Wednesday, August 18, 2010

Encryption and Modification of core OS files at the same time just don’t mix

It has been a little while since my last blog entry – I think it has been a month or so… During that time, I have learned quite a bit more about the Windows desktop. In addition, I have been getting my feet wet with different encryption software solutions, and the problems that they cause :)

Encryption software is sometimes a necessary evil. For example, in places where patient data is at risk of being stolen, the Health Information Privacy Act (HIPAA) requires that computers have a reasonable form of protection for patient data. That reasonable form of protection is almost always encryption. But here is the problem: Windows XP is still the most widely deployed operating system, and Windows XP does not include a ‘reasonable’ form of data encryption (regardless of how much Microsoft may argue this fact, I am correct in this statement). So what is an IT administrator to do? Install 3rd party encryption software.

My current employer requires that full disk encryption software be set up and installed on all desktop and laptop computers. We use Checkpoint Pointsec Full Disk Encryption to encrypt the entire drive. While this would NOT be my first choice, we do have Windows XP and have limited options for full disk encryption software... After Checkpoint is installed, the system reboots, modifies the boot loader, then starts to encrypt the drive with its software. The encryption process can take up to 12 hours.

Here is the issue that I encountered: Checkpoint had only encrypted about 35% of the drive when Windows Automatic Updates decided to install Windows Updates automatically. See where I am going with this? Some of the core Windows OS files were encrypted, but others were not. So when Windows installed the new updates, some of the already encrypted files were considered corrupt. Some very strange things started to happen on some of the computers that I deployed after installing Checkpoint FDE. The Netlogon service wouldn’t start, the Workstation service wouldn’t start, users would complain of network slowness, some of the computers even displayed a BSOD from time to time. Unfortunately, the only solution was to wipe the drives clean and redeploy Windows again.

So, after learning about the causes of these issues, follow these simple steps when implementing encryption software on your computers:

1) Do not install the encryption software until everything is done processing on the target computer. This would include any automatic updates from Microsoft, Adobe, Java, etc.

2) Do not install or change any files on the computer until the computer is 100% encrypted. What I mean is don’t start installing a large program such as Microsoft SQL Server on a computer that is in the middle of encrypting unless you want problems to occur.

3) Allow the computer to finish encrypting before deployment. You may not be able to follow this step, but you get the point…
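One way to enforce steps 1 and 2 with a script, as an added example that is not part of the original post: a pre-flight gate that refuses to proceed while Windows updates or a restart are pending, then holds Automatic Updates off for the duration of the encryption pass. It assumes PowerShell 2.0 or later in an elevated session, covers Windows Update only (not Adobe, Java or other third-party updaters), and the function names are hypothetical.

```powershell
# Added example: pre-flight gate to run before installing full disk encryption.
# Assumes PowerShell 2.0+ and an elevated session; function names are illustrative.

function Test-PendingReboot {
    # Registry markers Windows sets when an update or file replacement awaits a restart.
    $wu = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    if (Test-Path $wu) { return $true }
    $pfro = (Get-ItemProperty -Path $sm -ErrorAction SilentlyContinue).PendingFileRenameOperations
    return [bool]$pfro
}

function Get-PendingUpdateCount {
    # Windows Update Agent COM API: updates applicable to this machine and not yet installed.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0")
    return $result.Updates.Count
}

function Suspend-AutomaticUpdates {
    # Keep the Automatic Updates service from replacing OS files mid-encryption.
    Stop-Service -Name wuauserv -Force
    Set-Service  -Name wuauserv -StartupType Disabled
}

function Resume-AutomaticUpdates {
    # Run only after the encryption product reports the drive fully encrypted.
    Set-Service   -Name wuauserv -StartupType Automatic
    Start-Service -Name wuauserv
}

$pending = Get-PendingUpdateCount
if ((Test-PendingReboot) -or $pending -gt 0) {
    Write-Warning "Not ready: $pending update(s) pending or a restart is required. Patch and reboot first."
    exit 1
}
Suspend-AutomaticUpdates
Write-Output "Machine is quiet and Automatic Updates is held. Safe to start the encryption install."
```

Call `Resume-AutomaticUpdates` as soon as the drive is fully encrypted so the machine does not stay unpatched; how to confirm completion depends on the encryption product and is not shown here.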

I hope you all learn from my mistakes and follow the simple guidelines above. Good luck with your encryption solutions!