Only let the user run programs with specified certificate (Windows)

0

I want to allow the user on a Windows 7 PC to run only programs that are certified by me (I used OpenSSL to create a self-made pem/cer or pfx file). I sign the files with Microsoft SignTool.exe. This works like a charm; all my exe files show that they are certified.

I found out there is a way using AppLocker, but every time I try to use AppLocker it gives the following error:

"The publisher information cannot be extracted from the specified file: [FILENAME] Reason: The object identifier does not represent a valid object. (Exception from HRESULT: 0x800710D8)"

I created the certificate with this HowTo: https://www.howtoforge.de/anleitung/howto-selbstsigniertes-ssl-zertifikat-erstellen/ Did I miss something?

The second way I read about is to use the Software Restriction Policies (SRP). When I try to use a signed exe file it gives me an error:

Die Erweiterung für die Basiseinschränkung eines Zertifikates wurde nicht eingehalten (The extension of the basic limitations of a certificate has not been respected.)

When I use the created .cer file it seems to work, but I can run all programs anyway.

So in the end my question is: what is the best method in Windows to allow the user to run only certified programs (certified by me)?

Thank you very much, Spider

windows
ssl
certificate
applocker
asked on Stack Overflow Aug 10, 2016 by Max R.

1 Answer

0

OK, found the solution. When you install a certificate in Windows by double-clicking the file, you install the certificate as the local user. AppLocker works with a "computer account".

Start > Run > MMC.msc > File > Add/Remove Snap-in… > choose "Certificates" > click Add > select "Computer account" and then insert the keys.

This way AppLocker identifies the certificates as trustworthy.

answered on Stack Overflow Aug 11, 2016 by Max R.
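The same fix done from the command line, as an added example that is not part of the poster's answer: put the public certificate into the computer's store (not the user's), confirm that AppLocker can now read the publisher from a signed file, and turn that into a publisher rule. The file paths are placeholders, and the script assumes an elevated PowerShell session on an edition that ships the AppLocker module.

```powershell
# Added example (not from the original post). Run elevated on Windows 7
# Enterprise/Ultimate or later with the AppLocker module available.
Import-Module AppLocker

$certFile  = 'C:\certs\my-signing-cert.cer'  # placeholder: your public cert (.cer)
$signedExe = 'C:\apps\MyTool.exe'            # placeholder: an exe signed with it

# Inspect the certificate before trusting it. Code signing expects the
# Code Signing EKU (OID 1.3.6.1.5.5.7.3.3); a certificate made from a TLS
# server HowTo usually carries only Server Authentication.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certFile
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekus = @()
if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
if ($ekus -notcontains '1.3.6.1.5.5.7.3.3') {
    Write-Warning "Certificate has no Code Signing EKU; publisher rules may fail."
}

# certutil without -user writes to the LocalMachine store, which is what
# AppLocker (running as the computer account) looks at. A self-signed
# signing cert must be a trusted root for the signature chain to validate.
certutil -addstore Root $certFile

# This is the step that failed while the certificate lived only in the
# user's store: AppLocker could not extract the publisher information.
$info = Get-AppLockerFileInformation -Path $signedExe
if (-not $info.Publisher) {
    throw "No publisher information for $signedExe: check the chain and signature."
}
$info.Publisher

# Build an allow rule keyed on the publisher (not the file hash, so later
# builds signed with the same certificate are still allowed) and merge it
# into the local AppLocker policy.
$policy = New-AppLockerPolicy -FileInformation $info -RuleType Publisher -User Everyone
Set-AppLockerPolicy -PolicyObject $policy -Merge

# Confirm the signed file evaluates as Allowed under the resulting policy.
Test-AppLockerPolicy -PolicyObject $policy -Path $signedExe
```

Enforcement still needs the Application Identity service running and the executable rule collection set to enforce; switching enforcement on with only this rule blocks everything else, including Windows' own binaries, so add the default rules first and validate in audit-only mode.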

User contributions licensed under CC BY-SA 3.0