Jump to content

Redirecing C:\Users and C:\ProgramData folders to a USB memory stick

Featured Replies

Posted

I am experimenting with a configuration that redirects the C:\Users and

C:\ProgramData folders to a USB memory stick. This allows me to always keep

user data in personal care when travelling with the laptop. The redirection

is done by setting the value of the ProfilesDirectory and ProgramData

attributes in [Auto]Unattend.xml during Vista setup. This method is

supported, albeit reluctantly, by Microsoft.

 

To secure and enhance this configuration, I also:

 

- encrypt the hard disk with BitLocker and the TPM key, TPM PIN, and USB

startup key

- encrypt the memory stick with BitLocker autounlock

- lock down C:\ and S:\ (BitLocker) so that users cannot add data to these

folders

- disables the Windows pagefile to avoid user data "residue" on the system

disk

- enables write-caching on the memory stick (for performance reasons)

- enables a large system cache (LargeSystemCache registry value) for the

same reasons

- uses Roaming Profiles to copy user profiles to a central server share (for

backup)

- uses Folder Redirection to redirect user folders to a central server share

(for backup)

- uses Offline Files to locally cache server-side user folders and "user

group" folders (i.e. folders shared between groups of users)

- redirect the local Client-Side-Cache (C:\WIndows\CSC) to the memory stick

to avoid user data "residue" on the system disk

- disable Hibernation to avoid user data "residue" on the system disk

- disable the Windows Search service since I don't use it, I don't like it,

and it seems to generate a lot of traffic to the memory stick

 

AFAIK, this leaves no room for user data to be written to the hard disk

except to those subfolders of C:\Windows that Microsoft has made

user-writable by default. I have not closed down these subfolders, but

intend to do it at a later stage.

 

In addition, I lock down Windows with a configuration similar to the SSLF

profile of the W2008/Vista security guides and uses SRP to block end-user

program execution outside Windows, Program Files, and the logon server

SYSVOL share.

 

I have been running this configuration for a few months now without any

apparent problems arising from doing the redirection. Performance is

acceptable even on the fairly slow (but conveniently small) Sony MicroVault

Tiny 8GB USB2.0, 7/12MB sec write/read.

 

The reason for posting this message is to get some feedback on my apporach,

in particular

 

- are there any potential problems or pitfalls that I ought to know about?

- are there any uncovered ways that user data can be written to the hard

disk?

- should I expect to run into trouble when I lock down the user-writable

subfolders of C:\Windows?

 

Audun

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...