Admin Guide: File types supported by the Azure Information Protection unified labeling client

Applies to: Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

If you have Windows 7 or Office 2010, see AIP for Windows and Office versions in extended support.

Instructions for: Azure Information Protection unified labeling client for Windows

The Azure Information Protection unified labeling client can apply the following to documents and emails:

  • Classification only

  • Classification and protection

  • Protection only

The Azure Information Protection unified labeling client can also inspect the content of some file types using well-known sensitive information types or regular expressions that you define.

Use the following information to check which file types the Azure Information Protection unified labeling client supports, to understand the different levels of protection and how to change the default protection level, and to identify which files are automatically excluded (skipped) from classification and protection.

For the listed file types, WebDav locations are not supported.

File types supported for classification only

The following file types can be classified even when they are not protected.

  • Adobe Portable Document Format: .pdf

  • Microsoft Project: .mpp, .mpt

  • Microsoft Publisher: .pub

  • Microsoft XPS: .xps, .oxps

  • Images: .jpg, .jpe, .jpeg, .jif, .jfif, .jfi, .png, .tif, .tiff

  • Autodesk Design Review 2013: .dwfx

  • Adobe Photoshop: .psd

  • Digital Negative: .dng

  • Microsoft Office: File types in the following table.

    The supported file formats for these file types are the 97-2003 file formats and Office Open XML formats for the following Office programs: Word, Excel, and PowerPoint.

    Office file types:
    .doc, .docm, .docx, .dot, .dotm, .dotx, .potm, .potx, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .vdw, .vsd, .vsdm, .vsdx, .vss, .vssm, .vst, .vstm, .vssx, .vstx, .xls, .xlsb, .xlt, .xlsm, .xlsx, .xltm, .xltx

Additional file types support classification when they are also protected. For these file types, see the Supported file types for classification and protection section.

Examples:

  • If the General sensitivity label applies classification and does not apply protection: You could apply the General label to a file named sales.pdf but you could not apply this label to a file named sales.txt.

  • If the Confidential \ All Employees sensitivity label applies classification and protection: You could apply this label to a file named sales.pdf and a file named sales.txt. You could also apply just protection to these files, without classification.

File types supported for protection

The Azure Information Protection unified labeling client supports protection at two different levels, as described in the following table.

Type of protection: Native

Description: For text, image, Microsoft Office (Word, Excel, PowerPoint) files, .pdf files, and other application file types that support a Rights Management service, native protection provides a strong level of protection that includes both encryption and enforcement of rights (permissions).

Protection: File protection is enforced in the following ways:

- Before protected content is rendered, successful authentication must occur for those who receive the file through email or are given access to it through file or share permissions.

- Additionally, usage rights and policy that were set by the content owner when the files were protected are enforced when the content is rendered in either the Azure Information Protection viewer (for protected text and image files) or the associated application (for all other supported file types).

Default for file types: This is the default level of protection for the following file types:

- Text and image files

- Microsoft Office (Word, Excel, PowerPoint) files

- Portable document format (.pdf)

For more information, see the following section, Supported file types for classification and protection.

Type of protection: Generic

Description: For all other applications and file types, generic protection provides a level of protection that includes both file encapsulation using the .pfile file type and authentication to verify if a user is authorized to open the file.

Protection: File protection is enforced in the following ways:

- Before protected content is rendered, successful authentication must occur for people who are authorized to open the file and given access to it. If authorization fails, the file does not open.

- Usage rights and policy set by the content owner are displayed to inform authorized users of the intended usage policy.

- Audit logging of authorized users opening and accessing files occurs. However, usage rights are not enforced.

Default for file types: This is the default protection for all other file types (such as .vsdx, .rtf, and so on) that are not supported by native protection.

You cannot change the default protection level that the Azure Information Protection unified labeling client or the scanner applies. However, you can change which file types are protected. For more information, see Change which file types to protect.

The protection can be applied automatically when a user selects a sensitivity label that an administrator has configured, or users can specify their own custom protection settings by using permission levels.

File sizes supported for protection

There are maximum file sizes that the Azure Information Protection unified labeling client supports for protection.

  • For Office files:

    Office application | Maximum file size supported
    Word 2010, Word 2013, Word 2016 | 32-bit: 512 MB; 64-bit: 512 MB
    Excel 2010, Excel 2013, Excel 2016 | 32-bit: 2 GB; 64-bit: Limited only by available disk space and memory
    PowerPoint 2010, PowerPoint 2013, PowerPoint 2016 | 32-bit: Limited only by available disk space and memory; 64-bit: Limited only by available disk space and memory

  • For all other files:

    • To protect other file types, and to open these file types in the Azure Information Protection viewer: The maximum file size is limited only by available disk space and memory.

    • To unprotect files by using the Unprotect-RMSFile cmdlet: The maximum file size supported for .pst files is 5 GB. Other file types are limited only by available disk space and memory.

      Tip: If you need to search or recover protected items in large .pst files, see Guidance for using Unprotect-RMSFile for eDiscovery.

Supported file types for classification and protection

The following table lists a subset of file types that support native protection by the Azure Information Protection unified labeling client, and that can also be classified.

These file types are identified separately because when they are natively protected, the original file name extension is changed, and these files become read-only. Note that when files are generically protected, the original file name extension is always changed to .pfile.

Warning

If you have firewalls, web proxies, or security software that inspect and take action according to file name extensions, you might need to reconfigure these network devices and software to support these new file name extensions.

Original file name extension | Protected file name extension
.txt | .ptxt
.xml | .pxml
.jpg | .pjpg
.jpeg | .pjpeg
.png | .ppng
.tif | .ptif
.tiff | .ptiff
.bmp | .pbmp
.gif | .pgif
.jpe | .pjpe
.jfif | .pjfif
.jt | .pjt
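
For the filter reconfiguration that the warning above calls for, the following added example (not part of the original page or of the AIP client) works out which protected extensions an extension-based filter still lacks, and maps a protected file name back to its original extension. The function names and sample inputs are hypothetical, and treating .pfile as appended to the full original name is an assumption based on the accounts.zip.pfile example later on this page.

```powershell
# Added example: renames applied by native protection, from the table above.
$NativeRename = @{
    '.txt'  = '.ptxt';  '.xml'  = '.pxml';  '.jpg'  = '.pjpg';  '.jpeg' = '.pjpeg'
    '.png'  = '.ppng';  '.tif'  = '.ptif';  '.tiff' = '.ptiff'; '.bmp'  = '.pbmp'
    '.gif'  = '.pgif';  '.jpe'  = '.pjpe';  '.jfif' = '.pjfif'; '.jt'   = '.pjt'
}
# Reverse lookup: protected extension -> original extension.
$ProtectedToOriginal = @{}
foreach ($pair in $NativeRename.GetEnumerator()) { $ProtectedToOriginal[$pair.Value] = $pair.Key }

function Get-FilterExtensionGap {
    # Hypothetical helper: protected extensions missing from an extension allowlist.
    param([Parameter(Mandatory)][string[]]$AllowedExtension)
    $allowed = @($AllowedExtension | ForEach-Object { $_.ToLowerInvariant() })
    $missing = @(foreach ($ext in $allowed) {
        if ($NativeRename.ContainsKey($ext) -and $allowed -notcontains $NativeRename[$ext]) {
            $NativeRename[$ext]
        }
    })
    # Generic protection renames to .pfile whatever the original type was.
    if ($allowed -notcontains '.pfile') { $missing += '.pfile' }
    $missing | Sort-Object -Unique
}

function Resolve-ProtectedFileName {
    # Hypothetical helper: classifies a file name and recovers the original extension.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Name)
    process {
        $ext = [System.IO.Path]::GetExtension($Name).ToLowerInvariant()
        if ($ext -eq '.pfile') {
            # Assumption from the page's accounts.zip.pfile example: .pfile is appended.
            $inner = [System.IO.Path]::GetFileNameWithoutExtension($Name)
            $protection = 'Generic'
            $original = [System.IO.Path]::GetExtension($inner).ToLowerInvariant()
        } elseif ($ProtectedToOriginal.ContainsKey($ext)) {
            $protection = 'Native'
            $original = $ProtectedToOriginal[$ext]
        } else {
            # Unchanged extension: unprotected, or an Office type that keeps its extension.
            $protection = 'NotIndicatedByName'
            $original = $ext
        }
        [pscustomobject]@{ Name = $Name; Protection = $protection; OriginalExtension = $original }
    }
}

# Constructed sample inputs: a filter's current allowlist, then three file names.
Get-FilterExtensionGap -AllowedExtension '.txt', '.PNG', '.docx', '.ptxt'
'sales.ptxt', 'accounts.zip.pfile', 'report.docx' | Resolve-ProtectedFileName
```
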

The next table lists the remaining file types that support native protection by the Azure Information Protection unified labeling client, and that can also be classified. You will recognize these as file types for Microsoft Office apps. The supported file formats for these file types are the 97-2003 file formats and Office Open XML formats for the following Office programs: Word, Excel, and PowerPoint.

For these files, the file name extension remains the same after the file is protected by a Rights Management service.

File types supported by Office:
.doc, .docm, .docx, .dot, .dotm, .dotx, .potm, .potx, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .vsdm, .vsdx, .vssm, .vssx, .vstm, .vstx, .xla, .xlam, .xls, .xlsb, .xlt, .xlsm, .xlsx, .xltm, .xltx, .xps

File types that are excluded from classification and protection

To help prevent users from changing files that are critical for computer operations, some file types and folders are automatically excluded from classification and protection. If users try to classify or protect these files by using the Azure Information Protection unified labeling client, they see a message that they are excluded.

  • Excluded file types: .lnk, .exe, .com, .cmd, .bat, .dll, .ini, .pst, .sca, .drm, .sys, .cpl, .inf, .drv, .dat, .tmp, .msp, .msi, .pdb, .jar

  • Excluded folders:

    • Windows
    • Program Files (\Program Files and \Program Files (x86))
    • \ProgramData
    • \AppData (for all users)

File types that are excluded from classification and protection by the Azure Information Protection scanner

By default, the scanner also excludes the same file types as the Azure Information Protection unified labeling client with the following exceptions:

  • .msg, .rtf, and .rar are also excluded

You can change the file types included or excluded for file inspection by the scanner:

  • Configure File types to scan in the scanner profile, by using the Azure portal.

    Note

    If you include .rtf files for scanning, carefully monitor the scanner. Some .rtf files cannot be successfully inspected by the scanner and for these files, the inspection doesn't complete and the service must be restarted.

By default, the scanner protects only Office file types, and PDF files when they are protected by using the ISO standard for PDF encryption. To change this behavior for the scanner, use the PowerShell advanced setting, PFileSupportedExtensions. For more information, see Use PowerShell to change which file types are protected from the scanner deployment instructions.

Files that cannot be protected by default

Any file that is password-protected cannot be natively protected by the Azure Information Protection unified labeling client unless the file is currently open in the application that applies the protection. You most often see PDF files that are password-protected but other applications, such as Office apps, also offer this functionality.

Limitations for container files, such as .zip files

For more information, see the Azure Information Protection known issues.

File types supported for inspection

Without any additional configuration, the Azure Information Protection unified labeling client uses Windows IFilter to inspect the contents of documents. Windows IFilter is used by Windows Search for indexing. As a result, the following file types can be inspected when you use the Set-AIPFileClassification PowerShell command.

Application type | File type
Word | .doc; .docx; .docm; .dot; .dotm; .dotx
Excel | .xls; .xlt; .xlsx; .xltx; .xltm; .xlsm; .xlsb
PowerPoint | .ppt; .pps; .pot; .pptx; .ppsx; .pptm; .ppsm; .potx; .potm
PDF | .pdf
Text | .txt; .xml; .csv

With additional configuration, other file types can also be inspected. For example, you can register a custom file name extension to use the existing Windows filter handler for text files, and you can install additional filters from software vendors.

To check what filters are installed, see the Finding a Filter Handler for a Given File Extension section from the Windows Search Developer's Guide.
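
To confirm that a filter handler is registered for each extension before relying on content inspection, the following added example (not from the original page) reports the registered IFilter DLL per extension. The function names are hypothetical, and the registry layout it walks (PersistentHandler, PersistentAddinsRegistered and the IFilter interface ID) comes from Windows Search documentation rather than from this page.

```powershell
# Added example. Interface ID of IFilter, used as a key under PersistentAddinsRegistered.
$IFilterIid = '{89BCB740-6119-101A-BCB7-00DD010655AF}'

function Get-RegistryDefault {
    # Returns the (default) value of a key under HKEY_CLASSES_ROOT, or $null if absent.
    param([Parameter(Mandatory)][string]$Key)
    $item = Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\$Key" -ErrorAction SilentlyContinue
    if ($item) { $item.'(default)' }
}

function Get-FilterHandler {
    # Hypothetical helper: extension -> persistent handler -> IFilter CLSID -> DLL.
    # Only follows a PersistentHandler registered directly on the extension key.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Extension)
    process {
        $ext = '.' + $Extension.TrimStart('.').ToLowerInvariant()
        $handler = Get-RegistryDefault "$ext\PersistentHandler"
        $filter = if ($handler) {
            Get-RegistryDefault "CLSID\$handler\PersistentAddinsRegistered\$IFilterIid"
        }
        $dll = if ($filter) { Get-RegistryDefault "CLSID\$filter\InprocServer32" }
        [pscustomobject]@{
            Extension         = $ext
            PersistentHandler = $handler
            FilterClsid       = $filter
            FilterDll         = $dll
            FilterRegistered  = [bool]$dll
        }
    }
}

# File types this page lists for inspection, plus .zip and .tiff, which need extra setup.
'.docx', '.xlsx', '.pptx', '.pdf', '.txt', '.xml', '.csv', '.zip', '.tiff' |
    Get-FilterHandler |
    Format-Table -AutoSize
```

Run it in a PowerShell session of the same bitness as the scanner or labeling session, because 32-bit and 64-bit processes see different CLSID registrations.
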

The following sections have configuration instructions to inspect .zip files and .tiff files.

To inspect .zip files

The Azure Information Protection scanner and the Set-AIPFileClassification PowerShell command can inspect .zip files when you follow these instructions:

  1. For the computer running the scanner or the PowerShell session, install the Office 2010 Filter Pack SP2.

  2. For the scanner: After finding sensitive information, if the .zip file should be classified and protected with a label, specify the .zip file name extension with the PowerShell advanced setting, PFileSupportedExtensions, as described in Use PowerShell to change which file types are protected from the scanner deployment instructions.

Example scenario after doing these steps:

A file named accounts.zip contains Excel spreadsheets with credit card numbers. You have a sensitivity label named Confidential \ Finance, which is configured to discover credit card numbers and automatically apply the label with protection that restricts access to the Finance group.

After inspecting the file, the unified labeling client from your PowerShell session classifies this file as Confidential \ Finance, applies generic protection to the file so that only members of the Finance group can unzip it, and renames the file accounts.zip.pfile.

To inspect .tiff files by using OCR

The Set-AIPFileClassification PowerShell command can use optical character recognition (OCR) to inspect TIFF images with a .tiff file name extension when you install the Windows TIFF IFilter feature, and then configure Windows TIFF IFilter Settings on the computer running the PowerShell session.

For the scanner: After finding sensitive information, if the .tiff file should be classified and protected with a label, specify this file name extension with the PowerShell advanced setting, PFileSupportedExtensions, as described in Use PowerShell to change which file types are protected from the scanner deployment instructions.

Next steps

Now that you've identified the file types supported by the Azure Information Protection unified labeling client, see the following resources for additional information that you might need to support this client: