PrepAway - Latest Free Exam Questions & Answers

Which two tasks should you perform?

Your company has an Active Directory domain. All servers run Windows Server 2008 R2.
Your company runs an Enterprise Root certification authority (CA).
You need to ensure that only administrators can sign code.
Which two tasks should you perform? (Each correct answer presents part of the solution.
Choose two.)

A.
Edit the local computer policy of the Enterprise Root CA to allow only administrators to
manage Trusted Publishers.

B.
Modify the security settings on the template to allow only administrators to request code
signing certificates.

C.
Edit the local computer policy of the Enterprise Root CA to allow users to trust peer
certificates and allow only administrators to apply the policy.

D.
Publish the code signing template.

Explanation:
http://techblog.mirabito.net.au/?p=297
Generating and working with code signing certificates
A code signing certificate is a security measure designed to help prevent the execution of malicious code. The intention is that code must be "signed" with a certificate that is trusted by the machine on which the code is executed. The trust is verified by checking the certification authority that issued the certificate, which could be local (on the machine itself, such as a self-signed certificate), internal (on the domain, such as an enterprise certification authority) or external (a third party, such as Verisign or Thawte).
For an Active Directory domain with an enterprise root certification authority, the enterprise root certification authority infrastructure is trusted by all machines that are members of the Active Directory domain, and therefore any certificates issued by this certification authority are automatically trusted.
In the case of code signing, it may also be necessary for the issued certificate to be in the "Trusted Publishers" store of the local machine in order to avoid any prompts when executing the code, even if the certificate was issued by a trusted certification authority. Therefore, where user interaction is unavailable, such as automated processes that call signed code, you must ensure that the certificates are added to this store.

A certificate can be assigned to a user or a computer, which will then be the “publisher” of
the code in question.
Generally, this should be the user, and the user will then become the trusted publisher. As
an example, members of the development team in your organisation will probably each have
their own code signing certificate, which would all be added to the “Trusted Publishers” store
on the domain machines. Alternatively, a special domain account might exist specifically for
signing code, although one of the advantages of code signing is to be able to determine the
person who signed it.
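As an added example (not from the question page or the linked blog), the following PowerShell function checks a file the way the explanation describes a domain machine would before running it: is the Authenticode signature valid, does the signer certificate carry the Code Signing EKU (i.e. was it issued from a code signing template), does it chain to a trusted CA, and is the signer also in the local Trusted Publishers store so that unattended execution does not prompt. The function name Test-CodeSigningTrust and the sample path are assumptions; it needs a Windows host with PowerShell 5.1 or later.

```powershell
# Added example: verify a signed file and its publisher trust on a domain member.
# Function name and usage path are assumptions; nothing here comes from the page.
function Test-CodeSigningTrust {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$FilePath)

    $codeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    $result = [ordered]@{
        File                = $FilePath
        SignatureStatus     = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer              = $null
        HasCodeSigningEku   = $false
        ChainTrusted        = $false
        InTrustedPublishers = $false
    }
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
        return [pscustomobject]$result
    }
    $cert = $sig.SignerCertificate
    $result.Signer = $cert.Subject

    # A certificate without the Code Signing EKU was not issued from a code signing
    # template and must not be accepted as a publisher, even if its chain is valid.
    $result.HasCodeSigningEku = [bool]($cert.EnhancedKeyUsageList |
        Where-Object { $_.ObjectId -eq $codeSigningEku })

    # Build the chain to a trusted root. On a domain member the enterprise root CA
    # is trusted automatically, so an internally issued certificate should chain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.ApplicationPolicy.Add(
        [System.Security.Cryptography.Oid]::new($codeSigningEku))
    $result.ChainTrusted = $chain.Build($cert)

    # Even with a valid chain, the signer must be in Trusted Publishers for
    # unattended execution without a prompt.
    $result.InTrustedPublishers = [bool](Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint })

    [pscustomobject]$result
}

# Usage (assumed path): Test-CodeSigningTrust -FilePath 'C:\Scripts\Deploy.ps1'
```

A file that reports ChainTrusted true but InTrustedPublishers false will run, but with a publisher prompt in interactive sessions, which is exactly the case the explanation says automated processes cannot tolerate.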

