Tactical Advice

Securing Removable Drives in Windows 7

Policy settings and BitLocker encryption let IT set the parameters for removable drive use.
This story appears in the September 2009 issue of BizTech Magazine.

With the proliferation of removable storage devices such as USB flash drives, organizations have become more and more concerned about the safety of their data.

What's to prevent a user from copying sensitive information from their work computers onto a flash drive and removing it from the premises in violation of policy? And if users are allowed to use flash drives, what happens if they lose them? Is there any way to safeguard the data stored on these drives when they fall into the wrong hands?

Microsoft Windows 7 provides a solution to both these problems. First, if your Active Directory Domain Services (AD DS) infrastructure is running on Windows Server 2008 or later, you can use Group Policy to prevent users from installing flash drives and other USB removable storage devices on their computers. And if your client computers are running Windows 7, you can use BitLocker To Go to encrypt any data stored on such devices.

Here are tips on how the new operating system can be set to block installation and also on how to manage encryption if you allow drive use.

Preventing Installation

The normal experience in Windows 7 when a user plugs a flash drive into a computer is that a balloon notification appears above the system tray (Figure 1).

Figure 1: Typical installation of a USB flash drive

Administrators who want to block automatic installation of USB storage devices on computers can do so by enabling the Prevent Installation of Removable Devices policy that is found at: Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions.

The prevent installation policy is available in AD DS domains running on Server 2008 or later and can be applied to client computers running Windows Vista or later (Figure 2).

Figure 2: Using Group Policy to prevent installation of USB removable storage devices

When the policy setting is applied to a computer running Windows 7 and the user of the computer plugs a flash drive into the computer, one of two things will happen. If the drive was recognized by the computer before the policy was applied, the drive will still be recognized and the user will be able to use it. If, however, the flash drive had never been plugged into the computer, Windows will attempt to install the device and then will display a balloon notification indicating that installation was blocked by policy (Figure 3).

Figure 3: Windows cannot install the flash drive because Group Policy is preventing it.

Before you enable this policy to block users from using USB removable storage devices, you need to be aware of one thing. If you later decide to disable the policy setting to allow such devices, any devices previously blocked from use will not automatically be recognized on the computers. Instead, the Devices And Printers window will display the previously blocked devices as “unspecified mass storage devices.”

To get these devices to work properly, the user will need to right-click on the listed device and select Troubleshoot (Figure 4).

Figure 4: Troubleshooting a USB removable storage device that won't automatically install

Doing this runs the Devices and Printers troubleshooter, which after examining the device will prompt the user to install the appropriate driver (Figure 5).

Figure 5: Troubleshooting an unrecognized mass storage device

Once the driver has been installed, the device will be properly recognized in the Devices and Printers window (Figure 6).

Figure 6: The device has been properly recognized.

Because of this process, be sure to carefully plan before implementing this policy setting in your domain.
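The following PowerShell script is an added example, not code from the article or from Microsoft. It shows what an administrator would check on a Windows 7 client once the policy is deployed: whether the Prevent Installation of Removable Devices setting is in effect (it is assumed here to be backed by the DenyRemovableDevices value under the DeviceInstall\Restrictions policy key, as defined in the Device Installation ADMX template), and which USB storage devices were already installed before the policy arrived, since those remain usable as described above. The Set-RemovableDeviceInstallPolicy function writes the same value into a GPO with the GroupPolicy module; the GPO name is a placeholder.

```powershell
# Added example (not from the article): audit the "Prevent installation of
# removable devices" restriction on a Windows 7 client and list USB storage
# devices that were installed before the policy took effect.
# Assumptions: the policy is backed by the registry value below (Device
# Installation ADMX template); the GPO name passed to Set-GPRegistryValue is
# a placeholder. Written for PowerShell 2.0, which ships with Windows 7.

$restrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-RemovableDeviceInstallPolicy {
    # Returns $true when Group Policy denies installation of removable devices.
    $item = Get-ItemProperty -Path $restrictionsKey -Name DenyRemovableDevices -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $false }
    return ($item.DenyRemovableDevices -eq 1)
}

function Get-InstalledUsbStorageDevices {
    # Devices whose driver is already installed stay usable after the policy
    # applies, so these are the ones an administrator should review.
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.DeviceID -like 'USBSTOR\*' } |
        Select-Object Name, DeviceID, Status
}

function Set-RemovableDeviceInstallPolicy {
    param([Parameter(Mandatory=$true)][string]$GpoName)   # placeholder GPO name
    # Requires the GroupPolicy module (RSAT on Windows 7, or Server 2008 R2).
    Import-Module GroupPolicy
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions' `
        -ValueName 'DenyRemovableDevices' -Type DWord -Value 1
}

# Client-side audit run:
if (Get-RemovableDeviceInstallPolicy) {
    Write-Host 'Installation of removable devices is denied by policy.'
} else {
    Write-Host 'No removable-device installation restriction is in effect.'
}
Write-Host 'USB storage devices already installed on this computer:'
Get-InstalledUsbStorageDevices | Format-Table -AutoSize

# Domain-side deployment (run on a machine with the GroupPolicy module):
# Set-RemovableDeviceInstallPolicy -GpoName 'Removable Device Restrictions'
```

Run the audit before enabling the policy in your domain: the list of already-installed USBSTOR devices tells you which computers will keep working with their existing flash drives, and which will hit the troubleshooter sequence shown in Figures 4 through 6 if the policy is later reversed.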

Encrypting Removable Devices

Windows 7 now provides an additional capability that can help organizations safeguard their data should they decide to allow use of flash drives and other USB removable storage devices. This new feature, BitLocker To Go, extends the BitLocker Drive Encryption first introduced in Windows Vista to include removable drives, rather than just fixed disks.

To see how this works, start by plugging a flash drive into your computer to make sure it is recognized and that drivers are installed. Then click the Start button, type “bitlocker” in the search box, and click Manage BitLocker from the search results. (This approach is faster than browsing Control Panel — really.) Now, the BitLocker Drive Encryption window opens (Figure 7).

Figure 7: Configuring BitLocker and BitLocker To Go

To encrypt the flash drive, click Turn On BitLocker. Once BitLocker initializes the drive, the user is prompted to select the method to be used for unlocking the encrypted drive, which can be either a password or a smart card. The user is then prompted to save or print the recovery key for the drive, which is needed to recover data should the password be forgotten or the smart card lost. The drive is then encrypted, which can take several minutes or longer depending on drive size.

When the encrypted flash drive is removed and then re-inserted into the computer, the user is prompted to supply the decryption password or smartcard (Figure 8).

Figure 8: A password must be supplied to decrypt the flash drive once it has been encrypted.

The encrypted flash drive also contains an application called BitLocker To Go Reader (bitlockertogo.exe) so that if you plug the drive into a computer running Windows Vista or even Windows XP, you can open encrypted files stored on the drive (Figure 9). If you copy the files to your computer, the local versions of these files will be decrypted so you can modify them. The files on the flash drive will remain encrypted, however.
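The same steps can be scripted with manage-bde.exe, the command-line BitLocker tool that ships with Windows 7. The script below is an added example, not code from the article or from Microsoft; it assumes it runs in an elevated PowerShell 2.0 session, that manage-bde is on the PATH, and that the drive letter and recovery-key folder are placeholders. It refuses to encrypt anything that is not a removable disk, which is the mistake most likely to be made when a drive letter is typed by hand.

```powershell
# Added example (not from the article): turn on BitLocker To Go for a removable
# drive with manage-bde.exe (Windows 7), then confirm conversion and protectors.
# Assumptions: elevated session, manage-bde on the PATH, placeholder drive letter
# and recovery-key folder. Written for PowerShell 2.0.

function Test-RemovableDrive {
    param([Parameter(Mandatory=$true)][string]$DriveLetter)   # e.g. 'E:'
    # DriveType 2 is "Removable Disk" in Win32_LogicalDisk.
    $disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$DriveLetter'"
    return ($disk -ne $null -and $disk.DriveType -eq 2)
}

function Enable-BitLockerToGo {
    param(
        [Parameter(Mandatory=$true)][string]$DriveLetter,    # e.g. 'E:'
        [Parameter(Mandatory=$true)][string]$RecoveryKeyDir  # folder NOT on the drive
    )
    if (-not (Test-RemovableDrive $DriveLetter)) {
        throw "$DriveLetter is not a removable drive; refusing to encrypt it."
    }
    if (-not (Test-Path $RecoveryKeyDir)) {
        New-Item -ItemType Directory -Path $RecoveryKeyDir | Out-Null
    }
    # -pw prompts for the unlock password (interactive, so do not capture output);
    # -rp adds a 48-digit recovery password, printed once on screen;
    # -rk writes a recovery key (.bek) file into the folder given.
    & manage-bde -on $DriveLetter -pw -rp -rk $RecoveryKeyDir
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde -on failed with exit code $LASTEXITCODE"
    }
}

function Get-BitLockerToGoStatus {
    param([Parameter(Mandatory=$true)][string]$DriveLetter)
    # Conversion runs in the background; the status output reports the percentage
    # complete and reads "Fully Encrypted" once it finishes.
    & manage-bde -status $DriveLetter
    # Lists each key protector (Password, Numerical Password, External Key) with its ID.
    & manage-bde -protectors -get $DriveLetter
}

# Example run (placeholders):
# Enable-BitLockerToGo -DriveLetter 'E:' -RecoveryKeyDir 'C:\BitLockerKeys\E'
# Get-BitLockerToGoStatus -DriveLetter 'E:'
```

Because the drive is still being converted when manage-bde -on returns, run Get-BitLockerToGoStatus again before handing the drive to a user, and store the printed 48-digit recovery password somewhere other than the drive itself.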

Figure 9: Using BitLocker To Go Reader on a Windows XP computer

Administrators can also configure how BitLocker To Go works using Group Policy. The policy settings for doing so are found at: Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives.

For example, you can use the Choose How BitLocker-Protected Removable Drives Can Be Recovered feature to set several recovery policies:

  • whether data recovery agents can be used;
  • whether users are allowed or required to generate a 48-digit recovery password and/or a 256-bit recovery key;
  • whether recovery information should be stored in AD DS;
  • whether to back up either the recovery password and key package or just the password (Figure 10).

Figure 10: Using Group Policy to specify how removable drives protected using BitLocker can be recovered
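To confirm on a client that the four recovery choices above actually reached the computer, and to push recovery information for a drive that was encrypted before the AD DS backup setting existed, the script below reads the policy state and drives manage-bde. It is an added example, not code from the article or from Microsoft. The RDV* registry value names under the FVE policy key are assumed here from the BitLocker Drive Encryption ADMX template (verify them against your own copy), and the drive letter is a placeholder.

```powershell
# Added example (not from the article): show the effective "Choose how
# BitLocker-protected removable drives can be recovered" settings on a client,
# and back up an encrypted drive's recovery passwords to AD DS with manage-bde.
# Assumption: the policy writes the RDV* values below under the FVE policy key
# (names taken from the BitLocker ADMX template). PowerShell 2.0 compatible.

$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-RemovableDriveRecoveryPolicy {
    # Returns one object describing the four options, or $null when the policy
    # is not enabled on this computer. Unset numeric values are reported as 0.
    $p = Get-ItemProperty -Path $fveKey -ErrorAction SilentlyContinue
    if ($p -eq $null -or $p.RDVRecovery -ne 1) { return $null }
    # 0 = not allowed, 1 = required, 2 = allowed (the choices in the policy dialog)
    $choice = @{ 0 = 'not allowed'; 1 = 'required'; 2 = 'allowed' }
    $dra = 'not allowed'
    if ($p.RDVManageDRA -eq 1) { $dra = 'allowed' }
    $adContent = 'recovery passwords only'
    if ($p.RDVActiveDirectoryInfoToStore -eq 1) { $adContent = 'recovery passwords and key packages' }
    New-Object PSObject -Property @{
        DataRecoveryAgent            = $dra
        RecoveryPassword48Digit      = $choice[[int]$p.RDVRecoveryPassword]
        RecoveryKey256Bit            = $choice[[int]$p.RDVRecoveryKey]
        BackupToADDS                 = ($p.RDVActiveDirectoryBackup -eq 1)
        ADDSContent                  = $adContent
        RequireADDSBackupBeforeUse   = ($p.RDVRequireActiveDirectoryBackup -eq 1)
    }
}

function Backup-RemovableDriveRecoveryToAD {
    param([Parameter(Mandatory=$true)][string]$DriveLetter)   # e.g. 'E:'
    # Ask manage-bde for the numerical (48-digit) password protectors only, pull
    # their {GUID} IDs out of the text, and back each one up to AD DS.
    $text = & manage-bde -protectors -get $DriveLetter -Type RecoveryPassword
    $ids = [regex]::Matches(($text -join "`n"), '\{[0-9A-Fa-f-]{36}\}') |
        ForEach-Object { $_.Value }
    foreach ($id in $ids) {
        & manage-bde -protectors -adbackup $DriveLetter -id $id
        if ($LASTEXITCODE -ne 0) { Write-Warning "AD backup failed for protector $id" }
    }
    return $ids   # the protector IDs that were submitted for backup
}

# Example run (placeholders):
$policy = Get-RemovableDriveRecoveryPolicy
if ($policy -eq $null) {
    Write-Host 'Removable-drive recovery policy is not configured on this computer.'
} else {
    $policy | Format-List
}
# Backup-RemovableDriveRecoveryToAD -DriveLetter 'E:'
```

The AD backup only succeeds if the computer is domain-joined and the BitLocker recovery schema extensions are present in the forest, so treat a non-zero exit code from manage-bde -adbackup as a sign to check the domain side before assuming the drive is unrecoverable.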

Mitch Tulloch is a Microsoft Most Valuable Professional and lead author of the Windows 7 Resource Kit. Contact him through his website.

About the Author

Mitch Tulloch

Mitch Tulloch is a Microsoft Most Valuable Professional and lead author of the Windows 7 Resource Kit from Microsoft Press. You can follow him on Twitter at @MitchTulloch or friend him on Facebook at http://www.facebook.com/mitchtulloch.
