When you repackage your applications into a new
certifified msi package, you specifify the cert to be
used to digitally sign the application. Wise and most
of the others have this capability.
Under software restriction GPO additional rules, new
certificate rule,you add the reference to the cert you
used for the applications packaged above.
--- Laura Robinson <larobins@verizon.net> wrote:
Could you please identify the GPO setting in
question? Thanks.
Laura
From: Joshua Feek <jfeek@yahoo.com.au>
Date: 2004/10/25 Mon PM 11:05:12 EDT
To: Laura Robinson <larobins@verizon.net>,
Paul Aviles <paviles@adjoined.com>,
Harlan Carvey <keydet89@yahoo.com>,
focus-ms@securityfocus.com
CC: chang zhu <cyz2000@yahoo.com>
Subject: Re: RE: Can we really block users from
installing applications through Group policy?
This is not related to software restriction but a
method that can be used via group policy to
restrict
the applications that can be installed, software
restriction only stops the application being
launched.
Within a GPO you can specify that only a cert
certified applciation can be installed and then
specify the trusted cert provider. By enforcing
this a
user cannot install unauthorised applications.
The original question was how to stop users from
installing apps via a gpo method. This fits the
bill
and works very well, except you have to repackage
applications to msi format (or anything else) so
that
you can sign the installation with your cert.
--- Laura Robinson <larobins@verizon.net> wrote:
While your reply actually seems to be in
response to
something other than the message to which it is
attached, I did want to comment on a couple of
items. First, implementing software restriction
policies does not require one to repackage all
applications into signed .msi packages- it
depends
on which of the four methods of restriction you
implement. Second, you are only mentioning one
way
to implement software restriction policies-
there
are numerous ways of going about it. It's not
quite
as facile as the description below indicates.
Laura
From: Joshua Feek <jfeek@yahoo.com.au>
Date: 2004/10/18 Mon PM 09:13:01 EDT
To: Laura Robinson <larobins@verizon.net>,
Paul
Aviles <paviles@adjoined.com>,
Harlan Carvey <keydet89@yahoo.com>,
focus-ms@securityfocus.com
CC: chang zhu <cyz2000@yahoo.com>
Subject: Re: RE: Can we really block users
from
installing applications through Group policy?
Of course you can though it requires you to
package
all applications into MSI format and certify
using
a
PKI cert. You then config a GPO to only allow
apps
that are certified by your cert to be
installed.
This
will stop dead every other application
installation.
You can of course include other certs from
verdors
to
minimise this repackage requirement
--- Laura Robinson <larobins@verizon.net>
wrote:
Um, I don't recall Harlan saying that the
policy
had
to be applied to *everyone*.
Laura
___________________________________________________________ALL-NEW
Yahoo! Messenger - all new features - even more
fun!
http://uk.messenger.yahoo.com
___________________________________________________________ALL-NEW
Yahoo! Messenger - all new features - even more fun!
http://uk.messenger.yahoo.com
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Send instant messages to your online friends http://uk.messenger.yahoo.com
---------------------------------------------------------------------------
---------------------------------------------------------------------------
