Proxying Windows External Storage Access

  • Question

  • I want to control access to external storage like NAS, SAN, and USB before logging in to the OS by prompting the user for a passcode. This prompt should appear before user login at every boot. If the password is incorrect, the user is redirected to the OS login but cannot see the external storage devices.

    I want to store the password on the local drive.

    Sunday, June 16, 2019 3:45 PM

All replies

  • Hi,

    I am afraid what you want is not available through official means. According to your description, it seems you need a strong security protection strategy, so I recommend using BitLocker to protect the data. Once BitLocker is enabled on the C drive, the user needs to enter a password before logging in to the system. Once BitLocker is enabled on a data drive, we need to enter a password before access; the password will also be stored on the local drive.

    Bests,  


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, June 18, 2019 9:03 AM
    Moderator
  • Hi,

    I haven't received a message from you for a few days. Was your issue resolved?

    I am proposing the previous helpful replies as "Answered". Please feel free to try them and let me know the result. If a reply is helpful, please remember to mark it as the answer, which can help other community members who have the same question find the helpful reply quickly.

    Bests,



    Friday, June 21, 2019 9:21 AM
    Moderator
  • Hi Joy-Qiao

    I am looking to build a solution that runs after Windows is booted. I would unmount the volume if the user does not provide a valid password for the external storage media and then continue with the Windows login process. The user shall then not see the external device in 'Devices and Drivers'.

    I cannot use BitLocker because I need to make provision for customizations like modifying the encryption algorithm (custom algorithm).

    Friday, June 21, 2019 7:50 PM
  • Hi, 

    Thank you for your reply. 

    I do not clearly understand "create a provision for customization like modifying encryption algorithm". Could you describe it in more detail?

    By the way, to enable BitLocker in a server environment, we could use Microsoft BitLocker Administration and Monitoring (MBAM) to control and manage the BitLocker password and recovery key.

    Bests, 



    Tuesday, June 25, 2019 1:38 AM
    Moderator
  • I have custom encryption algorithms to be used. The idea is to implement two things:

    1) Whenever the user logs in, just after drivers are loaded, I would prompt the user for authentication if any external storage media is connected. If the user fails to authenticate, I would unmount the external storage media and proceed to the login screen. The user won't see those drives even if they are attached physically, since they are unmounted.

    2) If authenticated, the user can access the storage media, so whatever data the user writes to those storage media must be encrypted using a custom encryption algorithm.

    Does BitLocker have any APIs to extend / customize it?

    Wednesday, June 26, 2019 8:30 AM
  • Hi,

    What you want cannot be achieved through official means. BitLocker's function is a little different from what you want, but it is similar in that it provides drive encryption before user logon. BitLocker can be managed but cannot be customized.

    Bests, 



    Thursday, June 27, 2019 8:49 AM
    Moderator
  • Can I write a piece of code that runs during boot time after drivers are loaded and prompts the user, just like a BIOS password?

    We can write an application that runs before Windows login; can we prompt the user there otherwise?

    Thursday, June 27, 2019 9:46 AM
  • Hi, 

    If we write code, we need to use Group Policy to add the script to Startup. However, according to the system boot process, Windows will permit user logon first, then apply the Group Policy configuration settings and search for startup applications. So what you want is also not achievable this way.

    For more information, we could refer to the Windows boot process at the link below. (Windows 10 is the same.)

    https://social.technet.microsoft.com/wiki/contents/articles/11341.windows-7-the-boot-process-explained.aspx



    Friday, June 28, 2019 1:47 AM
    Moderator