Force USB encryption Windows and Mac
-
This really doesn't seem hard. The insurance agency seems to just want some mechanisms to make breaking policy harder. From GPOs, to glue in the USB ports, to confiscating rogue devices.
The computer itself can't do the checking, as Dustin pointed out; it has to mount and use the drive before it can know, so the computer has to be "after the fact". The computer can complain about what you've done, but it can't enforce. It's like a judge, not like a cop.
Any "cop enforcement" mechanism has to be before the USB goes into the computer or at least before the port is enabled.
-
@scottalanmiller that I can agree with.
This is all pre-device connection. There is no realistic way to prevent breaking the policy. Because users...
-
@DustinB3403 said in Force USB encryption Windows and Mac:
@scottalanmiller that I can agree with.
This is all pre-device connection. There is no realistic way to prevent breaking the policy. Because users...
No way to absolutely stop them, no. But there are reasonable "technical solutions" to make it less likely. From confiscating rogue drives to disabling ports unless enabled on a use by use basis.
-
@Dashrender said in Force USB encryption Windows and Mac:
@dbeato said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
@dbeato said in Force USB encryption Windows and Mac:
On the technical aspect of the request, it should be easy to enforce in a Microsoft AD environment as below:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj679890(v=ws.11).
https://docs.microsoft.com/en-us/previous-versions/dotnet/articles/bb530324(v=msdn.10)#grouppolicydeviceinstall_topic3c
The challenge is on Mac with FileVault. I will look into what I have with Sophos as I use them for this. However, your policy should be enough.
While I agree that a policy SHOULD be enough - they specifically said - technical.
FYI - No AD in this environment.
You can still enforce via local group policy for Windows.
yep... though I would/should use something like Salt or some other agent based solution to push out changes for this if for no other reason than consistency.
We did it with USB drives that are encrypted on the drive. So you could mix those two. I have one of these personally:
https://www.amazon.com/Corsair-CMFPLA3B-16GB-Padlock-Flash-Drive/dp/B06XNQH822/ref=dp_ob_title_ce
But there are a ton of options like that. The company bought FIPS 140-2 compliant ones, you can decide that or not.
Keep in mind this was what I did for Linux, not sure what the Windows guys did. But what I did was leverage USBGuard and when we handed out an encrypted drive we added it to the drive list that was pushed out to all of the systems. Only those USB devices were able to be used on the systems.
However @dbeato pointed this out earlier and you could most likely do the same thing. I just don't know how to add the USB device serial number in Windows (if it was Fedora or RHEL I'd love to help you lol).
-
I do know they also used Kingston DataTravelers. So if you didn't want to have to type the pin on the USB drive, you could just plug that model in and there was a small piece of software that ran and you could type in the password. It worked on both Linux and Windows.
Here's the link to the Kingston site with the encrypted ones:
https://www.kingston.com/en/usb-flash-drives?use=data security
-
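The two posts above describe the Linux approach (USBGuard, allowlisting only the serial numbers of the encrypted drives the company issued) and leave open how to get at the serial number on Windows. The script below is an added example, not code from the thread or from USBGuard: it lists the USB disks currently attached with their serial numbers and the PnP instance path that carries that serial, then writes a device-installation allowlist so only approved instance IDs can install while all other removable devices are denied. The registry location is the Device Installation Restrictions policy under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions; the AllowInstanceIDs and DenyRemovableDevices value names, the reliance on pnputil /remove-device (recent Windows 10), and the sample instance ID in the usage comment are assumptions to check against the drives you actually issue.

```powershell
# Added example (not from the thread): enumerate attached USB disks with serial
# numbers and build a device-installation allowlist from approved instance IDs.
# Assumed policy values: AllowInstanceIDs (DWORD + subkey of numbered REG_SZ
# entries) and DenyRemovableDevices under DeviceInstall\Restrictions.

$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-AttachedUsbDisk {
    # Serial as reported by the disk stack, plus the PnP instance path that
    # embeds the same serial (USBSTOR\DISK&VEN_...&PROD_...&REV_...\<serial>&0)
    $pnp = Get-PnpDevice -PresentOnly -Class DiskDrive -ErrorAction SilentlyContinue |
           Where-Object InstanceId -like 'USBSTOR\*'
    Get-Disk | Where-Object BusType -eq 'USB' | ForEach-Object {
        $disk   = $_
        $serial = ($disk.SerialNumber -as [string]).Trim()
        $match  = $pnp | Where-Object { $serial -and $_.InstanceId -like "*\$serial*" } |
                  Select-Object -First 1
        [pscustomobject]@{
            FriendlyName = $disk.FriendlyName
            SerialNumber = $serial
            InstanceId   = $match.InstanceId
        }
    }
}

function Set-UsbStorageAllowlist {
    param(
        # Instance IDs of the issued drives; every other removable device is denied
        [Parameter(Mandatory)][string[]]$AllowedInstanceIds
    )
    $allowKey = Join-Path $Restrictions 'AllowInstanceIDs'
    foreach ($k in $Restrictions, $allowKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # Clear the previous numbered list so drives you revoke really drop out
    Get-ItemProperty -Path $allowKey | Get-Member -MemberType NoteProperty |
        Where-Object Name -match '^\d+$' |
        ForEach-Object { Remove-ItemProperty -Path $allowKey -Name $_.Name }
    $i = 1
    foreach ($id in $AllowedInstanceIds) {
        Set-ItemProperty -Path $allowKey -Name ([string]$i) -Type String -Value $id
        $i++
    }
    Set-ItemProperty -Path $Restrictions -Name 'AllowInstanceIDs'     -Type DWord -Value 1
    Set-ItemProperty -Path $Restrictions -Name 'DenyRemovableDevices' -Type DWord -Value 1

    # Device-installation policy only governs future installs: uninstall USB disks
    # that are already known to this machine and not on the list, so the deny
    # applies the next time they are inserted (assumes pnputil /remove-device).
    Get-PnpDevice -Class DiskDrive -ErrorAction SilentlyContinue | Where-Object {
        $_.InstanceId -like 'USBSTOR\*' -and $_.InstanceId -notin $AllowedInstanceIds
    } | ForEach-Object { pnputil /remove-device $_.InstanceId | Out-Null }
}

# Usage (elevated), with the drive to approve plugged in:
#   Get-AttachedUsbDisk
#   Set-UsbStorageAllowlist -AllowedInstanceIds @(
#       'USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_3.0&REV_PMAP\0011223344556677&0'  # constructed sample
#   )
```

Run Get-AttachedUsbDisk once per issued drive, collect the InstanceId values into your configuration management (this is the list the USBGuard post pushes to every Linux host), and apply Set-UsbStorageAllowlist from there rather than by hand so every machine carries the same list. Note that this controls which USB storage devices can be installed at all; it says nothing about whether the data on them is encrypted, which is why it pairs with buying drives that encrypt in hardware.
-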
@DustinB3403 said in Force USB encryption Windows and Mac:
@Dashrender said in Force USB encryption Windows and Mac:
No, An insurance company wants us to have a technical solution in place that when a USB drive is inserted into a computer, that the drive is only usable if the drive is encrypted.
You would have no way to do this.
You can set up encrypted volumes on USB drives you control, but there would be no way to do this for every USB drive.
You buy the drives with the encryption already built in and only allow those drives serial numbers. This is a commonly done thing in higher security departments. Whether it's actually needed here or not is different, but it's completely doable.
-
Late to the party here, but...
To me, it sounds like they don't want data going from the computer, into a portable storage device, that isn't encrypted... which could be stolen or data taken off by anyone somewhere else.
There are policies to make it so that you cannot write to a USB storage device that isn't encrypted. It will be readonly. This seems exactly what they want, and super easily doable with group policy and bitlocker.
-
@Obsolesce said in Force USB encryption Windows and Mac:
There are policies to make it so that you cannot write to a USB storage device that isn't encrypted.
No there are not.
There are policies to make it so that you cannot write to a USB storage device that isn't encrypted with BitLocker. That is not the same thing.
But the matters not since this is a mixed environment of macOS & Windows.
-
@JaredBusch said in Force USB encryption Windows and Mac:
No there are not.
... Yes.
Bitlocker IS encryption. You can prevent write access to USB drives that are not encrypted with Bitlocker. That fits the requirements for Windows as a solution 100%.
Another solution for Macs will be required. It's not uncommon to have multiple solutions in place to cover different platforms...
-
@Obsolesce said in Force USB encryption Windows and Mac:
@JaredBusch said in Force USB encryption Windows and Mac:
No there are not.
... Yes.
Bitlocker IS encryption. You can prevent write access to USB drives that are not encrypted with Bitlocker. That fits the requirements for Windows as a solution 100%.
No, there are not. Read the English again.
There is no possible way to have a policy that can know if a drive is encrypted. Yes, there is a policy that lets you know if a drive is encrypted specifically with bitlocker. But it does not and cannot know if a drive is encrypted in another method, because it is encrypted obviously.
-
@Obsolesce said in Force USB encryption Windows and Mac:
Another solution for Macs will be required. It's not uncommon to have multiple solutions in place to cover different platforms
That is useless as it means the encrypted media is useless between macOS and Windows.
-
@JaredBusch said in Force USB encryption Windows and Mac:
@Obsolesce said in Force USB encryption Windows and Mac:
@JaredBusch said in Force USB encryption Windows and Mac:
No there are not.
... Yes.
Bitlocker IS encryption. You can prevent write access to USB drives that are not encrypted with Bitlocker. That fits the requirements for Windows as a solution 100%.
No, there are not. Read the English again.
There is no possible way to have a policy that can know if a drive is encrypted. Yes, there is a policy that lets you know if a drive is encrypted specifically with bitlocker. But it does not and cannot know if a drive is encrypted in another method, because it is encrypted obviously.
Pay attention here...
If the drive is not encrypted with BitLocker, write access is denied. That's what the policy says. If the drive is encrypted with something else, great, that also meets the requirement. If the device is not encrypted, write access is denied. So it doesn't matter if it's encrypted by something other than BitLocker.
-
@JaredBusch said in Force USB encryption Windows and Mac:
@Obsolesce said in Force USB encryption Windows and Mac:
Another solution for Macs will be required. It's not uncommon to have multiple solutions in place to cover different platforms
That is useless as it means the encrypted media is useless between macOS and Windows.
That's not an issue. There is no requirement to transport data between Mac and Windows devices on USB drives.
-
@Obsolesce said in Force USB encryption Windows and Mac:
@JaredBusch said in Force USB encryption Windows and Mac:
@Obsolesce said in Force USB encryption Windows and Mac:
@JaredBusch said in Force USB encryption Windows and Mac:
No there are not.
... Yes.
Bitlocker IS encryption. You can prevent write access to USB drives that are not encrypted with Bitlocker. That fits the requirements for Windows as a solution 100%.
No, there are not. Read the English again.
There is no possible way to have a policy that can know if a drive is encrypted. Yes, there is a policy that lets you know if a drive is encrypted specifically with bitlocker. But it does not and cannot know if a drive is encrypted in another method, because it is encrypted obviously.
Pay attention here...
If the drive is not encrypted with BitLocker, write access is denied. That's what the policy says. If the drive is encrypted with something else, great, that also meets the requirement. If the device is not encrypted, write access is denied. So it doesn't matter if it's encrypted by something other than BitLocker.
No it does not say with something else. It says another organization. Meaning bitlocker from a different environment. It is not possible to know if it was encrypted with anything other than bitlocker.
-
@Obsolesce said in Force USB encryption Windows and Mac:
@JaredBusch said in Force USB encryption Windows and Mac:
@Obsolesce said in Force USB encryption Windows and Mac:
Another solution for Macs will be required. It's not uncommon to have multiple solutions in place to cover different platforms
That is useless as it means the encrypted media is useless between macOS and Windows.
That's not an issue. There is no requirement to transport data between Mac and Windows devices on USB drives.
The point of wanting to use USB media is for portability. Otherwise, you simply disable it.
-
Beachhead does this
-
@JaredBusch said in Force USB encryption Windows and Mac:
@Obsolesce said in Force USB encryption Windows and Mac:
@JaredBusch said in Force USB encryption Windows and Mac:
@Obsolesce said in Force USB encryption Windows and Mac:
@JaredBusch said in Force USB encryption Windows and Mac:
No there are not.
... Yes.
Bitlocker IS encryption. You can prevent write access to USB drives that are not encrypted with Bitlocker. That fits the requirements for Windows as a solution 100%.
No, there are not. Read the English again.
There is no possible way to have a policy that can know if a drive is encrypted. Yes, there is a policy that lets you know if a drive is encrypted specifically with bitlocker. But it does not and cannot know if a drive is encrypted in another method, because it is encrypted obviously.
Pay attention here...
If the drive is not encrypted with BitLocker, write access is denied. That's what the policy says. If the drive is encrypted with something else, great, that also meets the requirement. If the device is not encrypted, write access is denied. So it doesn't matter if it's encrypted by something other than BitLocker.
No it does not say with something else. It says another organization. Meaning bitlocker from a different environment. It is not possible to know if it was encrypted with anything other than bitlocker.
There were two policies in that picture, only the first one was relevant. The irrelevant one mentioned "another organization".
Don't know why you read what I wrote so incorrectly.
They simply do not want data going from a managed computer to an unencrypted USB drive.
To meet this requirement for Windows, enable the policy to block write access to any USB drive that is not Bitlocker encrypted.
Yes, this means all USB drives will need to be bitlocker encrypted for data writability to them from Windows 10 computers with that policy applied. That's what you want.
Now, any USB drive that is not bitlocker encrypted or encrypted by something else will not be writable from managed Win10 devices. Anything not encrypted with Bitlocker will be mounted as read-only. Again, this is what you want.
As for the other requirement, I do not know if you can set bitlocker to automatically encrypt a non-encrypted USB drive. I think that requirement was not thought out. But the user can receive a message that they cannot write to it unless they encrypt it first with BitLocker.
For Mac, another solution will be needed, but they can be used on Macs with Bitlocker-to-go.
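The post above, and the earlier one about enforcing this with local group policy pushed out by an agent such as Salt on machines with no AD, both come down to one BitLocker policy: "Deny write access to removable drives not protected by BitLocker". The script below is an added example, not code from the thread: it sets that policy through the registry values the policy template writes under HKLM\SOFTWARE\Policies\Microsoft\FVE (so an agent can apply it without a domain), reads it back, and probes whether a given removable drive is actually writable. The RDVDenyWriteAccess and RDVDenyCrossOrg value names are the BitLocker policy registry values; the drive letter in the usage comment and the write-probe file name are assumptions. The second value corresponds to the "another organization" policy discussed above and is left off.

```powershell
# Added example (not from the thread): apply and verify the BitLocker policy that
# mounts removable drives read-only unless they are BitLocker-protected.
# Assumed value names under HKLM\SOFTWARE\Policies\Microsoft\FVE:
#   RDVDenyWriteAccess  1 = deny writes to removable drives without BitLocker
#   RDVDenyCrossOrg     1 = also deny writes to drives BitLockered by another org

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-RemovableDriveWriteDeny {
    [CmdletBinding()]
    param(
        [bool]$DenyWriteUnlessBitLocker = $true,
        [bool]$DenyCrossOrg             = $false   # the "other organization" policy, not needed here
    )
    if (-not (Test-Path $FvePolicy)) { New-Item -Path $FvePolicy -Force | Out-Null }
    Set-ItemProperty -Path $FvePolicy -Name 'RDVDenyWriteAccess' -Type DWord -Value ([int]$DenyWriteUnlessBitLocker)
    Set-ItemProperty -Path $FvePolicy -Name 'RDVDenyCrossOrg'    -Type DWord -Value ([int]$DenyCrossOrg)
}

function Get-RemovableDriveWriteDeny {
    # Read the policy back so a config-management run can report drift
    $p = Get-ItemProperty -Path $FvePolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DenyWriteUnlessBitLocker = [bool]$p.RDVDenyWriteAccess
        DenyCrossOrg             = [bool]$p.RDVDenyCrossOrg
    }
}

function Test-RemovableDriveWritable {
    # Report the drive's BitLocker state and whether a file can actually be
    # created on it; with the policy applied, a non-BitLocker drive shows
    # ProtectionStatus 'NotBitLocker' and Writable $false.
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'E'
    $mount = "$($DriveLetter.TrimEnd(':')):"
    $vol   = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
    $probe = Join-Path "$mount\" ("write-probe-{0}.tmp" -f [guid]::NewGuid())  # assumed probe name
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        $writable = $true
    } catch {
        $writable = $false
    }
    [pscustomobject]@{
        Drive            = $mount
        ProtectionStatus = if ($vol) { [string]$vol.ProtectionStatus } else { 'NotBitLocker' }
        Writable         = $writable
    }
}

# Usage (run elevated; re-insert the drive after applying the policy):
#   Set-RemovableDriveWriteDeny
#   gpupdate /force
#   Get-RemovableDriveWriteDeny
#   Test-RemovableDriveWritable -DriveLetter E
```

Two caveats a practitioner will hit. First, as JaredBusch says, the check is "is this volume BitLocker-protected", nothing more: a hardware-encrypted drive like the Corsair Padlock or a Kingston DataTraveler presents a plain volume once unlocked, so this policy will mount it read-only unless it is also BitLockered, and a LUKS or FileVault-encrypted stick looks unencrypted to it. Second, the policy does not encrypt anything by itself; the drive stays read-only until someone turns on BitLocker To Go on it, which answers the "automatically encrypt" part of the requirement only as far as the prompt goes.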
-
@JaredBusch said in Force USB encryption Windows and Mac:
@Obsolesce said in Force USB encryption Windows and Mac:
@JaredBusch said in Force USB encryption Windows and Mac:
@Obsolesce said in Force USB encryption Windows and Mac:
Another solution for Macs will be required. It's not uncommon to have multiple solutions in place to cover different platforms
That is useless as it means the encrypted media is useless between macOS and Windows.
That's not an issue. There is no requirement to transport data between Mac and Windows devices on USB drives.
The point of wanting to use USB media is for portability. Otherwise, you simply disable it.
I don't know how many users are sticking data on a USB drive from a Mac, then giving it to someone else or marching it over to a Windows device, or vice versa, but if that's the case, there are ways to make it work.
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-to-go-faq