Focus on Microsoft
Re: RE: Can we really block users from installing applications through Group policy? Oct 28 2004 04:19PM
Laura Robinson (larobins verizon net)
Again, could you be very specific as to exactly which setting you're talking about? I understand the concept, but I think you may be talking about the exact settings I was referencing.

Laura
>
> From: Joshua Feek <jfeek (at) yahoo.com (dot) au [email concealed]>
> Date: 2004/10/27 Wed PM 08:57:06 EDT
> To: Laura Robinson <larobins (at) verizon (dot) net [email concealed]>, Paul Aviles <paviles (at) adjoined (dot) com [email concealed]>,
> Harlan Carvey <keydet89 (at) yahoo (dot) com [email concealed]>, focus-ms (at) securityfocus (dot) com [email concealed]
> CC: chang zhu <cyz2000 (at) yahoo (dot) com [email concealed]>
> Subject: Re: RE: Can we really block users from installing applications through Group policy?
>
> When you repackage your applications into a new
> certified msi package, you specify the cert to be
> used to digitally sign the application. Wise and most
> of the others have this capability.
>
> Under software restriction GPO additional rules, new
> certificate rule, you add the reference to the cert you
> used for the applications packaged above.
>
> --- Laura Robinson <larobins (at) verizon (dot) net [email concealed]> wrote:
> > Could you please identify the GPO setting in
> > question? Thanks.
> >
> > Laura
> > >
> > > From: Joshua Feek <jfeek (at) yahoo.com (dot) au [email concealed]>
> > > Date: 2004/10/25 Mon PM 11:05:12 EDT
> > > To: Laura Robinson <larobins (at) verizon (dot) net [email concealed]>,
> > > Paul Aviles <paviles (at) adjoined (dot) com [email concealed]>,
> > > Harlan Carvey <keydet89 (at) yahoo (dot) com [email concealed]>,
> > > focus-ms (at) securityfocus (dot) com [email concealed]
> > > CC: chang zhu <cyz2000 (at) yahoo (dot) com [email concealed]>
> > > Subject: Re: RE: Can we really block users from installing applications through Group policy?
> > >
> > > This is not related to software restriction but a
> > > method that can be used via group policy to restrict
> > > the applications that can be installed, software
> > > restriction only stops the application being launched.
> > >
> > > Within a GPO you can specify that only a cert
> > > certified application can be installed and then
> > > specify the trusted cert provider. By enforcing this a
> > > user cannot install unauthorised applications.
> > >
> > > The original question was how to stop users from
> > > installing apps via a gpo method. This fits the bill
> > > and works very well, except you have to repackage
> > > applications to msi format (or anything else) so that
> > > you can sign the installation with your cert.
> > >
> > >
> > > --- Laura Robinson <larobins (at) verizon (dot) net [email concealed]> wrote:
> > > > While your reply actually seems to be in response to
> > > > something other than the message to which it is
> > > > attached, I did want to comment on a couple of
> > > > items. First, implementing software restriction
> > > > policies does not require one to repackage all
> > > > applications into signed .msi packages- it depends
> > > > on which of the four methods of restriction you
> > > > implement. Second, you are only mentioning one way
> > > > to implement software restriction policies- there
> > > > are numerous ways of going about it. It's not quite
> > > > as facile as the description below indicates.
> > > >
> > > > Laura
> > > > >
> > > > > From: Joshua Feek <jfeek (at) yahoo.com (dot) au [email concealed]>
> > > > > Date: 2004/10/18 Mon PM 09:13:01 EDT
> > > > > To: Laura Robinson <larobins (at) verizon (dot) net [email concealed]>,
> > > > > Paul Aviles <paviles (at) adjoined (dot) com [email concealed]>,
> > > > > Harlan Carvey <keydet89 (at) yahoo (dot) com [email concealed]>,
> > > > > focus-ms (at) securityfocus (dot) com [email concealed]
> > > > > CC: chang zhu <cyz2000 (at) yahoo (dot) com [email concealed]>
> > > > > Subject: Re: RE: Can we really block users from installing applications through Group policy?
> > > > >
> > > > > Of course you can though it requires you to package
> > > > > all applications into MSI format and certify using a
> > > > > PKI cert. You then config a GPO to only allow apps
> > > > > that are certified by your cert to be installed. This
> > > > > will stop dead every other application installation.
> > > > > You can of course include other certs from vendors to
> > > > > minimise this repackage requirement
> > > > >
> > > > > --- Laura Robinson <larobins (at) verizon (dot) net [email concealed]> wrote:
> > > > > > Um, I don't recall Harlan saying that the policy had
> > > > > > to be applied to *everyone*.
> > > > > >
> > > > > > Laura
> > > > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > >
> >
> ___________________________________________________________ALL-NEW
> > > > Yahoo! Messenger - all new features - even more
> > fun!
> > > > http://uk.messenger.yahoo.com
> > > > >
> > > >
> > > >
> > >
> > >
> > >
> > >
> > >
> > >
> >
> ___________________________________________________________ALL-NEW
> > Yahoo! Messenger - all new features - even more fun!
> > http://uk.messenger.yahoo.com
> > >
> > >
> >
> ------------------------------------------------------------------------
---
> > >
> >
> ------------------------------------------------------------------------
---
> > >
> > >
> >
> >
>
> Send instant messages to your online friends http://uk.messenger.yahoo.com
>
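
The repackage-and-sign approach described in the quoted messages only holds if every package on the distribution share carries a valid signature from the expected certificate. The following PowerShell audit is an added example, not code from any poster in this thread; the function name `Test-PackageSignature`, the share path and the thumbprint are placeholders to replace with your own values.

```powershell
# Added example: audit MSI packages before relying on a certificate rule.
# Reports every package that is unsigned, has an invalid signature, or is
# signed by a certificate other than the expected one.
function Test-PackageSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PackageRoot,        # folder or share holding the .msi files
        [Parameter(Mandatory)] [string] $TrustedThumbprint   # thumbprint of the signing cert
    )

    # Thumbprints copied from the certificate UI often contain spaces.
    $expected = ($TrustedThumbprint -replace '\s', '').ToUpperInvariant()

    Get-ChildItem -Path $PackageRoot -Filter '*.msi' -Recurse -File | ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = $sig.SignerCertificate

        # Order matters: an unsigned or tampered package has no trustworthy signer.
        $verdict = if ($sig.Status -eq 'NotSigned') {
            'Unsigned'
        } elseif ($sig.Status -ne 'Valid') {
            "Invalid ($($sig.Status))"      # e.g. HashMismatch, NotTrusted
        } elseif ($signer.Thumbprint -ne $expected) {
            'SignedByOtherCert'
        } else {
            'OK'
        }

        [pscustomobject]@{
            Package    = $_.FullName
            Verdict    = $verdict
            Signer     = if ($signer) { $signer.Subject }    else { $null }
            Thumbprint = if ($signer) { $signer.Thumbprint } else { $null }
            NotAfter   = if ($signer) { $signer.NotAfter }   else { $null }
        }
    }
}

# Constructed invocation: path and thumbprint are placeholders.
Test-PackageSignature -PackageRoot '\\fileserver.example\packages' `
    -TrustedThumbprint '<THUMBPRINT-OF-YOUR-SIGNING-CERT>' |
    Where-Object Verdict -ne 'OK' |
    Format-Table -AutoSize
```

An empty result means every package found is validly signed by the expected certificate; the `NotAfter` column shows when the signing certificate expires.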
Copyright 2008, SecurityFocus