Re: RE: Can we really block users from installing applications through Group policy?

From: Joshua Feek (jfeek_at_yahoo.com.au)
Date: 10/28/04

  • Next message: Sergey V. Gordeychik: "RE: 802.1x Authentication"
    Date: Thu, 28 Oct 2004 01:57:06 +0100 (BST)
    To: Laura Robinson <larobins@verizon.net>, Paul Aviles <paviles@adjoined.com>, Harlan Carvey <keydet89@yahoo.com>, focus-ms@securityfocus.com
    
    

    When you repackage your applications into a new
    certified msi package, you specify the cert to be
    used to digitally sign the application. Wise and most
    of the others have this capability.

    Under software restriction GPO additional rules, new
    certificate rule, you add the reference to the cert you
    used for the applications packaged above.

     --- Laura Robinson <larobins@verizon.net> wrote:
    > Could you please identify the GPO setting in
    > question? Thanks.
    >
    > Laura
    > >
    > > From: Joshua Feek <jfeek@yahoo.com.au>
    > > Date: 2004/10/25 Mon PM 11:05:12 EDT
    > > To: Laura Robinson <larobins@verizon.net>,
    > > Paul Aviles <paviles@adjoined.com>,
    > > Harlan Carvey <keydet89@yahoo.com>,
    > focus-ms@securityfocus.com
    > > CC: chang zhu <cyz2000@yahoo.com>
    > > Subject: Re: RE: Can we really block users from
    > installing applications through Group policy?
    > >
    > > This is not related to software restriction but a
    > > method that can be used via group policy to
    > restrict
    > > the applications that can be installed, software
    > > restriction only stops the application being
    > launched.
    > >
    > > Within a GPO you can specify that only a cert
    > > certified application can be installed and then
    > > specify the trusted cert provider. By enforcing
    > this a
    > > user cannot install unauthorised applications.
    > >
    > > The original question was how to stop users from
    > > installing apps via a gpo method. This fits the
    > bill
    > > and works very well, except you have to repackage
    > > applications to msi format (or anything else) so
    > that
    > > you can sign the installation with your cert.
    > >
    > >
    > > --- Laura Robinson <larobins@verizon.net> wrote:
    > > > While your reply actually seems to be in
    > response to
    > > > something other than the message to which it is
    > > > attached, I did want to comment on a couple of
    > > > items. First, implementing software restriction
    > > > policies does not require one to repackage all
    > > > applications into signed .msi packages- it
    > depends
    > > > on which of the four methods of restriction you
    > > > implement. Second, you are only mentioning one
    > way
    > > > to implement software restriction policies-
    > there
    > > > are numerous ways of going about it. It's not
    > quite
    > > > as facile as the description below indicates.
    > > >
    > > > Laura
    > > > >
    > > > > From: Joshua Feek <jfeek@yahoo.com.au>
    > > > > Date: 2004/10/18 Mon PM 09:13:01 EDT
    > > > > To: Laura Robinson <larobins@verizon.net>,
    > Paul
    > > > Aviles <paviles@adjoined.com>,
    > > > > Harlan Carvey <keydet89@yahoo.com>,
    > > > focus-ms@securityfocus.com
    > > > > CC: chang zhu <cyz2000@yahoo.com>
    > > > > Subject: Re: RE: Can we really block users
    > from
    > > > installing applications through Group policy?
    > > > >
    > > > > Of course you can though it requires you to
    > > > package
    > > > > all applications into MSI format and certify
    > using
    > > > a
    > > > > PKI cert. You then config a GPO to only allow
    > apps
    > > > > that are certified by your cert to be
    > installed.
    > > > This
    > > > > will stop dead every other application
    > > > installation.
    > > > > You can of course include other certs from
    > vendors
    > > > to
    > > > > minimise this repackage requirement
    > > > >
    > > > > --- Laura Robinson <larobins@verizon.net>
    > wrote:
    > > > > > Um, I don't recall Harlan saying that the
    > policy
    > > > had
    > > > > > to be applied to *everyone*.
    > > > > >
    > > > > > Laura
    > > > > > >

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
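
    Before a certificate rule like the one described in this message is enforced, it helps to confirm that every repackaged MSI really carries a valid signature from the approved cert. The script below is an added example, not part of the original post; the share path and thumbprint are placeholders you would replace with your own values.

```powershell
# Added example: audit repackaged MSIs before enforcing an SRP certificate rule.
# The share path and thumbprint below are placeholders, not values from the thread.
param(
    [string]   $PackageRoot = '\\fileserver.example\packages',
    [string[]] $ApprovedThumbprints = @('<THUMBPRINT-OF-PACKAGING-CERT>')
)

function Get-PackageVerdict {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Approved
    )

    # Authenticode covers .msi files as well as executables and scripts.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Order matters: an unsigned or tampered package never reaches the signer check.
    $verdict = if ($sig.Status -eq 'NotSigned') { 'Unsigned' }
        elseif ($sig.Status -ne 'Valid') { "Invalid:$($sig.Status)" }
        elseif ($Approved -notcontains $sig.SignerCertificate.Thumbprint) { 'OtherSigner' }
        else { 'Approved' }

    [pscustomobject]@{
        Package = $Path
        Verdict = $verdict
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Walk the package share and classify every MSI found.
$results = Get-ChildItem -LiteralPath $PackageRoot -Recurse -Filter *.msi -File |
    ForEach-Object { Get-PackageVerdict -Path $_.FullName -Approved $ApprovedThumbprints }

$results | Sort-Object Verdict, Package | Format-Table -AutoSize

# Fail the run if anything is unsigned, tampered, or signed by a cert not on the list.
$notApproved = @($results | Where-Object { $_.Verdict -ne 'Approved' })
if ($notApproved.Count -gt 0) {
    Write-Warning "$($notApproved.Count) package(s) are not validly signed by an approved certificate."
    exit 1
}
```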

