Software Restrictions - Certificate rules do not work

Archived from groups: microsoft.public.win2000.security

I am trying to create a GP certificate rule to prevent a software
package from being installed.

I tried the HASH method, which does not work on all digitally signed
programs.

Scenario:
Block install of Norton SS V7.0 (2004); the executable is signed by Symantec
Corporation.
SYMSETUP.EXE

I imported the .cer into my test machine, then exported it in all three formats.
The software restriction cert rule was pointed to each of these in one test
or another.
Each was tried, but the install still worked.

I noticed an article at
http://www.rtfm-ed.co.uk/microsoft/tips/windows/win2003.htm
that mentions the software restriction cert rules don't work unless you enable
Computer Config\windows settings\security settings\local policies\security
options\system settings: Use Certificate Rules on Windows Executables for Software
Restriction Policies and enable this policy.

I do not see this option anywhere.

Has anyone done this successfully yet?

Tom
  1. Archived from groups: microsoft.public.win2000.security

    Hello,

    Have you walked through the KB article:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;324036

    Note that there is a prerequisite to use certificate-based rules:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifie
    \AuthenticodeEnabled must equal 1.

    Thank you for your post.

    Kenny Wood
    CISSP, MCSE (+S, +M)
    PSS Security
    Microsoft Corporation
  2. Archived from groups: microsoft.public.win2000.security

    Solid Answer! Thank you.

    All the searches for software restrictions did not turn up that article. I
    can imagine why this important point was omitted in other articles.

    I created an ADM file for my GP and it works great with this reg key.

    Are there any other issues that may pop up if I enable this reg key?

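For reference, an ADM template of the kind Tom mentions, added here as an example (not the poster's own file): it turns the registry prerequisite from Kenny's reply into a Computer Configuration policy setting. The full subkey name is assumed to be CodeIdentifiers (the reply shows it wrapped across a line break), and the category and string names are my own.

```adm
; Added example: custom ADM template exposing the SRP certificate-rule
; prerequisite as a Group Policy setting under Computer Configuration.
; ASSUMPTION: the subkey is CodeIdentifiers (the reply shows it wrapped).
CLASS MACHINE

CATEGORY !!SRP_Category
    KEYNAME "SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

    POLICY !!SRP_AuthenticodePolicy
        EXPLAIN !!SRP_AuthenticodeExplain
        ; Enabled writes REG_DWORD 1, Disabled writes 0,
        ; Not Configured removes the value, which leaves cert rules ignored.
        VALUENAME "AuthenticodeEnabled"
        VALUEON  NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
END CATEGORY

[strings]
SRP_Category="Software Restriction Policies (custom template)"
SRP_AuthenticodePolicy="Use certificate rules on Windows executables for software restriction policies"
SRP_AuthenticodeExplain="Sets AuthenticodeEnabled under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers. Certificate rules in a software restriction policy are not evaluated unless this value is 1."
```

Because the key lives under SOFTWARE\Policies, the setting shows up as a true policy rather than a preference and is removed when the GPO no longer applies; expect some startup cost for signed programs once it is on, since each launch then verifies the Authenticode signature.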