Authenticode and Software Signing

Software downloaded from the Internet to users' computers can contain unauthorized programs or viruses intended to cause damage or provide clandestine network access to intruders. As networks become more interconnected, the threat of malicious software and viruses has extended to the intranet.

How Authenticode Works

To counter this growing threat, Microsoft developed Authenticode™ technology to enable developers to digitally sign software using standard X.509 public key certificates. Users can verify the publisher of digitally signed software as well as verify that the software has not been tampered with, because the publisher signed the code.

You can use Microsoft Certificate Services to issue digital signing certificates to your internal developers. Your developers can use signing certificates to sign software before they distribute it on the intranet. To protect your network from malicious programs and viruses, you need to also consider establishing policies that prevent users from downloading and running unsigned software from both the intranet and the Internet.

For software distributed on the Internet, most users are more likely to trust software signed by certificates issued by a reputable commercial certification authority. Using commercial certification authorities also removes the liability placed on your organization from assuming the responsibilities of a commercial certification authority for external software distribution. Therefore, if you distribute software on the Internet, you need to consider obtaining the services of a commercial certification authority to issue digital signing certificates to your external software developers.

Implementing Authenticode Screening

You can enable Authenticode-based screening of downloaded software in Internet Explorer by doing the following: on the Tools menu, point to Internet Options , and click the Security tab. Higher levels of security set from this tab screen software components for trusted digital signatures.

You can take control of these Internet Explorer security settings through Group Policy (described previously in this chapter). Open the Group Policy snap-in to MMC and navigate to the Internet Explorer container:

Group Policy object
 — Computer Configuration
 — Administrative Templates
  — Windows Components
   — Internet Explorer

Internet Explorer policies permit you to lock down security settings so that users cannot change them, and to require that all downloaded components have trusted signatures.

Considerations for Authenticode and Software Signing

Strategies for software signing in your deployment plan might include the following information:

  • Internal and external groups that need the capability to sign software.

  • Strategies for signing software for internal distribution.

  • Strategies for signing software for external distribution.

  • Certification authority deployment and trust management needed to support software signing strategies.

  • Process and strategies to enroll users as software signers.

  • Education to inform users not to run unsigned or untrusted components.