Software Restrictions - Certificate rules do not work

Guest
Archived from groups: microsoft.public.win2000.security

I am trying to create a GP certificate rule to prevent a software
package from being installed.

I tried the HASH method, which does not work on all digitally signed
programs.

Scenario:
Block install of Norton SS V7.0 (2004); executable is signed by Symantec
Corporation.
SYMSETUP.EXE

I imported the cer into my test machine, then exported in all three formats.
The software restriction cert rule was pointed to each of these at one test
or another.
Each was tried but the install still worked.

I noticed an article by
http://www.rtfm-ed.co.uk/microsoft/tips/windows/win2003.htm
that mentions the software rest cert rules don't work unless you enable
Computer Config\windows settings\security settings\local policies\security
options\system settings: Use Certificate Rules on Windows Exec for Software
Restriction Policies and enable this policy.

I do not see this option any place.

Has anyone done this successfully yet?

Tom
 
Guest

Hello,

Have you walked through the KB article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;324036

Note that there is a prerequisite to use Certificate based rules;

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifie
\AuthenticodeEnabled must equal 1.

Thank you for your post.

Kenny Wood
CISSP, MCSE (+S, +M)
PSS Security
Microsoft Corporation
--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included
script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best
directed to the newsgroup/thread from which they originated.
 
Guest

Solid Answer! Thank you.

All the searches for software restrictions did not turn up that article. I
can imagine why this important point was omitted in other articles.

I created an adm file for my GP and it works great with this reg key.

Are there any other issues that may pop up if I enable this reg key?

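An added example, not part of the original thread and not Microsoft's code, for checking the prerequisite named in the reply above: it reads AuthenticodeEnabled and reports the signer of an installer so a certificate rule can be compared against it. The key is written CodeIdentifiers, its full name in Windows; the function names and the C:\Temp path are assumptions made for illustration.

```powershell
# Added example: audit the prerequisite for SRP certificate rules.
# Value name comes from the reply above; key path is the full Windows name.
$SaferKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$ValueName = 'AuthenticodeEnabled'

function Get-SrpCertificateRuleState {
    # Reports whether certificate rules are evaluated on this machine.
    if (-not (Test-Path -LiteralPath $SaferKey)) {
        return [pscustomobject]@{ Enforced = $false; Reason = 'No SRP policy key present' }
    }
    $item = Get-ItemProperty -LiteralPath $SaferKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Certificate rules exist in policy but are silently ignored in this state.
        return [pscustomobject]@{ Enforced = $false; Reason = "$ValueName not set" }
    }
    $v = [int]$item.$ValueName
    [pscustomobject]@{
        Enforced = ($v -eq 1)
        Reason   = "$ValueName = $v"
    }
}

function Get-InstallerSigner {
    param([Parameter(Mandatory)][string]$Path)
    # Shows which certificate a rule would have to match for this file.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        File       = $Path
        Status     = $sig.Status          # NotSigned means no certificate rule can apply
        Subject    = if ($cert) { $cert.Subject }
        Thumbprint = if ($cert) { $cert.Thumbprint }
    }
}

Get-SrpCertificateRuleState

# Hypothetical location of the installer under test.
$installer = 'C:\Temp\SYMSETUP.EXE'
if (Test-Path -LiteralPath $installer) {
    Get-InstallerSigner -Path $installer
}
```

Compare the reported thumbprint with the certificate the rule was created from; a mismatch or a NotSigned status explains a rule that never fires even when AuthenticodeEnabled is 1.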