Wayne A. Harris
I'm trying to implement S/R to block all .MSI files, except those that
have a Digital Certificate from an internal PKI.
We have an internal PKI that has issued a cert that can be used for
Code-signing.
Actually, what I want to do is EXACTLY like what's described in the
document "How To Use Software Restriction Policies in Windows Server
2003"
http://support.microsoft.com/default.aspx?scid=kb;en-us;324036
Simply put, I want Default rule to be unrestricted
path rule *.msi to be disallowed
certificate rule (to inside PKI) to be unrestricted.
I made the reg change outlined in the doc to allow for Certificates to
be checked.
(HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers)
My issue is simply this. The path rule will not allow the signed MSI
files to execute. (Event ID:866 in event log) All msi files are
restricted. ALL
What's interesting is that when I reverse it. (allow all MSI files by
path, and disallow all signed MSI files) it seems to work. I can
execute all msi files, save for the ones that I have signed. (Event
ID:867 in event log)
I dunno, this should be a no-brainer.
Any thoughts?
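As an added diagnostic (not part of the original post, and not Microsoft's own tooling), the PowerShell below checks the three things the setup above depends on: that the `AuthenticodeEnabled` value from KB 324036 is set under the `CodeIdentifiers` key, what the default level and path rules currently are, and whether a given MSI actually carries a signature that chains to the internal CA. The MSI path and the issuer name are assumptions to be replaced with your own.

```powershell
# Added example, not from the original post. $MsiPath and $ExpectedIssuer
# are assumed sample values; replace them with your own package and CA.
param(
    [string]$MsiPath        = 'C:\Packages\example.msi',    # assumed sample MSI
    [string]$ExpectedIssuer = 'CN=Internal Issuing CA'      # assumed internal PKI issuer DN
)

$saferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# 1. Is Authenticode checking enabled for SRP (the registry change from KB 324036)?
#    Without AuthenticodeEnabled = 1, certificate rules are never evaluated.
$props = Get-ItemProperty -Path $saferKey -ErrorAction Stop
$authenticodeEnabled = [int]$props.AuthenticodeEnabled
"AuthenticodeEnabled = $authenticodeEnabled (1 = certificate rules evaluated)"

# 2. Default security level. 0x40000 = Unrestricted, 0 = Disallowed.
"DefaultLevel        = 0x{0:X} (0x40000 = Unrestricted, 0 = Disallowed)" -f $props.DefaultLevel

# 3. Path rules are stored per level; each rule is a GUID subkey whose
#    ItemData value holds the path pattern (for example *.msi).
foreach ($level in '0', '262144') {
    $pathKey = Join-Path $saferKey "$level\Paths"
    if (Test-Path $pathKey) {
        Get-ChildItem -Path $pathKey | ForEach-Object {
            $rule = Get-ItemProperty -Path $_.PSPath
            "Path rule at level $level : $($rule.ItemData)"
        }
    }
}

# 4. Does the MSI carry a valid Authenticode signature, and does the signer
#    chain to the internal CA that the certificate rule is meant to trust?
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
"Signature status    = $($sig.Status)"

if ($sig.SignerCertificate) {
    "Signer subject      = $($sig.SignerCertificate.Subject)"
    "Signer issuer       = $($sig.SignerCertificate.Issuer)"

    # Build the chain on this machine: a cert that verifies on the signing
    # host but not on the client is a common reason a certificate rule never matches.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($sig.SignerCertificate)
    "Chain builds        = $chainOk"
    foreach ($status in $chain.ChainStatus) {
        "  chain status: $($status.Status) - $($status.StatusInformation.Trim())"
    }

    if ($sig.SignerCertificate.Issuer -ne $ExpectedIssuer) {
        Write-Warning "Signer was not issued by the expected internal CA ($ExpectedIssuer)."
    }
}
else {
    Write-Warning "No signer certificate found on $MsiPath; a certificate rule cannot match it."
}
```

SRP evaluates hash rules before certificate rules and certificate rules before path rules, so with `AuthenticodeEnabled` set to 1 a matching certificate rule is expected to override the `*.msi` path rule. Running this on the client that logs Event ID 866 shows which precondition is missing: the registry value not applied, the package unsigned, or a signer certificate whose chain does not build on that machine.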