Create code integrity policy for lockdown server



Date: 27.03.2022
Related: 9780735697744 Introducing Windows Server 2016 pdf

The process for creating the code integrity policy on this category of server is similar, but with a
different level of control over the software you trust. For this type of server, we recommend using the
FilePublisher level to ensure only whitelisted files can be loaded on the server. To create the Code
Integrity policy, run the following cmdlet:
New-CIPolicy -Level FilePublisher -Fallback Hash -UserPEs -FilePath C:\CI\FilePublisher.xml 
This cmdlet creates the policy by scanning the files on the server and builds a safe-program list of
the files by their name, version, and publisher information. Only files on the safe-program list with a
matching name and publisher and an equal or greater version are considered trusted. When software is
updated, the updated files covered by the policy have a higher version number; therefore, you won't
need to regenerate the CI policy. If new files are added to the server, you will need to scan the new
files and merge the result into the existing CI policy.
The cmdlet creates the policy in Audit mode. You can validate the policy in Audit mode first,
ensuring that all the files you trust are covered by the CI policy. After you are comfortable with it, you
can run the following cmdlet to change it to enforcement mode:
Set-RuleOption -FilePath C:\CI\FilePublisher.xml -Option 3 -Delete
Deploy code integrity policy 
The XML file created by New-CIPolicy can't be consumed by the system yet. To deploy the policy, it
needs to be converted to binary format and copied to the CodeIntegrity folder under System32.
Run the following cmdlet to convert the XML file:
ConvertFrom-CIPolicy C:\CI\FilePublisher.xml C:\CI\FilePublisher.bin 
Deploy CI policy: 
Copy-Item C:\CI\FilePublisher.bin C:\Windows\System32\CodeIntegrity\SiPolicy.p7b 
Reboot the server to allow the code integrity service to load the policy.
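The audit-to-enforcement switch and the conversion step above are easy to run in the wrong order. As an added example (not from the book), this PowerShell check reads the policy XML and refuses to proceed unless the policy is in the mode you intend to deploy. The function names and the trimmed sample policy are constructed for illustration; `Enabled:Audit Mode` and `Enabled:UMCI` are the text forms of rule options 3 and 0.

```powershell
# Added example, not from the book: report the mode of a CI policy XML.
function Get-CIPolicyState {
    param([Parameter(Mandatory)][xml]$Policy)
    # Each rule option is stored as <Rule><Option>text</Option></Rule>.
    $options = @($Policy.SiPolicy.Rules.Rule.Option) |
        Where-Object { $_ } | ForEach-Object { $_.Trim() }
    [pscustomobject]@{
        Mode     = if ($options -contains 'Enabled:Audit Mode') { 'Audit' } else { 'Enforced' }
        UserMode = $options -contains 'Enabled:UMCI'   # present when the scan used -UserPEs
        Options  = $options
    }
}

# Hypothetical gate: stop unless the policy is in the mode you intend to deploy.
function Assert-CIPolicyMode {
    param([Parameter(Mandatory)][xml]$Policy,
          [Parameter(Mandatory)][ValidateSet('Audit', 'Enforced')][string]$Expected)
    $state = Get-CIPolicyState -Policy $Policy
    if ($state.Mode -ne $Expected) {
        throw "Policy is in $($state.Mode) mode, expected $Expected. Not converting."
    }
    if (-not $state.UserMode) {
        Write-Warning 'Enabled:UMCI is absent, so user-mode binaries are not restricted.'
    }
    $state
}

# Constructed sample: a trimmed policy as it looks right after New-CIPolicy.
$sample = @'
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <Rules>
    <Rule><Option>Enabled:UMCI</Option></Rule>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
  </Rules>
</SiPolicy>
'@
(Get-CIPolicyState -Policy $sample).Mode

# Mimic the effect of deleting option 3 by removing the Audit Mode rule.
$doc   = [xml]$sample
$audit = $doc.SiPolicy.Rules.Rule | Where-Object { $_.Option -eq 'Enabled:Audit Mode' }
[void]$audit.ParentNode.RemoveChild($audit)
(Assert-CIPolicyMode -Policy $doc -Expected Enforced).Mode

# On the server, before ConvertFrom-CIPolicy:
# Assert-CIPolicyMode -Policy (Get-Content C:\CI\FilePublisher.xml -Raw) -Expected Enforced
```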
More info: For some basic information on how to get started with Code Integrity policies, as well
as further information about creating an audit policy and deploying it via Group Policy, go to
https://technet.microsoft.com/library/mt463091(v=vs.85).aspx#code_integrity_policies

