Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: RE: Can we really block users from installing applications through G

from [Laura Robinson] Network Security [Permanent Link]
Subject: Re: RE: Can we really block users from installing applications through Group policy?
Date: Thu, 28 Oct 2004 12:19:17 -0400 
Again, could you be very specific as to exactly which setting you're talking 
about? I understand the concept, but I think you may be talking about the exact 
settings I was referencing.

Laura


From: Joshua Feek <jfeek@yahoo.com.au>
Date: 2004/10/27 Wed PM 08:57:06 EDT
To: Laura Robinson <larobins@verizon.net>,  Paul Aviles 
<paviles@adjoined.com>, 
  Harlan Carvey <keydet89@yahoo.com>,  focus-ms@securityfocus.com
CC: chang zhu <cyz2000@yahoo.com>
Subject: Re: RE: Can we really block users from installing applications 
through Group policy?

When you repackage your applications into a new
certifified msi package, you specifify the cert to be
used to digitally sign the application. Wise and most
of the others have this capability.

Under software restriction GPO additional rules, new
certificate rule,you add the reference to the cert you
used for the applications packaged above.

 --- Laura Robinson <larobins@verizon.net> wrote: 

Could you please identify the GPO setting in
question? Thanks.

Laura


From: Joshua Feek <jfeek@yahoo.com.au>
Date: 2004/10/25 Mon PM 11:05:12 EDT
To: Laura Robinson <larobins@verizon.net>, 
  Paul Aviles <paviles@adjoined.com>, 
  Harlan Carvey <keydet89@yahoo.com>, 

focus-ms@securityfocus.com

CC: chang zhu <cyz2000@yahoo.com>
Subject: Re: RE: Can we really block users from

installing applications through Group policy?


This is not related to software restriction but a
method that can be used via group policy to

restrict

the applications that can be installed, software
restriction only stops the application being

launched.


Within a GPO you can specify that only a cert
certified applciation can be installed and then
specify the trusted cert provider. By enforcing

this a

user cannot install unauthorised applications.

The original question was how to stop users from
installing apps via a gpo method. This fits the

bill

and works very well, except you have to repackage
applications to msi format (or anything else) so

that

you can sign the installation with your cert.


 --- Laura Robinson <larobins@verizon.net> wrote: 

While your reply actually seems to be in

response to

something other than the message to which it is
attached, I did want to comment on a couple of
items. First, implementing software restriction
policies does not require one to repackage all
applications into signed .msi packages- it

depends

on which of the four methods of restriction you
implement. Second, you are only mentioning one

way

to implement software restriction policies-

there

are numerous ways of going about it. It's not

quite

as facile as the description below indicates.

Laura


From: Joshua Feek <jfeek@yahoo.com.au>
Date: 2004/10/18 Mon PM 09:13:01 EDT
To: Laura Robinson <larobins@verizon.net>, 

Paul

Aviles <paviles@adjoined.com>, 

  Harlan Carvey <keydet89@yahoo.com>, 

focus-ms@securityfocus.com

CC: chang zhu <cyz2000@yahoo.com>
Subject: Re: RE: Can we really block users

from

installing applications through Group policy?


Of course you can though it requires you to

package

all applications into MSI format and certify

using

a

PKI cert. You then config a GPO to only allow

apps

that are certified by your cert to be

installed.

This

will stop dead every other application

installation.

You can of course include other certs from

verdors

to

minimise this repackage requirement 

 --- Laura Robinson <larobins@verizon.net>

wrote: 

Um, I don't recall Harlan saying that the

policy

had

to be applied to *everyone*. 

Laura






      
      
              








___________________________________________________________ALL-NEW

Yahoo! Messenger - all new features - even more

fun!

 http://uk.messenger.yahoo.com




 



  
  
          




___________________________________________________________ALL-NEW

Yahoo! Messenger - all new features - even more fun!
 http://uk.messenger.yahoo.com






---------------------------------------------------------------------------





---------------------------------------------------------------------------





 


Send instant messages to your online friends http://uk.messenger.yahoo.com 




---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: 802.1x Authentication, Jef Feltman
Next by Date:  RE: 802.1x Authentication, Jordan, Jason D. \"Dallas\"
Previous by Thread:  Re: RE: Can we really block users from installing applications through Group policy?, Joshua Feek
Next by Thread:  RE: Can we really block users from installing applications through Group policy?, Starks, Brad
Indexes:  [Date] [Thread] [Top] [All Lists]