How do I configure Windows to run only .exe files signed with a certificate?

I want a particular computer running Windows 10 to run only those .exe files that are signed with a certificate installed on that computer (either a certificate from a CA or my own test certificate).

I have already tried this solution (and many others): How do I configure Windows so that it will not run tampered binaries?

But none of them solved my problem.

I wrote two "HelloWorld" applications (one signed with a certificate and one unsigned). But every solution I tried allowed both applications to run.

How do I configure Windows 10 to run only .exe files signed with a certificate?


Here is the AppLocker configuration:

<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
  <!-- Only the Exe collection is enforced; DLLs, scripts, MSIs and packaged apps are not checked at all. -->
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <!-- Default path rule: every .exe under Program Files is allowed, whether or not it is signed. -->
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <!-- Default path rule: every .exe under the Windows folder is allowed, whether or not it is signed. -->
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <!-- Publisher rule with every field wildcarded: matches any .exe that carries an Authenticode
         signature AppLocker can validate on this machine, from any publisher, product or version.
         A file with no signature, or a signature that does not chain to a trusted root, has no
         publisher information and therefore does not match this rule. -->
    <FilePublisherRule Id="d5c14ef6-5a5e-4863-aa49-a9ebbcab1afc" Name="Only run executables that are signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
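The following PowerShell session is an added example, not part of the original post, showing how to check why a policy like the one above still lets an unsigned binary run and how to apply it. It assumes the XML has been saved as C:\AppLocker\SignedOnly.xml and that the two test binaries are C:\Test\HelloWorld-signed.exe and C:\Test\HelloWorld-unsigned.exe (hypothetical paths); run it from an elevated prompt on an edition where AppLocker enforcement is supported (Microsoft documents it for Enterprise and Education). Two things are worth verifying before assuming the rule set is wrong: the Application Identity service must be running, or no AppLocker rule is enforced at all, and the publisher rule only matches a signature that chains to a root this machine trusts, so a self-signed test certificate has to be installed in Trusted Root Certification Authorities first. Note also that the two default path rules allow anything under Program Files and the Windows folder regardless of signature, so test binaries placed there will always run.

```powershell
# Added example (not the original poster's code). Paths below are hypothetical.
$policyXml = 'C:\AppLocker\SignedOnly.xml'
$signed    = 'C:\Test\HelloWorld-signed.exe'
$unsigned  = 'C:\Test\HelloWorld-unsigned.exe'

# 1. AppLocker rules are only enforced while the Application Identity service (AppIDSvc)
#    is running. If it is stopped, every rule collection is ignored and both binaries run.
$appid = Get-Service -Name AppIDSvc
if ($appid.Status -ne 'Running') {
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
}

# 2. A publisher rule only matches a binary whose Authenticode signature validates on this
#    machine. For a self-signed test certificate this means the certificate must be in the
#    Trusted Root store; otherwise the status is 'UnknownError' or 'NotTrusted', not 'Valid'.
$sig = Get-AuthenticodeSignature -FilePath $signed
"Signature status of the signed test file: $($sig.Status)"

# 3. Show what AppLocker itself sees for each file. An unsigned or untrusted file has an
#    empty Publisher field, so the wildcard FilePublisherRule cannot match it, and only a
#    path or hash rule could still let it run.
Get-AppLockerFileInformation -Path $signed, $unsigned |
    Select-Object Path, Publisher, Hash | Format-List

# 4. Dry-run the XML policy against both files before deploying it. This reports, per file,
#    whether it would be allowed or denied and which rule made that decision, independent of
#    whether enforcement is currently switched on.
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $signed, $unsigned -User Everyone |
    Format-Table -AutoSize FilePath, PolicyDecision, MatchingRule

# 5. Apply the policy to the local machine, merging it with whatever is already configured,
#    refresh Group Policy, and confirm that the Exe collection is actually in Enabled mode
#    in the effective policy.
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
gpupdate /force | Out-Null
$effective = Get-AppLockerPolicy -Effective -Xml
"Exe collection enforced: $($effective -match 'Type=""Exe"" EnforcementMode=""Enabled""')"

# Blocked launches are logged under Applications and Services Logs > Microsoft > Windows >
# AppLocker > EXE and DLL (event ID 8004); 8003 means the file would have been blocked but
# the collection is only in AuditOnly mode.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 10 |
    Select-Object TimeCreated, Id, Message
```

The expected outcome for the policy above is that Test-AppLockerPolicy reports the unsigned file as Denied with no matching rule and the signed file as Allowed by the "Only run executables that are signed" rule, unless either file sits under Program Files or the Windows folder, in which case the default path rule allows it regardless of signature. To make the machine truly signed-only, delete those two path rules or replace them with publisher rules for the specific vendors you need.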
