With the release of Windows 8 Enterprise, Microsoft included support for Windows To Go, a feature that lets you set up a Windows workspace on a bootable USB drive. A Windows To Go drive contains a full Windows 8 or Windows 8.1 image that is accessible from any laptop or desktop certified to run Windows 7 or Windows 8.
IT can issue the drives to mobile and contract workers as a way to manage their desktops while keeping sensitive data separate from personal information. Before your team starts provisioning Windows To Go drives, however, you should first be aware of the potential security risks they pose and how to use Windows 8 BitLocker to reduce them.
Protecting Windows To Go drives with BitLocker
If a Windows To Go disk is lost or stolen, sensitive data and network resources can be put at risk. Fortunately, you can protect your Windows To Go disks with BitLocker, a full-disk encryption feature built into Windows 7 and Windows 8. BitLocker uses the Advanced Encryption Standard algorithm to protect a volume with 128-bit or 256-bit encryption.
Normally, BitLocker relies on the Trusted Platform Module standard to authenticate a boot pathway and protect the encryption keys. Because this approach is not possible with a Windows To Go drive, BitLocker uses a user-defined password to encrypt and decrypt the disk. The user must provide the password to unlock the drive and boot into the Windows To Go workspace. As long as the password itself is not compromised, unauthorized users normally cannot access protected data or secure network resources.
If you're planning to deploy Windows To Go drives, BitLocker should be enabled on those drives when you provision them. However, that's not always possible. For example, if you're provisioning multiple drives, you might want to use a USB drive duplicator to simplify the process. Unfortunately, BitLocker-protected drives should not be duplicated. That means you must first provision the drives and then enable BitLocker on each one afterward.
If you're working with many drives -- a likely scenario if you're using a duplicator -- you might want to pass the BitLocker portion of the task on to your users. The process itself is easy enough. As with the desktop versions of Windows 8 and Windows 8.1, the user simply follows the steps in the BitLocker Setup Wizard.
The bigger trick is to ensure that your users actually implement BitLocker. Without some sort of confirmation process, you can't be certain that the Windows To Go drives are being protected, any more than you can ensure that your users are properly safeguarding their passwords.
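One way to build the confirmation process the previous paragraph calls for is a script that users (or a logon task) run inside the booted Windows To Go workspace. This is an added example, not code from the article; it uses the BitLocker PowerShell module that ships with Windows 8 Enterprise, and the report share path is an assumed placeholder.

```powershell
# Added example: report whether this Windows To Go workspace is actually protected by BitLocker.
# Run inside the booted workspace, elevated. $ReportShare is an assumption; point it at a share IT controls.
param(
    [string]$ReportShare = '\\FILESERVER\wtg-reports'   # placeholder, not a real path
)

Import-Module BitLocker -ErrorAction Stop

# The workspace's own system volume is the one that must be encrypted.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

# A Windows To Go drive cannot use a TPM, so the protector we expect is a password
# (a recovery password protector is normally present alongside it).
$hasPassword = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Password' }

$report = [pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    UserName             = $env:USERNAME
    Checked              = (Get-Date).ToString('s')
    VolumeStatus         = $vol.VolumeStatus        # FullyEncrypted / FullyDecrypted / EncryptionInProgress ...
    ProtectionStatus     = $vol.ProtectionStatus    # On / Off
    EncryptionMethod     = $vol.EncryptionMethod    # e.g. Aes128 / Aes256
    EncryptionPercentage = $vol.EncryptionPercentage
    PasswordProtector    = [bool]$hasPassword
    Compliant            = ($vol.VolumeStatus -eq 'FullyEncrypted' -and
                            $vol.ProtectionStatus -eq 'On' -and
                            [bool]$hasPassword)
}

$report | Format-List

# Record the result where IT can see it; a check nobody can audit defeats the purpose.
try {
    $file = Join-Path $ReportShare ("{0}-{1}.csv" -f $env:USERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    $report | Export-Csv -Path $file -NoTypeInformation
} catch {
    Write-Warning "Could not write report to ${ReportShare}: $_"
}

if (-not $report.Compliant) {
    Write-Warning 'This Windows To Go drive is not fully protected by BitLocker. Run the BitLocker Setup Wizard before storing company data on it.'
    exit 1
}
```

A drive that is still encrypting reports EncryptionInProgress with ProtectionStatus On; the script treats it as non-compliant until encryption completes, so re-run it after the wizard finishes.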
Windows To Go data leakage
Windows 8 includes a new SAN policy setting -- OFFLINE_INTERNAL (value 4) -- that prevents the operating system from automatically mounting the host computer's internal drives. When this policy is enabled, users cannot see the internal drives from within the Windows To Go environment. This can help prevent accidental data leakage between the Windows To Go environment and the local computer. The policy can also help to prevent someone from using a Windows To Go drive as a hacking device to gain quick access to an internal disk.
Even if the policy is enabled, however, someone can use the diskmgmt.msc tool built into Windows To Go to override the default behavior and mount an internal drive. Of course, the user will still have to contend with applicable folder and file security on the host system.
However, many of the files could prove easily accessible, and transferring files from the Windows To Go environment to an unsecured machine could be easier still. In addition, mounting an internal drive while the host system is in hibernation can lead to data loss or corruption of the host OS.
Another area of concern is the user who plugs a Windows To Go drive into a running machine. In general, Microsoft recommends against this. If the computer has been compromised, the disk could also be compromised. However, IT also has no way of preventing this sort of action.
IT can ensure that the NoDefaultDriveLetter attribute is enabled on the Windows To Go drive. The attribute prevents the host computer from assigning a drive letter to the drive if the drive is inserted into a running machine. Consequently, the drive is not visible in Windows Explorer on the host system, thus helping to prevent accidental data leakage between systems. Unfortunately, users can again use diskmgmt.msc -- this time on the host computer -- to manually assign a drive letter to the Windows To Go drive.
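The two leakage controls above (the OFFLINE_INTERNAL SAN policy and the NoDefaultDriveLetter attribute) can be verified with PowerShell. This is an added example, not code from the article or from Microsoft's deployment guidance; it assumes the SAN policy is stored under the partmgr service parameters (the value diskpart's "san policy=" command sets) and uses the Storage module cmdlets available on Windows 8. Run it elevated.

```powershell
# Added example: verify the Windows To Go leakage controls.
# Test-WtgSanPolicy runs inside the booted Windows To Go workspace.
# Test-WtgDriveLetterAttribute runs on the provisioning machine or a host with the drive attached but not booted.

function Test-WtgSanPolicy {
    # Assumption: the running OS keeps its SAN policy in this registry value; 4 = OFFLINE_INTERNAL.
    $names = @{ 1 = 'OnlineAll'; 2 = 'OfflineShared'; 3 = 'OfflineAll'; 4 = 'OfflineInternal' }
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\partmgr\Parameters'
    $value = (Get-ItemProperty -Path $key -Name SanPolicy -ErrorAction SilentlyContinue).SanPolicy
    [pscustomobject]@{
        Check     = 'SAN policy'
        Value     = if ($null -eq $value) { 'not set (OS default)' } else { $names[[int]$value] }
        Compliant = ($value -eq 4)
    }
}

function Test-WtgDriveLetterAttribute {
    param([switch]$Fix)   # -Fix sets the attribute on any partition that lacks it
    # Windows To Go media is USB; each partition on it should carry NoDefaultDriveLetter so that
    # plugging the drive into a running host does not surface the workspace volume in Explorer.
    foreach ($disk in Get-Disk | Where-Object { $_.BusType -eq 'USB' }) {
        foreach ($part in Get-Partition -DiskNumber $disk.Number) {
            if (-not $part.NoDefaultDriveLetter -and $Fix) {
                Set-Partition -DiskNumber $disk.Number -PartitionNumber $part.PartitionNumber -NoDefaultDriveLetter $true
                $part = Get-Partition -DiskNumber $disk.Number -PartitionNumber $part.PartitionNumber
            }
            [pscustomobject]@{
                Check     = "NoDefaultDriveLetter disk $($disk.Number) partition $($part.PartitionNumber)"
                Value     = $part.NoDefaultDriveLetter
                Compliant = [bool]$part.NoDefaultDriveLetter
            }
        }
    }
}

# Usage: call whichever function matches where the script is running.
Test-WtgSanPolicy            | Format-Table -AutoSize
Test-WtgDriveLetterAttribute | Format-Table -AutoSize
```

Neither attribute stops a user with diskmgmt.msc from mounting a volume by hand, as the article notes; these checks confirm the defaults are set, not that they cannot be overridden.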
Booting from a USB device
According to Microsoft, a Windows To Go drive should be used only on host computers certified to run Windows 7 or Windows 8. One reason for this is that these computers support bootable USB drives. Note that the host system's firmware startup settings (e.g., BIOS) must usually be specifically configured to include USB drives in the boot process.
If IT administrators manage the host computer, they can include the setting as part of the initial setup or management process. If the user owns the computer, that person must manually enable USB booting, either through the firmware's startup settings or, in Windows 8, by using the Windows To Go Startup Options feature.
Regardless of how USB booting is enabled, users and admins should be aware of the implications. For example, a USB drive that contains malware can be inserted into a USB port. When the computer starts, it will try to boot from the drive, infect the host computer and do serious damage.
In addition, if two USB drives are plugged in at the same time, boot conflicts can occur. Again, IT has little control over what users do with either the Windows To Go drives or the host computers.
Making the most of Windows To Go
Clearly, Windows To Go is no panacea for all the security concerns that IT faces in the era of mobile computing. If a drive is not encrypted, it presents serious security risks. Plus, user actions can lead to data leakage, compromised resources and infected systems.
Yet a Windows To Go drive is probably no riskier than most other devices. If you provision a laptop for a mobile worker, you're still relying on that person to make smart decisions about protecting sensitive data. In fact, IT must rely on users more than ever to take the proper steps to maintain Windows 8 security.
Desktop admins can help users, not only by providing adequate instructions and training, but also by offering services to make data storage and management both seamless and secure. And the Windows To Go drive has a big advantage over other devices. It's easy to provision and a lot cheaper to replace.