Strategies to Configure and Monitor Controlled Folder Access to Protect Against Ransomwares

%3CLINGO-SUB%20id%3D%22lingo-sub-1332297%22%20slang%3D%22en-US%22%3EStrategies%20to%20Configure%20and%20Monitor%20Controlled%20Folder%20Access%20to%20Protect%20Against%20Ransomwares%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1332297%22%20slang%3D%22en-US%22%3E%3CP%20class%3D%22lia-align-justify%22%3EOne%20of%20concerns%20for%20IT%20Professionals%20is%20to%20make%20sure%20their%20PC%20won%E2%80%99t%20be%20infected%20with%20%3CSTRONG%3Eransomwares%3C%2FSTRONG%3E.%20Windows%20Defender%20has%20a%20great%20feature%20called%20%3CSTRONG%3EControlled%20Folder%20Access%3C%2FSTRONG%3E%20which%20provides%20greater%20protection%20against%20%3CSTRONG%3Eransomwares%3C%2FSTRONG%3E.%20However%2C%20it%20is%20important%20to%20make%20sure%20it%20won%E2%80%99t%20be%20against%20production.%20Sometimes%2C%20when%20you%20enable%20this%20policy%2C%20then%20it%20might%20block%20legitimate%20changes%20by%20trusted%20programs.%20Therefore%2C%20it%20is%20important%20to%20work%20on%20proper%20planning%20to%20make%20sure%20it%20provides%20protection%20while%20it%20won%E2%80%99t%20harm%20production.%20You%20could%20manage%20%3CSTRONG%3EControlled%20Folder%20Access%3C%2FSTRONG%3E%20using%20%3CSTRONG%3EGroup%20Policy%20%3C%2FSTRONG%3Eand%20you%20could%20navigate%20to%20%3CSTRONG%3EComputer%20Configuration%20%26gt%3B%20Administrative%20Templates%20%26gt%3B%20Windows%20Components%20%26gt%3B%20Windows%20Defender%20Antivirus%20%26gt%3B%20Windows%20Defender%20Exploit%20Guard%20%26gt%3B%20Controlled%20Folder%20Access%20%3C%2FSTRONG%3Eand%20there%20you%20could%20set%20policies%20to%20manage%20%3CSTRONG%3EControlled%20Folder%20Access.%20%3C%2FSTRONG%3EYou%20will%20have%20three%20configurations%20here%3A%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-justify%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-justify%22%3E%3CSTRONG%3EConfigure%20allowed%20applications%3A%20%3C%2FSTRONG%3EIn%20case%2C%20if%20there%20is%20a%20change%20made%20by%20trusted%20program%20and%20it%20has%20been%20blocked%20by%20%3CSTRONG%3EControlled%20Folder%20Access%3C%2FSTRONG%3E%2C%20then%20you%20could%20create%20whitelist%20and%20add%20those%20applications%20here.%20Make%20sure%20they%20are%20trusted%20application%20and%20test%20application%20before%20add%20it%20to%20allowed%20list.%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-justify%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-justify%22%3E%3CSTRONG%3EConfigure%20Controlled%20folder%20access%3A%20%3C%2FSTRONG%3EThis%20is%20important%20configuration%20where%20you%20could%20enable%20this%20and%20you%20will%20have%20multiple%20modes.%20It%20is%20recommended%20to%20enable%20it%20in%20testing%20environment%20with%20your%20applications%20to%20see%20if%20there%20is%20any%20incorrect%20detection%20(to%20discover%20if%20you%20need%20to%20add%20any%20application%20to%20allowed%20list)%20and%20then%20enable%20audit%20mode%20for%20group%20of%20users%20and%20once%20you%20make%20sure%20your%20policy%20is%20working%20as%20expected%2C%20then%20deploy%20policy%20to%20enable%20it%20and%20keep%20monitoring%20and%20testing%20and%20deploy%20it%20in%20larger%20groups.%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-justify%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-justify%22%3E%3CSTRONG%3EConfigure%20protected%20folders%3A%20%3C%2FSTRONG%3EBy%20default%2C%20when%20this%20setting%20is%20enabled%20it%20will%20protect%20Windows%20folders%20including%20%3CSTRONG%3EDocuments%2C%20Pictures%2C%20Videos%2C%20Music%20%3C%2FSTRONG%3Eand%20%3CSTRONG%3EFavorites%3C%2FSTRONG%3E.%20However%2C%20if%20you%20want%20to%20protect%20additional%20folder%20like%20folders%20which%20are%20being%20used%20for%20company%E2%80%99s%20project%20or%20any%20other%20sensitive%20folders%2C%20then%20it%20is%20place%20where%20you%20could%20define%20it.%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-justify%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-justify%22%3ENow%20let%E2%80%99s%20go%20back%20to%20deployment%20strategy%2C%20first%20try%20to%20setup%20a%20testing%20PCs%20and%20simulate%20your%20environment%20and%20use%20all%20applications%20which%20you%20are%20using%20in%20your%20company%20on%20these%20testing%20PCs%20and%20see%20if%20there%20is%20any%20application%20which%20you%20will%20need%20to%20add%20in%20allowed%20list.%20Make%20sure%20add%20all%20folders%20that%20you%20are%20using%20in%20%3CSTRONG%3EConfigure%20protected%20folders.%3C%2FSTRONG%3E%20Then%20you%20will%20need%20to%20setup%20%3CSTRONG%3EConfigure%20Controlled%20folder%20access%20%3C%2FSTRONG%3Eand%20you%20will%20see%20the%20following.%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-justify%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22CFA.JPG%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F186120i502191628B8D2B3F%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22CFA.JPG%22%20alt%3D%22Configured%20Controlled%20folder%20access%20in%20Group%20Policy%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EConfigured%20Controlled%20folder%20access%20in%20Group%20Policy%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-justify%22%3EIt%20is%20recommended%20to%20first%20set%20it%20to%20%3CSTRONG%3EAudit%20disk%20modification%20only%20%3C%2FSTRONG%3Eand%20monitor%20users%20and%20look%20for%20any%20incorrect%20blocking%2C%20then%20enable%20%3CSTRONG%3EAudit%20Mode%20%3C%2FSTRONG%3Eand%20do%20monitoring%20and%20observe%20if%20there%20are%20any%20additional%20unwanted%20changes.%20One%20you%20have%20list%20of%20incorrect%20detection%20which%20you%20might%20need%20to%20add%20them%20to%20trusted%20app%20and%20you%20believe%20you%20have%20most%20of%20applications%20under%20your%20list%2C%20then%20configure%20%3CSTRONG%3EBlock%20disk%20modification%20only%3C%2FSTRONG%3E%20and%20in%20this%20case%2C%20it%20is%20not%20only%20about%20auditing%20but%20it%20will%20start%20blocking%20unauthorized%20changes%20and%20you%20will%20need%20to%20observe%20in%20this%20mode%20and%20if%20everything%20was%20okay%2C%20then%20set%20%3CSTRONG%3EBlock%20%3C%2FSTRONG%3Eand%20you%20have%20protection.%20You%20should%20do%20this%20with%20small%20group%20of%20people%20in%20different%20division%20in%20company%20and%20then%20expand%20it%20to%20everyone.%20Take%20a%20note%20that%20if%20company%20is%20making%20change%20to%20software%20or%20installing%20new%20programs%2C%20you%20might%20need%20to%20investigate%20and%20switch%20to%20audit%20mode%20again.%20Note%20that%20all%20log%20files%20including%20the%20one%20for%20auditing%20will%20be%20placed%20on%20%3CSTRONG%3EApplications%20and%20Services%20Logs%20%26gt%3B%20Microsoft%20%26gt%3B%20Windows%20%26gt%3B%20Windows%20Defender%20%26gt%3B%20Operational%20%3C%2FSTRONG%3Ein%20the%20%3CSTRONG%3EEvent%20Viewer%20%3C%2FSTRONG%3Eand%20you%20should%20look%20for%20event%20IDs%20%3CSTRONG%3E1123%3C%2FSTRONG%3E%20and%20%3CSTRONG%3E1124%3C%2FSTRONG%3E.%20These%20settings%20are%20proactive%20measurements%20against%200-days%20ransomwares.%20Please%20take%20a%20note%20that%20enabling%20%3CSTRONG%3EControlled%20Folder%20Access%20%3C%2FSTRONG%3Eis%20%3CSTRONG%3ENOT%3C%2FSTRONG%3E%20replacement%20for%20other%20protection%20strategies%20like%20deploying%20%3CSTRONG%3EWindows%20Update%20%3C%2FSTRONG%3E%C2%B8%20%3CSTRONG%3EAnti-Malware%20signature%2C%3C%2FSTRONG%3E%20%3CSTRONG%3ESmartScreen%20filer%3C%2FSTRONG%3E%2C%20%3CSTRONG%3EAnti-Spam%20Policy%2C%3C%2FSTRONG%3E%20%3CSTRONG%3EBackup%2C%3C%2FSTRONG%3E%20etc.%20However%2C%20it%20could%20be%20considered%20as%20additional%20defense%20layer%20against%20%3CSTRONG%3Eransomwares%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-justify%22%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-justify%22%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-justify%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-justify%22%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Valued Contributor

One of concerns for IT Professionals is to make sure their PC won’t be infected with ransomwares. Windows Defender has a great feature called Controlled Folder Access which provides greater protection against ransomwares. However, it is important to make sure it won’t be against production. Sometimes, when you enable this policy, then it might block legitimate changes by trusted programs. Therefore, it is important to work on proper planning to make sure it provides protection while it won’t harm production. You could manage Controlled Folder Access using Group Policy and you could navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access and there you could set policies to manage Controlled Folder Access. You will have three configurations here:

 

Configure allowed applications: In case, if there is a change made by trusted program and it has been blocked by Controlled Folder Access, then you could create whitelist and add those applications here. Make sure they are trusted application and test application before add it to allowed list.

 

Configure Controlled folder access: This is important configuration where you could enable this and you will have multiple modes. It is recommended to enable it in testing environment with your applications to see if there is any incorrect detection (to discover if you need to add any application to allowed list) and then enable audit mode for group of users and once you make sure your policy is working as expected, then deploy policy to enable it and keep monitoring and testing and deploy it in larger groups.

 

Configure protected folders: By default, when this setting is enabled it will protect Windows folders including Documents, Pictures, Videos, Music and Favorites. However, if you want to protect additional folder like folders which are being used for company’s project or any other sensitive folders, then it is place where you could define it.

 

Now let’s go back to deployment strategy, first try to setup a testing PCs and simulate your environment and use all applications which you are using in your company on these testing PCs and see if there is any application which you will need to add in allowed list. Make sure add all folders that you are using in Configure protected folders. Then you will need to setup Configure Controlled folder access and you will see the following.

Configured Controlled folder access in Group PolicyConfigured Controlled folder access in Group Policy

It is recommended to first set it to Audit disk modification only and monitor users and look for any incorrect blocking, then enable Audit Mode and do monitoring and observe if there are any additional unwanted changes. One you have list of incorrect detection which you might need to add them to trusted app and you believe you have most of applications under your list, then configure Block disk modification only and in this case, it is not only about auditing but it will start blocking unauthorized changes and you will need to observe in this mode and if everything was okay, then set Block and you have protection. You should do this with small group of people in different division in company and then expand it to everyone. Take a note that if company is making change to software or installing new programs, you might need to investigate and switch to audit mode again. Note that all log files including the one for auditing will be placed on Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational in the Event Viewer and you should look for event IDs 1123 and 1124. These settings are proactive measurements against 0-days ransomwares. Please take a note that enabling Controlled Folder Access is NOT replacement for other protection strategies like deploying Windows Update ¸ Anti-Malware signature, SmartScreen filer, Anti-Spam Policy, Backup, etc. However, it could be considered as additional defense layer against ransomwares.

 

 

 

 

0 Replies