Welcome to Windows Vista Forums. Our forum is dedicated to helping you find solutions with any problems, errors or issues you are experiencing with Windows Vista. The Vista forum also covers news and updates and has an extensive Windows Vista tutorial section that covers a wide range of tips and tricks.
Redirecting C:\Users and C:\ProgramData folders to a USB memory stick

I am experimenting with a configuration that redirects the C:\Users and C:\ProgramData folders to a USB memory stick. This allows me to always keep user data in personal care when travelling with the laptop. The redirection is done by setting the value of the ProfilesDirectory and ProgramData attributes in [Auto]Unattend.xml during Vista setup. This method is supported, albeit reluctantly, by Microsoft.

To secure and enhance this configuration, I also:

- encrypt the hard disk with BitLocker and the TPM key, TPM PIN, and USB startup key
- encrypt the memory stick with BitLocker autounlock
- lock down C:\ and S:\ (BitLocker) so that users cannot add data to these folders
- disable the Windows pagefile to avoid user data "residue" on the system disk
- enable write-caching on the memory stick (for performance reasons)
- enable a large system cache (LargeSystemCache registry value) for the same reasons
- use Roaming Profiles to copy user profiles to a central server share (for backup)
- use Folder Redirection to redirect user folders to a central server share (for backup)
- use Offline Files to locally cache server-side user folders and "user group" folders (i.e. folders shared between groups of users)
- redirect the local Client-Side-Cache (C:\Windows\CSC) to the memory stick to avoid user data "residue" on the system disk
- disable Hibernation to avoid user data "residue" on the system disk
- disable the Windows Search service since I don't use it, I don't like it, and it seems to generate a lot of traffic to the memory stick

AFAIK, this leaves no room for user data to be written to the hard disk except to those subfolders of C:\Windows that Microsoft has made user-writable by default. I have not closed down these subfolders, but intend to do it at a later stage.

In addition, I lock down Windows with a configuration similar to the SSLF profile of the W2008/Vista security guides and use SRP to block end-user program execution outside Windows, Program Files, and the logon server SYSVOL share.

I have been running this configuration for a few months now without any apparent problems arising from doing the redirection. Performance is acceptable even on the fairly slow (but conveniently small) Sony MicroVault Tiny 8GB USB2.0, 7/12 MB/sec write/read.

The reason for posting this message is to get some feedback on my approach, in particular:

- are there any potential problems or pitfalls that I ought to know about?
- are there any uncovered ways that user data can be written to the hard disk?
- should I expect to run into trouble when I lock down the user-writable subfolders of C:\Windows?

Audun
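
A read-only audit of several of the settings listed in the post above, as an added example that is not part of the original post or the poster's own tooling. It assumes C: is the system disk and that the Offline Files cache was moved with the CacheLocation registry value; the helper function names are made up for this sketch.

```powershell
# Added example: read-only audit of the residue-related settings from the post.
# Assumption: C: is the system disk; run from an elevated PowerShell prompt.
$SystemDrive = 'C:'
$MemMgmt     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties[$Name]) { return $item.$Name }
    return $null
}

function New-Result([string]$Check, $Value, [bool]$Ok) {
    New-Object PSObject -Property @{ Check = $Check; Value = "$Value"; Ok = $Ok }
}

function Test-OffSystemDrive($Path) {
    # True only for a non-empty path that does not mention the system drive.
    return [bool]($Path -and ("$Path" -notlike "*$SystemDrive\*"))
}

$results = @()
foreach ($name in 'ProfilesDirectory', 'ProgramData') {
    $v = Get-RegValue $ProfileList $name
    $results += New-Result "$name off system disk" $v (Test-OffSystemDrive $v)
}

# PagingFiles is a multi-string; no non-empty entry means no pagefile is configured.
$paging = @(Get-RegValue $MemMgmt 'PagingFiles') | Where-Object { $_ }
$results += New-Result 'Pagefile disabled' $paging (-not $paging)

$lsc = Get-RegValue $MemMgmt 'LargeSystemCache'
$results += New-Result 'LargeSystemCache enabled' $lsc ($lsc -eq 1)

$hib = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' 'HibernateEnabled'
$results += New-Result 'Hibernation disabled' $hib ($hib -eq 0)

$ws = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\WSearch' 'Start'
$results += New-Result 'Windows Search disabled (Start=4)' $ws ($ws -eq 4)

# Assumption: the CSC cache was moved via the CacheLocation value (an NT-style path).
$csc = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\CSC\Parameters' 'CacheLocation'
$results += New-Result 'Offline Files cache off system disk' $csc (Test-OffSystemDrive $csc)

$results | Select-Object Check, Value, Ok | Format-Table -AutoSize
```

A missing value is reported as not OK, so a row with an empty Value means the setting could not be confirmed rather than that it is wrong.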