Re: Software Restrictions - Certificate rules do not work

From: klose (norepl_at_noreply.com)
Date: 07/29/04 

Date: Thu, 29 Jul 2004 11:20:40 -0400

Solid Answer! Thank you.

All the searches for software restrictions did not turn up that article. I
can imagine why this important point was ommitted in other articles.

I created a adm file for my GP and it works great with this reg key.

Is there any other issues that may pop up if I enable this reg key?

"Kenny Wood" <Kenwood@online.microsoft.com> wrote in message
news:uWZ93TrcEHA.2516@cpmsftngxa06.phx.gbl...
> Hello,
>
> Have you walked through the KB article:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;324036
>
> Note that there is a prerequisite to use Certificate based rules;
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifie
> \AuthenticodeEnabled must equal 1.
>
> Thank you for your post.
>
> Kenny Wood
> CISSP, MCSE (+S, +M)
> PSS Security
> Microsoft Corporation
> --
>
> This posting is provided "AS IS" with no warranties, and confers no
rights. Use of included
> script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
>
> Note: For the benefit of the community-at-large, all responses to this
message are best
> directed to the newsgroup/thread from which they originated.
> --------------------
> | From: "klose" <norepl@noreply.com>
> | Subject: Software Restrictions - Certificate rules do not work
> | Date: Fri, 23 Jul 2004 16:41:02 -0400
> | Lines: 32
> | X-Priority: 3
> | X-MSMail-Priority: Normal
> | X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
> | Message-ID: <#dNIhVPcEHA.3944@tk2msftngp13.phx.gbl>
> | Newsgroups: microsoft.public.win2000.security
> | NNTP-Posting-Host: deputy.jvc.com 207.10.33.107
> | Path: cpmsftngxa06.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!
> tk2msftngp13.phx.gbl
> | Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.security:29980
> | X-Tomcat-NG: microsoft.public.win2000.security
> |
> | I am trying to create a GP certificate rule for to prevent a software
> | package from being installed.
> |
> | I tried the HASH method, which does not work on all digitally signed
> | programs.
> |
> | Senerio:
> | Block install of Norton SS V7.0 (2004) exceutable is signed by Symantec
> | Corporation.
> | SYMSETUP.EXE
> |
> | I imported the cer into my test machine, then exported in all three
formats.
> | The software restriction cert rule was pointed to each of these at one
test
> | or another.
> | Each was tried but the install still worked.
> |
> | I noticed an article by
> | http://www.rtfm-ed.co.uk/microsoft/tips/windows/win2003.htm
> | that mentions the software rest cert rules don't work unless you enable
> | Computer Config\windows settings\security settings\local
policies\security
> | options\system settings: Use Certificate Rules on Windows Exec for
Sofware
> | Restrictio polices and enable this policy.
> |
> | I do not see this option any place.
> |
> | Has any done this successfully yet?
> |
> | Tom
> |
> |
> |
> |
> |
>
>