USB keys are the bane of many organizations. They represent at least two different kinds of threat. The first is that a user finds a USB key lying on the ground and decides that it would be a great idea to plug it into their work computer to see if it has any interesting stuff on it. You’ve probably heard the story about the security firm who was asked to do the penetration test on the credit union who scattered a number of USB thumb drives around the credit union’s car park. The USB thumb drives had Trojans hidden on them. Within a few days, 80% of the Trojans had phoned home, indicating that people at the credit union had picked them up off the ground and plugged them immediately into their computers.

The second type of threat is that they’ll be filled with important organizational data (so that someone can work on it from home – and let’s just assume for the point of this article that we’re cool with people walking out of the office with up to 64 GB of organizational data as whether or not that is wise is a whole different fish filled water boiling appliance) and they’ll lose it on the number 57 Tram to Moonee Ponds. Given the propensity of people to plug USB thumb drives that they find on the street into their computers, you can be pretty sure that if someone loses one of these things, someone else is going to say to himself “wow, I wonder what is on this?” and plug it straight into the nearest computer.

So USB thumb drives are a bane. Some organizations hate them so much they have gone to the length of filling USB slots with epoxy to ensure that USB thumb drives cannot be connected to workstations.

Windows Server 2008 (classic) allows you to selectively “white list” USB devices. That is, as an administrator, you can block all USB storage devices except those that you’ve manually approved. Manual approval involves entering the device ID into Active Directory. The fun level involved in setting that up and maintaining it diminishes as the number of devices increases.

Windows Server 2008 R2 (and Windows 7) give you a new option. With BitLocker to go you can encrypt USB thumb drives (you could do this with Vista SP1, but it was a little messy using the USB devices on other computers). An encryptable USB drive by itself doesn’t stop people plugging the USB thumb drive they found in the lavatory at the pub into their work computer, nor does it stop someone plugging a non-encrypted USB drive into their computer, copying over data and then losing the USB drive on the way home in the tram. Windows Server 2008 R2 does allow you to block people from connecting non-bitlocker-encrypted USB drives to their Windows 7 computers. You can only access a BitLocker-To-Go encrypted USB drive if you have a password. This stops people plugging the USB drives they find on the street into their computer (even if it is BitLocker encrypted, they won’t have the password (you can also block BitLocker encrypted devices that come from outside your organization)) and it stops people who find the USB stick that your user has accidentally lost on the number 57 tram to Moonee Ponds from getting any useful data out of it (as they won’t have the required password).

To set this up you need to do a couple of things.

  1. Obtain the USB devices that you are going to distribute to your users and encrypt them using BitLocker, making sure that you note down each device’s password.
  2. Configure the policies in the Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives node

These policies allow you complete control over how BitLocker works with removable drives. The downside is that all of the policies require Windows 7 or Windows Server 2008 R2 as the minimum operating system that they can be applied to.