Software Restriction Policies Technical Overview

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic describes software restriction policies, when and how to use the feature, what changes have been implemented in past releases, and provides links to additional resources to help you create and deploy software restriction policies beginning with Windows Server 2008 and Windows Vista.

Introduction

Software restriction policies provide administrators with a Group Policy-driven mechanism to identify software and control its ability to run on the local computer. These policies can be used to protect computers running Microsoft Windows operating systems (beginning with Windows Server 2003 and Windows XP Professional) against known conflicts and to safeguard the computers against security threats such as malicious viruses and Trojan horse programs. You can also use software restriction policies to create a highly restricted configuration for computers, in which you allow only specifically identified applications to run. Software restriction policies are integrated with Microsoft Active Directory and Group Policy. You can also create software restriction policies on stand-alone computers.

Software restriction policies are trust policies, which are regulations set by an administrator to restrict scripts and other code that is not fully trusted from running. The Software Restriction Policies extension to the Local Group Policy Editor provides a single user interface through which the settings for restricting the use of applications can be managed on the local computer or throughout a domain.

Procedures

Software restriction policy usage scenarios

Business users collaborate by using e-mail, instant messaging, and peer-to-peer applications. As these collaborations increase, especially with the use of the Internet in business computing, so do the threats from malicious code, such as worms and viruses, and from malicious users or attackers.

Users might receive hostile code in many forms, ranging from native Windows executable files (.exe files), to macros in documents (such as .doc files), to scripts (such as .vbs files). Malicious users or attackers often use social engineering methods to get users to run code containing viruses and worms. (Social engineering is a term for tricking people into revealing their password or some form of security information.) If such code is activated, it can generate denial-of-service attacks on the network, send sensitive or private data to the Internet, put the security of the computer at risk, or damage the contents of the hard disk drive.

IT organizations and users must be able to determine which software is safe to run and which is not. With the large number of forms that hostile code can take, this becomes a difficult task.

To help protect their network computers from both hostile code and unknown or unsupported software, organizations can implement software restriction policies as part of their overall security strategy.

Administrators can use software restriction policies for the following tasks:

  • Define what is trusted code

  • Design a flexible Group Policy for regulating scripts, executable files, and ActiveX controls

Software restriction policies are enforced by the operating system and by applications (such as scripting applications) that comply with software restriction policies.

Specifically, administrators can use software restriction policies for the following purposes:

  • Specify which software (executable files) can run on client computers

  • Prevent users from running specific programs on shared computers

  • Specify who can add trusted publishers to client computers

  • Set the scope of the software restriction policies (specify whether policies affect all users or a subset of users on client computers)

  • Prevent executable files from running on the local computer, organizational unit (OU), site, or domain. This would be appropriate in cases when you are not using software restriction policies to address potential issues with malicious users.

Differences and changes in functionality

There are no changes in functionality in SRP for Windows Server 2012 and Windows 8.

Supported versions

Software Restriction Policies can only be configured on and applied to computers running at least Windows Server 2003, including Windows Server 2012, and at least Windows XP, including Windows 8.

Note

Certain editions of the Windows client operating system beginning with Windows Vista do not have Software Restriction Policies. Computers not administered in a domain by Group Policy might not receive distributed policies.

Comparing application control functions in Software Restriction Policies and AppLocker

The following table compares the features and functions of the Software Restriction Policies (SRP) feature and AppLocker. Each row below names an application control function, followed by the SRP and AppLocker entries for it.

Scope
  • SRP: SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.
  • AppLocker: AppLocker policies apply only to Windows Server 2008 R2, Windows Server 2012, Windows 7, and Windows 8.

Policy creation
  • SRP: SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.
  • AppLocker: AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO. AppLocker permits customization of error messages to direct users to a Web page for help.

Policy maintenance
  • SRP: SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).
  • AppLocker: AppLocker policies can be updated by using the Local Security Policy snap-in (if the policies are created locally), the GPMC, or the Windows PowerShell AppLocker cmdlets.

Policy application
  • SRP: SRP policies are distributed through Group Policy.
  • AppLocker: AppLocker policies are distributed through Group Policy.

Enforcement mode
  • SRP: SRP works in "deny list mode", where administrators create rules for the files that they do not want to allow in the enterprise, and the rest of the files are allowed to run by default. SRP can also be configured in "allow list mode", such that by default all files are blocked and administrators need to create allow rules for the files that they want to allow.
  • AppLocker: AppLocker by default works in "allow list mode", where only those files are allowed to run for which there is a matching allow rule.

File types that can be controlled
  • SRP: SRP can control the following file types:
    - Executables
    - DLLs
    - Scripts
    - Windows Installers
    SRP cannot control each file type separately. All SRP rules are in a single rule collection.
  • AppLocker: AppLocker can control the following file types:
    - Executables
    - DLLs
    - Scripts
    - Windows Installers
    - Packaged apps and installers (Windows Server 2012 and Windows 8)
    AppLocker maintains a separate rule collection for each of the five file types.

Designated file types
  • SRP: SRP supports an extensible list of file types that are considered executable. Administrators can add extensions for files that should be considered executable.
  • AppLocker: AppLocker does not support this. AppLocker currently supports the following file extensions:
    - Executables (.exe, .com)
    - DLLs (.ocx, .dll)
    - Scripts (.vbs, .js, .ps1, .cmd, .bat)
    - Windows Installers (.msi, .mst, .msp)
    - Packaged app installers (.appx)

Rule types
  • SRP: SRP supports four types of rules:
    - Hash
    - Path
    - Signature
    - Internet zone
  • AppLocker: AppLocker supports three types of rules:
    - Hash
    - Path
    - Publisher

Editing the hash value
  • SRP: SRP allows administrators to provide custom hash values.
  • AppLocker: AppLocker computes the hash value itself. Internally it uses the SHA1 Authenticode hash for Portable Executables (Exe and Dll) and Windows Installers, and a SHA1 flat file hash for the rest.

Support for different security levels
  • SRP: With SRP, administrators can specify the permissions with which an app can run. So, an administrator can configure a rule such that notepad always runs with restricted permissions and never with administrative privileges. SRP on Windows Vista and earlier supported multiple security levels. On Windows 7 that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).
  • AppLocker: AppLocker does not support security levels.

Manage packaged apps and packaged app installers
  • SRP: Unable.
  • AppLocker: .appx is a valid file type which AppLocker can manage.

Targeting a rule to a user or a group of users
  • SRP: SRP rules apply to all users on a particular computer.
  • AppLocker: AppLocker rules can be targeted to a specific user or a group of users.

Support for rule exceptions
  • SRP: SRP does not support rule exceptions.
  • AppLocker: AppLocker rules can have exceptions, which allow administrators to create rules such as "Allow everything from Windows except for Regedit.exe".

Support for audit mode
  • SRP: SRP does not support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.
  • AppLocker: AppLocker supports audit mode, which allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.

Support for exporting and importing policies
  • SRP: SRP does not support policy import/export.
  • AppLocker: AppLocker supports the importing and exporting of policies. This allows you to create an AppLocker policy on a sample computer, test it out, and then export that policy and import it back into the desired GPO.

Rule enforcement
  • SRP: Internally, SRP rule enforcement happens in user mode, which is less secure.
  • AppLocker: Internally, AppLocker rules for Exes and Dlls are enforced in kernel mode, which is more secure than enforcing them in user mode.
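The "Enforcement mode", "Designated file types", "Rule types" and "Editing the hash value" rows above describe how an SRP policy decides whether a file may run. The following Python model is an added example written for this page; it is not Microsoft code and does not read a real SRP policy. It models the two enforcement modes (deny list: default Unrestricted with explicit Disallowed rules; allow list: default Disallowed with explicit Unrestricted rules), hash rules keyed on a SHA1 flat-file hash, and path rules. Two things are assumptions of the example rather than statements from this page: that a hash rule takes precedence over a path rule and that the most specific (longest) matching path rule wins; and that files whose extension is not in the designated list are simply not subject to the policy. All file contents and paths are constructed sample data.

```python
"""Toy model of Software Restriction Policies (SRP) rule evaluation.

Added example, not Microsoft code. Precedence (hash rule, then the most
specific path rule, then the default security level) and the treatment of
non-designated file types are assumptions made for this example.
"""
import hashlib
import ntpath
from dataclasses import dataclass, field

UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"

# Designated file types: only these extensions are subject to the policy.
# SRP's real list is extensible; this is a constructed subset.
DESIGNATED_TYPES = {".exe", ".com", ".dll", ".vbs", ".js", ".ps1",
                    ".cmd", ".bat", ".msi"}


def flat_file_sha1(data: bytes) -> str:
    """SHA1 over the raw file bytes (the 'flat file hash' named in the table)."""
    return hashlib.sha1(data).hexdigest()


@dataclass
class HashRule:
    sha1: str      # hex digest supplied by the administrator
    level: str     # UNRESTRICTED or DISALLOWED


@dataclass
class PathRule:
    path: str      # folder or file path; Windows paths are case-insensitive
    level: str


@dataclass
class Policy:
    default_level: str
    hash_rules: list = field(default_factory=list)
    path_rules: list = field(default_factory=list)

    def evaluate(self, path: str, data: bytes):
        """Return (security level, reason) for a file at `path` with bytes `data`."""
        ext = ntpath.splitext(path)[1].lower()
        if ext not in DESIGNATED_TYPES:
            # Assumption: non-designated file types are not checked at all.
            return UNRESTRICTED, "not a designated file type"

        digest = flat_file_sha1(data)
        for rule in self.hash_rules:
            if rule.sha1.lower() == digest:
                return rule.level, f"hash rule {digest[:12]}"

        # Path rules: a rule matches the file itself or any file under its folder.
        norm = ntpath.normcase(path)
        best = None
        for rule in self.path_rules:
            rp = ntpath.normcase(rule.path)
            if norm == rp or norm.startswith(rp.rstrip("\\") + "\\"):
                if best is None or len(rp) > len(ntpath.normcase(best.path)):
                    best = rule  # most specific (longest) matching path wins
        if best is not None:
            return best.level, f"path rule {best.path}"

        return self.default_level, "default security level"


# Constructed sample file contents standing in for real binaries.
NOTEPAD = b"constructed sample bytes standing in for notepad.exe"
TOOL = b"constructed sample bytes for a downloaded tool"


def deny_list_policy() -> Policy:
    """Deny-list mode: everything runs unless a rule disallows it."""
    return Policy(UNRESTRICTED,
                  hash_rules=[HashRule(flat_file_sha1(TOOL), DISALLOWED)])


def allow_list_policy() -> Policy:
    """Allow-list mode: default Disallowed, explicit allow rules for system folders."""
    return Policy(DISALLOWED,
                  path_rules=[PathRule(r"C:\Windows", UNRESTRICTED),
                              PathRule(r"C:\Program Files", UNRESTRICTED),
                              # a more specific rule that blocks a writable subfolder
                              PathRule(r"C:\Windows\Temp", DISALLOWED)])


if __name__ == "__main__":
    for pol_name, pol in (("deny-list", deny_list_policy()),
                          ("allow-list", allow_list_policy())):
        for p, d in ((r"C:\Windows\notepad.exe", NOTEPAD),
                     (r"C:\Windows\Temp\dropper.exe", TOOL),
                     (r"C:\Users\alice\Downloads\tool.exe", TOOL),
                     (r"C:\Users\alice\notes.txt", b"text")):
            print(pol_name, p, pol.evaluate(p, d))
```

Running the script shows the practical difference between the modes: under the deny-list policy the downloaded tool is blocked only while its bytes still match the hash rule, and any modified copy falls back to the Unrestricted default, whereas under the allow-list policy the same file is Disallowed unless a path rule covers it, and the more specific `C:\Windows\Temp` rule overrides the broader `C:\Windows` allow. This is the behaviour behind the best-practice advice later on this page to pair path rules with access control lists.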

System requirements

Software restriction policies can only be configured on and applied to computers running at least Windows Server 2003, and at least Windows XP. Group Policy is required to distribute Group Policy Objects that contain software restriction policies.

Software restriction policies components and architecture

Software restriction policies provide a mechanism for the operating system, and for applications compliant with software restriction policies, to restrict the runtime execution of software programs.

At a high level, software restriction policies consist of the following components:

  • Software restriction policies API. The Application Programming Interfaces (APIs) are used to create and configure the rules that constitute the software restriction policy. There are also software restriction policies APIs for querying, processing, and enforcing software restriction policies.

  • A software restriction policies management tool. This consists of the Software Restriction Policies extension of the Local Group Policy Object Editor snap-in, which administrators use to create and edit the software restriction policies.

  • A set of operating system APIs and applications that call the software restriction policies APIs to provide enforcement of the software restriction policies at runtime.

  • Active Directory and Group Policy. Software restriction policies depend on the Group Policy infrastructure to propagate the software restriction policies from Active Directory to the appropriate clients, and for scoping and filtering the application of these policies to the appropriate target computers.

  • Authenticode and WinVerifyTrust APIs, which are used to process signed executable files.

  • Event Viewer. The functions used by software restriction policies log events to the Event Viewer logs.

  • Resultant Set of Policy (RSoP), which can aid in diagnosing the effective policy that will be applied to a client.

For more information about SRP architecture and how SRP manages rules, processes, and interactions, see How Software Restriction Policies Work in the Windows Server 2003 Technical Library.

Best practices

Do not modify the default domain policy.

  • If you do not edit the default domain policy, you always have the option of reapplying the default domain policy if something goes wrong with your customized domain policy.

Create a separate Group Policy Object for software restriction policies.

  • If you create a separate Group Policy Object (GPO) for software restriction policies, you can disable software restriction policies in an emergency without disabling the rest of your domain policy.

If you experience problems with applied policy settings, restart Windows in Safe Mode.

  • Software restriction policies do not apply when Windows is started in Safe Mode. If you accidentally lock down a workstation with software restriction policies, restart the computer in Safe Mode, log on as a local administrator, modify the policy, run gpupdate, restart the computer, and then log on normally.

Use caution when defining a default setting of Disallowed.

  • When you define a default setting of Disallowed, all software is disallowed except for software that has been explicitly allowed. Any file that you want to open has to have a software restriction policies rule that allows it to open.

  • To protect administrators from locking themselves out of the system, four registry path rules are automatically created when the default security level is set to Disallowed. You can delete or modify these registry path rules; however, this is not recommended.

For best security, use access control lists in conjunction with software restriction policies.

  • Users might try to circumvent software restriction policies by renaming or moving disallowed files or by overwriting unrestricted files. As a result, it is recommended that you use access control lists (ACLs) to deny users the access necessary to perform these tasks.

Test new policy settings thoroughly in test environments before applying the policy settings to your domain.

  • New policy settings might act differently than originally expected. Testing diminishes the chance of encountering a problem when you deploy policy settings across your network.

  • You can set up a test domain, separate from your organization's domain, in which to test new policy settings. You can also test the policy settings by creating a test GPO and linking it to a test organizational unit. When you have thoroughly tested the policy settings with test users, you can link the test GPO to your domain.

  • Do not set programs or files to Disallowed without testing to see what the effect may be. Restrictions on certain files can seriously affect the operation of your computer or network.

  • Information that is entered incorrectly or typing mistakes can result in a policy setting that does not perform as expected. Testing new policy settings before applying them can prevent unexpected behavior.

Filter user policy settings based on membership in security groups.

  • You can specify users or groups for which you do not want a policy setting to apply by clearing the Apply Group Policy and Read check boxes, which are located on the Security tab of the properties dialog box for the GPO.

  • When the Read permission is denied, the policy setting is not downloaded by the computer. As a result, less bandwidth is consumed by downloading unnecessary policy settings, which enables the network to function more quickly. To deny the Read permission, select Deny for the Read check box, which is located on the Security tab of the properties dialog box for the GPO.

  • Linking to a GPO in another domain or site can result in poor performance.

Additional resources

Content type: References

Planning: Software Restriction Policies Technical Reference

Operations: Administer Software Restriction Policies

Troubleshooting: Software Restriction Policies Troubleshooting (2003)

Security: Threats and Countermeasures for Software Restriction Policies (2008); Threats and Countermeasures for Software Restriction Policies (2008 R2)

Tools and settings: Software Restriction Policies Tools and Settings (2003)

Community resources: Application Lockdown with Software Restriction Policies