TL;DR
BitLocker doesn’t automatically protect drives when they are mapped over a network. This guide shows you how to prevent unauthorized access by controlling who can unlock these drives using Group Policy.
Solution Guide
- Understand the Problem: When you map a BitLocker-encrypted drive over a network, the encryption key isn’t automatically shared. Anyone with access to the share could attempt to unlock it if they have the necessary permissions and software (such as Windows). This is especially risky in larger organisations.
- Identify Affected Users/Groups: Determine which users or groups need access to the network-mapped BitLocker drives. You’ll use this information in Group Policy.
- Open Group Policy Management:
  - Press Windows key + R, type gpedit.msc and press Enter (for local policy editing).
  - For domain-joined computers, open Server Manager > Tools > Group Policy Management.
- Navigate to the Correct Setting: In Group Policy Management Editor, go to:
  Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
- Configure ‘Access this computer from the network’:
  - Double-click ‘Access this computer from the network’.
  - Click ‘Add User or Group…’.
  - Enter the name of the user(s) or group(s) you identified in Step 2 and click ‘OK’. Only add those who *need* access.
  - Remove any unnecessary users/groups (like ‘Everyone’). This is crucial for security!
  - Click ‘Apply’, then ‘OK’.
- Configure ‘Deny access to this computer from the network’:
  - Double-click ‘Deny access to this computer from the network’.
  - Click ‘Add User or Group…’.
  - Enter any users/groups you want to *explicitly* block from accessing the computer over the network (optional, but good practice for high-security environments). For example, ‘Guest’.
  - Click ‘Apply’, then ‘OK’.
- Force Group Policy Update: On the target computer(s), open Command Prompt as an administrator and run:
  gpupdate /force
  This forces a refresh of the Group Policy settings.
- Test Access: Log in with a user account that *should* have access, and attempt to map the network drive. Verify it works as expected. Then log in with an account that *should not* have access and confirm they are blocked from mapping the drive.
- Consider Network Share Permissions: Remember that these Group Policy settings only control who may connect to the computer over the network. You also need to ensure your network share permissions are configured to allow only authorized users/groups read/write access to the shared folder containing the BitLocker-encrypted data. NTFS permissions on the folder itself matter too.
- Regular Auditing: Periodically review who has ‘Access this computer from the network’ rights in Group Policy and your network share permissions to ensure they remain appropriate.
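As an added example for the auditing step (not part of the original guide), the following PowerShell script exports the local security policy with secedit and lists who currently holds the two user rights configured above, warning if a broad built-in principal such as ‘Everyone’ is still in the allow list. It assumes it is run elevated on the target computer; the well-known SIDs it names are Windows built-ins.

```powershell
# Added example, not from the original guide: audit the two user rights this guide
# configures on the local computer. Assumes an elevated prompt on the target machine.
$inf = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Map the privilege constants in the INF back to the names shown in the policy editor.
$rights = @{
    'SeNetworkLogonRight'     = 'Access this computer from the network'
    'SeDenyNetworkLogonRight' = 'Deny access to this computer from the network'
}

# Parse lines such as "SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545" from [Privilege Rights].
$assigned = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rights.ContainsKey($Matches[1])) {
        $assigned[$Matches[1]] = $Matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

function Resolve-Principal([string]$sid) {
    # Translate a SID to DOMAIN\Name; fall back to the raw value for orphaned or non-SID entries.
    try { ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid }
}

foreach ($right in $rights.Keys) {
    Write-Host "`n$($rights[$right]) ($right):"
    $members = @($assigned[$right])
    if (-not $members) { Write-Host '  (nobody)'; continue }
    foreach ($m in $members) { Write-Host "  $(Resolve-Principal $m)" }
}

# Well-known SIDs for broad principals: S-1-1-0 Everyone, S-1-5-11 Authenticated Users, S-1-5-32-545 Users.
$broad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-32-545' = 'Users' }
foreach ($m in @($assigned['SeNetworkLogonRight'])) {
    if ($broad.ContainsKey($m)) {
        Write-Warning "'$($broad[$m])' still holds 'Access this computer from the network'; confirm this is intended or remove it."
    }
}
```

For domain-joined machines the export reflects the effective local policy after gpupdate, so run it after the policy refresh to confirm the GPO actually applied.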