Oct 20 2009

Securing Removable Drives in Windows 7

Policy settings and BitLocker encryption let IT set the parameters for removable drive use.

With the proliferation of removable storage devices such as USB flash drives, organizations have become more and more concerned about the safety of their data.

What's to prevent a user from copying sensitive information from their work computers onto a flash drive and removing it from the premises in violation of policy? And if users are allowed to use flash drives, what happens if they lose them? Is there any way to safeguard the data stored on these drives when they fall into the wrong hands?

Microsoft Windows 7 provides a solution to both these problems. First, if your Active Directory Domain Services (AD DS) infrastructure is running on Windows Server 2008 or later, you can use Group Policy to prevent users from installing flash drives and other USB removable storage devices on their computers. And if your client computers are running Windows 7, you can use BitLocker To Go to encrypt any data stored on such devices.

Here are tips on how the new operating system can be set to block installation and also on how to manage encryption if you allow drive use.

Preventing Installation

The normal experience in Windows 7 when a user plugs a flash drive into a computer is that a balloon notification appears above the system tray (Figure 1).

Figure 1: Typical installation of a USB flash drive

Administrators who want to block automatic installation of USB storage devices on computers can do so by enabling the Prevent Installation of Removable Devices policy setting, found at: Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions.

The prevent installation policy is available in AD DS domains running on Server 2008 or later and can be applied to client computers running Windows Vista or later (Figure 2).

Figure 2: Using Group Policy to prevent installation of USB removable storage devices

When the policy setting is applied to a computer running Windows 7 and the user of the computer plugs a flash drive into the computer, one of two things will happen. If the drive had been recognized by the computer before the policy was applied, it will still be recognized and the user will be able to use it, because the policy restricts driver installation rather than access to devices that are already installed. If, however, the flash drive had never been plugged into the computer, Windows will attempt to install the device and then will display a balloon notification indicating that installation was blocked by policy (Figure 3).

Figure 3: Windows cannot install the flash drive because Group Policy is preventing it.

Before you enable this policy setting to block users from using USB removable storage devices, be aware of one side effect. If you later disable the setting to allow such devices again, any devices that were blocked while it was in force will not automatically be recognized on those computers. Instead, the Devices And Printers window will display the previously blocked devices as "unspecified mass storage devices."

To get these devices to work properly, the user will need to right-click on the listed device and select Troubleshoot (Figure 4).

Figure 4: Troubleshooting a USB removable storage device that won't automatically install

Doing this runs the Devices and Printers troubleshooter, which after examining the device will prompt the user to install the appropriate driver (Figure 5).

Figure 5: Troubleshooting an unrecognized mass storage device

Once the driver has been installed, the device will be properly recognized in the Devices and Printers window (Figure 6).

Figure 6: The device has been properly recognized.

Because of this process, be sure to carefully plan before implementing this policy setting in your domain.
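The procedure above is driven from the Group Policy Management Console. Below is an added example, not from the article, that does the same two things from PowerShell: it enables the setting in a GPO using the GroupPolicy module (available with GPMC on Windows Server 2008 R2 or the Windows 7 RSAT), and it audits a Windows 7 client for USB storage devices that were installed before the policy arrived, since those devices keep working. The GPO name is an assumption; the registry value names are those the Device Installation Restrictions policy writes.

```powershell
# Added example (not from the article). Part 1 runs on a management station with
# the GroupPolicy module; part 2 runs on a Windows 7 client after gpupdate /force.
Import-Module GroupPolicy

$gpoName = 'Block USB Storage Install'   # assumed GPO name; create it first with New-GPO -Name $gpoName
$key     = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# "Prevent installation of removable devices" = Enabled writes DenyRemovableDevices = 1.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'DenyRemovableDevices' -Type DWord -Value 1 | Out-Null

# Optional companion setting: let local administrators override the restriction
# ("Allow administrators to override Device Installation Restriction policies").
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'AllowAdminInstall' -Type DWord -Value 1 | Out-Null

# Read the GPO back before linking it with New-GPLink.
Get-GPRegistryValue -Name $gpoName -Key $key | Format-Table ValueName, Type, Value -AutoSize

# ---- Part 2: on the client ----------------------------------------------------------

function Test-RemovableInstallBlocked {
    # $true when the policy has reached this machine.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    if (-not (Test-Path $path)) { return $false }
    $v = Get-ItemProperty -Path $path -Name DenyRemovableDevices -ErrorAction SilentlyContinue
    return ($v -ne $null -and $v.DenyRemovableDevices -eq 1)
}

function Get-PreviouslyInstalledUsbStorage {
    # Every USB mass-storage device ever installed leaves a key under Enum\USBSTOR
    # (one subkey per model, one below that per serial number). These already have a
    # driver, so the installation restriction does not stop them.
    $enum = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $enum)) { return @() }
    Get-ChildItem $enum | ForEach-Object {
        $model = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            New-Object PSObject -Property @{
                Model        = $model
                SerialNumber = $_.PSChildName
                FriendlyName = $p.FriendlyName
            }
        }
    }
}

"Policy applied on $env:COMPUTERNAME : $(Test-RemovableInstallBlocked)"
Get-PreviouslyInstalledUsbStorage | Format-Table Model, SerialNumber, FriendlyName -AutoSize
```

The USBSTOR listing is the list of drives the policy will not block on that machine; if the goal is to stop those as well, the installation restriction alone is not enough and access to already-installed devices has to be denied separately.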

Encrypting Removable Devices

Windows 7 now provides an additional capability that can help organizations safeguard their data should they decide to allow use of flash drives and other USB removable storage devices. This new feature, BitLocker To Go, extends the BitLocker Drive Encryption first introduced in Windows Vista to include removable drives, rather than just fixed disks.

To see how this works, start by plugging a flash drive into your computer to make sure it is recognized and that drivers are installed. Then click the Start button, type “bitlocker” in the search box, and click Manage BitLocker from the search results. (This approach is faster than browsing Control Panel — really.) Now, the BitLocker Drive Encryption window opens (Figure 7).

Figure 7: Configuring BitLocker and BitLocker To Go

To encrypt the flash drive, click Turn On BitLocker. Once BitLocker initializes the drive, the user is prompted to select the method to be used for unlocking the encrypted drive, which can be either a password or a smart card. The user is then prompted to save or print the recovery key for the drive, which is needed to recover the data should the password be forgotten or the smart card lost. The drive is then encrypted, which can take several minutes or longer depending on drive size.

When the encrypted flash drive is removed and then re-inserted into the computer, the user is prompted to supply the decryption password or smartcard (Figure 8).

Figure 8: A password must be supplied to decrypt the flash drive once it has been encrypted.
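The wizard steps just described can also be run from an elevated command prompt on Windows 7 with the built-in manage-bde.exe. The following is an added example, not from the article; Windows 7 has no BitLocker PowerShell module, so these functions wrap manage-bde and parse its text output. The drive letter and the path used to file the recovery password are assumptions.

```powershell
# Added example (not from the article): BitLocker To Go with manage-bde.exe. Run elevated.

function Enable-BitLockerToGo {
    param([string]$Drive = 'E:',
          [string]$RecoveryFile = "$env:USERPROFILE\BitLocker-$($Drive[0]).txt")   # assumed location

    # -RecoveryPassword adds the 48-digit numerical recovery password; -Password adds the
    # unlock password and prompts for it interactively (manage-bde in Windows 7 does not
    # take the password on the command line). Encryption starts as soon as this returns.
    & manage-bde.exe -on $Drive -RecoveryPassword -Password | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed for $Drive (exit code $LASTEXITCODE)" }

    # Retrieve the recovery password so it can be printed or filed, which is what the
    # wizard does when it asks the user to save or print the recovery key.
    $recovery = Get-BitLockerToGoRecoveryPassword -Drive $Drive
    Set-Content -Path $RecoveryFile -Value $recovery
    return $recovery
}

function Get-BitLockerToGoRecoveryPassword {
    param([string]$Drive = 'E:')
    # "manage-bde -protectors -get" lists each key protector; a Numerical Password
    # protector is followed by the 48-digit value written as eight groups of six digits.
    $text = (& manage-bde.exe -protectors -get $Drive) -join "`n"
    $m = [regex]::Match($text, '(\d{6}-){7}\d{6}')
    if (-not $m.Success) { throw "No numerical password protector found on $Drive" }
    return $m.Value
}

function Get-BitLockerToGoStatus {
    param([string]$Drive = 'E:')
    # Turn the "Field: Value" lines of "manage-bde -status" into a hashtable.
    $status = @{}
    & manage-bde.exe -status $Drive | ForEach-Object {
        if ($_ -match '^\s*([^:]+?):\s+(.+?)\s*$') { $status[$matches[1].Trim()] = $matches[2] }
    }
    return $status
}

function Unlock-BitLockerToGo {
    param([string]$Drive = 'E:', [string]$RecoveryPassword)
    # Normal unlock prompts for the password; the recovery password is passed directly,
    # which is the path you take when the user has forgotten the password.
    if ($RecoveryPassword) { & manage-bde.exe -unlock $Drive -RecoveryPassword $RecoveryPassword | Out-Null }
    else                   { & manage-bde.exe -unlock $Drive -Password | Out-Null }
    return ($LASTEXITCODE -eq 0)
}

# Usage:
$rp = Enable-BitLockerToGo -Drive 'E:'
"Recovery password: $rp"
$s = Get-BitLockerToGoStatus -Drive 'E:'
"Conversion: $($s['Conversion Status'])  Encrypted: $($s['Percentage Encrypted'])  Lock: $($s['Lock Status'])"
```

Check Percentage Encrypted reaches 100% before handing the drive out; a removable drive pulled mid-conversion is only partly protected, and manage-bde -status is the quickest way to see where it stands.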

The encrypted flash drive also contains an application called BitLocker To Go Reader (bitlockertogo.exe) so that if you plug the drive into a computer running Windows Vista or even Windows XP, you can open encrypted files stored on the drive (Figure 9). The Reader is read-only and works only with drives formatted as FAT, FAT32 or exFAT; an NTFS-formatted drive can be unlocked only on Windows 7. If you copy the files to your computer, the local copies are decrypted so you can modify them. The files on the flash drive remain encrypted, however.

Figure 9: Using BitLocker To Go Reader on a Windows XP computer

Administrators can also configure how BitLocker To Go works using Group Policy. The policy settings for doing so are found at: Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives.

For example, you can use the Choose How BitLocker-Protected Removable Drives Can Be Recovered policy setting to control several aspects of recovery:

  • whether data recovery agents can be used;
  • whether users are allowed or required to generate a 48-digit recovery password and/or a 256-bit recovery key;
  • whether recovery information should be stored in AD DS;
  • whether to back up both the recovery password and the key package, or just the password (Figure 10).

Figure 10: Using Group Policy to specify how removable drives protected using BitLocker can be recovered
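The recovery options in that list map to DWORD values under the FVE policy key. As an added example, not from the article, this script sets the policy in a GPO with the GroupPolicy module so that a recovery password is mandatory and BitLocker To Go cannot be enabled until the recovery information has been backed up to AD DS, then reads the GPO back and checks that the combination is sensible. The GPO name is an assumption; the RDV* value names are those VolumeEncryption.admx uses for removable data volumes, so confirm them against the ADMX in your central store.

```powershell
# Added example (not from the article): configure BitLocker To Go recovery policy in a GPO.
Import-Module GroupPolicy

$gpoName = 'BitLocker To Go Recovery'   # assumed GPO name; create it first with New-GPO -Name $gpoName
$key     = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'

# Value names as written by "Choose how BitLocker-protected removable drives can be recovered".
$settings = @{
    RDVRecovery                     = 1   # policy Enabled
    RDVManageDRA                    = 1   # allow data recovery agents
    RDVRecoveryPassword             = 1   # 48-digit recovery password: 0 = not allowed, 1 = required, 2 = allowed
    RDVRecoveryKey                  = 2   # 256-bit recovery key:       0 = not allowed, 1 = required, 2 = allowed
    RDVActiveDirectoryBackup        = 1   # save recovery information to AD DS
    RDVActiveDirectoryInfoToStore   = 1   # 1 = recovery passwords and key packages, 2 = recovery passwords only
    RDVRequireActiveDirectoryBackup = 1   # refuse to enable BitLocker until the AD DS backup succeeds
    RDVHideRecoveryPage             = 0   # keep the recovery options page visible in the wizard
}

foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName $name -Type DWord -Value $settings[$name] | Out-Null
}

# Read the GPO back and sanity-check it: requiring an AD DS backup is only meaningful when
# at least one of the recoverable protectors (password or key) is itself required.
$applied = @{}
Get-GPRegistryValue -Name $gpoName -Key $key | ForEach-Object { $applied[$_.ValueName] = $_.Value }

$requiresRecoverable = ($applied['RDVRecoveryPassword'] -eq 1) -or ($applied['RDVRecoveryKey'] -eq 1)
if ($applied['RDVRequireActiveDirectoryBackup'] -eq 1 -and -not $requiresRecoverable) {
    Write-Warning 'AD DS backup is required but neither the recovery password nor the recovery key is mandatory.'
}
if ($applied['RDVActiveDirectoryBackup'] -ne 1 -and $applied['RDVRequireActiveDirectoryBackup'] -eq 1) {
    Write-Warning 'RDVRequireActiveDirectoryBackup is set without RDVActiveDirectoryBackup; nothing will be backed up.'
}

$applied.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

Requiring the AD DS backup is what makes the policy enforceable: without it, a user can still complete the wizard on a laptop that is off the network and the helpdesk has nothing to look up when the password is lost.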

Mitch Tulloch is a Microsoft Most Valuable Professional and lead author of the Windows 7 Resource Kit. Contact him through his website.
