GPO to set Trusted Publishers for authenticode signing?

Erik

Hi all,

I want to use a GPO to set the Trusted Publishers in IE for all users in the
domain, but can't seem to get it to work.

Background: We've started to use code signing to sign macros in Office
documents to be able to raise the security level to High in the Office
programs (and get rid of some warnings). The actual code signing works fine,
but I want to be able to use a GPO to set the Trusted Publishers in IE for all
users in the domain to automatically trust certificates issued by me (to get
rid of a Security Warning where the users need to check "Always trust macros
from this publisher").

Environment: Windows 2000 Server (we have our own Root Certificate Authority,
which stores its data in the AD). XP clients.

Details: I'm running GPMC as domain admin on my local machine (running XP).
I have tried modifying a GPO to set the Trusted Publishers, but it doesn't
get applied on the client. I went into User Configuration, Windows Settings,
Internet Explorer Maintenance, Security / Authenticode Settings. Then I
imported the current Authenticode information from my machine. All looked
fine (the certificate being listed). I also tried changing some other IE
settings (the home page) just as a test.

When refreshing the policy on a test machine the IE home page gets applied,
but the list of Trusted Publishers in IE is not. This shows that there isn't
a problem with the actual policy, just with the Trusted Publishers part.

Any ideas what's going wrong?

Or is there a better way of achieving what I want: distributing a list of
Trusted Publishers so that clients always trust these for code signing of
Office documents. (I know I can add the certificates in the Office 2003 setup
program using the Custom Installation Wizard, but this seems a bit
inflexible, so I'd like to use AD.)

/ Erik
 
Bob Qin [MSFT]

Hi Erik,

Thanks for your posting here.

Do you have any Windows 2000 client? Does it work on Windows 2000 client?

Please import the information into a new GPO of your domain in AD Users and
Computers. ( User Configuration -> Windows Settings -> IE Maintenance ->
Security -> Authenticode Settings -> Import Current Authenticode
Security Information).

Now run "secedit /refreshpolicy user_policy /enforce" command and test
with the same user from XP and W2K Pro clients. What is the result?

Another suggestion would be to use a script to import the certificate on every
client. Make use of the CERTUTIL.EXE utility that can be obtained from the
certificate servers. The executable can be run from a share, but the
accompanying DLL, certadm.dll, needs to be copied and registered using the
regsvr32 command. Once this is done, the certificate can be loaded using
the following command (without the single quotes):

' <Location of CERTUTIL>\CERTUTIL -user -addstore "<Name of store (for this case, it was TrustedPublisher)>" "<Location of certificate>\<Name of certificate>"'

I hope the information helps.

Regards,
Bob Qin
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
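The certutil command above is a one-shot import, and Erik later notes that a certificate deleted from the store is not put back. The following PowerShell logon script is an added example, not code from this thread or from Microsoft: it assumes a hypothetical share path for the macro-signing certificate, refuses anything that is not a code-signing certificate chaining to an already-trusted root, and adds it to the per-user TrustedPublisher store only when it is missing, so it can run at every logon without creating duplicates.

```powershell
# Added example (not from the thread): idempotent per-user TrustedPublisher import.
# Assumption: the macro-signing certificate sits on a read-only share (hypothetical path).
$CertPath = '\\fileserver\certs\macro-signing.cer'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# Only trust a certificate actually issued for code signing (EKU 1.3.6.1.5.5.7.3.3);
# anything else has no business in TrustedPublisher.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid })) {
    Write-Warning "$CertPath is not a code-signing certificate; not trusting it."
    exit 1
}

# Require a valid chain to a root the client already trusts (the internal CA root is
# distributed by AD separately), so a stray .cer on the share cannot become a publisher.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # use 'Online' where the CRL is reachable
if (-not $chain.Build($cert)) {
    Write-Warning "$($cert.Subject) does not chain to a trusted root; not trusting it."
    exit 1
}

# Add to CurrentUser\TrustedPublisher only if absent (keyed by thumbprint), so a removed
# entry is repaired at the next logon without duplicating an existing one.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'CurrentUser')
$store.Open('ReadWrite')
try {
    $present = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($present) {
        Write-Output "Already trusted: $($cert.Subject) ($($cert.Thumbprint))"
    } else {
        $store.Add($cert)
        Write-Output "Added to TrustedPublisher: $($cert.Subject) ($($cert.Thumbprint))"
    }
} finally {
    $store.Close()
}
```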
 
Erik

Thanks for the reply,

I have now tested on a freshly installed Windows 2000 client where it
works! The certificates are installed. But if I then edit the list in
Internet Explorer (for example delete the cert), then the GPO doesn't put
the cert back. So it seems like the changes to the Trusted Publishers are
made only once.... but maybe this is the way it should work?

I also tested on a fresh Windows XP, but there it still doesn't work.

Refreshing the policy (which btw is done with gpupdate in XP) doesn't help.

Certutil.exe works (and the DLL doesn't need to be registered, only be
present in the directory). But this solution isn't as "pretty" as using the
GPO directly, so the questions are:

Why isn't the Windows 2000 server GPO setting the Trusted Publishers for XP?
Can the administrative template be too old? If so, can it be updated?

/ Erik
 
Bob Qin [MSFT]

Hi Erik,

I have done some research on this problem and it appears to be an IE6
issue. As far as I know, the fix is scheduled for Windows XP SP2. Currently,
I would like to provide Certutil.exe as a workaround for this issue.

Thanks for your understanding.

Regards,
Bob Qin
Product Support Services
Microsoft Corporation

 
Erik

Thanks for the help,

Unfortunately it turned out that I still get the Security Warning in Excel
(and the other Office programs) with the check box "always trust macros from
this publisher", even when the certificate has been installed using Certutil
(or on Windows 2000 where the GPO worked).

The strange thing is that when I add the certificate in the Office 2003
setup program using the Custom Installation Wizard I DON'T get the
warning....

So I guess there must be some setting in Office (the registry somewhere?)
that the Office 2003 setup program changes to prevent these warnings but that
isn't changed by the GPO or certutil. I have searched but didn't find
anything.

Anyway, I can live with this, but if anyone happens to know the solution I'd
be glad to know it (although this is more of an Office newsgroup question).

/ Erik
 
Bob Qin [MSFT]

Hi Erik,

Thanks for your update.

To better address this problem, I would like to suggest that you post this
question to the following news groups:

microsoft.public.office.misc
microsoft.public.outlook

I believe that you can get more informative answers there.

Regards,
Bob Qin
Product Support Services
Microsoft Corporation
