Guardian Edge Configuration Administration Weakness


Guardian Edge Encryption Anywhere Hard Disk is a Full Disk Encryption product that, in the words of their website, offers a "unique integration with Microsoft Active Directory for Group Policy Object based policy management".

Some policies can only be set at installation, but other settings can be configured through Group Policy. Guardian Edge provides Group Policy Administrative Templates (ADM files) that are imported into Group Policy and deployed to users. Guardian Edge recommends that access to these Group Policy snap-ins be restricted (which can itself be done through Group Policy). This prevents a local administrator from importing the ADM file into their local Group Policy and modifying the settings themselves.

By opening the ADM files in a text editor, it is apparent what registry keys are modified by each policy. I haven't tested this out since enabling the Group Policy snap-in restriction, but I am reasonably sure that no Group Policy snap-in restriction will prevent me from directly creating these registry keys. Malicious code, or a user trying to escape perceived encryption slowness could then bypass the normal administration methods and decrypt the hard drive.
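The mapping described above, from ADM policy entries to the registry keys they set, is exactly what a defender would want to inventory: which keys the product's policies live under, who can write to them on a given machine, and whether direct changes to them would leave a trace. The PowerShell below is an added example written for this post; it is not Guardian Edge code and does not use the product's real key names. The ADM text is a constructed sample with placeholder `ExampleVendor` keys, and `Get-AdmPolicyKeys`, `Test-PolicyKeyHardening` and `Add-PolicyKeyAuditRule` are names chosen here. The audit rule it adds is the standard Windows registry SACL mechanism: once the "Registry" object-access subcategory is enabled, a direct write to an audited key produces Security event 4657, which is how the bypass the post worries about would show up in logs.

```powershell
# Added example (not from the original post or from Guardian Edge). Parses the
# KEYNAME/VALUENAME pairs out of an ADM file, then reports for each referenced
# key whether it exists locally, which identities may write to it, and whether
# write access is audited. Run elevated: reading or setting SACLs needs
# SeSecurityPrivilege.

# Constructed sample ADM text; the key names are placeholders, not real ones.
$SampleAdm = @'
CLASS MACHINE
CATEGORY !!FdeCategory
    KEYNAME "Software\Policies\ExampleVendor\FDE"
    POLICY !!RequirePreBoot
        VALUENAME "PreBootAuthentication"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
    POLICY !!AllowDecrypt
        KEYNAME "Software\Policies\ExampleVendor\FDE\Admin"
        VALUENAME "AllowUserDecrypt"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
END CATEGORY
'@

function Get-AdmPolicyKeys {
    # Emits one object per VALUENAME with the registry path it is written under.
    # A KEYNAME inside a POLICY block overrides the enclosing CATEGORY's KEYNAME.
    param([string]$AdmText)
    $class = 'MACHINE'; $categoryKey = $null; $policyKey = $null; $inPolicy = $false
    foreach ($line in ($AdmText -split "`r?`n")) {
        $t = $line.Trim()
        if ($t -match '^CLASS\s+(MACHINE|USER)') { $class = $Matches[1]; continue }
        if ($t -match '^POLICY\b')               { $inPolicy = $true; $policyKey = $null; continue }
        if ($t -match '^END\s+POLICY')           { $inPolicy = $false; continue }
        if ($t -match '^KEYNAME\s+"([^"]+)"') {
            if ($inPolicy) { $policyKey = $Matches[1] } else { $categoryKey = $Matches[1] }
            continue
        }
        if ($t -match '^VALUENAME\s+"([^"]+)"') {
            $key  = if ($policyKey) { $policyKey } else { $categoryKey }
            $hive = if ($class -eq 'MACHINE') { 'HKLM:' } else { 'HKCU:' }
            [pscustomobject]@{ Path = "$hive\$key"; ValueName = $Matches[1] }
        }
    }
}

# Rights that let a principal change policy state: set a value, add a subkey, delete.
$WriteMask = [System.Security.AccessControl.RegistryRights]'SetValue,CreateSubKey,Delete'

function Test-PolicyKeyHardening {
    # Reports writers (DACL Allow entries carrying any write right) and whether a
    # SACL entry audits those same rights. Audited is $null if the SACL could not be read.
    param([string]$Path)
    $r = [ordered]@{ Path = $Path; Exists = $false; Writers = @(); Audited = $null }
    if (-not (Test-Path -Path $Path)) { return [pscustomobject]$r }
    $r.Exists = $true
    try {
        $acl = Get-Acl -Path $Path -Audit
        $r.Writers = @($acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.RegistryRights -band $WriteMask) } |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
        $auditRules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
        $r.Audited = [bool]($auditRules | Where-Object { $_.RegistryRights -band $WriteMask })
    } catch {
        # Without SeSecurityPrivilege the SACL is unreadable; still report the DACL.
        $r.Writers = @((Get-Acl -Path $Path).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.RegistryRights -band $WriteMask) } |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
    }
    [pscustomobject]$r
}

function Add-PolicyKeyAuditRule {
    # Adds a Success audit entry for write rights so direct edits of the key produce
    # Security event 4657 (requires: auditpol /set /subcategory:"Registry" /success:enable).
    param([string]$Path)
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone', $WriteMask,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
        [System.Security.AccessControl.PropagationFlags]'None',
        [System.Security.AccessControl.AuditFlags]'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Inventory the keys the sample ADM touches and report their current hardening.
$PolicyKeys = Get-AdmPolicyKeys -AdmText $SampleAdm | Select-Object -ExpandProperty Path -Unique
$PolicyKeys | ForEach-Object { Test-PolicyKeyHardening -Path $_ } | Format-Table -AutoSize
# To audit writes on every existing key:  $PolicyKeys | Where-Object { Test-Path $_ } | ForEach-Object { Add-PolicyKeyAuditRule -Path $_ }
```

Replace `$SampleAdm` with `Get-Content -Raw` of the real ADM file to inventory an actual deployment. A DACL change cannot stop a local administrator (who can take ownership), which is why the example leans on the SACL: it does not prevent the direct write, but it makes it visible in the Security log instead of silent.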

Disabling security products is often step 1 for malware when it finds a new computer to infect. Why not decrypt the drive too? That sort of thing wouldn't help an attacker motivated by money, but there are still plenty motivated by mischief making.

I approached Guardian Edge support to ask them if this was indeed a viable attack. Is it desirable to place an ACL on this registry key? Could an ACL even be placed on the registry keys used by a policy? They responded:

"We totally depend on the Windows/Active Directory Security models. As of today, Microsoft has provided fixes for all the publicly known security holes for those models."

Do you really want your Full Disk Encryption totally dependent on Windows for security?

The bottom line is that Guardian Edge's Full Disk Encryption does what it's designed for. A stolen computer will be protected by the pre-boot logon as long as the user has shut the machine down.


This page contains a single entry by Roger published on August 18, 2007 8:58 PM.
