Use BitLocker to encrypt external storage drives - Part 2

Network Administration - In part two of this article series, I will show you how to enforce BitLocker security in a more consistent way using group policy settings.

>> Using BitLocker to encrypt external storage drives - Part 1

The default settings in Windows 7 allow users to decide whether to encrypt and when to encrypt data on external drives. In the second part of this article series, I will show you how to enforce BitLocker security in a more consistent way using group policy settings.

In part one, I showed you how to use BitLocker manually to encrypt the contents of a USB drive. Although the procedure that we introduced in the previous section worked quite well, there are still many other options. Imagine if your company has a lot of sensitive information on data files. Ideally, you will definitely want to protect all that data safely. In fact, however, there are many employees in your company where their job requires access to certain data, even when they cannot connect to the corporate network.

One more thing to assume for the situation here is that your employees can leave their USB somewhere and inside that USB contains a lot of customer data, then the encryption is captured. must have. BitLocker to Go can provide the type of encryption you need now, but the encryption method that we introduced you in Part 1 of this series requires users to encrypt their USB storage drives themselves. they.

Obviously we can't put this encryption job into the hands of users and trust they will do this well. To be more feasible, we need to find another method. Windows 7 and Windows Server 2008 R2 have group policy settings that we can use to control how and when to use BitLocker encryption.

The Group Policy Object Editor contains quite a few Group Policy settings related to BitLocker encryption, but there is a directory that contains BitLocker encryption settings for external storage devices. You can access this folder at the Computer Configuration Administrative Templates Windows Components BitLocker Drive Encryption Removable Data Drives . You can see the group policy settings inside this folder in Figure A.

Use BitLocker to encrypt external storage drives - Part 2 Picture 1
Figure A: All settings related to external storage encryption are stored in the Removable Data Drives folder

Control the use of BitLocker on external storage drives

Setting up the first Group Policy I want to introduce is setting the ' Control Use of BitLocker on Removable Drives '. As its name implies, this setting allows you to control whether users are allowed to encrypt external storage devices with BitLocker.

Most simply, disabling this setting will prevent users from encrypting external storage devices, while they will be able to use BitLocker to encrypt them if you do not do anything.

If you choose to disable group policy settings, there are two other options that can be set. The first of these two options is to allow users to use BitLocker protection on external storage devices. Obviously this option is a bit cumbersome, but the reason why Microsoft offers it is because it allows you to control this setting and the next setting that we will introduce when group policy setting is clicked. active.

The second setting allows users to defer and decrypt BitLocker protection on external storage devices. In other words, you can control allowing users to turn off BitLocker for external storage devices.

Configure smart card usage on external storage drives

This group policy setting allows you to control the use of smart cards as a mechanism for authenticating users in accessing BitLocker encrypted content. If the decision to activate this Group Policy setting, there will be a sub-option that you can use to request the use of a smart card. If you select this option, users will only be able to access BitLocker-encrypted content using the smart card authentication process.

Deny 'Write' access to external storage drives not protected by BitLocker

The ' Deny Write Access to Removable Drives Not Protected By BitLocker ' setting is one of the important Group Policy settings related to external storage encryption. When this setting is enabled, Windows will check for external storage devices connected to the computer to see if BitLocker encryption is enabled. If BitLocker is not enabled on the device, then it will be processed in ' read only ' status. Users only receive ' write ' access if BitLocker is enabled on the device. This way, you can prevent users from recording data and unencrypted external storage devices.

When you enable this group policy setting, you are also given the ' write ' level access lock option for the device that is configured in another organization. This option can also help you prevent the use of unattended external storage devices.

Imagine if you want to ensure that only authenticated (authorized) users can write data to external storage devices, and any data written to those devices is encode. Now assume that a certain employee in your company wants to copy your customer list to USB. If one of your stated goals is to prevent writing data to external storage devices in an unencrypted format, you have now enabled the ' Deny Write Access to Removable Drives setting. Not Protected By BitLocker '.

That will allow you to have some level of protection, but it can also allow users to enable BitLocker on their home computer, USB encryption, and then bring the encrypted drive to the office and write data up. Activating the ' Do Not Allow Write Access to Devices Configured in Another Organization ' option will allow Windows to find out where an external storage device comes from. If the device is encrypted by another organization, BitLocker will deny ' write ' access to them.

Allows access to external storage devices protected by BitLocker from previous Windows versions

Some people claim that this option is named yet not satisfactory. The truth is that Windows doesn't really care what version of Windows is used to format an external storage device. Instead, this option allows you to control whether to allow users to unlock formatted BitLocker encrypted storage devices with the FAT file system.

If this setting is enabled, there will be another option you can enable to prevent the BitLocker to Go Reader from installing into the storage volumes that have been formatted with the FAT file system.

Configure using a password for an external storage device

This is one of the most understandable settings. It allows you to control whether or not to require the use of a password to unlock the contents of external storage devices. Assuming that you want to protect the password for these external storage devices, you will then have the option to control the length and requirements of the password level calculation.

Conclude

The group policy settings we introduced to you are aimed at controlling how BitLocker will be used with external storage devices. Although one of the problems with data encryption is that if the encryption keys are lost, then your data will not be decrypted. So in Part 3 of this series, I will show you a technique that can avoid this problem by saving the encryption keys in Active Directory.