Windows 7: Securing Removable Drives
With the proliferation of removable storage devices such as USB flash drives, organizations have become increasingly concerned about the safety of their data.
What's to prevent a user from copying sensitive information from their work computers onto a flash drive and removing it from the premises, in violation of policy? And if users are allowed to use flash drives, what happens if they lose them? Is there any way to safeguard the data stored on these drives when they fall into the wrong hands?
Microsoft Windows 7 provides a solution to both these problems. First, if your Active Directory Domain Services (AD DS) infrastructure is running on Windows Server 2008 or later, you can use Group Policy to prevent users from installing flash drives and other USB removable storage devices on their computers. And if your client computers are running Windows 7, you can use BitLocker To Go to encrypt any data stored on such devices.
Here are tips on how the new operating system can be set to block installation and on how to manage encryption if you allow drive use.
The normal experience in Windows 7 when a user plugs a flash drive into a computer is that a balloon notification appears above the system tray (Figure 1).
Figure 1: Typical installation of a USB flash drive
Administrators who want to block automatic installation of USB storage devices on computers can do so by enabling the Prevent Installation of Removable Devices policy that is found at: Computer Configuration > Policies > Administrative Templates > System > Devices Installation > Device Installation Restrictions.
The prevent installation policy is available in AD DS domains running on Server 2008 or later and can be applied to client computers running Windows Vista or later (Figure 2).
Figure 2: Using Group Policy to prevent installation of USB removable storage devices
When the policy setting is applied to a computer running Windows 7 and the user of the computer plugs a flash drive into the computer, one of two things will happen. If the computer recognized the drive before the policy was applied, the drive will still be recognized and will not be blocked. If, however, the flash drive has never been plugged into the computer, Windows will attempt to install the device and then will display a balloon notification indicating that installation was blocked by policy (Figure 3).
Figure 3: Windows cannot install the flash drive because Group Policy is preventing it
One caution before you enable this policy: If you later decide to disable the policy setting to allow use of USB removable storage devices, any device previously blocked from use will not automatically be recognized by the system. Instead, the Devices And Printers window will display any previously blocked device as an “unspecified mass storage device.”
To get a blocked device to work properly, the user will need to right-click on the listed device and select Troubleshoot (Figure 4).
Figure 4: Troubleshooting a USB removable storage device that won't automatically install
Doing this runs the Devices and Printers troubleshooter, which after examining the device will prompt the user to install the appropriate driver (Figure 5).
Figure 5: Troubleshooting an unrecognized mass storage device
Once the driver has been installed, the device will be properly recognized in the Devices and Printers window (Figure 6).
Figure 6: The device has been properly recognized
To avoid this hassle, be sure to carefully plan before implementing this policy setting in your domain.
Encrypting Removable Devices
Windows 7 now provides an additional capability that can help organizations safeguard their data should they decide to allow use of flash drives and other USB removable storage devices. This new feature, BitLocker To Go, extends the BitLocker Drive Encryption first introduced in Windows Vista to include removable drives, rather than just fixed disks.
To see how this works, start by plugging a flash drive into your computer and making sure it is recognized and that drivers are installed. Then click the Start button, type “bitlocker” in the search box, and click Manage BitLocker from the search results. (This approach is faster than browsing Control Panel – really.) Now the BitLocker Drive Encryption window opens (Figure 7).
Figure 7: Configuring BitLocker and BitLocker To Go
To encrypt the flash drive, click Turn On BitLocker. Once BitLocker initializes the drive, you will be prompted to select the method to be used for unlocking the encrypted drive, which can be either a password or a smartcard. You will then be prompted to either save or print the recover key for the drive, which is needed to recover data should the password be forgotten or the smartcard lost. The drive is then encrypted, which can take several minutes or longer depending on drive size.
When the encrypted flash drive is removed and then re-inserted into the computer, the user is prompted to supply the decryption password or smartcard (Figure 8).
Figure 8: A password must be supplied to decrypt the flash drive once it has been encrypted
The encrypted flash drive also contains an application called BitLocker To Go Reader (bitlockertogo.exe) so that if you plug the drive into a computer running Windows Vista (or even Windows XP), you can open encrypted files stored on the drive (Figure 9). If you copy the files to your computer, the local versions of these files will be decrypted so you can modify them. The files on the flash drive will remain encrypted, however.
Figure 9: Using BitLocker To Go Reader on a Windows XP computer
Administrators can also configure BitLocker To Go using Group Policy. The policy settings for doing so are found at: Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives.
For example, you can use the Choose How BitLocker-Protected Removable Drives Can Be Recovered feature to set several recovery policies:
• whether data recovery agents can be used;
• whether users are allowed or required to generate a 48-digit recovery password and/or 256-bit recovery keys;
• whether recovery information should be stored in AD DS;
• whether to back up either the recovery password and key package or just the password (Figure 10).
Figure 10: Using Group Policy to specify how removable drives protected using BitLocker can be recovered