3_BL942-1101_generated_automation.md

File metadata and controls

115 lines (99 loc) · 4.59 KB
---
scapolite:
  class: rule
  version: 0.51
id: BL942-1101
id_namespace: com.siemens.seg.policy_framework.rule
title: Configure the policy 'Configure use of passwords for removable data drives'
rule: <see below>
rationale: <see below>
description: <see below>
applicability:
  - system: com.siemens.cert.acp
    c: 123
    i: 123
    a: 123
  - system: com.siemens.cert.scapolite.target_audience
    roles: asset_manager
implementations:
  - relative_id: 01
    description: <see below>
    automations:
      - system: org.scapolite.implementation.win_gpo
        ui_path: Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Configure use of passwords for removable data drives
        value:
          main_setting: Enabled
          Configure password complexity for removable data drives: Require password complexity
          Minimum password length for removable data drive: 15
        constraints:
          sub_setting:
            Minimum password length for removable data drive:
              min: 15
        verification_status: Checked.
        checksum: sha224:7fb0f9fd7341a31854c539941dce16dfae5d6cc6048fcc1b2603ad5e
      - system: org.scapolite.automation.compound
        automations:
          - system: org.scapolite.implementation.windows_registry
            config: Computer
            registry_key: Software\Policies\Microsoft\FVE
            value_name: RDVPassphrase
            action: DWORD:1
          - system: org.scapolite.implementation.windows_registry
            config: Computer
            registry_key: Software\Policies\Microsoft\FVE
            value_name: RDVPassphraseComplexity
            action: DWORD:1
          - system: org.scapolite.implementation.windows_registry
            config: Computer
            registry_key: Software\Policies\Microsoft\FVE
            value_name: RDVPassphraseLength
            action: DWORD:15
            constraints:
              min: 15
crossrefs:
  - system: com.siemens.seg.policy_framework.rule
    idref: 12.1.1-05
    relation: based_on
  - system: urn:scapolite:scce
    idref: gpo:computer:admx:windows_components:bitlocker_drive_encryption:removable_data_drives:configure_use_of_passwords_for_removable_data_drives
    relation:
history:
  - version: 1.0
    eval: true
    action: created
    description: Not part of CIS Windows Server 2019 and Siemens Windows Server 2016 (BL968). Rule has been copied from Siemens Windows 10 (BL696).
    internal_comment: Originally taken from Windows 10 Measure Plan.
---

/rule

Enable the setting 'Configure use of passwords for removable data drives' and set the options as follows:

  • Select the value Require password complexity in the drop-down list,
  • Set the option 'Minimum password length for removable data drive' to 15.

Note: The encryption password for removable data drives is exempt from the password change requirements of the Specific Information Security Policy: Access Control Rule ID: 09.4.3-04.

/rationale

If a USB memory stick that is unencrypted or poorly configured (e.g., short password, weak cipher, only used disk space encrypted) gets lost or stolen, any person who finds it can plug it into his or her computer and see the content if the stick is unencrypted, or try to access it by guessing the password or exploiting a weakness of the cipher.

While a USB stick protected with a smart card can only be used if you have the smart card and the associated PIN, a malicious user might try to discover the password of a USB stick protected only by a password by using a brute-force attack.

/description

Microsoft Windows includes the built-in full disk and volume encryption feature BitLocker Drive Encryption (BDE) which, apart from encrypting fixed drives, can be used to encrypt removable drives (also known as BitLocker To Go).

You can protect a BitLocker To Go encrypted device either with a smart card, a password, or with a combination of both.

/implementations/0/description

To set the protection level to the desired state, set the following Group Policy setting to Enabled:

Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Configure use of passwords for removable data drives

and set the options as follows:

  • Select the value Require password complexity in the drop-down list,
  • Set the option Minimum password length for removable data drive to 15.
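
To confirm on a target machine that the policy has been applied, the three registry values listed in this rule's automation can be audited. The script below is an added example, not part of the rule's own automation; it assumes the `Computer` config scope corresponds to the `HKLM` hive, and the function name `Test-RdvPassphrasePolicy` is hypothetical.

```powershell
# Added example: audit the registry values set by the rule's
# windows_registry automations for BL942-1101.
# Assumption: config scope "Computer" corresponds to the HKLM hive.
$key = 'HKLM:\Software\Policies\Microsoft\FVE'

# Expected state, taken from the rule's automation entries.
# Min = $true means the rule's "min" constraint applies (value may be higher).
$expected = @(
    @{ Name = 'RDVPassphrase';           Value = 1;  Min = $false }
    @{ Name = 'RDVPassphraseComplexity'; Value = 1;  Min = $false }
    @{ Name = 'RDVPassphraseLength';     Value = 15; Min = $true  }
)

function Test-RdvPassphrasePolicy {
    param([string]$Path = $key)

    foreach ($e in $expected) {
        # A missing key or value means the policy is not configured at all.
        $item = Get-ItemProperty -Path $Path -Name $e.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($e.Name) } else { $null }

        $ok = if ($null -eq $actual) {
            $false
        } elseif ($e.Min) {
            $actual -ge $e.Value
        } else {
            $actual -eq $e.Value
        }

        [pscustomobject]@{
            ValueName = $e.Name
            Expected  = if ($e.Min) { ">= $($e.Value)" } else { "$($e.Value)" }
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            Compliant = $ok
        }
    }
}

$results = Test-RdvPassphrasePolicy
$results | Format-Table -AutoSize

# Non-zero exit code so the check can be used in a scheduled compliance job.
if ($results.Compliant -contains $false) { exit 1 }
```

A value reported as `<not set>` means the Group Policy setting has not reached the machine, which is a different finding from a value that is present but too weak.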