Shutdown: Clear virtual memory pagefile

Applies to

  • Windows 10

Describes the best practices, location, values, policy management and security considerations for the Shutdown: Clear virtual memory pagefile security policy setting.

Reference

This policy setting determines whether the virtual memory paging file is cleared when the device is shut down. Virtual memory support uses a system paging file to swap pages of memory to disk when they are not used. On a running device, this paging file is opened exclusively by the operating system, and it is well protected. However, devices that are configured to allow other operating systems to start should verify that the system paging file is cleared as the device shuts down. This confirmation ensures that sensitive information from process memory that might be placed in the paging file is not available to an unauthorized user who manages to directly access the paging file after shutdown.

Important information that is kept in real memory might be written periodically to the paging file. This helps devices handle multitasking functions. A malicious user who has physical access to a server that has been shut down can view the contents of the paging file. The attacker can move the system volume into a different computer and then analyze the contents of the paging file. This is a time-consuming process, but it can expose data that is cached from RAM to the paging file. A malicious user who has physical access to the server can bypass this countermeasure by simply unplugging the server from its power source.

Possible values

  • Enabled

    The system paging file is cleared when the system shuts down normally. Also, this policy setting forces the computer to clear the hibernation file (hiberfil.sys) when hibernation is disabled on a portable device.

  • Disabled

  • Not defined

Best practices

  • Set this policy to Enabled. This causes Windows to clear the paging file when the system is shut down. Depending on the size of the paging file, this process might take several minutes before the system completely shuts down. This delay in shutting down the server is especially noticeable on servers with large paging files. For a server with 2 gigabytes (GB) of RAM and a 2-GB paging file, this setting can add more than 30 minutes to the shutdown process. For some organizations, this downtime violates their internal service level agreements. Use caution when implementing this countermeasure in your environment.

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Default values

The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.

Server type or GPO                         | Default value
Default Domain Policy                      | Not defined
Default Domain Controller Policy           | Not defined
Stand-Alone Server Default Settings        | Disabled
DC Effective Default Settings              | Disabled
Member Server Effective Default Settings   | Disabled
Client Computer Effective Default Settings | Disabled

Policy management

This section describes features and tools that are available to help you manage this policy.

Restart requirement

None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy.

Security considerations

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

Vulnerability

Important information that is kept in real memory may be written periodically to the paging file to help Windows handle multitasking functions. An attacker who has physical access to a server that has been shut down could view the contents of the paging file. The attacker could move the system volume into a different device and then analyze the contents of the paging file. Although this process is time consuming, it could expose data that is cached from random access memory (RAM) to the paging file.

Caution: An attacker who has physical access to the device could bypass this countermeasure by unplugging the computer from its power source.

Countermeasure

Enable the Shutdown: Clear virtual memory page file setting. This configuration causes the operating system to clear the paging file when the device is shut down. The amount of time that is required to complete this process depends on the size of the page file. Because the process overwrites the storage area that is used by the page file several times, it could be several minutes before the device completely shuts down.

Potential impact

It takes longer to shut down and restart the device, especially on devices with large paging files. For a device with 2 gigabytes (GB) of RAM and a 2-GB paging file, this policy setting could increase the shutdown process by more than 30 minutes. For some organizations this downtime violates their internal service level agreements. Therefore, use caution before you implement this countermeasure in your environment.
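
The following audit script is an added example, not part of the original documentation. It reports whether the setting is in effect on the local device and how much paging file space would have to be cleared at shutdown, which is the figure that drives the delay described above. It assumes the policy is stored in the ClearPageFileAtShutdown registry value under the Memory Management key (the path is not stated on this page); the function names are hypothetical.

```powershell
# Added example: audit "Shutdown: Clear virtual memory pagefile" on the local device.
# Assumption: the policy is backed by the ClearPageFileAtShutdown registry value below.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$ValueName = 'ClearPageFileAtShutdown'

function Get-ClearPageFilePolicy {
    # Returns 'Enabled', 'Disabled', or 'Not defined' (value absent from the registry).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not defined' }
    if ([int]$item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-PageFileFootprint {
    # Lists each active paging file with its allocated size in MB.
    # Larger allocations mean a longer clearing pass at shutdown.
    Get-CimInstance -ClassName Win32_PageFileUsage | ForEach-Object {
        [pscustomobject]@{
            Path        = $_.Name
            AllocatedMB = $_.AllocatedBaseSize
            PeakUsedMB  = $_.PeakUsage
        }
    }
}

$state   = Get-ClearPageFilePolicy
$files   = @(Get-PageFileFootprint)
$totalMB = ($files | Measure-Object -Property AllocatedMB -Sum).Sum

# 'Disabled' and 'Not defined' both leave paged-out memory on disk after shutdown.
if ($state -eq 'Enabled') {
    $finding = 'Paging file is cleared on normal shutdown'
} else {
    $finding = 'Paging file contents persist on disk after shutdown'
}

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    PolicyState     = $state
    PageFileCount   = $files.Count
    TotalPageFileMB = $totalMB
    Finding         = $finding
}
```

Run it from an elevated PowerShell session; the TotalPageFileMB figure helps judge whether the added shutdown time fits your service level agreements before the setting is enabled.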
