Administer Software Restriction Policies

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic for the IT professional contains procedures for administering application control policies using Software Restriction Policies (SRP), beginning with Windows Server 2008 and Windows Vista.

Introduction

Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain and controls the ability of those programs to run. You use software restriction policies to create a highly restricted configuration for computers, in which you allow only specifically identified applications to run. SRP is integrated with Microsoft Active Directory Domain Services and Group Policy, but it can also be configured on stand-alone computers. For more information about SRP, see Software Restriction Policies.

Beginning with Windows Server 2008 R2 and Windows 7, Windows AppLocker can be used instead of, or in concert with, SRP for a portion of your application control strategy.

For information about how to accomplish specific tasks using SRP, see the following procedures:

To open Software Restriction Policies

For your local computer

  1. Open Local Security Settings.

  2. In the console tree, click Software Restriction Policies.

    Where?

    • Security Settings/Software Restriction Policies

Note

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority.

For a domain, site, or organizational unit, when you are on a member server or on a workstation that is joined to a domain

  1. Open Microsoft Management Console (MMC).

  2. On the File menu, click Add/Remove Snap-in, and then click Add.

  3. Click Local Group Policy Object Editor, and then click Add.

  4. In Select Group Policy Object, click Browse.

  5. In Browse for a Group Policy Object, select a Group Policy Object (GPO) in the appropriate domain, site, or organizational unit, or create a new one, and then click Finish.

  6. Click Close, and then click OK.

  7. In the console tree, click Software Restriction Policies.

    Where?

    • Group Policy Object [ComputerName] Policy/Computer Configuration or

      User Configuration/Windows Settings/Security Settings/Software Restriction Policies

Note

To perform this procedure, you must be a member of the Domain Admins group.

For a domain or organizational unit, when you are on a domain controller or on a workstation that has the Remote Server Administration Tools installed

  1. Open Group Policy Management Console.

  2. In the console tree, right-click the Group Policy Object (GPO) for which you want to open software restriction policies.

  3. Click Edit to open the GPO that you want to edit. You can also click New to create a new GPO, and then click Edit.

  4. In the console tree, click Software Restriction Policies.

    Where?

    • Group Policy Object [ComputerName] Policy/Computer Configuration or

      User Configuration/Windows Settings/Security Settings/Software Restriction Policies

Note

To perform this procedure, you must be a member of the Domain Admins group.

For a site, when you are on a domain controller or on a workstation that has the Remote Server Administration Tools installed

  1. Open Group Policy Management Console.

  2. In the console tree, right-click the site that you want to set Group Policy for.

    Where?

    • Active Directory Sites and Services [Domain_Controller_Name.Domain_Name]/Sites/Site

  3. Click an entry in Group Policy Object Links to select an existing Group Policy Object (GPO), and then click Edit. You can also click New to create a new GPO, and then click Edit.

  4. In the console tree, click Software Restriction Policies.

    Where?

    • Group Policy Object [ComputerName] Policy/Computer Configuration or

      User Configuration/Windows Settings/Security Settings/Software Restriction Policies

Note

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.
  • To set policy settings that will be applied to computers, regardless of which users log on to them, click Computer Configuration.
  • To set policy settings that will be applied to users, regardless of which computer they log on to, click User Configuration.

To create new software restriction policies

  1. Open Software Restriction Policies.

  2. On the Action menu, click New Software Restriction Policies.

Warning

  • Different administrative credentials are required to perform this procedure, depending on your environment:

    • If you create new software restriction policies for your local computer: membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
    • If you create new software restriction policies for a computer that is joined to a domain, members of the Domain Admins group can perform this procedure.
  • If software restriction policies have already been created for a Group Policy Object (GPO), the New Software Restriction Policies command does not appear on the Action menu. To delete the software restriction policies that are applied to a GPO, in the console tree, right-click Software Restriction Policies, and then click Delete Software Restriction Policies. When you delete software restriction policies for a GPO, you also delete all software restriction policy rules for that GPO. After you delete software restriction policies, you can create new software restriction policies for that GPO.

To add or delete a designated file type

  1. Open Software Restriction Policies.

  2. In the details pane, double-click Designated File Types.

  3. Do one of the following:

    • To add a file type, in File name extension, type the file name extension, and then click Add.

    • To delete a file type, in Designated file types, click the file type, and then click Remove.

Note

  • Different administrative credentials are required to perform this procedure, depending on the environment in which you add or delete a designated file type:

    • If you add or delete a designated file type for your local computer: membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
    • If you create new software restriction policies for a computer that is joined to a domain, members of the Domain Admins group can perform this procedure.
  • It may be necessary to create a new software restriction policy setting for the Group Policy Object (GPO) if you have not already done so.
  • The list of designated file types is shared by all rules for both Computer Configuration and User Configuration for a GPO.

To prevent software restriction policies from applying to local administrators

  1. Open Software Restriction Policies.

  2. In the details pane, double-click Enforcement.

  3. Under Apply software restriction policies to the following users, click All users except local administrators.

Warning

  • Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
  • It may be necessary to create a new software restriction policy setting for the Group Policy Object (GPO) if you have not already done so.
  • If it is common for users to be members of the local Administrators group on their computers in your organization, you may not want to enable this option.
  • If you are defining a software restriction policy setting for your local computer, use this procedure to prevent local administrators from having software restriction policies applied to them. If you are defining a software restriction policy setting for your network, filter user policy settings based on membership in security groups through Group Policy.

To change the default security level of software restriction policies

  1. Open Software Restriction Policies.

  2. In the details pane, double-click Security Levels.

  3. Right-click the security level that you want to set as the default, and then click Set as default.

Warning

In certain directories, setting the default security level to Disallowed can adversely affect your operating system.

Note

  • Different administrative credentials are required to perform this procedure, depending on the environment for which you change the default security level of software restriction policies.
  • It may be necessary to create a new software restriction policy setting for this Group Policy Object (GPO) if you have not already done so.
  • In the details pane, the current default security level is indicated by a black circle with a check mark in it. If you right-click the current default security level, the Set as default command does not appear in the menu.
  • Software restriction policy rules are created to specify exceptions to the default security level. When the default security level is set to Unrestricted, rules can specify software that is not allowed to run. When the default security level is set to Disallowed, rules can specify software that is allowed to run.
  • At installation, the default security level of software restriction policies on all files on your system is set to Unrestricted.

To apply software restriction policies to DLLs

  1. Open Software Restriction Policies.

  2. In the details pane, double-click Enforcement.

  3. Under Apply software restriction policies to the following, click All software files.

Note

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.
  • By default, software restriction policies do not check dynamic-link libraries (DLLs). Checking DLLs can decrease system performance, because software restriction policies must be evaluated every time a DLL is loaded. However, you may decide to check DLLs if you are concerned about malware that targets DLLs. If the default security level is set to Disallowed and you enable DLL checking, you must create software restriction policy rules that allow each DLL to run.
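The Designated File Types, Enforcement (local administrators and DLL checking) and Security Levels procedures above all write to the same place: the SRP policy key under Safer\CodeIdentifiers, in HKLM for Computer Configuration and HKCU for User Configuration. The following PowerShell script is an added example, not code from this Microsoft topic; it reads those settings back on the local machine so you can verify what the GUI steps produced and flag the two caveats the notes call out (Disallowed plus DLL checking, and the local-administrator exemption). It assumes the documented value names (DefaultLevel, TransparentEnabled, PolicyScope, ExecutableTypes) and treats a missing key as "no policy created yet". The function name Get-SrpEnforcement is the example's own.

```powershell
# Added example (not from the Microsoft page): read-only audit of the SRP
# enforcement settings that the GUI procedures configure. Assumed layout:
# the documented SRP policy key Safer\CodeIdentifiers with the values
# DefaultLevel, TransparentEnabled, PolicyScope and ExecutableTypes.

function Get-SrpEnforcement {
    [CmdletBinding()]
    param(
        # Computer Configuration is stored under HKLM, User Configuration under HKCU.
        [ValidateSet('Computer', 'User')]
        [string]$Scope = 'Computer'
    )

    $hive = if ($Scope -eq 'Computer') { 'HKLM:' } else { 'HKCU:' }
    $key  = "$hive\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

    # The key only exists after "New Software Restriction Policies" has been run
    # for this configuration; report that instead of assuming defaults.
    if (-not (Test-Path -Path $key)) {
        return [pscustomobject]@{
            Scope         = $Scope
            PolicyDefined = $false
            DefaultLevel  = $null
            DllChecking   = $null
            AppliesTo     = $null
            FileTypes     = @()
            Warnings      = @("No software restriction policy has been created for the $Scope configuration.")
        }
    }

    $p = Get-ItemProperty -Path $key

    # DefaultLevel: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted.
    # An absent value behaves like the installation default (Unrestricted).
    $levelNames = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }
    $level = 'Unrestricted'
    if ($null -ne $p.DefaultLevel -and $levelNames.ContainsKey([int]$p.DefaultLevel)) {
        $level = $levelNames[[int]$p.DefaultLevel]
    }

    # TransparentEnabled: 1 = all software files except libraries (DLLs),
    #                     2 = all software files (the "All software files" option).
    $dllChecking = ([int]$p.TransparentEnabled -eq 2)

    # PolicyScope: 0 = all users, 1 = all users except local administrators.
    $appliesTo = if ([int]$p.PolicyScope -eq 1) { 'All users except local administrators' } else { 'All users' }

    # ExecutableTypes is the Designated File Types list (REG_MULTI_SZ), shared by
    # Computer and User Configuration rules within one GPO.
    $fileTypes = if ($p.ExecutableTypes) { @($p.ExecutableTypes) } else { @() }

    $warnings = @()
    if ($level -eq 'Disallowed' -and $dllChecking) {
        $warnings += 'Default level is Disallowed with DLL checking enabled: every DLL needs an allow rule, or programs will fail to load it.'
    }
    if ($appliesTo -eq 'All users except local administrators') {
        $warnings += 'Local administrators are exempt from this policy; confirm that is intended where users hold local admin rights.'
    }
    if ($fileTypes.Count -eq 0) {
        $warnings += 'Designated File Types list is empty; only executables and the built-in types are covered.'
    }

    [pscustomobject]@{
        Scope         = $Scope
        PolicyDefined = $true
        DefaultLevel  = $level
        DllChecking   = $dllChecking
        AppliesTo     = $appliesTo
        FileTypes     = $fileTypes
        Warnings      = $warnings
    }
}

# Usage: report both configurations on the local machine.
Get-SrpEnforcement -Scope Computer | Format-List
Get-SrpEnforcement -Scope User     | Format-List
```

Run it in an elevated session after applying a GPO (or after editing Local Security Settings) and compare the output against what you intended to set; on a domain-joined machine, run gpupdate first so the report reflects the current policy rather than a stale one.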