PDA

View Full Version : Software restriction policy


trieuanhl
05-29-2007, 10:19 PM
Could you please walk me through this part? I read Microsoft's documentation and could not understand it, and searching online turns up nothing in Vietnamese, so probably few people use it. If anyone understands this part, please help me, especially the certificate rule; I don't know how to use it.

sonnv
05-30-2007, 03:27 PM
Like the other rules in the software restriction policy, the certificate rule is meant to intervene in the execution of a given program (allow it to run or not) on the system. Instead of relying on the path to the program, as a path rule does, or identifying the program by a cryptographic fingerprint, the certificate rule relies on the digitally signed certificate of the software's publisher.
See below for more on the certificate rule.

The Certificate Rule

A certificate rule specifies that a software publisher's certificate (used for code-signing) must exist before a program is allowed to run. For example, an administrator can require signed certificates for all scripts and ActiveX controls. Allowable sources that comply with the certificate rule include:
• A commercial certificate authority (CA), such as VeriSign.
• A Microsoft Windows 2000/Windows Server™ 2003 public key infrastructure (PKI).
• A self-signed certificate.

A certificate rule is a strong software identification method because it uses signed hashes in the signature of the signed file to match files, regardless of name or location. Unfortunately, few software vendors use code-signing technology, and even those that do typically sign a small percentage of the executable files that they distribute. For these reasons, certificate rules are generally used for a few specific application types such as ActiveX controls or internally developed applications. For example, this guide recommends that organizations digitally sign scripts that are used to manage computers and users so that all unsigned scripts can be blocked. A hash rule can be used to identify exceptions to a certificate rule.

Enabling Certificate Rules

Certificate rules are not enabled by default. Complete the steps in the following procedure to enable certificate rules.
To enable certificate rules
1. Open the GPO in the Group Policy Object Editor.
2. In the console tree, click Security Options.
3. In the details pane, double-click System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies.
4. Click Enabled to make the certificate rules available.

For detailed instructions about how to digitally sign files, see the “Step-by-Step Guide to Digitally Signing Files with Test Certificates” section of the "Using Software Restriction Policies to Protect Against Unauthorized Software (http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx)" at http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx.
Many commercial Web sites have their software code-signed by a commercial certification authority (CA). These certificates are usually valid from one to several years. When you use certificate rules, be aware that the certificates carry expiration dates. You may be able to contact the software publisher to find out more information about the expiration period for a published certificate. When you receive a certificate from a commercial CA, you can export it to a file to create a certificate rule. Complete the steps in the following procedure to export a certificate.
To export a certificate
1. Select the trusted publisher that will issue the certificate. In this example, the certificate publisher is Microsoft MSN®.
   Figure 6.2 The Security Warning dialog box that shows the trusted publisher
2. Click the Details tab and then Copy to File... to copy this certificate to a file and use it to create a certificate rule.
   Figure 6.3 The Details tab of the Certificate dialog box
3. The Certificate Export Wizard welcome page will display. Click Next to continue.
   Figure 6.4 The Certificate Export Wizard welcome page
4. On the Export File Format page, select DER encoded binary X.509 (.CER) and click Next to create the certificate file with a (.cer) extension.
   Figure 6.5 The Certificate Export Wizard
5. On the File to Export page, designate a descriptive certificate rule file name. The certificate will be saved to whatever location you select with whatever file name you choose.
   Figure 6.6 The Certificate Export Wizard
6. The Completing the Certificate Export Wizard page will display the certificate file's specified settings. Review the settings and click Finish to export the file.
   Figure 6.7 The Certificate Export Wizard Completion page that shows the specified settings
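An added PowerShell example (not from this thread or from Microsoft's guide) that does from the command line what the two procedures above describe in the GUI: it reads the registry value behind the "Use Certificate Rules on Windows Executables" policy, validates a file's Authenticode signature, warns about the certificate expiration the guide mentions, and writes the signer certificate out as a DER-encoded .cer file ready for a certificate rule. The executable path and output directory are assumptions; replace them with your own.

```powershell
# Added example: check SRP certificate-rule readiness and export a publisher certificate.
# Assumptions: $ExePath is a signed executable, $OutDir is writable (both placeholders).
param(
    [string]$ExePath = "$env:SystemRoot\System32\notepad.exe",
    [string]$OutDir  = "$env:TEMP\srp-certs"
)

# Registry value set by the GPO setting
# "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies".
$saferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$authenticode = (Get-ItemProperty -Path $saferKey -Name AuthenticodeEnabled `
                 -ErrorAction SilentlyContinue).AuthenticodeEnabled
if ($authenticode -eq 1) {
    Write-Host "Certificate rules are enabled (AuthenticodeEnabled = 1)."
} else {
    Write-Warning "Certificate rules are NOT enabled; SRP ignores certificate rules until the policy is set."
}

# A certificate rule can only match a file whose signature actually validates.
$sig = Get-AuthenticodeSignature -FilePath $ExePath
if ($sig.Status -ne 'Valid') {
    Write-Warning "$ExePath is not validly signed (status: $($sig.Status)); no certificate rule can match it."
    return
}

$cert = $sig.SignerCertificate
Write-Host "Signer : $($cert.Subject)"
Write-Host "Issuer : $($cert.Issuer)"
Write-Host "Valid  : $($cert.NotBefore) -> $($cert.NotAfter)"

# The guide warns that publisher certificates carry expiration dates; surface that early.
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 0) {
    Write-Warning "Signing certificate expired $(-$daysLeft) days ago; review the rule."
} elseif ($daysLeft -lt 90) {
    Write-Warning "Signing certificate expires in $daysLeft days; plan to refresh the rule."
}

# Export as DER encoded binary X.509 (.CER), the same format chosen in step 4 of the wizard.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$safeName = ($cert.Subject -replace '[^A-Za-z0-9]+', '_').Trim('_')
$cerPath  = Join-Path $OutDir "$safeName.cer"
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[IO.File]::WriteAllBytes($cerPath, $der)
Write-Host "Exported publisher certificate to $cerPath (thumbprint $($cert.Thumbprint))"
```

Point the certificate rule in the GPO at the exported .cer file; the thumbprint printed at the end lets you confirm you picked the same certificate when reviewing the rule later.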

microsoftvn
02-04-2009, 01:33 PM
Some very detailed lab videos on applying Software Restriction Policies:
http://www.box.net/shared/hl2a3o1dqh

http://rapidshare.com/files/193676716/Software_Restriction_Policies.zip