Redirecing C:\Users and C:\ProgramData folders to a USB memory stick

Discussion in 'Windows Vista Security' started by Audun, Oct 11, 2008.

  1. Audun

    Audun Guest

    I am experimenting with a configuration that redirects the C:\Users and
    C:\ProgramData folders to a USB memory stick. This allows me to always keep
    user data in personal care when travelling with the laptop. The redirection
    is done by setting the value of the ProfilesDirectory and ProgramData
    attributes in [Auto]Unattend.xml during Vista setup. This method is
    supported, albeit reluctantly, by Microsoft.

    To secure and enhance this configuration, I also:

    - encrypt the hard disk with BitLocker and the TPM key, TPM PIN, and USB
    startup key
    - encrypt the memory stick with BitLocker autounlock
    - lock down C:\ and S:\ (BitLocker) so that users cannot add data to these
    - disables the Windows pagefile to avoid user data "residue" on the system
    - enables write-caching on the memory stick (for performance reasons)
    - enables a large system cache (LargeSystemCache registry value) for the
    same reasons
    - uses Roaming Profiles to copy user profiles to a central server share (for
    - uses Folder Redirection to redirect user folders to a central server share
    (for backup)
    - uses Offline Files to locally cache server-side user folders and "user
    group" folders (i.e. folders shared between groups of users)
    - redirect the local Client-Side-Cache (C:\WIndows\CSC) to the memory stick
    to avoid user data "residue" on the system disk
    - disable Hibernation to avoid user data "residue" on the system disk
    - disable the Windows Search service since I don't use it, I don't like it,
    and it seems to generate a lot of traffic to the memory stick

    AFAIK, this leaves no room for user data to be written to the hard disk
    except to those subfolders of C:\Windows that Microsoft has made
    user-writable by default. I have not closed down these subfolders, but
    intend to do it at a later stage.

    In addition, I lock down Windows with a configuration similar to the SSLF
    profile of the W2008/Vista security guides and uses SRP to block end-user
    program execution outside Windows, Program Files, and the logon server
    SYSVOL share.

    I have been running this configuration for a few months now without any
    apparent problems arising from doing the redirection. Performance is
    acceptable even on the fairly slow (but conveniently small) Sony MicroVault
    Tiny 8GB USB2.0, 7/12MB sec write/read.

    The reason for posting this message is to get some feedback on my apporach,
    in particular

    - are there any potential problems or pitfalls that I ought to know about?
    - are there any uncovered ways that user data can be written to the hard
    - should I expect to run into trouble when I lock down the user-writable
    subfolders of C:\Windows?

    Audun, Oct 11, 2008
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.