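Endpoint data loss prevention
Windows 10 implements mechanisms that help prevent data loss from sensitive files. The Endpoint Data Loss Prevention (DLP) API lets an application notify the OS before and after certain operations, such as opening or saving a file. These notifications act as "hints" that let the system optimize its data loss prevention operations.
Location of the DLP DLL
Because the Endpoint DLP DLL is not bundled with the Windows SDK, applications need to load the DLL manually at run time. The path to the DLL's location is stored in the registry. The following table lists the registry keys and values that store this information. For developer convenience, these paths are defined as constants in the sample endpointdlp.h code listing provided below.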
| Constant | Value | Description |
| --- | --- | --- |
| ENDPOINTDLP_DLL_NAME | "EndpointDlp.dll" | Name of the Endpoint DLP DLL that provides the API |
| ENDPOINTDLP_WINDOWS_DEFENDER_REGKEY | "SOFTWARE\Microsoft\Windows Defender" | Registry key under HKLM where Windows Defender stores some Endpoint DLP settings |
| ENDPOINTDLP_DLL_INSTALL_LOCATION_REGKEY | Value of ENDPOINTDLP_WINDOWS_DEFENDER_REGKEY | Registry path under HKLM from which the EndpointDlp.dll install location can be obtained |
| ENDPOINTDLP_DLL_INSTALL_LOCATION_REGVALUE | "InstallLocation" | Registry value under ENDPOINTDLP_DLL_INSTALL_LOCATION_REGKEY that stores the EndpointDlp.dll install location |
| ENDPOINTDLP_DLL_WOW64_X86_INSTALL_LOCATION_SUFFIX | "x86" | On x64 platforms, append this directory to get the x86 version of EndpointDlp.dll |
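The load sequence described in this section, as an added example that is not part of the original page or its sample header: read InstallLocation from HKLM, build an absolute path, and load the DLL by that path only. `dlp_build_dll_path` and `dlp_load_library` are hypothetical names, the macro values are copied from the page's listing, and the code assumes InstallLocation holds a drive-absolute directory.

```c
#include <stddef.h>
#include <wchar.h>

/* Constants copied from the endpointdlp.h listing on this page. */
#define ENDPOINTDLP_DLL_NAME L"EndpointDlp.dll"
#define ENDPOINTDLP_DLL_INSTALL_LOCATION_REGKEY L"SOFTWARE\\Microsoft\\Windows Defender"
#define ENDPOINTDLP_DLL_INSTALL_LOCATION_REGVALUE L"InstallLocation"
#define ENDPOINTDLP_DLL_WOW64_X86_INSTALL_LOCATION_SUFFIX L"x86"

/* Hypothetical helper: joins the install directory, the optional x86
   subdirectory and the DLL name. Returns 0 on success, -1 if dir is not a
   drive-absolute path ("X:\...") or the result does not fit in out. */
int dlp_build_dll_path(const wchar_t *dir, int want_x86, wchar_t *out, size_t cap)
{
    size_t n = dir ? wcslen(dir) : 0;
    /* A relative or empty value must never reach the loader's search path. */
    if (!out || n < 3 || dir[1] != L':' || dir[2] != L'\\') return -1;
    while (n > 3 && dir[n - 1] == L'\\') n--;          /* trim trailing '\' */
    const wchar_t *sep = (dir[n - 1] == L'\\') ? L"" : L"\\";
    const wchar_t *sub = want_x86 ? ENDPOINTDLP_DLL_WOW64_X86_INSTALL_LOCATION_SUFFIX L"\\" : L"";
    int w = swprintf(out, cap, L"%.*ls%ls%ls%ls", (int)n, dir, sep, sub, ENDPOINTDLP_DLL_NAME);
    return (w < 0 || (size_t)w >= cap) ? -1 : 0;
}

#ifdef _WIN32
#include <windows.h>
/* Hypothetical loader: reads InstallLocation from HKLM and loads the DLL by
   full path, limiting dependency lookup to the DLL's directory and System32. */
HMODULE dlp_load_library(void)
{
    wchar_t dir[MAX_PATH], path[MAX_PATH];
    DWORD cb = sizeof(dir);
    BOOL wow64 = FALSE;   /* TRUE for a 32-bit process on 64-bit Windows */
    if (RegGetValueW(HKEY_LOCAL_MACHINE, ENDPOINTDLP_DLL_INSTALL_LOCATION_REGKEY,
                     ENDPOINTDLP_DLL_INSTALL_LOCATION_REGVALUE, RRF_RT_REG_SZ,
                     NULL, dir, &cb) != ERROR_SUCCESS)
        return NULL;
    IsWow64Process(GetCurrentProcess(), &wow64);
    if (dlp_build_dll_path(dir, wow64, path, MAX_PATH) != 0) return NULL;
    return LoadLibraryExW(path, NULL,
        LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR | LOAD_LIBRARY_SEARCH_SYSTEM32);
}
#endif
```

On success, resolve the entry points declared in endpointdlp.h with GetProcAddress, starting with DlpGetEnforcementApiVersion.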
Check whether Endpoint DLP is enabled
To determine whether Endpoint DLP is enabled on the system, check the following registry key value.
| Constant | Value | Description |
| --- | --- | --- |
| ENDPOINTDLP_ENABLED_FLAG_REGKEY | ENDPOINTDLP_WINDOWS_DEFENDER_REGKEY "\Features" | Path under HKLM of the key that holds the Endpoint DLP enabled flag |
| ENDPOINTDLP_ENABLED_FLAG_REGVALUE | "SenseDlpEnabled" | Registry value under ENDPOINTDLP_ENABLED_FLAG_REGKEY that holds the DLP enabled flag |
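Endpoint DLP API
The following tables list the APIs provided by the Endpoint DLP DLL.
Initialization and versioning
Document operations
Save As operations
Drag-and-drop operations
Clipboard operations
Print operations
Because the Endpoint DLP header is not included in the Windows SDK, you must create the header file yourself to get the API signatures to use in your implementation. For convenience, we provide sample code that you can copy and paste into your application. In addition to the function declarations, this code listing also defines useful constants, such as versioning information and registry key paths.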
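//
// Windows types (DWORD, BOOL, HRESULT, LPCWSTR), WINAPI and the SAL annotations used below
//
#include <windows.h>
//
// EndpointDlp DLL name containing the Endpoint DLP API
//
#define ENDPOINTDLP_DLL_NAME L"EndpointDlp.dll"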
//
// Windows Defender registry key under HKLM where some Endpoint DLP settings are stored
//
#define ENDPOINTDLP_WINDOWS_DEFENDER_REGKEY L"SOFTWARE\\Microsoft\\Windows Defender"
//
// EndpointDlp.dll install location can be obtained from the registry under the following HKLM key
//
#define ENDPOINTDLP_DLL_INSTALL_LOCATION_REGKEY ENDPOINTDLP_WINDOWS_DEFENDER_REGKEY
//
// EndpointDlp.dll install location is stored under ENDPOINTDLP_DLL_INSTALL_LOCATION_REGKEY in the following registry value
//
#define ENDPOINTDLP_DLL_INSTALL_LOCATION_REGVALUE L"InstallLocation"
//
// On x64 platforms, concatenate the following directory to obtain the x86 version of EndpointDlp.dll
//
#define ENDPOINTDLP_DLL_WOW64_X86_INSTALL_LOCATION_SUFFIX L"x86"
//
// Endpoint DLP enabled flag can be found under the following HKLM key
//
#define ENDPOINTDLP_ENABLED_FLAG_REGKEY ENDPOINTDLP_WINDOWS_DEFENDER_REGKEY L"\\Features"
//
// Endpoint DLP enabled flag can be found under ENDPOINTDLP_ENABLED_FLAG_REGKEY in the following registry value
//
#define ENDPOINTDLP_ENABLED_FLAG_REGVALUE L"SenseDlpEnabled"
#define DLP_DOCUMENT_INFO_V_1 0x1
#define DLP_DOCUMENT_INFO_V_LATEST DLP_DOCUMENT_INFO_V_1
//
// Enlightened app enforcement capabilities.
//
typedef enum _DlpAppEnforceLevel {
    DlpAppEnforceLevelNone = 0, // No enforcement, DLP enforces operation.
    DlpAppEnforceLevelNotify,   // App sends notifications on operation, DLP enforces operation.
    DlpAppEnforceLevelPrevent,  // Currently not supported (App allows or blocks operation, DLP enforces warning, eventing and UI).
    DlpAppEnforceLevelFull,     // Currently not supported (App handles all enforcement (blocks operation, enforces warning, UI), DLP will only handle auditing.)
    DlpAppEnforceLevelCount,
} DlpAppEnforceLevel;
typedef enum
{
    DlpActionTypeCopyToRemovableMedia = 0,
    DlpActionTypeCopyToNetworkShare = 1,
    DlpActionTypeCopyToClipboard = 2,
    DlpActionTypePrint = 3,
    DlpActionTypeScreenClip = 4,
    DlpActionTypeAccessByUnallowedApp = 5,
    DlpActionTypeCloudAppEgress = 6,
    DlpActionTypeAccessByBluetoothApp = 7,
    DlpActionTypeAccessByRDPApp = 8,
    DlpActionTypeCount = 9
} DlpActionType;
//
// The structure describes the enforcement level for each operation.
//
typedef struct _DLP_APP_OP_ENLIGHTENED_LEVEL {
    DlpActionType Operation;
    DlpAppEnforceLevel AppEnforcementLevel;
} DLP_APP_OP_ENLIGHTENED_LEVEL, *PDLP_APP_OP_ENLIGHTENED_LEVEL;
/*
Function description:
    The application calls this function to declare the enforcement level for each operation.
Parameters:
    _In_ DWORD Count - Number of operations.
    _In_reads_(Count) PDLP_APP_OP_ENLIGHTENED_LEVEL OperationEnforcement - Array indicating operations
        supported by the application and enforcement level:
        DlpAppEnforceLevelNone - No enforcement, DLP enforces operation.
        DlpAppEnforceLevelNotify - App sends notifications on operation, DLP enforces operation.
Return:
    S_OK - Function completed successfully.
    E_INVALIDARG - Invalid parameters passed to function.
    E_OUTOFMEMORY - Memory allocation failed.
    E_XXX - Various error codes.
*/
HRESULT WINAPI DlpInitializeEnforcementMode(_In_ DWORD Count, _In_reads_(Count) PDLP_APP_OP_ENLIGHTENED_LEVEL OperationEnforcement);
/*
Function description:
    Returns the version of the enforcement API.
    MajorVersion indicates new interfaces/APIs.
    MinorVersion indicates changes to existing interfaces/APIs.
Parameters:
    _Out_ DWORD* MajorVersion - Receives the major version.
    _Out_ DWORD* MinorVersion - Receives the minor version.
Return:
    S_OK - Function completed successfully.
    E_XXX - Various error codes.
*/
HRESULT WINAPI DlpGetEnforcementApiVersion(_Out_ DWORD* MajorVersion, _Out_ DWORD* MinorVersion);
typedef struct _DLP_DOCUMENT_INFO {
    //
    // Information version. Always set it to DLP_DOCUMENT_INFO_V_LATEST
    //
    DWORD Version;
    //
    // Original path of the document.
    //
    LPCWSTR PersistentFileName;
    //
    // Path to the real backing file.
    //
    LPCWSTR LocalFileName;
} DLP_DOCUMENT_INFO, *PDLP_DOCUMENT_INFO;
//
// Post operation status information.
//
#define DLP_POSTOP_STATUS_V_1 0x1
#define DLP_POSTOP_STATUS_V_LATEST DLP_POSTOP_STATUS_V_1
typedef struct _DLP_POSTOP_STATUS {
    //
    // Information version. Always set it to DLP_POSTOP_STATUS_V_LATEST
    //
    DWORD Version;
    //
    // Set to TRUE if app's operation succeeded, FALSE otherwise.
    //
    BOOL OperationSuccess;
} DLP_POSTOP_STATUS, *PDLP_POSTOP_STATUS;
#define DLP_PRINT_INFO_V_1 0x1
#define DLP_PRINT_INFO_V_LATEST DLP_PRINT_INFO_V_1
typedef struct _DLP_PRINT_INFO {
    //
    // Information version. Always set it to DLP_PRINT_INFO_V_LATEST
    //
    DWORD Version;
    //
    // Destination printer.
    //
    LPCWSTR PrinterName;
    //
    // Print job name.
    //
    LPCWSTR JobName;
    //
    // Output file, if printing to file.
    //
    LPCWSTR OutputFileName;
} DLP_PRINT_INFO, *PDLP_PRINT_INFO;
void WINAPI DlpNotifyPreOpenDocument(_In_ const PDLP_DOCUMENT_INFO DocumentInfo);
void WINAPI DlpNotifyPostOpenDocument(_In_ const PDLP_DOCUMENT_INFO DocumentInfo, _In_ const PDLP_POSTOP_STATUS OpStatus);
void WINAPI DlpNotifyCloseDocument(_In_ const PDLP_DOCUMENT_INFO DocumentInfo);
void WINAPI DlpNotifyPreOpenDocumentFile(_In_ const PDLP_DOCUMENT_INFO DocumentInfo);
void WINAPI DlpNotifyPostOpenDocumentFile(_In_ const PDLP_DOCUMENT_INFO DocumentInfo, _In_ const PDLP_POSTOP_STATUS OpStatus);
void WINAPI DlpNotifyCloseDocumentFile(_In_ const PDLP_DOCUMENT_INFO DocumentInfo);
void WINAPI DlpNotifyPreSaveAsDocument(_In_ const PDLP_DOCUMENT_INFO DocumentInfo, _In_ LPCWSTR Destination);
void WINAPI DlpNotifyPostSaveAsDocument(_In_ const PDLP_DOCUMENT_INFO DocumentInfo, _In_ LPCWSTR Destination, _In_ const PDLP_POSTOP_STATUS OpStatus);
void WINAPI DlpNotifyPrePrint(_In_ const PDLP_DOCUMENT_INFO DocumentInfo, _In_ const PDLP_PRINT_INFO PrintInfo);
void WINAPI DlpNotifyPostStartPrint(_In_ const PDLP_DOCUMENT_INFO DocumentInfo, _In_ const PDLP_PRINT_INFO PrintInfo);
void WINAPI DlpNotifyPostPrint(_In_ const PDLP_DOCUMENT_INFO DocumentInfo, _In_ const PDLP_PRINT_INFO PrintInfo, _In_ const PDLP_POSTOP_STATUS OpStatus);
void WINAPI DlpNotifyPreCopyToClipboard(_In_ const PDLP_DOCUMENT_INFO DocumentInfo);
void WINAPI DlpNotifyPostCopyToClipboard(_In_ const PDLP_DOCUMENT_INFO DocumentInfo, _In_ const PDLP_POSTOP_STATUS OpStatus);
void WINAPI DlpNotifyPrePasteFromClipboard(_In_ const PDLP_DOCUMENT_INFO DocumentInfo);
void WINAPI DlpNotifyPostPasteFromClipboard(_In_ const PDLP_DOCUMENT_INFO DocumentInfo, _In_ const PDLP_POSTOP_STATUS OpStatus);
void WINAPI DlpNotifyPreStashClipboard(void);
void WINAPI DlpNotifyPostStashClipboard(_In_ const PDLP_POSTOP_STATUS OpStatus);
void WINAPI DlpNotifyPreDragDrop(_In_ const PDLP_DOCUMENT_INFO DocumentInfo);
void WINAPI DlpNotifyPostDragDrop(_In_ const PDLP_DOCUMENT_INFO DocumentInfo, _In_ const PDLP_POSTOP_STATUS OpStatus);
void WINAPI DlpNotifyEnterDropTarget(_In_ const PDLP_DOCUMENT_INFO DocumentInfo);
void WINAPI DlpNotifyLeaveDropTarget(_In_ const PDLP_DOCUMENT_INFO DocumentInfo, _In_ const PDLP_POSTOP_STATUS OpStatus);
/*
Function description:
    Determines whether the app must pull the data from the system clipboard rather than taking it from its internal cache.
Parameters:
    None
Return:
    TRUE if calling into the OS clipboard is mandatory, FALSE otherwise
*/
BOOL WINAPI DlpMustPasteFromSystemClipboard(void);