Create a certificate rule

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To create a certificate rule

  1. Open Software Restriction Policies.

  2. In either the console tree or the details pane, right-click Additional Rules, and then click New Certificate Rule.

  3. Click Browse, and then select a certificate or signed file.

  4. In Security level, click either Disallowed or Unrestricted.

  5. In Description, type a description for this rule, and then click OK.

Notes

  • Different administrative credentials are required to perform this procedure, depending on your environment:

    • If you create a certificate rule for your local computer: To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

    • If you create a certificate rule for a computer that is joined to a domain: To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Software Restriction Policies, see "Open Software Restriction Policies" in Related Topics.

  • It might be necessary to create a new software restriction policy setting for the Group Policy object (GPO) if you have not already done so. For information about how to create new software restriction policies, see Related Topics.

  • Certificate rules are not enabled by default. For information about how to enable certificate rules, see "Enable certificate rules" in Related Topics.

  • The only file types that are affected by certificate rules are those that are listed in Designated file types in the details pane for Software Restriction Policies. There is one list of designated file types that is shared by all rules. For more information, see "Add or delete a designated file type" in Related Topics.

  • For software restriction policies to take effect, users must update policy settings by logging off from and logging on to their computers.

  • When more than one software restriction policies rule is applied to policy settings, there is a precedence of rules for handling conflicts. For more information, see "Precedence of software restriction policies" in Related Topics.
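
A check to run before step 3, added here as an example and not part of the original topic: it confirms that the signed file you intend to browse to has a valid Authenticode signature, shows the signer certificate, and lists the other files under a folder that carry the same signer certificate. The paths and the extension list are placeholders (assumptions); use the extensions shown in Designated file types for your policy.

```powershell
# Added example, not from the original topic. Default paths and the
# extension list are assumptions; replace them with your own values.
param(
    [string]$RuleFile = 'C:\Example\signed-app.exe',  # hypothetical file to select in step 3
    [string]$ScanRoot = 'C:\Example',                 # hypothetical folder to audit
    [string[]]$Extensions = @('.exe', '.dll', '.msi', '.vbs')  # assumed subset of Designated file types
)

# 1. Refuse to continue if the signature on the chosen file does not validate.
$ruleSig = Get-AuthenticodeSignature -FilePath $RuleFile
if ($ruleSig.Status -ne 'Valid') {
    throw "Signature status of '$RuleFile' is '$($ruleSig.Status)'; do not base a rule on this file."
}

# 2. Show the certificate so it can be reviewed before the rule is created.
$cert = $ruleSig.SignerCertificate
"Signer     : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Thumbprint : $($cert.Thumbprint)"
"Expires    : $($cert.NotAfter)"
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning 'The signer certificate has expired; review before trusting it.'
}

# 3. Find files of the listed types that are signed with the same certificate.
$sameSigner = Get-ChildItem -Path $ScanRoot -Recurse |
    Where-Object { -not $_.PSIsContainer -and
                   ($Extensions -contains $_.Extension.ToLower()) } |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object { $_.SignerCertificate -and
                   ($_.SignerCertificate.Thumbprint -eq $cert.Thumbprint) }

# 4. Report each match with its own signature status (a tampered file
#    keeps its signer certificate but no longer reports 'Valid').
$sameSigner | Select-Object Path, Status | Format-Table -AutoSize
"{0} file(s) under {1} share this signer certificate." -f @($sameSigner).Count, $ScanRoot
```

Reviewing this list before you choose Unrestricted or Disallowed in step 4 shows how much software on the computer is signed with the certificate you selected.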

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Open Software Restriction Policies
Enable certificate rules
Create new software restriction policies
Security levels and additional rules
Software Restriction Policies
Add or delete a designated file type
Precedence of software restriction policies rules
Certificates overview
Security with Certificates