FDE: August 2007 Archives

Guardian Edge Encryption Anywhere Hard Disk is a Full Disk Encryption product that, in the words of its website, offers a "unique integration with Microsoft Active Directory for Group Policy Object based policy management".

Some policies can only be set at installation, but other settings can be configured through Group Policy. Guardian Edge provides Group Policy Administrative Templates (ADM files) that are imported into Group Policy and deployed to the users. Guardian Edge recommends that access to these Group Policy snap-ins be restricted (which can be done in Group Policy). This prevents a local administrator from importing the ADM file into their local Group Policy and modifying the settings themselves.

By opening the ADM files in a text editor, it is apparent which registry keys each policy modifies. I haven't tested this out since enabling the Group Policy snap-in restriction, but I am reasonably sure that no Group Policy snap-in restriction will prevent me from directly creating these registry keys. Malicious code, or a user trying to escape perceived encryption slowness, could then bypass the normal administration methods and decrypt the hard drive.
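The same ADM-to-registry mapping is what a defender needs in order to put an ACL or an audit SACL on the keys, or to watch them with host-based monitoring. The parser below is an added example, not the vendor's code or template: it walks a constructed ADM fragment (the key paths and policy names in it are placeholders, not the real product's) and produces the inventory of keys and values the template writes.

```python
# Inventory the registry keys and values an ADM Group Policy template writes.
# A policy applied through Group Policy is, on the endpoint, just a registry
# write, so this list is the starting point for ACLs, audit SACLs and monitoring.
import re

SCOPES = {"CATEGORY", "POLICY", "PART"}
HIVE = {"MACHINE": "HKLM", "USER": "HKCU"}

# Constructed sample template; paths and names are placeholders, not a real vendor's.
SAMPLE_ADM = r"""
CLASS MACHINE
CATEGORY !!Cat
  KEYNAME "Software\Policies\ExampleVendor\FDE"
  POLICY !!PolAllowDecrypt
    VALUENAME "AllowUserDecrypt"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
  POLICY !!PolTimeout
    KEYNAME "Software\Policies\ExampleVendor\FDE\PreBoot"
    PART !!PartTimeout NUMERIC
      VALUENAME "LockTimeoutMinutes"
      MIN 1 MAX 60 DEFAULT 10
    END PART
  END POLICY
END CATEGORY
[strings]
Cat="Example FDE"
PolAllowDecrypt="Allow user-initiated decryption"
PolTimeout="Pre-boot lock timeout"
PartTimeout="Minutes"
"""

def _tokens(line):
    # Double-quoted strings are single tokens; backslashes in key paths are kept as-is.
    return re.findall(r'"[^"]*"|\S+', line)

def parse_adm(text):
    """Return a list of (class, policy name, full key path, value name)."""
    strings, body, in_strings = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.lower() == "[strings]":
            in_strings = True
        elif in_strings:
            name, _, val = line.partition("=")
            strings[name.strip()] = val.strip().strip('"')
        else:
            body.append(line)

    def resolve(tok):  # "!!Name" refers to the [strings] table
        tok = tok.strip('"')
        return strings.get(tok[2:], tok) if tok.startswith("!!") else tok

    entries, stack, cls = [], [], None
    for line in body:
        tok = _tokens(line)
        kw = tok[0].upper()
        if kw == "CLASS":
            cls = tok[1].upper()
        elif kw in SCOPES:
            # A nested scope inherits the KEYNAME in effect in the enclosing one.
            inherited = stack[-1]["key"] if stack else None
            stack.append({"kind": kw, "name": resolve(tok[1]), "key": inherited, "value": None})
        elif kw == "KEYNAME" and stack:
            stack[-1]["key"] = resolve(tok[1])
        elif kw == "VALUENAME" and stack:
            stack[-1]["value"] = resolve(tok[1])
        elif kw == "END" and len(tok) > 1 and tok[1].upper() in SCOPES:
            # Record on scope exit so the order of KEYNAME and VALUENAME does not matter.
            policy = next((s["name"] for s in reversed(stack) if s["kind"] == "POLICY"), None)
            scope = stack.pop()
            if scope["value"] and scope["key"]:
                entries.append((cls, policy, HIVE.get(cls, "?") + "\\" + scope["key"], scope["value"]))
    return entries

def keys_to_protect(entries):
    """Distinct registry keys to ACL and audit, derived from the parsed entries."""
    return sorted({key for _, _, key, _ in entries})
```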

Disabling security products is often step one for malware when it finds a new computer to infect. Why not decrypt the drive too? That sort of thing wouldn't help an attacker motivated by money, but there are still plenty motivated by mischief-making.

I approached Guardian Edge support to ask them whether this was indeed a viable attack. Is it desirable to place an ACL on this registry key? Could an ACL even be placed on the registry keys used by a policy? They responded:

"We totally depend on the Windows/Active Directory Security models. As of today, Microsoft has provided fixes for all the publicly known security holes for those models."

Do you really want your Full Disk Encryption totally dependent on Windows for security?

The bottom line is that Guardian Edge's Full Disk Encryption does what it's designed for. A stolen computer will be protected by the pre-boot logon as long as the user has shut the machine down.

About this Archive

This page is an archive of entries in the FDE category from August 2007.
