Work with Software Restriction Policies Rules

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic describes procedures for working with certificate, path, Internet zone, and hash rules using Software Restriction Policies.

Introduction

With software restriction policies, you can protect your computing environment from untrusted software by identifying and specifying what software is allowed to run. You can define a default security level of Unrestricted or Disallowed for a Group Policy Object (GPO) so that software is either allowed or not allowed to run by default. You can make exceptions to this default security level by creating software restriction policies rules for specific software. For example, if the default security level is set to Disallowed, you can create rules that allow specific software to run. The types of rules are as follows:

For information about other tasks to manage Software Restriction Policies, see Administer Software Restriction Policies.

Working with certificate rules

Software restriction policies can also identify software by its signing certificate. You can create a certificate rule that identifies software and then allows or does not allow the software to run, depending on the security level. For example, you can use certificate rules to automatically trust software from a trusted source in a domain without prompting the user. You can also use certificate rules to run files in disallowed areas of your operating system. Certificate rules are not enabled by default.

When rules are created for the domain using Group Policy, you must have permissions to create or modify a Group Policy Object. If you are creating rules for the local computer, you must have administrative credentials on that computer.

To create a certificate rule

  1. Open Software Restriction Policies.

  2. In either the console tree or the details pane, right-click Additional Rules, and then click New Certificate Rule.

  3. Click Browse, and then select a certificate or signed file.

  4. In Security level, click either Disallowed or Unrestricted.

  5. In Description, type a description for this rule, and then click OK.

Note

  • It might be necessary to create a new software restriction policy setting for the Group Policy Object (GPO) if you have not already done so.
  • Certificate rules are not enabled by default.
  • The only file types that are affected by certificate rules are those that are listed in Designated file types in the details pane for Software Restriction Policies. There is one list of designated file types that is shared by all rules.
  • For software restriction policies to take effect, users must update policy settings by logging off from and logging on to their computers.
  • When more than one software restriction policies rule is applied to policy settings, there is a precedence of rules for handling conflicts.

Enabling certificate rules

There are different procedures for enabling certificate rules depending on your environment:

To enable certificate rules for your local computer

  1. Open Local Security Settings.

  2. In the console tree, click Security Options, located under Security Settings/Local Policies.

  3. In the details pane, double-click System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies.

  4. Do one of the following, and then click OK:

    • To enable certificate rules, click Enabled.

    • To disable certificate rules, click Disabled.

To enable certificate rules for a Group Policy Object when you are on a server that is joined to a domain

  1. Open Microsoft Management Console (MMC).

  2. On the File menu, click Add/Remove snap-in, and then click Add.

  3. Click Local Group Policy Object Editor, and then click Add.

  4. In Select Group Policy Object, click Browse.

  5. In Browse for a Group Policy Object, select a Group Policy Object (GPO) in the appropriate domain, site, or organizational unit, or create a new one, and then click Finish.

  6. Click Close, and then click OK.

  7. In the console tree, click Security Options, located under GroupPolicyObject [ComputerName] Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/.

  8. In the details pane, double-click System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies.

  9. If this policy setting has not yet been defined, select the Define these policy settings check box.

  10. Do one of the following, and then click OK:

    • To enable certificate rules, click Enabled.

    • To disable certificate rules, click Disabled.

To enable certificate rules for a Group Policy Object when you are on a domain controller or on a workstation that has the Remote Server Administration Tools installed

  1. Open Active Directory Users and Computers.

  2. In the console tree, right-click the Group Policy Object (GPO) for which you want to enable certificate rules.

  3. Click Properties, and then click the Group Policy tab.

  4. Click Edit to open the GPO that you want to edit. You can also click New to create a new GPO, and then click Edit.

  5. In the console tree, click Security Options, located under GroupPolicyObject [ComputerName] Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies.

  6. In the details pane, double-click System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies.

  7. If this policy setting has not yet been defined, select the Define these policy settings check box.

  8. Do one of the following, and then click OK:

    • To enable certificate rules, click Enabled.

    • To disable certificate rules, click Disabled.

To enable certificate rules for only domain controllers when you are on a domain controller or on a workstation that has the Remote Server Administration Tools installed

  1. Open Domain Controller Security Settings.

  2. In the console tree, click Security Options, located under GroupPolicyObject [ComputerName] Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies.

  3. In the details pane, double-click System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies.

  4. If this policy setting has not yet been defined, select the Define these policy settings check box.

  5. Do one of the following, and then click OK:

    • To enable certificate rules, click Enabled.

    • To disable certificate rules, click Disabled.

Note

You must perform this procedure before certificate rules can take effect.

Set trusted publisher options

Software signing is being used by a growing number of software publishers and application developers to verify that their applications come from a trusted source. However, many users do not understand, or pay little attention to, the signing certificates associated with the applications that they install.

The policy settings on the Trusted Publishers tab of the certificate path validation policy allow administrators to control which certificates can be accepted as coming from a trusted publisher.

To configure the trusted publishers policy settings for a local computer
  1. On the Start screen, type gpedit.msc, and then press ENTER.

  2. In the console tree under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings, click Public Key Policies.

  3. Double-click Certificate Path Validation Settings, and then click the Trusted Publishers tab.

  4. Select the Define these policy settings check box, select the policy settings that you want to apply, and then click OK to apply the new settings.

To configure the trusted publishers policy settings for a domain
  1. Open Group Policy Management.

  2. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy Object (GPO) that you want to edit.

  3. Right-click the Default Domain Policy GPO, and then click Edit.

  4. In the console tree under Computer Configuration\Windows Settings\Security Settings, click Public Key Policies.

  5. Double-click Certificate Path Validation Settings, and then click the Trusted Publishers tab.

  6. Select the Define these policy settings check box, select the policy settings that you want to apply, and then click OK to apply the new settings.

To allow only administrators to manage certificates used for code signing for a local computer
  1. On the Start screen, type gpedit.msc in Search programs and files (or, in Windows 8, on the Desktop), and then press ENTER.

  2. In the console tree under Default Domain Policy or Local Computer Policy, double-click Computer Configuration, Windows Settings, and Security Settings, and then click Public Key Policies.

  3. Double-click Certificate Path Validation Settings, and then click the Trusted Publishers tab.

  4. Select the Define these policy settings check box.

  5. Under Trusted publisher management, click Allow only all administrators to manage Trusted Publishers, and then click OK to apply the new settings.

To allow only administrators to manage certificates used for code signing for a domain
  1. Open Group Policy Management.

  2. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy GPO that you want to edit.

  3. Right-click the Default Domain Policy GPO, and then click Edit.

  4. In the console tree under Computer Configuration\Windows Settings\Security Settings, click Public Key Policies.

  5. Double-click Certificate Path Validation Settings, and then click the Trusted Publishers tab.

  6. Select the Define these policy settings check box, implement the changes you want, and then click OK to apply the new settings.

Working with hash rules

A hash is a series of bytes with a fixed length that uniquely identifies a software program or file. The hash is computed by a hash algorithm. When a hash rule is created for a software program, software restriction policies calculate a hash of the program. When a user tries to open a software program, a hash of the program is compared to the existing hash rules for software restriction policies. The hash of a software program is always the same, regardless of where the program is located on the computer. However, if a software program is altered in any way, its hash also changes, and it no longer matches the hash in the hash rule for software restriction policies.

For example, you can create a hash rule and set the security level to Disallowed to prevent users from running a certain file. A file can be renamed or moved to another folder and still result in the same hash. However, any change to the file itself also changes its hash value and allows the file to bypass the restriction.

To create a hash rule

  1. Open Software Restriction Policies.

  2. In either the console tree or the details pane, right-click Additional Rules, and then click New Hash Rule.

  3. Click Browse to find a file.

    Note

    In Windows XP it is possible to paste a pre-calculated hash in File hash. In Windows Server 2008 R2, Windows 7, and later versions, this option is not available.

  4. In Security level, click either Disallowed or Unrestricted.

  5. In Description, type a description for this rule, and then click OK.

Note

  • It may be necessary to create a new software restriction policy setting for the Group Policy Object (GPO) if you have not already done so.
  • A hash rule can be created for a virus or a Trojan horse to prevent them from running.
  • If you want other people to use a hash rule so that a virus cannot run, calculate the hash of the virus by using software restriction policies, and then e-mail the hash value to the other people. Never e-mail the virus itself.
  • If a virus has been sent through e-mail, you can also create a path rule to prevent execution of e-mail attachments.
  • A file that is renamed or moved to another folder results in the same hash. Any change to the file itself results in a different hash.
  • The only file types that are affected by hash rules are those that are listed in Designated File Types in the details pane for Software Restriction Policies. There is one list of designated file types that is shared by all rules.
  • For software restriction policies to take effect, users must update policy settings by logging off from and logging on to their computers.
  • When more than one software restriction policies rule is applied to policy settings, there is a precedence of rules for handling conflicts.

Working with Internet zone rules

Internet zone rules apply only to Windows Installer packages. A zone rule can identify software from a zone that is specified through Internet Explorer. These zones are Internet, Local intranet, Restricted sites, Trusted sites, and My Computer. An Internet zone rule is designed to prevent users from downloading and installing software.

To create an Internet zone rule

  1. Open Software Restriction Policies.

  2. In either the console tree or the details pane, right-click Additional Rules, and then click New Internet Zone Rule.

  3. In Internet zone, click an Internet zone.

  4. In Security level, click either Disallowed or Unrestricted, and then click OK.

Note

  • It may be necessary to create a new software restriction policy setting for the Group Policy Object (GPO) if you have not already done so.
  • Zone rules apply only to files with an .msi file type, which are Windows Installer packages.
  • For software restriction policies to take effect, users must update policy settings by logging off from and logging on to their computers.
  • When more than one software restriction policies rule is applied to policy settings, there is a precedence of rules for handling conflicts.

Working with path rules

A path rule identifies software by its file path. For example, if you have a computer that has a default security level of Disallowed, you can still grant unrestricted access to a specific folder for each user. You can create a path rule by using the file path and setting the security level of the path rule to Unrestricted. Some common paths for this type of rule are %userprofile%, %windir%, %appdata%, %programfiles%, and %temp%. You can also create registry path rules that use the registry key of the software as its path.

Because these rules are specified by the path, if a software program is moved, the path rule no longer applies.

To create a path rule

  1. Open Software Restriction Policies.

  2. In either the console tree or the details pane, right-click Additional Rules, and then click New Path Rule.

  3. In Path, type a path, or click Browse to find a file or folder.

  4. In Security level, click either Disallowed or Unrestricted.

  5. In Description, type a description for this rule, and then click OK.

Warning

  • On certain folders, such as the Windows folder, setting the security level to Disallowed can adversely affect the operation of your operating system. Make sure that you do not disallow a crucial component of the operating system or one of its dependent programs.

Note

  • It may be necessary to create new software restriction policies for the Group Policy Object (GPO) if you have not already done so.
  • If you create a path rule for software with a security level of Disallowed, users can still run the software by copying it to another location.
  • The wildcard characters that are supported by the path rule are * and ?.
  • You can use environment variables, such as %programfiles% or %systemroot%, in the path rule.
  • If you want to create a path rule for software when you do not know where it is stored on a computer but you have its registry key, you can create a registry path rule.
  • To prevent users from executing e-mail attachments, you can create a path rule for your e-mail program's attachment directory that prevents users from running e-mail attachments.
  • The only file types that are affected by path rules are those that are listed in Designated File Types in the details pane for Software Restriction Policies. There is one list of designated file types that is shared by all rules.
  • For software restriction policies to take effect, users must update policy settings by logging off from and logging on to their computers.
  • When more than one software restriction policies rule is applied to policy settings, there is a precedence of rules for handling conflicts.

To create a registry path rule

  1. On the Start screen, type regedit.

  2. In the console tree, right-click the registry key that you want to create a rule for, and then click Copy Key Name. Note the value name in the details pane.

  3. Open Software Restriction Policies.

  4. In either the console tree or the details pane, right-click Additional Rules, and then click New Path Rule.

  5. In Path, paste the registry key name, followed by the value name.

  6. Enclose the registry path in percent signs (%), for example, %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PlatformSDK\Directories\InstallDir%.

  7. In Security level, click either Disallowed or Unrestricted.

  8. In Description, type a description for this rule, and then click OK.
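The hash-rule and path-rule sections above describe what each rule matches on, and the path-rule note points out that an Unrestricted path rule over a folder users can write to lets them run whatever they copy there. The following PowerShell script is an added example, not part of this topic, that lists the hash, path and zone rules configured in the local machine policy and flags Unrestricted path rules on user-writable or wildcard paths; the registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, the level subkey numbers and the ItemData/Description value names are assumed from general knowledge of how SRP stores rules, so confirm them on your own system.

```powershell
# Added example (not from the page): audit the Software Restriction Policies rules stored
# in the local machine policy. Registry layout, level numbers and value names are ASSUMED.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# Subkey names are the security levels (assumed): 0 = Disallowed, 262144 = Unrestricted.
$Levels = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }
# Folders a standard user can normally write to (constructed list used only by this check).
$UserWritable = @('%userprofile%', '%temp%', '%appdata%', '%localappdata%', '%public%')

function Get-SrpRule {
    if (-not (Test-Path $Base)) { Write-Warning "No SRP policy under $Base"; return }
    foreach ($levelKey in Get-ChildItem $Base) {
        $levelName = $Levels[$levelKey.PSChildName]
        if (-not $levelName) { continue }          # skip anything that is not a level key
        foreach ($kind in 'Paths', 'Hashes', 'UrlZones') {
            $kindPath = "$($levelKey.PSPath)\$kind"
            if (-not (Test-Path $kindPath)) { continue }
            foreach ($ruleKey in Get-ChildItem $kindPath) {
                $p = Get-ItemProperty $ruleKey.PSPath
                # ItemData is assumed to hold the path for path rules, the raw hash bytes for
                # hash rules and the zone number for zone rules; render bytes as hex.
                $data = if ($p.ItemData -is [byte[]]) {
                    ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                } else { [string]$p.ItemData }
                [pscustomobject]@{
                    Level       = $levelName
                    Kind        = $kind.TrimEnd('s')
                    ItemData    = $data
                    Description = $p.Description
                    RuleId      = $ruleKey.PSChildName
                }
            }
        }
    }
}

function Test-WeakPathRule {
    # Flags the weakness the path-rule note describes: an Unrestricted rule that a user
    # can satisfy by copying a file into a writable folder, or that matches too broadly.
    param([Parameter(ValueFromPipeline = $true)] $Rule)
    process {
        if ($Rule.Kind -ne 'Path' -or $Rule.Level -ne 'Unrestricted') { return }
        $path = $Rule.ItemData.ToLowerInvariant()
        $reasons = @()
        if ($UserWritable | Where-Object { $path.StartsWith($_) }) {
            $reasons += 'allows execution from a user-writable folder'
        }
        if ($path -match '[*?]') { $reasons += 'uses the * or ? wildcard, widening the match' }
        if ($reasons.Count -gt 0) {
            $Rule | Add-Member -NotePropertyName Finding -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

$rules = @(Get-SrpRule)
$rules | Format-Table Level, Kind, ItemData, Description -AutoSize
$rules | Test-WeakPathRule | Format-List Level, ItemData, Description, Finding
```

Run it in an elevated PowerShell session; user-scoped rules under HKCU, if any, are not covered by this example.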