Some installers try to install their certificates in the Trusted Publishers store of the local machine.

Is it possible to prohibit this installation, even under administrator rights?


    There is one more answer - the most obvious one. It is necessary to block changes to the registry key responsible for storing the certificates: HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates

    On it you need to set read-only access, including for "CREATOR OWNER", which, by the way, includes the computer's "Administrators" group. After that, the ability to change the TrustedPublisher certificate store of the local computer disappears.

      I understand that you need to "freeze" the current TrustedPublisher certificate store. Considering that such events are most likely not audited, I would suggest the following: verify the store against a "reference" list after events that indicate a possible installation.

      1. You need to create a reference list of certificates, or at the very least just an ordinary list. Even the console will do:

        certutil -store TrustedPublisher

      2. Set triggers on installation events; you can even bind to the events of the "Installation" log.

      3. In the command executed by the trigger, dump the list and compare it with the reference one. If there is a mismatch, generate a security event (notify administrators, etc.), and then restore the list, at least through the same certutil commands (-delstore, -addstore).

      PS: If the computer is in an AD infrastructure and a standard configuration is assumed on it, then I would consider the option of distributing certificates through GPO functionality.
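Steps 1 and 3 of this answer (baseline, compare, alert, restore) as an added PowerShell example; it is not the answer's own code. It reads the store through the Cert: drive instead of certutil output, and the baseline path and the event source name "TrustedPublisherMonitor" are assumed placeholders.

```powershell
# Added example: snapshot the LocalMachine TrustedPublisher store, compare it with a saved
# baseline, raise an event on drift and optionally remove certificates not in the baseline.
# Run elevated. The baseline path and event source are assumed placeholders.
param(
    [string]$Baseline = 'C:\ProgramData\CertBaseline\TrustedPublisher.json',
    [switch]$Restore   # remove anything not in the baseline (use only after review)
)
$storePath = 'Cert:\LocalMachine\TrustedPublisher'

function Get-StoreSnapshot {
    Get-ChildItem -Path $storePath | ForEach-Object {
        [pscustomobject]@{ Thumbprint = $_.Thumbprint; Subject = $_.Subject; NotAfter = $_.NotAfter }
    }
}
$current = @(Get-StoreSnapshot)

# Step 1: no baseline yet -> record the current (reviewed, trusted) state and stop.
if (-not (Test-Path $Baseline)) {
    New-Item -ItemType Directory -Path (Split-Path $Baseline) -Force | Out-Null
    $current | ConvertTo-Json | Set-Content -Path $Baseline
    Write-Output "Baseline written to $Baseline ($($current.Count) certificates)."
    return
}
$reference = @(Get-Content -Path $Baseline -Raw | ConvertFrom-Json)

# Step 3: compare by thumbprint; '=>' = present now but not in baseline, '<=' = missing now.
$diff = Compare-Object -ReferenceObject $reference -DifferenceObject $current -Property Thumbprint
if (-not $diff) { Write-Output 'TrustedPublisher matches baseline.'; return }

$added  = $diff | Where-Object SideIndicator -eq '=>'
$report = ($diff | ForEach-Object { "$($_.SideIndicator) $($_.Thumbprint)" }) -join "`n"

# Raise a security event. The source must be registered once beforehand with
# New-EventLog -LogName Application -Source 'TrustedPublisherMonitor' (assumed name).
try {
    Write-EventLog -LogName Application -Source 'TrustedPublisherMonitor' -EventId 4100 `
        -EntryType Warning -Message "TrustedPublisher store drifted from baseline:`n$report"
} catch { Write-Warning "Could not write event log entry: $_" }
Write-Warning "TrustedPublisher drift detected:`n$report"

# Optional restore: delete certificates that appeared outside the baseline.
if ($Restore) {
    foreach ($a in $added) {
        Remove-Item -Path "$storePath\$($a.Thumbprint)" -Verbose
    }
}
```

Run it once to write the baseline, then schedule it from Task Scheduler on the installation-event trigger described in step 2.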