Code Integrity
According to industry best practices, all ActivClient components are digitally signed (installer, executables, libraries). The signature relies on Authenticode technology from Microsoft.
Because all ActivClient components are signed, a deployment can leverage the Microsoft Software Restriction Policies (http://technet.microsoft.com/en-us/library/cc507878.aspx) for Windows Vista and its successor AppLocker (http://technet.microsoft.com/en-us/library/dd723678(WS.10).aspx) for Microsoft Windows 7 and later.
These technologies make it possible to enforce that only approved software is installed on computers:
- They let you define a collection of rules that allow only certain software to run on the machine.
- The rules can be based on trust of the code signature, the hash of files, or the file path location.
- Rules can be applied to executables (.exe), Windows Installer files (.msi and .msp), scripts (.bat, .cmd, .js, .ps1, and .vbs), and DLLs (.dll and .ocx).
- Rules can then be assigned to users or groups of users.
- Rules can either allow or deny, and can have exceptions.
- Rules can be managed and pushed centrally via GPO mechanisms.
Of particular interest is the ability to define publisher condition rules. These conditions are the most secure ones, and they let you define rules for files that are digitally signed. Additional conditions can be added, including publisher, product name, file version and file name. This type of rule can be defined for all ActivClient components.
It is recommended that you leverage these technologies to make sure that only genuine ActivClient signed components are deployed on end user machines.
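One way to build such publisher rules with the built-in AppLocker PowerShell cmdlets, shown as an added example that is not part of the vendor's documentation. The install directory, output file and rule name prefix are placeholders chosen for illustration; the publisher values are read from the signed files themselves.

```powershell
# Assumption: placeholder path; set it to the actual ActivClient install directory.
$InstallDir = 'C:\Path\To\ActivClient'
# Assumption: output location and file name chosen for this example.
$PolicyXml  = Join-Path $env:TEMP 'ActivClient-Publisher-Rules.xml'

# 1. Verify the Authenticode signature of every executable and library
#    before trusting the directory as the reference for rule generation.
$files = Get-ChildItem -Path $InstallDir -Recurse -File -Include *.exe, *.dll, *.ocx
$sigs  = $files | ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName }

$notValid = $sigs | Where-Object { $_.Status -ne 'Valid' }
if ($notValid) {
    # An unsigned or modified file must not be used as a rule source.
    $notValid | Format-Table Path, Status -AutoSize
    throw 'Files without a valid signature found; rules were not generated.'
}

# List the distinct signer subjects so the publisher can be reviewed by a human.
$sigs | Group-Object { $_.SignerCertificate.Subject } |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Generate publisher condition rules (publisher, product name, file name,
#    file version) from the signed files and write them out as policy XML.
Get-AppLockerFileInformation -Directory $InstallDir -Recurse -FileType Exe, Dll |
    New-AppLockerPolicy -RuleType Publisher -User Everyone `
        -RuleNamePrefix 'ActivClient' -Optimize -Xml |
    Out-File -FilePath $PolicyXml -Encoding Unicode

# 3. Dry run: confirm each component is allowed by the generated rules
#    before the policy is imported into a GPO.
Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $files.FullName -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

The generated XML can be imported into the AppLocker node of a Group Policy Object; running the rule collections in audit-only mode first shows what would be blocked before enforcement is switched on.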