Need to build a classified Windows XP Professional machine - have questions
I have a question about building a computer that will be used to access classified information but it will not be allowed to write to the main hard drive. The machine will be a laptop with an internal hard drive that has the operating system and application files but all material written must be done on a drive in a removable bay which can then be secured in a safe. The machine will also need to use a non-classified drive so there will be two external drives connected to the machine depending on how it will be used. Because the data must be either locked in a safe or with the user it is easier to have all materials write to a second drive so only the drive needs to be secured and not the whole machine. Hardening the machine will not be a problem but are there any suggestions or documentation on how to redirect all data to a second drive? I would need to redirect everything written by applications and the operating system to the secondary drive and all user data as well. Because it is a classified machine all users must have individual accounts for auditing purposes. Is this any easier to do with Windows 7? Currently Windows XP is our corporate standard but we have almost finished testing Windows 7 for deployment so it wouldn't be a large problem to use Windows 7 if it was any easier. Any tips, thoughts, links, or ideas would be greatly appreciated.
December 6th, 2010 1:08am

Our environment is similar... for classified standalone (non-networked) machines our primary local drive is a removable drive. A caddy is installed in one of the drive bays of the workstation and is removed after shutdown to be put into a safe. As your machine is a laptop, could you not look into an approved (CAPS) encryption product that is suitable for the particular classification level? We utilise Flagstone Hardware Encryption or Disk Protect software encryption.
Lee Bowman MCITP MCTS
December 6th, 2010 10:25am

On Mon, 6 Dec 2010 06:00:00 +0000, CorradoGuy wrote:
> I have a question about building a computer that will be used to access classified information but it will not be allowed to write to the main hard drive. The machine will be a laptop with an internal hard drive that has the operating system and application files but all material written must be done on a drive in a removable bay which can then be secured in a safe.

Not possible. The computer needs to write to the drive Windows is installed on--primarily to the registry.
Ken Blake
December 6th, 2010 3:19pm

The company I work for is a project based company so we have contracts from different sources and the machines are controlled under NSA, ITAR, and NATO security regulations to name a few. The machine in question is covered under NATO and must either be in someone's hands or it must be locked in an approved safe. When our users travel with the machine it means they have to take that machine with them everywhere so ideally they would rather just carry the hard drive with all data with it so the actual machine can be left unattended. The current machine is an IBM A30 or something really old and it is running Windows 2000 with the OS on one drive and all data being written to a second drive. IBM/Lenovo have had what they call an ultra-bay and so the current machine is using a 3.5" IDE ultra bay so this is where the secondary bay is. I have already suggested Lee's suggestion of just putting everything on an UltraBay and running it this way. They need to run the machine as a secret machine and they also have to run it as a non-classified machine which adds a hitch into it. This means I would have to either give them two machines or I would need to have a classified image and another drive with a non-classified image meaning twice the patching and maintenance. Having two drives in the machine is not a problem with the current Lenovo laptops and one is easily accessible. We don't have to secure or encrypt the drive because it is either locked in a safe that would be hard to access or they are prying it out of someone's hands.

> Not possible. The computer needs to write to the drive Windows is installed on--primarily to the registry.

We currently have a Windows 2000 machine that is configured to write the swap file, user's temp and Windows temp, and Adobe Distiller to the secondary drive as well as the user's profile and settings. The operating system is on the main C: drive and from what I can see most of the user's information in their profile has been redirected to the D: drive. Some of the applications on the machine have redirected to the D: drive as well. As it sits we have modified the permissions to restrict the user but the OS can still change files and all of the applications' files are actually installed on the C: drive. How secure do you think this is? I know the print spooler is still on the C: drive and there must be other things that may actually write to the C: drive that could be classified and bits of it could be left over. The idea is to be 100% certain that the machine is secure and if the OS and data were configured so they were on different drives that it would be safe leaving the OS drive unsecured. I guess the real question is can I take a lot of time and redirect everything to the D: drive while the OS is on the C: drive and know that there is no chance of anything being written to the C: drive that could be considered classified? I think the quote above is accurate but I would like to know for sure because any change request must be validated.
Thanks again for your input,
Dennis
December 7th, 2010 9:09pm

Hi, Since this has been answered by Ken Blake and it’s impossible to realize what you want, “I have a question about building a computer that will be used to access classified information but it will not be allowed to write to the main hard drive. The machine will be a laptop with an internal hard drive that has the operating system and application files but all material written must be done on a drive in a removable bay which can then be secured in a safe.” I will mark Ken’s reply as answer. It could help other communities here who have the same issue. Thanks for your cooperation!
Regards, Leo Huang
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
December 8th, 2010 10:30pm

Thanks again for the feedback. I did more research on this and the answers I was getting were the same. Even with redirection there is a chance that the computer could write data to the C: drive so having the OS on one drive and redirecting everything to a secondary drive is not secure. Another problem would be OS or application crashes; this can also leave data on the C: drive if either did not shut down properly. I have made the change and if we need to have a machine that can have a removable drive with classified data on it then the drive will have the OS and the data on it. We use Lenovo laptops which have a hard drive bay that can replace the CD/DVD drive so these machines are easy to configure.
December 8th, 2010 11:43pm
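
An added example, not part of any post in this thread: a PowerShell check that reports where the write locations discussed above (page file, temp directories, print spooler, user profiles), plus crash dumps, are configured and flags any that still resolve to the system drive. The registry paths are standard Windows locations, but the check list is constructed for illustration and is not exhaustive; a clean report does not show that nothing is written to C:, since the registry itself is stored there.

```powershell
# Added example: report where common Windows write locations are configured.
# Constructed check list; standard registry locations, not an exhaustive inventory.
$sysDrive = $env:SystemDrive    # normally C:
$control  = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$profiles = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

$checks = @(
    @{ Name = 'Page file';       Key = "$control\Session Manager\Memory Management"; Value = 'PagingFiles' },
    @{ Name = 'System TEMP';     Key = "$control\Session Manager\Environment";       Value = 'TEMP' },
    @{ Name = 'System TMP';      Key = "$control\Session Manager\Environment";       Value = 'TMP' },
    @{ Name = 'User TEMP';       Key = 'HKCU:\Environment';                          Value = 'TEMP' },
    @{ Name = 'Print spooler';   Key = "$control\Print\Printers";                    Value = 'DefaultSpoolDirectory' },
    @{ Name = 'Crash dump file'; Key = "$control\CrashControl";                      Value = 'DumpFile' },
    @{ Name = 'Minidump folder'; Key = "$control\CrashControl";                      Value = 'MinidumpDir' },
    @{ Name = 'Profiles root';   Key = $profiles;                                    Value = 'ProfilesDirectory' }
)

function Get-RegValue($key, $value) {
    # Returns $null when the key or value does not exist.
    (Get-ItemProperty -Path $key -Name $value -ErrorAction SilentlyContinue).$value
}

function Test-OnSystemDrive($path) {
    # Conservative: anything without an explicit drive letter other than the
    # system drive (unset values, '?:\pagefile.sys') counts as the system drive.
    -not ($path -match '^([A-Za-z]:)' -and $Matches[1] -ne $sysDrive)
}

$report = foreach ($c in $checks) {
    $values = Get-RegValue $c.Key $c.Value
    if ($null -eq $values) { $values = '(not set, Windows default)' }
    foreach ($v in @($values)) {            # PagingFiles is a multi-string value
        if ([string]::IsNullOrEmpty($v)) { continue }
        New-Object PSObject -Property @{
            Location      = $c.Name
            Configured    = $v
            OnSystemDrive = (Test-OnSystemDrive $v)
        }
    }
}

$report | Select-Object Location, Configured, OnSystemDrive | Format-Table -AutoSize
$onSystem = @($report | Where-Object { $_.OnSystemDrive })
"{0} of {1} locations still resolve to {2}" -f $onSystem.Count, @($report).Count, $sysDrive
```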

This topic is archived. No further replies will be accepted.
