Guardian Edge Configuration Administration Weakness

Guardian Edge Encryption Anywhere Hard Disk is a Full Disk Encryption product that, in the words of its website, offers a “unique integration with Microsoft Active Directory for Group Policy Object based policy management”.

Some policies can only be set at installation, but other settings can be configured through Group Policy. Guardian Edge provides Group Policy Administrative Templates (ADM files) that are imported into Group Policy and deployed to the users. Guardian Edge recommends that access to these Group Policy snap-ins be restricted (which can be done in Group Policy). This prevents a local administrator from importing the ADM file into their local Group Policy and modifying the settings themselves.

By opening the ADM files in a text editor, it is apparent what registry keys are modified by each policy. I haven’t tested this out since enabling the Group Policy snap-in restriction, but I am reasonably sure that no Group Policy snap-in restriction will prevent me from directly creating these registry keys. Malicious code, or a user trying to escape perceived encryption slowness, could then bypass the normal administration methods and decrypt the hard drive.
Disabling security products is often step 1 for malware when it finds a new computer to infect. Why not decrypt the drive too? That sort of thing wouldn’t help an attacker motivated by money, but there are still plenty motivated by mischief making.
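As an added example (not from the original post and not the vendor's code), here is a small Python script that reads an ADM template and inventories the registry keys and values its policies control, so those keys can be put on an ACL review list or have write auditing enabled. The ADM text, vendor name, key paths and value names in it are constructed placeholders, not the product's real ones.

```python
import re
# Constructed ADM sample for illustration; NOT the vendor's real template.
SAMPLE_ADM = r"""
CLASS MACHINE
CATEGORY !!Cat
  KEYNAME "Software\Policies\ExampleVendor\DiskEncryption"
  POLICY !!EnableEnc
    VALUENAME "EncryptionEnabled"
  END POLICY
  POLICY !!Lockout
    KEYNAME "Software\Policies\ExampleVendor\DiskEncryption\Auth"
    PART !!Attempts NUMERIC
      VALUENAME "MaxAttempts"
    END PART
  END POLICY
END CATEGORY
[strings]
Cat="Example Disk Encryption"
EnableEnc="Encryption enabled"
Lockout="Pre-boot lockout"
"""
HIVES = {"MACHINE": "HKLM", "USER": "HKCU"}

def parse_strings(text):
    """Map !!tokens to display text from the [strings] section."""
    body = text.split("[strings]", 1)[1] if "[strings]" in text else ""
    return dict(re.findall(r'^\s*(\w+)\s*=\s*"(.*)"\s*$', body, re.M))

def inventory(text):
    """(hive, policy, key, value) per VALUENAME; KEYNAME is inherited from the enclosing scope."""
    strings, hive, policy, stack, found = parse_strings(text), "HKLM", None, [None], []
    for raw in text.split("[strings]", 1)[0].splitlines():
        tok = raw.strip().split(None, 1)
        if not tok or tok[0][0] in ";#":  # skip comments and #if version lines
            continue
        word, rest = tok[0].upper(), (tok[1].strip() if len(tok) > 1 else "")
        if word == "CLASS":
            hive = HIVES.get(rest.upper(), hive)
        elif word in ("CATEGORY", "POLICY", "PART"):
            stack.append(stack[-1])  # new scope starts with the enclosing KEYNAME
            if word == "POLICY":
                name = rest.split()[0].lstrip("!") if rest else ""
                policy = strings.get(name, name)
        elif word == "END" and rest.upper() in ("CATEGORY", "POLICY", "PART"):
            stack.pop()
        elif word == "KEYNAME":
            stack[-1] = rest.strip('"')
        elif word == "VALUENAME":
            found.append((hive, policy, stack[-1], rest.strip('"')))
    return found

def keys_to_review(rows):
    """Distinct full key paths to check with Get-Acl or to enable write auditing on."""
    return sorted({f"{hive}\\{key}" for hive, _, key, _ in rows if key})
```

Running `keys_to_review(inventory(open("template.adm").read()))` against a real template gives the list of keys whose permissions and audit settings should be reviewed, since the snap-in restriction does not cover direct registry writes.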

I approached Guardian Edge support to ask them if this was indeed a viable attack. Is it desirable to place an ACL on this registry key? Could an ACL even be placed on the registry keys used by a policy? They responded:

“We totally depend on the Windows/Active Directory Security models. As of today, Microsoft has provided fixes for all the publicly known security holes for those models.”

Do you really want your Full Disk Encryption totally dependent on Windows for security?

The bottom line is that Guardian Edge’s Full Disk Encryption does what it’s designed for. A stolen computer will be protected by the pre-boot logon as long as the user has shut the machine down.