Software Restrictions - Certificate rules do not work

klose

I am trying to create a GP certificate rule to prevent a software
package from being installed.

I tried the HASH method, which does not work on all digitally signed
programs.

Scenario:
Block install of Norton SS V7.0 (2004). The executable is signed by Symantec
Corporation.
SYMSETUP.EXE

I imported the cer into my test machine, then exported in all three formats.
The software restriction cert rule was pointed to each of these at one test
or another.
Each was tried but the install still worked.

I noticed an article by
http://www.rtfm-ed.co.uk/microsoft/tips/windows/win2003.htm
that mentions the software restriction cert rules don't work unless you enable
Computer Config\windows settings\security settings\local policies\security
options\system settings: Use Certificate Rules on Windows Executables for Software
Restriction Policies and enable this policy.

I do not see this option any place.

Has anyone done this successfully yet?

Tom

Kenny Wood

Hello,

Have you walked through the KB article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;324036

Note that there is a prerequisite to use Certificate based rules;

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifie
\AuthenticodeEnabled must equal 1.

Thank you for your post.

Kenny Wood
CISSP, MCSE (+S, +M)
PSS Security
Microsoft Corporation
--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included
script samples is subject to the terms specified at http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best
directed to the newsgroup/thread from which they originated.
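As an added example that is not part of this thread or of the KB article: a PowerShell audit of the prerequisite Kenny names, which also prints the certificate that actually signed the installer so the SRP certificate rule is built from that signer certificate. It assumes the full key name is `Safer\CodeIdentifiers` (as documented in KB 324036) and uses a placeholder path for SYMSETUP.EXE.

```powershell
# Added example (not from the thread). Audits the SRP certificate-rule
# prerequisite and shows which certificate signed a given executable.
# Assumption: full key name is ...\Safer\CodeIdentifiers (KB 324036).
param(
    [string]$FilePath = 'C:\Path\To\SYMSETUP.EXE',   # placeholder path
    [switch]$Enable                                  # create the value if missing
)

$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$ValueName = 'AuthenticodeEnabled'

# Returns 1/0 when the value exists, $null when the key or value is absent.
function Get-AuthenticodeRuleState {
    if (-not (Test-Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

$state = Get-AuthenticodeRuleState
if ($state -eq 1) {
    Write-Host "$ValueName = 1: certificate rules will be evaluated."
} else {
    $shown = if ($null -eq $state) { 'not set' } else { $state }
    Write-Warning "$ValueName is $shown; certificate rules are ignored."
    if ($Enable) {
        if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Host "Set $ValueName = 1. Refresh policy (gpupdate /force) and re-test."
    }
}

# Show the signer, so the rule points at the certificate that signed the file,
# not at a root or intermediate exported from the store by mistake.
if (Test-Path $FilePath) {
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    "Status : {0}" -f $sig.Status
    if ($sig.SignerCertificate) {
        "Subject: {0}" -f $sig.SignerCertificate.Subject
        "Thumb  : {0}" -f $sig.SignerCertificate.Thumbprint
        # Export the exact signer certificate (DER) for use in the SRP rule.
        $der = $sig.SignerCertificate.Export(
            [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        [IO.File]::WriteAllBytes("$env:TEMP\signer.cer", $der)
        "Signer certificate written to $env:TEMP\signer.cer"
    }
} else {
    Write-Warning "File not found: $FilePath (edit the placeholder path)."
}
```

Run it without `-Enable` first to see the current state; the `-Enable` switch writes the value only when it is missing or not 1.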

klose

Solid Answer! Thank you.

All the searches for software restrictions did not turn up that article. I
can imagine why this important point was omitted in other articles.

I created an adm file for my GP and it works great with this reg key.

Are there any other issues that may pop up if I enable this reg key?