go can definitely provide the type of encryption that you need, but the encryption method that I demonstrated in the first part of the series requires users to manually encrypt their own USB flash drives.

Obviously, we can’t just put encryption into the users’ hands and trust them to do it (especially when so much is at stake). Fortunately, we do not have to. Windows 7 and Windows Server 2008 R2 include group policy settings that you can use to control how and when BitLocker encryption is used.

The Group Policy Object Editor contains quite a few different group policy settings related to BitLocker encryption, but there is an entire folder containing the settings pertaining to BitLocker encryption of removable media. You can access this folder at Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Removable Data Drives. You can see the available group policy settings within this folder in Figure A.


Figure A: All of the settings related to BitLocker encryption of removable media are stored in the Removable Data Drives folder

Control Use of BitLocker on Removable Drives

The first group policy setting that I want to show you is the Control Use of BitLocker on Removable Drives setting. As the name implies, this setting allows you to control whether or not users are allowed to encrypt removable media with BitLocker.

At its simplest: if you leave this setting not configured, users can use BitLocker to encrypt removable media, and if you disable it, they cannot. There is a little more to it than that, though.

If you do choose to enable this group policy setting, there are two options you can set. The first lets you choose whether users are allowed to apply BitLocker protection to removable data drives. This option may seem redundant, but Microsoft included it so that, once the policy is enabled, it and the option described next can be controlled independently.

The second option controls whether users can suspend and decrypt BitLocker protection on removable data drives. In other words, it lets you decide whether users are allowed to turn BitLocker off for a removable storage device.

Configure Use of Smart Cards on Removable Drives

This group policy setting allows you to control whether smart cards can be used as a mechanism for authenticating users for access to BitLocker-encrypted content. If you do decide to enable this group policy setting, there is a sub-option you can use to require the use of smart cards. If you choose this option, users will only be able to access BitLocker-encrypted content by using smart-card-based authentication.

Deny Write Access to Removable Drives Not Protected By BitLocker

The Deny Write Access to Removable Drives Not Protected By BitLocker setting is one of the more important group policy settings related to the encryption of removable media. When you enable this setting, Windows checks every removable storage device inserted into the computer to see whether BitLocker encryption is enabled. If BitLocker isn’t enabled on the drive, the drive is treated as read-only; users are given write access only if BitLocker is enabled on it. That way, you can prevent users from writing data to unencrypted removable media.

When you enable this group policy setting, you are also given the option of blocking write access to devices configured in another organization. This option can go a long way in helping to prevent the unauthorized use of removable media.

Imagine for instance that you want to make sure that only authorized users write data to removable drives, and that any data written to removable drives is encrypted. Now suppose that a disgruntled employee decides that they want to copy your customer list to a USB flash drive. If one of your stated goals is to prevent data from being written to removable devices in an unencrypted format, then you would naturally enable the Deny Write Access to Removable Drives Not Protected By BitLocker setting.

That will give you some degree of protection, but it is still possible for a user to enable BitLocker on a home computer, encrypt a USB flash drive, and then bring the encrypted drive into the office and write data to it. Enabling the Do Not Allow Write Access to Devices Configured in Another Organization option allows Windows to look at where the removable storage device came from. If the device was encrypted by another organization, then BitLocker will deny write access to the device.
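The following PowerShell script is an added example, not code from the original article. It reports, for each removable drive currently attached, what the two checks described above would conclude: whether the drive is BitLocker-protected, and whether its identification field matches the organisation’s own. It reads the identification string from the registry-backed policy under HKLM\SOFTWARE\Policies\Microsoft\FVE (the value name IdentificationFieldString is assumed from the BitLocker ADMX; confirm it on your own system), enumerates removable disks through WMI, and parses the Protection Status and Identification Field lines that manage-bde -status prints. The comparison against a single identification string is a simplification of the policy’s behaviour. Run it from an elevated prompt, since manage-bde.exe needs administrative rights.

```powershell
# Added example: mirror the "Deny Write Access ... Not Protected By BitLocker" decision
# for attached removable drives, including the cross-organization option.
# Assumption: the policy's identification string lives in the IdentificationFieldString
# value under the FVE policy key (name taken from the BitLocker ADMX; verify locally).
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$orgIdField = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).IdentificationFieldString

function Get-RemovableDriveBitLockerState {
    # DriveType 2 = removable disk, per the Win32_LogicalDisk class documentation.
    $drives = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2'

    foreach ($d in $drives) {
        $letter = $d.DeviceID                                   # e.g. "E:"
        $status = & manage-bde.exe -status $letter 2>&1 | Out-String

        # "Protection Status:    Protection On" appears only for a protected volume.
        $protected = [bool]($status -match 'Protection Status:\s+Protection On')

        # "Identification Field: None" means the drive carries no organisation stamp.
        $idField = $null
        if ($status -match 'Identification Field:\s+(.+)') { $idField = $Matches[1].Trim() }
        if ($idField -eq 'None') { $idField = $null }

        # Unprotected drive -> read-only. Protected but stamped by another organisation
        # (or not stamped at all) -> read-only when the cross-org option is in force.
        $writable = $protected
        if ($writable -and $orgIdField -and ($idField -ne $orgIdField)) { $writable = $false }

        New-Object PSObject -Property @{
            Drive           = $letter
            Protected       = $protected
            Identification  = $idField
            WouldBeWritable = $writable
        } | Select-Object Drive, Protected, Identification, WouldBeWritable
    }
}

Get-RemovableDriveBitLockerState | Format-Table -AutoSize
```

The output is a quick way to confirm, before the policy is rolled out, which drives already in circulation will become read-only and which employees will need their drives re-encrypted with the organisation’s identification field.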

Allow Access to BitLocker Protected Removable Drives From Earlier Versions of Windows

I tend to think that this option is a bit misnamed. The reality is that Windows does not really care what version of Windows was used to format a removable drive. Instead, this option allows you to control whether or not you want to allow users to unlock BitLocker encrypted drives that have been formatted with the FAT file system.

If you enable this setting, there is another option that you can enable that will prevent the BitLocker to Go Reader from being installed onto drives that are formatted with the FAT file system.

Configure Use of Passwords for Removable Data Drives

This is one of the more self-explanatory settings. It lets you control whether a password is required to unlock the contents of removable drives. If you do want to password-protect removable drives, you can also set the password’s length and complexity requirements.
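As an added example (not part of the original article), the script below audits the settings discussed in the sections above, from Control Use of BitLocker on Removable Drives through Configure Use of Passwords for Removable Data Drives, by reading the registry values that group policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE on a domain-joined Windows 7 machine after a policy refresh. The mapping from policy name to registry value name (RDVConfigureBDE, RDVAllowBDE, RDVDisableBDE, RDVAllowUserCert, RDVEnforceUserCert, RDVDenyWriteAccess, RDVDenyCrossOrg, RDVPassphrase, RDVEnforcePassphrase, RDVPassphraseComplexity, RDVPassphraseLength) is taken from the BitLocker ADMX as I understand it and should be confirmed against the template on your own system; the baseline check at the end encodes the posture this article argues for, not a Microsoft recommendation.

```powershell
# Added example: audit the removable-drive BitLocker policy values on the local machine.
# Assumption: value names below come from the BitLocker ADMX; verify them locally.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Policy setting name -> registry value name(s) it writes when enabled.
$settings = @(
    @{ Name   = 'Control Use of BitLocker on Removable Drives'
       Values = 'RDVConfigureBDE', 'RDVAllowBDE', 'RDVDisableBDE' },
    @{ Name   = 'Configure Use of Smart Cards on Removable Drives'
       Values = 'RDVAllowUserCert', 'RDVEnforceUserCert' },
    @{ Name   = 'Deny Write Access to Removable Drives Not Protected By BitLocker'
       Values = 'RDVDenyWriteAccess', 'RDVDenyCrossOrg' },
    @{ Name   = 'Configure Use of Passwords for Removable Data Drives'
       Values = 'RDVPassphrase', 'RDVEnforcePassphrase', 'RDVPassphraseComplexity', 'RDVPassphraseLength' }
)

function Get-RemovableDrivePolicy {
    # One row per registry value; "Not Configured" when the value is absent.
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    foreach ($s in $settings) {
        foreach ($v in $s.Values) {
            $data = if ($props -and $props.PSObject.Properties[$v]) { $props.$v } else { 'Not Configured' }
            New-Object PSObject -Property @{ Setting = $s.Name; Value = $v; Data = $data } |
                Select-Object Setting, Value, Data
        }
    }
}

function Test-RemovableDriveBaseline {
    # Returns the list of gaps against the posture described in the article:
    # unencrypted drives read-only, foreign drives read-only, users unable to
    # suspend/decrypt, and a password required to unlock.
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $findings = @()
    if (-not $p -or $p.RDVDenyWriteAccess -ne 1) { $findings += 'Write access to unprotected removable drives is not denied' }
    if (-not $p -or $p.RDVDenyCrossOrg -ne 1)    { $findings += 'Write access to drives configured in another organization is not denied' }
    if ($p -and $p.RDVDisableBDE -eq 1)          { $findings += 'Users may suspend or decrypt BitLocker on removable drives' }
    if (-not $p -or $p.RDVEnforcePassphrase -ne 1) { $findings += 'A password is not required to unlock removable drives' }
    return ,$findings
}

Get-RemovableDrivePolicy | Format-Table -AutoSize
$gaps = Test-RemovableDriveBaseline
if ($gaps.Count -eq 0) { 'Removable-drive policy meets the baseline' } else { $gaps }
```

Because the values are read from the local registry rather than from the GPO itself, the script reports the policy as it actually applies after gpupdate, which is what matters when verifying that a workstation in a particular OU really received the settings.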

Conclusion

The group policy settings that I have shown you go a long way toward controlling how BitLocker is used with removable media. One of the problems with encrypting data, however, is that if the encryption keys are lost, the data cannot be decrypted. In Part 3, I will show you a technique for avoiding this problem by storing the encryption keys in Active Directory.
