18.9.11.3.17 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'

Information

This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
All removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
The recommended state for this setting is: Enabled.

Rationale:
Users may not voluntarily encrypt removable drives prior to saving important data to them. Forcing unprotected removable drives to mount read-only ensures that data can only be written to a drive once it is BitLocker-protected, so a lost or stolen drive does not expose cleartext data.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Deny write access to removable drives not protected by BitLocker
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template VolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
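The following PowerShell is an added audit and remediation example and is not part of the CIS or Tenable text. It reads the registry value that backs this Group Policy setting (HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVDenyWriteAccess, DWORD 1 = Enabled, as defined in VolumeEncryption.admx) and then lists attached removable volumes with their BitLocker protection status so the effective behaviour can be confirmed. The function names are assumptions chosen for this example.

```powershell
# Added example: audit and (optionally) remediate the local registry value behind
# "Deny write access to removable drives not protected by BitLocker".
# Backing value (VolumeEncryption.admx): HKLM\SOFTWARE\Policies\Microsoft\FVE\RDVDenyWriteAccess
#   1           = Enabled  (recommended: unprotected removable drives mount read-only)
#   0 / missing = Disabled / Not Configured (removable drives mount read/write)

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$PolicyValue = 'RDVDenyWriteAccess'

function Test-RdvDenyWriteAccess {
    # Returns $true only when the value exists and is exactly 1.
    # A missing key or value means "Not Configured", which behaves like Disabled.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$PolicyValue -eq 1)
}

function Set-RdvDenyWriteAccess {
    # Local remediation for standalone (non-domain-joined) hosts; requires elevation.
    # On domain-joined hosts configure the GPO path above instead: Group Policy
    # processing will overwrite a manually written value on the next refresh.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyValue -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-RemovableDriveProtection {
    # Lists attached removable volumes with their BitLocker ProtectionStatus.
    # Under the Enabled policy only drives reporting 'On' are mounted read/write.
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } | ForEach-Object {
        $mount = "$($_.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Drive      = $mount
            Protection = if ($bl) { $bl.ProtectionStatus } else { 'Unknown' }
        }
    }
}

if (Test-RdvDenyWriteAccess) {
    Write-Output "PASS: $PolicyValue = 1 (non-BitLocker removable drives mount read-only)"
} else {
    Write-Output "FAIL: $PolicyValue missing or not 1 (removable drives mount read/write)"
    # Uncomment to remediate on a standalone host:
    # Set-RdvDenyWriteAccess
}

Get-RemovableDriveProtection | Format-Table -AutoSize
```

Run the script elevated so the BitLocker cmdlets can query volume status. A drive that is already mounted read/write when the policy takes effect keeps that access until it is removed and reinserted, so re-plug test media after applying the setting before trusting the result.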

Impact:
All removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

Default Value:
Disabled. (All removable data drives on the computer will be mounted with read and write access.)

References:
1. CCE-33077-9

See Also

https://workbench.cisecurity.org/benchmarks/14249

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-19(5), 800-53|MP-7, CSCv6|13.5, CSCv7|13.6, CSCv7|13.8

Plugin: Windows

Control ID: d0f39a9118a471f260a9b74e6b59c73f98168766bae3417dbf28d7898ab5d55e