1_BL942-1101.md

File metadata and controls

80 lines (64 loc) · 3.06 KB
---
scapolite:
    class: rule
    version: '0.51'
id: BL942-1101
id_namespace: com.siemens.seg.policy_framework.rule
title: Configure the policy 'Configure use of passwords for removable data drives'
rule: <see below>
rationale: <see below>
description: <see below>
applicability:
  - system: com.siemens.cert.acp
    c: '123'
    i: '123'
    a: '123'
  - system: com.siemens.cert.scapolite.target_audience
    roles: asset_manager
implementations:
  - relative_id: '01'
    description: <see below>
crossrefs:
  - system: com.siemens.seg.policy_framework.rule
    idref: 12.1.1-05
    relation: based_on
  - system: urn:scapolite:scce
    idref: gpo:computer:admx:windows_components:bitlocker_drive_encryption:removable_data_drives:configure_use_of_passwords_for_removable_data_drives
history:
  - version: '1.0'
    eval: true
    action: created
    description: Not part of CIS Windows Server 2019 and Siemens Windows Server 2016 (BL968). Rule has been copied from Siemens Windows 10 (BL696).
    internal_comment: Originally taken from Windows 10 Measure Plan.
---

## /rule

Enable the setting 'Configure use of passwords for removable data drives' and set the options as follows:

  • Select the value Require password complexity in the drop-down list,
  • Set the option 'Minimum password length for removable data drive' to 15.

Note: The encryption password for removable data drives is exempt from the password change requirements of the Specific Information Security Policy: Access Control Rule ID: 09.4.3-04.

## /rationale

If an unencrypted or poorly configured (e.g., short password, weak cipher, only used disk space encrypted) USB memory stick is lost or stolen, anyone who finds it can plug it into their own computer and read the content directly if it is unencrypted, or try to gain access by guessing the password or exploiting a weakness of the cipher.

While a USB stick protected with a smart card can only be used by someone who holds both the smart card and the associated PIN, a malicious user can try to recover the password of a password-only protected USB stick by brute force. A long, complex password raises the cost of such an attack, which is why this rule requires password complexity and a minimum length of 15 characters.

## /description

Microsoft Windows includes the built-in full disk and volume encryption feature BitLocker Drive Encryption (BDE) which, apart from encrypting fixed drives, can be used to encrypt removable drives (also known as BitLocker To Go).

You can protect a BitLocker To Go encrypted device either with a smart card, a password, or with a combination of both.

## /implementations/0/description

To set the protection level to the desired state, set the following Group Policy setting to Enabled:

Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Configure use of passwords for removable data drives

and set the options as follows:

  • Select the value Require password complexity in the drop-down list,
  • Set the option Minimum password length for removable data drive to 15.
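The following PowerShell script is an added audit example and is not part of the original rule text or the Siemens policy framework. It checks the registry values that this Group Policy setting writes under HKLM\SOFTWARE\Policies\Microsoft\FVE (value names RDVPassphrase, RDVPassphraseComplexity and RDVPassphraseLength, as defined in the VolumeEncryption.admx template; the 'Require password for removable data drive' checkbox, RDVEnforcePassphrase, is not part of this rule and is not checked). The function names and the local remediation helper are assumptions for illustration; on domain members the GPO path above is the authoritative way to set the values, and anything written locally under the Policies key is overwritten at the next policy refresh.

```powershell
# Added example (not from the original rule): audit the registry state that
# the GPO 'Configure use of passwords for removable data drives' produces.
#   RDVPassphrase            1  = policy Enabled
#   RDVPassphraseComplexity  1  = 'Require password complexity'
#   RDVPassphraseLength      15 = minimum password length (ADMX allows 8..20)
# The registry key and value names are taken from VolumeEncryption.admx;
# the function names below are hypothetical.

$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$Expected = @{
    RDVPassphrase           = 1
    RDVPassphraseComplexity = 1
    RDVPassphraseLength     = 15
}

function Test-RdvPasswordPolicy {
    # Returns one row per expected value with the actual value and a
    # Compliant flag; a missing key or value reads as $null and fails.
    $current = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $actual = if ($null -ne $current) { $current.$name } else { $null }
        [pscustomobject]@{
            Value     = $name
            Expected  = $Expected[$name]
            Actual    = $actual
            Compliant = ($actual -eq $Expected[$name])
        }
    }
}

function Set-RdvPasswordPolicy {
    # Local remediation for standalone test machines only; domain members
    # receive these values from the GPO and local edits are overwritten.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in $Expected.Keys) {
        New-ItemProperty -Path $Key -Name $name -PropertyType DWord `
            -Value $Expected[$name] -Force | Out-Null
    }
}

$report = Test-RdvPasswordPolicy
$report | Format-Table -AutoSize
if ($report.Compliant -contains $false) {
    Write-Warning 'BL942-1101: removable data drive password policy is not compliant.'
    # Uncomment on a standalone machine; on domain members fix the GPO instead.
    # Set-RdvPasswordPolicy
}
```

Run the script in an elevated PowerShell session after `gpupdate /force` to confirm that the policy has actually reached the machine. Note that these settings are enforced when BitLocker is turned on for a drive, not when an already encrypted drive is unlocked, so removable drives encrypted before the policy was applied keep whatever password they were given.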