I am experimenting with a configuration that redirects the C:\Users and
C:\ProgramData folders to a USB memory stick. This allows me to always keep
user data in personal care when travelling with the laptop. The redirection
is done by setting the value of the ProfilesDirectory and ProgramData
attributes in [Auto]Unattend.xml during Vista setup. This method is
supported, albeit reluctantly, by Microsoft.
To secure and enhance this configuration, I also:
- encrypt the hard disk with BitLocker and the TPM key, TPM PIN, and USB
- encrypt the memory stick with BitLocker autounlock
- lock down C:\ and S:\ (BitLocker) so that users cannot add data to these
- disables the Windows pagefile to avoid user data "residue" on the system
- enables write-caching on the memory stick (for performance reasons)
- enables a large system cache (LargeSystemCache registry value) for the
- uses Roaming Profiles to copy user profiles to a central server share (for
- uses Folder Redirection to redirect user folders to a central server share
- uses Offline Files to locally cache server-side user folders and "user
group" folders (i.e. folders shared between groups of users)
- redirect the local Client-Side-Cache (C:\WIndows\CSC) to the memory stick
to avoid user data "residue" on the system disk
- disable Hibernation to avoid user data "residue" on the system disk
- disable the Windows Search service since I don't use it, I don't like it,
and it seems to generate a lot of traffic to the memory stick
, this leaves no room for user data to be written to the hard disk
except to those subfolders of C:\Windows that Microsoft has made
user-writable by default. I have not closed down these subfolders, but
intend to do it at a later stage.
In addition, I lock down Windows with a configuration similar to the SSLF
profile of the W2008/Vista security guides and uses SRP to block end-user
program execution outside Windows, Program Files, and the logon server
I have been running this configuration for a few months now without any
apparent problems arising from doing the redirection. Performance is
acceptable even on the fairly slow (but conveniently small) Sony MicroVault
Tiny 8GB USB2.0, 7/12MB sec write/read.
The reason for posting this message is to get some feedback on my apporach,
- are there any potential problems or pitfalls that I ought to know about?
- are there any uncovered ways that user data can be written to the hard
- should I expect to run into trouble when I lock down the user-writable
subfolders of C:\Windows?