Determine Allow-Deny List and Application Inventory for Software Restriction Policies

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic for the IT professional gives guidance on how to create an allow list and a deny list for applications managed by Software Restriction Policies (SRP), beginning with Windows Server 2008 and Windows Vista.

Introduction

Software Restriction Policies (SRP) is a Group Policy-based feature that identifies the software programs running on computers in a domain and controls whether those programs are allowed to run. You use software restriction policies to create a highly restricted configuration for computers, in which only specifically identified applications are allowed to run. SRP is integrated with Active Directory Domain Services and Group Policy, but it can also be configured on stand-alone computers. For a starting point for SRP, see Software Restriction Policies.

Beginning with Windows Server 2008 R2 and Windows 7, Windows AppLocker can be used instead of, or in concert with, SRP for a portion of your application control strategy.

For information about how to accomplish specific tasks using SRP, see the following:

What default rule to choose: Allow or Deny

Software restriction policies can be deployed in one of two modes, and the mode determines your default rule: Allow List or Deny List. In Allow List mode you create a policy that identifies every application that is allowed to run in your environment; the default rule in the policy is Restricted (the Disallowed security level), so every application you have not explicitly allowed is blocked. In Deny List mode you create a policy that identifies every application that must not run; the default rule is Unrestricted, and only the applications you have explicitly listed are blocked.

Important

The Deny List mode can be a high-maintenance application control strategy for your organization. Creating and maintaining an evolving list that prohibits all malware and other problematic applications is time consuming and susceptible to mistakes, and it gives no protection against software that has not yet been added to the list.

Create an inventory of your applications for the Allow list

To use the Allow default rule effectively, you need to determine exactly which applications are required in your organization. There are tools designed to produce an application inventory, such as the Inventory Collector in the Microsoft Application Compatibility Toolkit. SRP itself also has an advanced logging feature that shows you exactly which applications are running in your environment.

To discover which applications to allow
  1. In a test environment, deploy Software Restriction Policies with the default rule set to Unrestricted and remove any additional rules. With SRP enabled but not restricting any application, SRP still evaluates every program that starts, so it can record which applications are being run without blocking anything.

  2. Create the following registry value to enable the advanced logging feature and set the path where the log file should be written.

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers

    String value (REG_SZ): LogFileName = <path to the log file>

    Because SRP evaluates every application when it runs, an entry is written to the log file each time an application is run. The log therefore grows quickly, and it is written on behalf of whichever account launched the program, so check that the log directory is writable by the accounts that run software on the test machine. Delete the LogFileName value when you have finished collecting data to turn logging off.

  3. Evaluate the log file

    Each log entry states:

    • the caller of the software restriction policy and the process ID (PID) of the calling process

    • the target being evaluated

    • the SRP rule that was encountered when that application ran

    • an identifier (GUID) for that SRP rule.

    An example of the output written to a log file:

    explorer.exe (PID = 4728) identified C:\Windows\system32\onenote.exe as Unrestricted using path rule, Guid = {320bd852-aa7c-4674-82c5-9a80321670a3}

    Every application, and every associated file that SRP checks, is noted in the log file together with the rule that matched it. Because the default rule in the test policy is Unrestricted, the log is a record of everything that ran, not only of what was blocked; you can then use it to determine which executables should be considered for your Allow list.
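The procedure above (enable logging in step 2, then evaluate the log in step 3) as an added PowerShell example. This is not code from the original article: it assumes the log line layout shown in the sample entry above, an arbitrary lab path C:\SrpLogs for the log file, and that the default SRP path rules already cover the Windows and Program Files directories. Adjust the regular expression if the lines in your log differ.

```powershell
# Added example (not part of the original article): turn on SRP advanced logging on a
# test machine, then summarize the log into a candidate Allow list.
# Run from an elevated PowerShell session. $logPath is an assumed lab location.

$srpKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$logPath = 'C:\SrpLogs\srp.log'

# --- Step 2: enable logging by creating the LogFileName string (REG_SZ) value ---
$logDir = Split-Path -Path $logPath -Parent
New-Item -Path $logDir -ItemType Directory -Force | Out-Null
if (-not (Test-Path -Path $srpKey)) { New-Item -Path $srpKey -Force | Out-Null }
New-ItemProperty -Path $srpKey -Name 'LogFileName' -PropertyType String `
    -Value $logPath -Force | Out-Null
# Programs started by ordinary users are evaluated too, so the directory must be
# writable by those accounts or their entries will be missing from the log.
# To turn logging off again:  Remove-ItemProperty -Path $srpKey -Name 'LogFileName'

# --- Step 3: parse the log ---
# Assumed line layout, taken from the single sample line in the article:
#   <caller> (PID = <n>) identified <target> as <level> using <kind> rule, Guid = {<guid>}
$pattern = '^(?<Caller>.+?) \(PID = (?<Pid>\d+)\) identified (?<Target>.+?) as (?<Level>\S+) ' +
           'using (?<Kind>.+?) rule, Guid = \{(?<Guid>[0-9A-Fa-f-]+)\}\s*$'

function Read-SrpLog {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Caller = $Matches.Caller
                Pid    = [int]$Matches.Pid
                Target = $Matches.Target
                Level  = $Matches.Level
                Kind   = $Matches.Kind
                Guid   = $Matches.Guid
            }
        }
        else { Write-Warning "Unrecognised log line: $line" }
    }
}

# Locations that the default SRP path rules normally already cover (assumption).
# Anything running from elsewhere (user profiles, temp, removable media) needs
# its own explicit path, hash or certificate rule, so it is flagged for review.
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-CandidateAllowList {
    param([Parameter(Mandatory)][string]$Path)
    Read-SrpLog -Path $Path |
        Group-Object -Property Target |
        ForEach-Object {
            $target    = $_.Name
            $inTrusted = [bool]($trusted | Where-Object { $target.StartsWith($_, 'OrdinalIgnoreCase') })
            [pscustomobject]@{
                Target       = $target
                Runs         = $_.Count
                Callers      = ($_.Group.Caller | Sort-Object -Unique) -join ';'
                RuleKinds    = ($_.Group.Kind   | Sort-Object -Unique) -join ';'
                NeedsOwnRule = -not $inTrusted
            }
        } |
        Sort-Object -Property NeedsOwnRule, Runs -Descending
}

# After the test workload has run for a representative period, export the
# summary so it can be reviewed before rules are written for the Allow list.
Get-CandidateAllowList -Path $logPath |
    Export-Csv -Path (Join-Path $logDir 'candidate-allow-list.csv') -NoTypeInformation
```

The entries with NeedsOwnRule set to True are the ones worth scrutinising first: software that runs from a user-writable location is exactly what an Allow list exists to catch, so each of those paths needs either a deliberate rule or a decision to leave it blocked.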