software restrictions


Wayne A. Harris

I'm trying to implement S/R to block all .MSI files, except those that
have a Digital Certificate from an internal PKI.


We have an internal PKI that has issued a cert that can be used for
Code-signing.


Actually, what I want to do is EXACTLY like what's described in the
document "How To Use Software Restriction Policies in Windows Server
2003":


http://support.microsoft.com/default.aspx?scid=kb;en-us;324036


Simply put, I want Default rule to be unrestricted
path rule *.msi to be disallowed
certificate rule (to inside PKI) to be unrestricted.


I made the reg change outlined in the doc to allow for Certificates to
be checked.
(HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers)



My issue is simply this: the path rule will not allow the signed MSI
files to execute (Event ID 866 in the event log). All MSI files are
restricted. ALL.


What's interesting is that when I reverse it (allow all MSI files by
path, and disallow all signed MSI files) it seems to work. I can
execute all MSI files, save for the ones that I have signed (Event
ID 867 in the event log).


I dunno, this should be a no-brainer...


Any thoughts?
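A way to check each piece of the setup the post describes, as an added example that is not part of the original thread or of the KB article: the registry value that turns on certificate-rule checking, the path and certificate rules actually present on the machine and the level each one maps to, the Authenticode signature on the MSI itself, and the recent SRP events. The MSI path is an assumption, and the two policy certificate stores named for certificate rules are where I understand SRP keeps them (TrustedPublisher for Unrestricted, Disallowed for Disallowed); confirm both on the box before relying on the output.

```powershell
# Added example (not code from the original post or from KB 324036).
# Inspect the Software Restriction Policy pieces the post describes, one at a time.
$msi = 'C:\Deploy\signed-app.msi'   # ASSUMPTION: path to the signed MSI under test

$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# SRP stores rules under a subkey named for the numeric security level.
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

# 1. Default level, and whether certificate rules are evaluated at all.
#    AuthenticodeEnabled is the value the KB article has you add; it must be 1.
$ci = Get-ItemProperty -Path $safer
"Default level        : {0} ({1})" -f $ci.DefaultLevel, $levelNames[[int]$ci.DefaultLevel]
"AuthenticodeEnabled  : {0}" -f $ci.AuthenticodeEnabled
"MSI in ExecutableTypes: {0}" -f [bool]($ci.ExecutableTypes -contains 'MSI')

# 2. Path rules, grouped by the level key they live under.
foreach ($lvl in $levelNames.Keys) {
    $paths = Join-Path $safer "$lvl\Paths"
    if (Test-Path $paths) {
        Get-ChildItem $paths | ForEach-Object {
            $r = Get-ItemProperty $_.PSPath
            "Path rule [{0}]: {1}  ({2})" -f $levelNames[$lvl], $r.ItemData, $r.Description
        }
    }
}

# 3. Certificate rules. ASSUMPTION: SRP keeps them as certificates in the policy
#    TrustedPublisher store (Unrestricted) and the policy Disallowed store.
$certRoots = @{
    'Unrestricted' = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates'
    'Disallowed'   = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates'
}
foreach ($k in $certRoots.Keys) {
    if (Test-Path $certRoots[$k]) {
        Get-ChildItem $certRoots[$k] | ForEach-Object {
            "Cert rule [{0}]: thumbprint {1}" -f $k, $_.PSChildName
        }
    }
}

# 4. The signature on the MSI itself. Status must be Valid and the signer must
#    chain to a root the machine trusts; compare the signer thumbprint with the
#    certificate-rule entries listed in step 3.
$sig = Get-AuthenticodeSignature -FilePath $msi
"Signature status     : {0}" -f $sig.Status
if ($sig.SignerCertificate) {
    "Signer subject       : {0}" -f $sig.SignerCertificate.Subject
    "Signer thumbprint    : {0}" -f $sig.SignerCertificate.Thumbprint
    "Chains to trusted root: {0}" -f $sig.SignerCertificate.Verify()
}

# 5. Recent SRP decisions. On XP/2003 these land in the Application log with
#    IDs 865-868; 866 is a path-rule block, 867 a certificate-rule block.
Get-EventLog -LogName Application -Newest 500 |
    Where-Object { 865..868 -contains $_.EventID } |
    Select-Object -First 10 TimeGenerated, EventID, Message
```

Run it elevated on a client that has applied the policy, not on the domain controller that authored it; the point is to see which rule the client actually matched for the file in question, and whether the signature on the file is one a certificate rule could match at all.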
 

Steven L Umbach

Are these Windows 2003/XP Pro computers that you are trying to do this
on? --- Steve

 
