Enable certificate rules

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To enable certificate rules

  • For your local computer

  • For a Group Policy object, and you are on a server that is joined to a domain

  • For a Group Policy object, and you are on a domain controller or on a workstation that has the Windows Server 2003 Administration Tools Pack installed

  • For only domain controllers, and you are on a domain controller or on a workstation that has the Administration Tools Pack installed

For your local computer

  1. Open Local Security Settings.

  2. In the console tree, click Security Options.

    Where?

    • Security Settings/Local Policies/Security Options
  3. In the details pane, double-click System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies.

  4. Do one of the following, and then click OK:

    • To enable certificate rules, click Enabled.

    • To disable certificate rules, click Disabled.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • To open Local Security Policy, click Start, point to Settings, click Control Panel, double-click Administrative Tools, and then double-click Local Security Policy.

For a Group Policy object, and you are on a server that is joined to a domain

  1. Open Microsoft Management Console (MMC).

  2. On the File menu, click Add/Remove snap-in, and then click Add.

  3. Click Group Policy Object Editor, and then click Add.

  4. In Select Group Policy Object, click Browse.

  5. In Browse for a Group Policy Object, select a Group Policy object (GPO) in the appropriate domain, site, or organizational unit, or create a new one, and then click Finish.

  6. Click Close, and then click OK.

  7. In the console tree, click Security Options.

    Where?

    • GroupPolicyObject [ComputerName] Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options
  8. In the details pane, double-click System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies.

  9. If this policy setting has not yet been defined, select the Define these policy settings check box.

  10. Do one of the following, and then click OK:

    • To enable certificate rules, click Enabled.

    • To disable certificate rules, click Disabled.

Notes

  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Microsoft Management Console, click Start, click Run, type mmc, and then click OK.

For a Group Policy object, and you are on a domain controller or on a workstation that has the Windows Server 2003 Administration Tools Pack installed

  1. Open Active Directory Users and Computers.

  2. In the console tree, right-click the Group Policy object (GPO) for which you want to enable certificate rules.

  3. Click Properties, and then click the Group Policy tab.

  4. Click Edit to open the GPO that you want to edit. You can also click New to create a new GPO, and then click Edit.

  5. In the console tree, click Security Options.

    Where?

    • GroupPolicyObject [ComputerName] Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options
  6. In the details pane, double-click System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies.

  7. If this policy setting has not yet been defined, select the Define these policy settings check box.

  8. Do one of the following, and then click OK:

    • To enable certificate rules, click Enabled.

    • To disable certificate rules, click Disabled.

Notes

  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

For only domain controllers, and you are on a domain controller or on a workstation that has the Administration Tools Pack installed

  1. Open Domain Controller Security Settings.

  2. In the console tree, click Security Options.

    Where?

    • GroupPolicyObject [ComputerName] Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options
  3. In the details pane, double-click System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies.

  4. If this policy setting has not yet been defined, select the Define these policy settings check box.

  5. Do one of the following, and then click OK:

    • To enable certificate rules, click Enabled.

    • To disable certificate rules, click Disabled.

Notes

  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Domain Controller Security Policy, click Start, click Control Panel, double-click Administrative Tools, and then double-click Domain Controller Security Policy.

Note

  • You must perform this procedure before certificate rules can take effect.
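
To confirm the result of any of the procedures above, export the computer's security settings with secedit /export /cfg and check the registry value that stores this policy (AuthenticodeEnabled, REG_DWORD). The following Python code is an added example, not part of the original topic; the function name is illustrative and the sample templates are constructed.

```python
import re

# Registry value behind "System settings: Use Certificate Rules on Windows
# Executables for Software Restriction Policies", as written in a secedit export.
SETTING = r"MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled"
REG_DWORD = "4"  # type code that precedes the data in [Registry Values] lines

def certificate_rules_state(inf_text):
    """Return 'enabled', 'disabled', 'not defined' or 'malformed'."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INF comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        # Only entries under [Registry Values] describe this policy.
        if section != "registry values" or "=" not in line:
            continue
        name, _, data = line.partition("=")
        if name.strip().lower() != SETTING.lower():
            continue
        parts = [p.strip() for p in data.split(",", 1)]
        if len(parts) != 2 or parts[0] != REG_DWORD or parts[1] not in ("0", "1"):
            return "malformed"  # wrong type or unexpected data: review by hand
        return "enabled" if parts[1] == "1" else "disabled"
    return "not defined"

# Constructed sample export; a real file is typically UTF-16, so read it
# with open(path, encoding="utf-16").
TEMPLATE = r"""[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
%s
[Version]
signature="$CHICAGO$"
"""
SAMPLE_ENABLED = TEMPLATE % (SETTING + "=4,1")
SAMPLE_DISABLED = TEMPLATE % (SETTING + "=4,0")
SAMPLE_UNDEFINED = TEMPLATE % "; setting not present"
SAMPLE_MALFORMED = TEMPLATE % (SETTING + '=1,"1"')

if __name__ == "__main__":
    for label in ("ENABLED", "DISABLED", "UNDEFINED", "MALFORMED"):
        print(label, "->", certificate_rules_state(globals()["SAMPLE_" + label]))
```

A result of "not defined" or "disabled" means certificate rules created under Software Restriction Policies are not being applied on that computer.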

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Open Software Restriction Policies
Create a certificate rule
Security levels and additional rules
Registry Editor