NAC - Posture assessment for non-admin user

harinirina
Level 1

Hello all,

I tried to set up the NAC so that if an application is not running, it will be launched automatically by the agent. Or if software is not installed, the setup file will be downloaded to the computer and installed.

It works fine when the user has admin privileges, but the "agent stub" cannot launch the application when the user doesn't have the right privileges.

The "agent stub" was installed manually with admin privileges on the computer. Now the CCA agent can be installed by a non-admin user, and the IP address is also renewed even if the user doesn't have the required privileges.

How can I copy files, install and launch programs as a non-admin user?

17 Replies

Bobby Meador
Level 1

I am posing the same question to Cisco support right now and I need an answer soon. We all know you don't give a non-admin user local admin rights on the PC. I have a NAC 4.8.1, soon to be 4.8.2, real-IP layer three deployment. You no longer see the option to download the CCAStubAgent.exe on the CAM manager. I really need a senior member of TAC to chime in and answer the question: how do you deploy agents today on Windows machines with the latest NAC build? Please tell me someone did not overlook this in the latest code. I was able to install the agent as an admin user and then log in as a non-admin. The agent works as expected at this point, but I cannot touch 2000 machines. No, I do not have a software deployment suite.

I've seen this from Cisco:

============

Launch Programs Without Admin Privileges

The executable must have:

• A valid digital signature signed by certificates with specific field value(s)

• File version information with specific item value(s)

Note also that:

• The executable must be signed with a code signing certificate with a proper chain of certificates. The code signing certificate must be installed on the client machine.

• The root certificate must also be installed on the client machine and must be in the Trusted Root Certification Authority on Windows.

• You must create a registry key that is particular to the executable being run in addition to installing the certificate

============

I tried to get a free code signing certificate for testing (PFX file); I don't know if it's OK.

The certificate appears under "Trusted Root Certification Authority".

I signed the exe file with SignGUI and now I can see the "Digital Signatures" tab in the exe file's properties.

I don't know what registry key I need to create.

Is there anyone who can say if it's OK with a free certificate and what should be added to the registry?

Hi,

See this:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/m_agent.html#wpxref78883

How the Agent Verifies Digital Signature and Trust on an Executable Program

On the client computers where the executables will run, you must add a Trust key in the registry under the Stub Service definition for the executable that you want to run under the Stub service. It is the administrator's responsibility to populate the required registry keys for the programs to be trusted by the Agent and Agent Stub. The Clean Access Agent Stub verifies the launch program for a trusted digital signature as follows:

1. Verifies the digital signature - Ensures the digital signature is trusted.

2. Verifies the signer certificate information based on the information in the registry.

The related registry structure appears as follows:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CCAAgentStub\Trust<N>\
\Certificate\2.5.4.3 "Cisco Systems"
\FileVersionInfo\ProductName "Clean Access"

Where:

<N> is a numeric number.

For the entries under Certificate, each value can be exact case-insensitive.

For the entries under FileVersionInfo, each value must appear in the corresponding value in the file information stream, and can also be case-insensitive.

All the entries under Certificate and FileVersionInfo must be satisfied (AND operations) to qualify as a trusted target.

If any of the Trust chain is satisfied, the target is qualified to launch.

Thanks for your reply.

Let's suppose we need to launch tftpd (exe file: tftpd32.exe) and ClamWin Antivirus. Does it mean that we need to add

Trust1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CCAAgentStub for tftp

and Trust2 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CCAAgentStub for ClamWin,

and do we need to create "Certificate" and "FileVersionInfo"?

What values should we use?


Hi,

Yes, you need 2 subtrees, Trust1 and Trust2.

At first you have to sign these two files, if they are not signed. The "Certificate" is a field from the signed file; for example, 2.5.4.3 means:

2.5.4.3 - COMMON_NAME

which is the signer name (right click -> Digital Signatures -> Signer Name). For a Computer Associates (CA) antivirus installer it is simply "CA".

The FileVersionInfo is a simple value from a file (Right Click -> Properties -> Version).

The accepted values for Certificate/FileVersionInfo are:

Supported Value Names Under Certificate

2.5.4.3 - COMMON_NAME

2.5.4.4 - SUR_NAME

2.5.4.5 - DEVICE_SERIAL_NUMBER

2.5.4.6 - COUNTRY_NAME

2.5.4.7 - LOCALITY_NAME

2.5.4.8 - STATE_OR_PROVINCE_NAME

2.5.4.9 - STREET_ADDRESS

2.5.4.10 - ORGANIZATION_NAME

2.5.4.11 - ORGANIZATIONAL_UNIT_NAME

2.5.4.12 - TITLE

2.5.4.13 - DESCRIPTION

2.5.4.14 - SEARCH_GUIDE

2.5.4.15 - BUSINESS_CATEGORY

2.5.4.16 - POSTAL_ADDRESS

2.5.4.17 - POSTAL_CODE

2.5.4.18 - POST_OFFICE_BOX

2.5.4.19 - PHYSICAL_DELIVERY_OFFICE_NAME

2.5.4.20 - TELEPHONE_NUMBER

Supported Value Names Under FileVersionInfo

ProductName

CompanyName

FileDescription

FileVersion

InternalName

LegalCopyright

OriginalFileName

ProductVersion

Comments

LegalTrademarks

PrivateBuild

SpecialBuild

Thanks for your reply.

I would like to post all steps we did.

Please, correct if there's something wrong.

1/ Code signing

- we asked for a free certificate from the internet and we got a pfx file

- we used a free tool (SignGUI) and got spc, cer and pvk files from the pfx

- we launched signcode.exe to sign the executable files (clamwinTray.exe and tftpd32.exe)

- we chose the "custom" option and "select from file" in the digital signature wizard, and selected the spc file

- we specified the location of the pvk file

- we selected sha1 as the hash algorithm

- "all certificates in the certification path, including the root certificate" was chosen under "certificate in the certification path"

- we got the message "digital signing wizard was completed successfully"

- in the "Digital Signatures" tab of the executable file, we had "certificate issued to certificate_usernac" and "certificate issued by Root Agency"

2/ Registry key

- under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CCAAgentStub, we created 2 subtrees, Trust1 and Trust2.

for trust1, we created

- new key : certificate

- new string value : name = 2.5.4.3, value = certificate_usernac

- new key : FileVersionInfo

- new string value : name = ProductName, value = ClamWin Antivirus

for trust2, we created

- new key : certificate

- new string value : name = 2.5.4.3, value = certificate_usernac

- new key : FileVersionInfo

- new string value : name = ProductName, value = Tftpd32

3/ NAC

- we created an "Application check" for ClamTray.exe and tftpd32.exe, operator = running, OS = Windows All, rule = automatically created

- we created new requirement with Launch Program

Program Name : SYSTEM_PROGRAMS\ClamWin\bin\ClamTray.exe for ClamWin

Program Name : SYSTEM_DRIVE\tftpd32.exe for tftp

OS = Windows XP (All)

- we configured "Requirement-rules"

- we configured "Role-Requirement"

We always get "Stub Agent failed to launch ...".

Is there anything wrong or missing?

I would also like to know if it can be used on Windows in a language other than English.

Looking forward to hearing from you soon.

Thanks and Best Regards.
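As an added example (not code from this thread or from Cisco), the PowerShell check below mirrors the Trust<N> rules quoted in the earlier reply against the registry layout created in the steps above: the signature must verify up to a trusted root, every Certificate value must equal the signer's subject field (case-insensitive), every FileVersionInfo value must be contained in the file's version resource (case-insensitive), all entries of one Trust<N> must hold (AND), and any one Trust<N> suffices (OR). It assumes PowerShell 3.0 or later on the client; the OID-to-subject-label map, the naive subject parsing and the sample path are my assumptions.

```powershell
# Added example, not code from the thread or from Cisco. Mirrors the Agent Stub trust rules
# quoted earlier: a signature that chains to a trusted root, Certificate values equal to the
# signer's subject fields (case-insensitive), FileVersionInfo values contained in the file's
# version resource (case-insensitive), AND within one Trust<N> subtree, OR across subtrees.
# The OID-to-label map and the subject parsing are my simplifications (assumption).
$OidToRdn = @{ '2.5.4.3' = 'CN'; '2.5.4.6' = 'C'; '2.5.4.7' = 'L'; '2.5.4.8' = 'S'; '2.5.4.10' = 'O'; '2.5.4.11' = 'OU' }
function Test-StubTrust {
    param([Parameter(Mandatory = $true)][string]$Path,
          [string]$TrustRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CCAAgentStub')
    # Check 1: the Authenticode signature must verify up to a trusted root. A root missing from
    # Trusted Root Certification Authorities typically surfaces here as Status 'UnknownError'.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Trusted = $false; Reason = "Signature $($sig.Status): $($sig.StatusMessage)" }
    }
    # Turn "CN=Foo, O=Bar, C=US" into a label -> value table (naive split; no escaped commas).
    $subject = @{}
    foreach ($m in [regex]::Matches($sig.SignerCertificate.Subject, '(\w+)=("[^"]*"|[^,]+)')) {
        $subject[$m.Groups[1].Value.ToUpper()] = $m.Groups[2].Value.Trim('"').Trim()
    }
    $versionInfo = (Get-Item -LiteralPath $Path).VersionInfo
    # Check 2: walk every Trust<N> subtree; the first one whose entries are all satisfied wins.
    $trusts = Get-ChildItem -Path $TrustRoot | Where-Object { $_.PSChildName -match '^Trust\d+$' }
    foreach ($trust in $trusts) {
        $checked = 0; $ok = $true
        $certKey = Get-Item -Path (Join-Path $trust.PSPath 'Certificate') -ErrorAction SilentlyContinue
        if ($certKey) {
            foreach ($oid in $certKey.GetValueNames()) {
                $checked++
                $actual = if ($OidToRdn[$oid]) { $subject[$OidToRdn[$oid]] } else { $null }
                if (-not $actual -or $actual -ine [string]($certKey.GetValue($oid))) { $ok = $false }
            }
        }
        $fviKey = Get-Item -Path (Join-Path $trust.PSPath 'FileVersionInfo') -ErrorAction SilentlyContinue
        if ($fviKey) {
            foreach ($name in $fviKey.GetValueNames()) {
                $checked++
                $expected = ([string]($fviKey.GetValue($name))).ToLower()
                if (-not ([string]($versionInfo.$name)).ToLower().Contains($expected)) { $ok = $false }
            }
        }
        # An empty Trust<N> would match any signed file; treat it as a misconfiguration instead.
        if ($ok -and $checked -gt 0) {
            return [pscustomobject]@{ Trusted = $true; Reason = "All entries of $($trust.PSChildName) satisfied" }
        }
    }
    [pscustomobject]@{ Trusted = $false; Reason = 'No Trust<N> subtree fully satisfied' }
}
Test-StubTrust -Path 'C:\tftpd32.exe'   # SYSTEM_DRIVE\tftpd32.exe from the steps above
```

Run it as the non-admin user on the client: a result of Trusted = False with a signature status other than Valid points at the certificate chain, while "No Trust<N> subtree fully satisfied" points at the registry values.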

It seems to me the steps are OK. The English language is not required; we tried it with a Hungarian XP language.

"Stub Agent failed to launch ..."

Stub agent?

In NAC 4.7 and 4.8 the stub agent is obsolete.

Which NAC version?

And one more thing: in NACAgentCFG.xml you have to set SignatureCheck to 1:

<SignatureCheck>1</SignatureCheck>

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html#wp1348376

Hello,

Thanks for your reply.

We're using NAC ver. 4.1.1 (we have to use it for the moment).

In the document, it is mentioned:

"The root certificate must also be installed on the client machine and must be in the Trusted Root Certification Authority on Windows."

Could you please tell us how to do and check this?

After code-signing the executable, we had the following message when checking the certificate from the file properties:

"this certificate cannot be verified up to a trusted certification authority"

How to fix it?

Looking forward to hearing from you soon.

Thanks and Best Regards

Hi,

According to this page:

http://blogs.msdn.com/b/saurabh_singh/archive/2007/11/07/you-get-a-security-alert-when-you-try-to-access-an-ssl-enabled-web-site-when-certificate-has-been-issued-by-an-internal-root-ca.aspx

When you signed your files with a certificate (root CA), this certificate must exist in the client's

Trusted Root Certification Authorities.

So when you click on your signed file's properties -> Digital Signatures -> Details -> View Certificate -> Certification Path, you mustn't see a red cross at the root (like here: http://blogs.msdn.com/blogfiles/saurabh_singh/WindowsLiveWriter/Yougetasecurityalertwhenyoutrytoaccessa_834/image_thumb_5.png).

If it does not help, I am sorry, but certificates are not my speciality; in this case I am afraid you need a Microsoft expert.

Attila

Thanks indeed for all your replies, they are extremely helpful.

It was the certificate.

I would like to ask what to do in case the user (without admin privileges) needs to install software for remediation.

Looking forward to hearing from you soon.

Thanks and Best Regards

Hi,

You need the Launch program feature for remediation, as described here:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/411/cam/m_agent.html#wp1290357

Regards,

Attila

Hello Attila,

Thanks a lot for your reply and for this interesting URL.

Sorry for my late reply.

We've tested software setup and Antivirus update using non-admin user, it works fine.

We are going to test windows update and let you know.

We have more question about OOB L3 and IP phone. We'll add other posts asking these. Please, send us your extremely helpful answer, as usual.

Thanks and Best Regards

Hi,

Read this one: http://www.caysec.com/2008/06/cisco-nac-with-ip-phones.html

/and change this topic's state to answered /

Thanks Attila.

How about L3 OOB: is it possible to use L3 if the NAC is set up as an OOB Virtual Gateway?

I've put this question in another discussion:

https://supportforums.cisco.com/thread/2091996

Looking forward to hearing from you soon.

Thanks and Best Regards
