18.9.11.3.13 Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'

Information

This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.

All removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

The recommended state for this setting is: Enabled.

Rationale:

Users may not voluntarily encrypt removable drives prior to saving important data to the drive.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled:

Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Deny write access to removable drives not protected by BitLocker

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template VolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

Impact:

All removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

Default Value:

Disabled. (All removable data drives on the computer will be mounted with read and write access.)

See Also

https://workbench.cisecurity.org/files/2700

Item Details

Category: MEDIA PROTECTION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|MP-4, 800-53|SC-28(1), CSCv6|13.2

Plugin: Windows

Control ID: dee4e902d4aedf91b3747ac3c421eeac6b3d050f83bc9c1f3b28b8dc589add18