Maintain AppLocker Policies

Published: April 2012

Updated: May 2012

Applies to: Windows 8, Windows Server 2012

This topic describes how to maintain rules within AppLocker policies in Windows Server 2012 and Windows 8.

Common AppLocker maintenance scenarios include:

  • A new application is deployed, and you need to update an AppLocker policy.

  • A new version of an application is deployed, and you need to either update an AppLocker policy or create a new rule to update the policy.

  • An application is no longer supported by your organization, so you need to prevent it from being used.

  • An application appears to be blocked but should be allowed.

  • An application appears to be allowed but should be blocked.

  • A single user or small subset of users needs to use a specific application that is blocked.

There are two methods you can use to maintain AppLocker policies:

As new applications are deployed or existing applications are removed by your organization or updated by the software publisher, you might need to make revisions to your rules and update the Group Policy Object (GPO) to ensure that your policy is current.

You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs, such as Microsoft Advanced Group Policy Management (AGPM). For more information about AGPM, see Advanced Group Policy Management Overview (http://go.microsoft.com/fwlink/?LinkId=145013).

Caution
You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.

For every scenario, the steps to maintain an AppLocker policy distributed by Group Policy include the following tasks.

Before modifying a policy, evaluate how the policy is currently implemented. For example, if a new version of the application is deployed, you can use Test-AppLockerPolicy to verify the effectiveness of your current policy for that application. To read the procedures necessary to understand the current behavior of the policy, see Discovering the Effect of an AppLocker Policy. Updating your AppLocker planning document will help you track your findings. For information about creating this document, see Creating Your AppLocker Planning Document. For information about Test-AppLockerPolicy and examples of how to use it, see Test-AppLockerPolicy (http://go.microsoft.com/fwlink/?LinkId=169000).

Note
These documents apply to Windows Server 2012, Windows Server 2008 R2, Windows 8, and Windows 7 operating systems.

Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Therefore, export the policy from the GPO and update the rule or rules by using AppLocker on your AppLocker reference or test computer. To prepare an AppLocker policy for modification, see Export an AppLocker Policy from a GPO.

After the AppLocker policy has been exported from the GPO into the AppLocker reference or test computer, or has been accessed on the local computer, the specific rules can be modified as required.

To modify AppLocker rules, see the following:

You should test each collection of rules to ensure that the rules perform as intended. (Because AppLocker rules are inherited from linked GPOs, you should deploy all rules for simultaneous testing in all test GPOs.) For steps to perform this testing, see Test and Update an AppLocker Policy.

After testing, import the AppLocker policy back into the GPO for implementation. To update the GPO with a modified AppLocker policy, see Import an AppLocker Policy into a GPO.

After deploying a policy, evaluate the policy's effectiveness. For steps to understand the new behavior of the policy, see Discovering the Effect of an AppLocker Policy.
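The Group Policy workflow above (export, modify on a reference computer, test, import) can be driven with the AppLocker cmdlets. The following is an added example, not part of the original topic; the GPO LDAP path, folder names, application path and test user are placeholders, and it assumes the scenario where a new application version must end up allowed.

```powershell
# Added example. The GPO LDAP path, folders, application and user are placeholders.
Import-Module AppLocker

$gpoLdap  = 'LDAP://CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=com'
$workDir  = 'C:\AppLockerWork'
$exported = Join-Path $workDir 'gpo-policy-exported.xml'
$modified = Join-Path $workDir 'gpo-policy-modified.xml'
$appDir   = 'C:\Program Files\ExampleApp'    # hypothetical updated application
$testUser = 'EXAMPLE\testuser'               # hypothetical standard user

# Export the AppLocker policy from the GPO to the reference computer.
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
Get-AppLockerPolicy -Domain -Ldap $gpoLdap -Xml | Out-File -FilePath $exported

# Record how the currently deployed policy treats the new binaries.
$files = @(Get-ChildItem -Path $appDir -Recurse -Filter *.exe |
           Select-Object -ExpandProperty FullName)
if ($files.Count -eq 0) { throw "No executables found under $appDir" }
$before = @(Test-AppLockerPolicy -XmlPolicy $exported -Path $files -User $testUser)

# Edit the rules on the reference computer and export them to $modified,
# then run the script again to continue from here.
if (-not (Test-Path $modified)) {
    $before | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
    Write-Warning "No modified policy at $modified yet; nothing was imported."
    return
}
$after = @(Test-AppLockerPolicy -XmlPolicy $modified -Path $files -User $testUser)

# Show the decision for each file under the old and the new policy.
$was = @{}
foreach ($r in $before) { $was[[string]$r.FilePath] = $r.PolicyDecision }
$after | ForEach-Object {
    [pscustomobject]@{
        File   = [string]$_.FilePath
        Before = $was[[string]$_.FilePath]
        After  = $_.PolicyDecision
        Rule   = $_.MatchingRule
    }
} | Format-Table -AutoSize

# Import only when every tested file is explicitly allowed by the modified policy.
$notAllowed = @($after | Where-Object { $_.PolicyDecision -ne 'Allowed' })
if ($notAllowed.Count -gt 0) {
    Write-Warning "$($notAllowed.Count) file(s) are still not allowed; GPO left unchanged."
    return
}
# Without -Merge, Set-AppLockerPolicy replaces the AppLocker policy stored in the GPO.
Set-AppLockerPolicy -XmlPolicy $modified -Ldap $gpoLdap
```

Keeping both XML files under version control gives a change record even when AGPM is not available.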

For every scenario, the steps to maintain an AppLocker policy by using the Local Group Policy Editor or the Local Security Policy snap-in include the following tasks.

Before modifying a policy, evaluate how the policy is currently implemented. To read the procedures necessary to understand the current behavior of the policy, see Monitor Application Usage with AppLocker. Updating your AppLocker planning document will help you track your findings. For information about creating this document, see Creating Your AppLocker Planning Document.

Note
The AppLocker Planning Guide applies to Windows Server 2012, Windows Server 2008 R2, Windows 8 and Windows 7.

Rules are grouped into a collection, which can have the policy enforcement setting applied to it. By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed.

To modify AppLocker rules, see the appropriate topic listed on Administering AppLocker.

You should test each collection of rules to ensure that the rules perform as intended. For steps to perform this testing, see Test and Update an AppLocker Policy.

You can export and then import AppLocker policies to deploy the policy to other computers running Windows 8 or Windows Server 2012. To perform this task, see Export an AppLocker Policy to an XML File and Import an AppLocker Policy from Another Computer.

After deploying a policy, evaluate the policy's effectiveness. For steps to understand the new behavior of the policy, see Discovering the Effect of an AppLocker Policy.

Note
This topic applies to Windows Server 2012, Windows Server 2008 R2, Windows 8 and Windows 7.
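For the local-policy workflow, the following added example (not part of the original topic) saves the local policy to XML, summarizes the enforcement setting and rule counts of each rule collection, and lists files recorded by audit-only rules. The backup path and the function name `Get-RuleCollectionSummary` are hypothetical.

```powershell
# Added example. The backup path and the function name are placeholders.
Import-Module AppLocker

$backup = 'C:\AppLockerWork\local-policy-backup.xml'

# Save the local policy before changing it. The same file can be imported on
# another computer, or re-imported here with Set-AppLockerPolicy to roll back.
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
Get-AppLockerPolicy -Local -Xml | Out-File -FilePath $backup

function Get-RuleCollectionSummary {
    param([Parameter(Mandatory = $true)][string]$PolicyXmlPath)

    [xml]$doc = Get-Content -Path $PolicyXmlPath
    foreach ($rc in $doc.AppLockerPolicy.RuleCollection) {
        # Each child element of a RuleCollection is one rule (path, publisher or hash).
        $rules = @($rc.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
        $allow = @($rules | Where-Object { $_.Action -eq 'Allow' }).Count
        $deny  = @($rules | Where-Object { $_.Action -eq 'Deny' }).Count
        [pscustomobject]@{
            Collection      = $rc.Type
            EnforcementMode = $rc.EnforcementMode
            AllowRules      = $allow
            DenyRules       = $deny
            # Files that are not specifically allowed do not run, so a collection
            # holding only Deny rules blocks every file of its type.
            BlocksAll       = ($allow -eq 0 -and $deny -gt 0)
        }
    }
}

$summary = @(Get-RuleCollectionSummary -PolicyXmlPath $backup)
$summary | Format-Table Collection, EnforcementMode, AllowRules, DenyRules, BlocksAll -AutoSize

# Collections in Enabled mode are being enforced; changes to them take effect at once.
$enforced = @($summary | Where-Object { $_.EnforcementMode -eq 'Enabled' })
if ($enforced.Count -gt 0) {
    Write-Warning ("Enforced collections: " + (($enforced | ForEach-Object { $_.Collection }) -join ', '))
}

# Files that audit-only rules would have blocked, with hit counts from the event log.
Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics
```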
