Software Restriction Policies

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic for the IT professional describes Software Restriction Policies (SRP) in Windows Server 2012 and Windows 8, and provides links to technical information about SRP beginning with Windows Server 2003.

For procedures and troubleshooting tips, see Administer Software Restriction Policies and Troubleshoot Software Restriction Policies.

Software Restriction Policies description

Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and controls the ability of those programs to run. Software restriction policies are part of the Microsoft security and management strategy to assist enterprises in increasing the reliability, integrity, and manageability of their computers.

You can also use software restriction policies to create a highly restricted configuration for computers, in which you allow only specifically identified applications to run. Software restriction policies are integrated with Microsoft Active Directory and Group Policy. You can also create software restriction policies on stand-alone computers. Software restriction policies are trust policies, which are regulations set by an administrator to restrict scripts and other code that is not fully trusted from running.

You can define these policies through the Software Restriction Policies extension of the Local Group Policy Editor or the Local Security Policies snap-in to the Microsoft Management Console (MMC).

For in-depth information about SRP, see the Software Restriction Policies Technical Overview.

Practical applications

Administrators can use software restriction policies for the following tasks:

  • Define what is trusted code

  • Design a flexible Group Policy for regulating scripts, executable files, and ActiveX controls

Software restriction policies are enforced by the operating system and by applications (such as scripting applications) that comply with software restriction policies.

Specifically, administrators can use software restriction policies for the following purposes:

  • Specify which software (executable files) can run on clients

  • Prevent users from running specific programs on shared computers

  • Specify who can add trusted publishers to clients

  • Set the scope of the software restriction policies (specify whether policies affect all users or a subset of users on clients)

  • Prevent executable files from running on the local computer, organizational unit (OU), site, or domain. This would be appropriate in cases when you are not using software restriction policies to address potential issues with malicious users.

New and changed functionality

There are no changes in functionality for Software Restriction Policies.

Removed or deprecated functionality

There is no removed or deprecated functionality for Software Restriction Policies.

Software requirements

The Software Restriction Policies extension to the Local Group Policy Editor can be accessed through the MMC.

The following features are required to create and maintain software restriction policies on the local computer:

  • Local Group Policy Editor

  • Windows Installer

  • Authenticode and WinVerifyTrust

If your design calls for domain deployment of these policies, in addition to the above list, the following features are required:

  • Active Directory Domain Services

  • Group Policy

Server Manager information

Software Restriction Policies is an extension of the Local Group Policy Editor and is not installed through Server Manager, Add Roles and Features.

See also

The following table provides links to relevant resources for understanding and using SRP.

| Content type | References |
| --- | --- |
| Product evaluation | Application Lockdown with Software Restriction Policies |
| Planning | Software Restriction Policies Technical Overview (Windows Server 2012); Software Restriction Policies Technical Reference (Windows Server 2003) |
| Deployment | No resources available. |
| Operations | Administer Software Restriction Policies (Windows Server 2012); Software Restriction Policies Product Help (Windows Server 2003) |
| Troubleshooting | Troubleshoot Software Restriction Policies (Windows Server 2012); Software Restriction Policies Troubleshooting (Windows Server 2003) |
| Security | Threats and Countermeasures for Software Restriction Policies (Windows Server 2008); Threats and Countermeasures for Software Restriction Policies (Windows Server 2008 R2) |
| Tools and settings | Software Restriction Policies Tools and Settings (Windows Server 2003) |
| Community resources | Application Lockdown with Software Restriction Policies |