AppLocker

Applies to

  • Windows 10
  • Windows Server

This topic describes AppLocker and can help you decide whether your organization would benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

Note

AppLocker cannot control processes running under the SYSTEM account on any operating system.

AppLocker can help you:

  • Define rules based on file attributes that persist across app updates, such as the publisher name (derived from the digital signature), product name, file name, and file version. You can also create rules based on the file path and hash.
  • Assign a rule to a security group or an individual user.
  • Create exceptions to rules. For example, you can create a rule that allows all users to run all Windows binaries except the Registry Editor (regedit.exe).
  • Use audit-only mode to deploy the policy and understand its impact before enforcing it.
  • Create rules on a staging server, test them, then export them to your production environment and import them into a Group Policy Object.
  • Simplify creating and managing AppLocker rules by using Windows PowerShell.
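The capabilities listed above, worked through end to end as an added example (this is not code from the original page or from Microsoft): inventory the files to allow, generate publisher and hash rules, add a path rule with the regedit.exe exception, switch every collection to audit-only mode, dry-run the policy, then apply it locally or import it into a GPO. The folder C:\Program Files\Contoso, the staging folder, and the GPO path in $gpoLdap are assumptions for this example.

```powershell
# Added example (not from the original page): author, test and stage an AppLocker
# policy with the AppLocker PowerShell module. Run in an elevated session on a
# supported Windows edition. The folder C:\Program Files\Contoso, the staging
# folder and the GPO path in $gpoLdap are assumptions made for this example.
Import-Module AppLocker

$staging = 'C:\AppLockerStaging'
New-Item -ItemType Directory -Path $staging -Force | Out-Null

# 1. Inventory the files to allow. Publisher, product, binary name and version are
#    read from each file's signature, so publisher rules survive version updates;
#    hash rules must be regenerated whenever an unsigned file changes.
$fileInfo = Get-AppLockerFileInformation -Directory 'C:\Program Files\Contoso' `
                                         -Recurse -FileType Exe, Dll

# 2. Build rules for Everyone: publisher rules for signed files, hash rules for the
#    rest. -Optimize merges rules that share a publisher; -Xml returns the policy as
#    text that can be reviewed, versioned and imported elsewhere.
[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo `
                                   -RuleType Publisher, Hash -User Everyone `
                                   -RuleNamePrefix 'Contoso' -Optimize -Xml

# 3. Add a path rule with an exception: allow everything under %WINDIR% except the
#    Registry Editor. New-AppLockerPolicy does not emit exceptions, so the rule is
#    written directly in the policy XML. S-1-1-0 is the well-known SID for Everyone.
$ruleId = [guid]::NewGuid().ToString()
$windowsRule = @"
<FilePathRule Id="$ruleId" Name="Allow Windows binaries except Registry Editor"
              Description="Added example rule" UserOrGroupSid="S-1-1-0" Action="Allow">
  <Conditions>
    <FilePathCondition Path="%WINDIR%\*" />
  </Conditions>
  <Exceptions>
    <FilePathCondition Path="%WINDIR%\regedit.exe" />
  </Exceptions>
</FilePathRule>
"@
$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
if (-not $exe) {
    $exe = $policy.DocumentElement.AppendChild($policy.CreateElement('RuleCollection'))
    $exe.SetAttribute('Type', 'Exe')
}
$exe.AppendChild($policy.ImportNode(([xml]$windowsRule).DocumentElement, $true)) | Out-Null

# 4. Deploy in audit-only mode first. Caution: a collection whose mode is left as
#    NotConfigured but which contains rules is enforced, so set the mode explicitly
#    on every collection (including Dll, which needs a rule for every library an app loads).
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) { $rc.SetAttribute('EnforcementMode', 'AuditOnly') }
$policy.Save("$staging\contoso-audit.xml")

# 5. Dry-run the policy against concrete files before it reaches any machine.
Test-AppLockerPolicy -XmlPolicy "$staging\contoso-audit.xml" `
                     -Path 'C:\Windows\regedit.exe', 'C:\Windows\System32\notepad.exe' `
                     -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 6. Apply locally. Rules are only evaluated while the Application Identity service
#    runs; on current builds the service is protected, so use sc.exe (not
#    Set-Service) to change its start type.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy "$staging\contoso-audit.xml"

# 7. Or import the same file into a GPO for a group of computers. -Merge keeps the
#    rules already in the GPO; without it the GPO's existing AppLocker policy is replaced.
$gpoLdap = 'LDAP://dc1.contoso.com/CN={<gpo-guid>},CN=Policies,CN=System,DC=contoso,DC=com'
Set-AppLockerPolicy -XmlPolicy "$staging\contoso-audit.xml" -Ldap $gpoLdap -Merge
```

In step 5 the dry run should list notepad.exe as allowed by the path rule and regedit.exe as denied by default, because the exception removes it from the only rule that would otherwise match and a file that matches no allow rule is denied once the collection is enforced. Test-AppLockerPolicy evaluates the XML file only, so it works on a staging machine that has no policy applied.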

AppLocker helps reduce administrative overhead and the organization's cost of managing computing resources by decreasing the number of Help Desk calls that result from users running unapproved apps. AppLocker addresses the following app security scenarios:

  • Application inventory

    AppLocker can enforce its policy in an audit-only mode in which all app access activity is recorded in the event logs. These events can be collected for further analysis. Windows PowerShell cmdlets also help you analyze this data programmatically.

  • Protection against unwanted software

    AppLocker can deny apps from running when you exclude them from the list of allowed apps. When AppLocker rules are enforced in the production environment, any app that is not covered by an allow rule is blocked from running.

  • Licensing conformance

    AppLocker can help you create rules that prevent unlicensed software from running and restrict licensed software to authorized users.

  • Software standardization

    AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This permits a more uniform app deployment.

  • Manageability improvement

    AppLocker includes a number of manageability improvements over its predecessor, Software Restriction Policies (SRP). Importing and exporting policies, automatic generation of rules from multiple files, audit-only mode deployment, and Windows PowerShell cmdlets are a few of the improvements over SRP.
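The application inventory scenario above, as an added example (not code from the original page or from Microsoft): read the audit-only events from the AppLocker event logs, summarize which files would have been blocked and by whom, and feed reviewed entries back into publisher/hash rules. It assumes AppLocker has run in audit-only mode on this machine long enough to collect events and that C:\AppLockerStaging exists; the function name Get-AppLockerActivity is this example's own.

```powershell
# Added example (not from the original page): turn audit-only events into an
# inventory of what would have been blocked, and feed reviewed entries back into
# rules. Assumes AppLocker has run in audit-only mode on this machine long enough
# to collect events and that C:\AppLockerStaging exists.
Import-Module AppLocker

# One log per rule collection family; event IDs differ per log:
#   EXE and DLL            8002 allowed  8003 audited  8004 blocked
#   MSI and Script         8005 allowed  8006 audited  8007 blocked
#   Packaged app-Execution 8020 allowed  8021 audited  8022 blocked
# "Audited" means the file ran but would have been denied under enforcement.
$logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
        'Microsoft-Windows-AppLocker/MSI and Script',
        'Microsoft-Windows-AppLocker/Packaged app-Execution'
$auditedIds = 8003, 8006, 8021

function Get-AppLockerActivity {
    param([string[]]$LogName, [int[]]$Id, [int]$Days = 7)
    foreach ($log in $LogName) {
        $filter = @{ LogName = $log; Id = $Id; StartTime = (Get-Date).AddDays(-$Days) }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            # The event payload carries the path, hash, publisher string (Fqbn)
            # and the SID of the account that ran the file.
            $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Time     = $_.TimeCreated
                EventId  = $_.Id
                UserSid  = $d.TargetUser
                FilePath = $d.FilePath
                Fqbn     = $d.Fqbn
                FileHash = $d.FileHash
            }
        }
    }
}

# Inventory: which files ran, how often, and by whom. Review this list before
# switching a collection from AuditOnly to Enabled; anything still missing from
# the allow rules at that point is blocked.
Get-AppLockerActivity -LogName $logs -Id $auditedIds |
    Group-Object FilePath | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Users'; e = { ($_.Group.UserSid | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# The module can read the same log directly and emit FileInformation objects, so
# reviewed entries become publisher/hash rules without touching the files again.
# Do not pipe every audited file through unreviewed: that allows whatever happened
# to run during the audit window, malware included.
Get-AppLockerFileInformation -EventLog -LogPath $logs[0] -EventType Audited |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'FromAudit' -Optimize -Xml |
    Out-File 'C:\AppLockerStaging\from-audit.xml' -Encoding utf8
```

Collecting the audited events centrally (event forwarding or a SIEM) rather than reading each machine's log is what makes this an inventory across the fleet; the grouping by file and user is the same either way.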

When to use AppLocker

In many organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. Access control technologies, such as Active Directory Rights Management Services (AD RMS) and access control lists (ACLs), help control what users are allowed to access.

However, when a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software. AppLocker can help mitigate these types of security breaches by restricting the files that users or groups are allowed to run. Software publishers are creating more apps that can be installed by non-administrative users. This can jeopardize an organization's written security policy and circumvent traditional app control solutions that rely on users being unable to install apps. By creating an allowed list of approved files and apps, AppLocker helps prevent such per-user apps from running. Because AppLocker can control DLLs, it is also useful for controlling who can install and run ActiveX controls.

AppLocker is ideal for organizations that currently use Group Policy to manage their PCs.

The following are examples of scenarios in which AppLocker can be used:

  • Your organization's security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and also restrict the use of licensed software to authorized users.
  • An app is no longer supported by your organization, so you need to prevent it from being used by everyone.
  • The potential for unwanted software to be introduced into your environment is high, so you need to reduce this threat.
  • The license for an app has been revoked or has expired in your organization, so you need to prevent it from being used by everyone.
  • A new app or a new version of an app is deployed, and you need to prevent users from running the old version.
  • Specific software tools are not allowed within the organization, or only specific users should have access to those tools.
  • A single user or small group of users needs to use a specific app that is denied to all others.
  • Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps.
  • In addition to other measures, you need to control access to sensitive data through app usage.

Note

AppLocker is a defense-in-depth security feature and not a security boundary. Windows Defender Application Control should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.

AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies.

Installing AppLocker

AppLocker is included with enterprise-level editions of Windows. You can author AppLocker rules for a single computer or for a group of computers. For a single computer, you can author the rules by using the Local Security Policy editor (secpol.msc). For a group of computers, you can author the rules within a Group Policy Object by using the Group Policy Management Console (GPMC).

Note

The GPMC is available on client computers running Windows only by installing the Remote Server Administration Tools. On computers running Windows Server, you must install the Group Policy Management feature.

Using AppLocker on Server Core

AppLocker on Server Core installations is not supported.

Virtualization considerations

You can administer AppLocker policies by using a virtualized instance of Windows, provided it meets all the system requirements listed previously. You can also run Group Policy in a virtualized instance. However, you risk losing the policies that you created and maintain if the virtualized instance is removed or fails.

Security considerations

Application control policies specify which apps are allowed to run on the local computer.

The variety of forms that malicious software can take makes it difficult for users to know what is safe to run. When activated, malicious software can damage content on a hard disk drive, flood a network with requests to cause a denial-of-service (DoS) attack, send confidential information to the Internet, or compromise the security of a computer.

The countermeasure is to create a sound design for your application control policies on PCs in your organization, and then thoroughly test the policies in a lab environment before you deploy them in a production environment. AppLocker can be part of your app control strategy because it lets you control what software is allowed to run on your computers.

A flawed application control policy implementation can disable necessary applications or allow malicious or unintended software to run. Therefore, it is important that organizations dedicate sufficient resources to manage and troubleshoot the implementation of such policies.

For additional information about specific security issues, see Security considerations for AppLocker.

When you use AppLocker to create application control policies, you should be aware of the following security considerations:

  • Who has the rights to set AppLocker policies?
  • How do you validate that the policies are enforced?
  • What events should you audit?
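For the second and third questions above, here is an added example (not code from the original page or from Microsoft) that checks whether the policy is actually in force on a machine: the Application Identity service state, the effective (local plus domain) policy and enforcement mode of each rule collection, and the last policy-applied and policy-failed events. It assumes an elevated session on a supported Windows edition; the function name Get-AppLockerEnforcementStatus is this example's own.

```powershell
# Added example (not from the original page): answer "is the policy actually
# enforced on this machine?" by checking the Application Identity service, the
# effective (local + domain) policy per rule collection, and the last policy
# application events. Assumes an elevated session on a supported Windows edition.
Import-Module AppLocker

function Get-AppLockerEnforcementStatus {
    # Without the Application Identity service, no AppLocker rule is evaluated at all.
    $svc = Get-Service -Name AppIDSvc

    # -Effective returns the merged policy the service applies, not just the local one.
    [xml]$effective = Get-AppLockerPolicy -Effective -Xml
    $collections = foreach ($rc in $effective.AppLockerPolicy.RuleCollection) {
        $rules = @($rc.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
        $mode = $rc.EnforcementMode
        # NotConfigured with rules present is enforced; NotConfigured and empty is inert.
        if ($mode -eq 'NotConfigured') {
            $mode = if ($rules.Count) { 'Enabled (implicit)' } else { 'NotConfigured (no rules)' }
        }
        [pscustomobject]@{
            Collection = $rc.Type
            Mode       = $mode
            RuleCount  = $rules.Count
            DenyRules  = @($rules | Where-Object { $_.Action -eq 'Deny' }).Count
        }
    }

    # 8001 = policy applied successfully; 8000 = policy conversion/application failed.
    $exeLog  = 'Microsoft-Windows-AppLocker/EXE and DLL'
    $applied = Get-WinEvent -FilterHashtable @{ LogName = $exeLog; Id = 8001 } -MaxEvents 1 -ErrorAction SilentlyContinue
    $failed  = Get-WinEvent -FilterHashtable @{ LogName = $exeLog; Id = 8000 } -MaxEvents 1 -ErrorAction SilentlyContinue

    # Whatever these values say, processes running as SYSTEM are outside AppLocker's control.
    [pscustomobject]@{
        ServiceStatus     = $svc.Status
        ServiceStartType  = $svc.StartType
        Collections       = $collections
        LastPolicyApplied = $applied.TimeCreated
        LastPolicyFailure = $failed.TimeCreated
    }
}

$status = Get-AppLockerEnforcementStatus
$status | Format-List ServiceStatus, ServiceStartType, LastPolicyApplied, LastPolicyFailure
$status.Collections | Format-Table -AutoSize

# Events worth forwarding from every AppLocker log: 8000/8001 (policy health),
# 8004/8007/8022 (blocked), 8003/8006/8021 (audited) and, from the
# Packaged app-Deployment log, 8023 (allowed), 8024 (audited) and 8025 (blocked).
```

A machine whose service is stopped, whose effective policy has no collections, or whose last 8001 event predates the policy change you are validating has not enforced that policy, whatever the GPO says. Running this check against a sample of machines after each policy change is a cheap answer to "how do you validate that the policies are enforced?".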

For reference in your security planning, the following table identifies the baseline settings for a PC with AppLocker installed:

Setting | Default value
Accounts created | None
Authentication method | Not applicable
Management interfaces | AppLocker can be managed by using a Microsoft Management Console snap-in, Group Policy Management, and Windows PowerShell
Ports opened | None
Minimum privileges required | Administrator on the local computer; Domain Admin, or any set of rights that allow you to create, edit, and distribute Group Policy Objects
Protocols used | Not applicable
Scheduled Tasks | Appidpolicyconverter.exe is put in a scheduled task to be run on demand
Security Policies | None required. AppLocker creates security policies
System Services required | Application Identity service (appidsvc) runs under LocalServiceAndNoImpersonation
Storage of credentials | None

In this section

Topic | Description
Administer AppLocker | This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.
AppLocker design guide | This topic for IT professionals introduces the design and planning steps required to deploy application control policies by using AppLocker.
AppLocker deployment guide | This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.
AppLocker technical reference | This overview topic for IT professionals provides links to the topics in the technical reference.