How to use Protected Folders in Windows 10
Introduction
Ransomware is one of the biggest threats faced by organizations today. After encrypting all files on servers and desktops, ransomware perpetrators demand payment before decrypting what are often business-critical systems and data.
Application whitelisting and the removal of local administrator access from day-to-day user accounts are two of the best ways to prevent the installation of ransomware applications. However, these approaches are not always technologically or politically possible. Windows 10 controlled folder access is another option for organizations.
Learn Windows 10 Host Security
Controlled folder access (CFA) prevents untrusted applications from making changes to essential folders. Deployed as part of Windows Defender, CFA can prevent malicious applications installed by users from encrypting files in folders identified by Microsoft and the organization.
How CFA works
According to Chris Hoffman, writing for How-To Geek, CFA is primarily intended to protect against ransomware. It prevents executable files, scripts and DLLs from making changes to files in the protected folders. Malware can still read and copy files in those folders.
CFA is not enabled by default. Instead, it is an opt-in feature that requires the implementation of Windows Defender Antivirus real-time protection.
Microsoft writes that all commonly trusted applications can still make changes to the protected folders. This includes Microsoft Office applications and other major vendor products. I was unable to find a definitive list of what is or is not allowed. As described later in this article, not knowing what works is a good reason to enable audit mode when first enabling CFA.
Implement CFA
Like most Windows security configurations, how you approach implementing CFA depends on the size of your organization and how you manage CFA policy exceptions. We’ll take a look at three methods: Windows Defender Security Center configuration, use of PowerShell and configuration of group policy.
Regardless of the approach, organizations should always consider first implementing CFA in audit mode. When in audit mode, CFA logs application attempts to change files in protected folders but does not block these actions. Security teams can then review the logs and add additional approved applications to prevent business operation interruptions.
Windows Defender Security Center implementation
Select windows defender security center
2 Under the “Turn Windows Security on or off” tab, select Open Windows Security settings.
3 Select Manage settings.
4 Select Manage Controlled folder access.
5 Turn on Controlled folder access. This brings up the window shown in Step 6.
6 This is a helpful list of folders protected by default. I set this up on a Windows 10 virtual machine that shares folders with its host. As you can see, CFA also protects default VM shared folders. If you need to add additional folders for protection, click on the ‘+’ next to Add a protected folder. Select a folder, and CFA immediately begins protection. The folder selected here is already protected under Documents, but you get the idea.
7 Once you turn on CFA, you can add applications allowed to change files in protected folders from the window first displayed in Steps 5 and 6 above. You can quickly review all applications that CFA recently denied. This allows easy identification of applications you might need to approve and applications you might want to investigate immediately. This information is available by selecting Block history.
PowerShell implementation
Security teams can use PowerShell scripts to set up and manage CFA. Mauro Huculak provides examples:
- Set-MpPreference -EnableControlledFolderAccess Enabled — enables CFA on the device
- Add-MpPreference -ControlledFolderAccessProtectedFolders "D:folderpathtoadd" — adds folders for which you want CFA protection
- Disable-MpPreference -ControlledFolderAccessProtectedFolders "D:folderpathtoremove” — removes a folder from CFA protection
- Set-MpPreference -EnableControlledFolderAccess Disabled — disables CFA on the device
Group Policy implementation
Organizations larger than SOHOs should consider using group policy to manage CFA.
1 Open Group Policy Editor → Administrative Templates → Windows Components → Windows Defender Antivirus → Windows Defender Antivirus → Windows Defender Exploit Guard → Controlled Folder Access
2 Select Configure Controlled folder access. Enable CFA and select the desired mode. Again, Microsoft recommends selecting Audit Mode until you identify any application access challenges.
3 If you wish to identify additional folders to protect, go back to the main CFA window and select Configure protected folders. Select the Enable radio button and click on Show. Add the path to each folder you wish to protect. Place a zero in the Value column.
4 Many organizations have internally developed or third-party applications not included on Microsoft’s list of trusted applications. These are identified during the initial auditing period and added to the trusted application list by selecting Configure allowed applications from the CFA group policy window. Select the Enabled radio button and then click on Show. Add the full path for each trusted application and place a zero in the corresponding Value column.
Log monitoring
During both Audit Mode and Block Mode, organizations can easily monitor application attempts to access protected folders. Microsoft provides details on how to set this up in this article.
Reviewing event logs or integrating log results into a more comprehensive log management solution provides an additional window into possible malware activities on your network.
Learn Windows 10 Host Security
Conclusion
Ransomware is a serious threat to the operation of organizations of any size. Controlled folder access helps prevent malware from making unwanted changes to files in protected folders.
Organizations can easily implement CFA in one of three ways: via the Windows Defender Security Center, PowerShell or group policy. Group policy is a good approach when enforcing centralized management and monitoring.
Integrating CFA logs into an organization’s overall log management procedures helps identify suspicious applications attempting to modify protected files. This is one more perspective on what is happening on an organization’s network.
Sources
Learn Windows 10 Host Security
See how your organization can benefit by protecting Windows computers from malware, wireless hacking, open firewall ports and more. What you'll learn:- Authentication mechanisms
- Hardening techniques
- Backup and recovery
- Data security
- And more
In this Series
- How to use Protected Folders in Windows 10
- Comparing Linux+ and RHCSA/RHCE operating system security certifications
- Android security: Everything you need to know [Updated 2021]
- Application sideloading in Windows 10
- Web Browser Security in Windows 10
- How to use Local Group Policy to secure Windows 10
- How to use Microsoft DirectAccess
- How to protect a Windows 10 host against malware
- CA Installation and Use in Windows 10
- Certificates overview and use in Windows 10
- How to Use Windows 10 Action Center and Security & Maintenance App for Hardening
- Data Security in Windows 10: NTFS Permissions (Standard)
- 6 windows event log IDs to monitor now
- How to audit Windows 10 security logs
- How to audit Windows 10 system logs
- App isolation in Windows 10
- Windows Supported wireless encryption types
- How to use Assigned Access in Windows 10
- How to configure password policies in Windows 10
- Data execution prevention (DEP) in Windows 10
- How to use Windows 10 quick recovery options
- How to use Disk Quotas in Windows 10
- Data Security in Windows 10
- How to use AppLocker in Windows 10
- How to configure internet options for local group policy
- How to configure Windows 10 firewall
- Windows 10 security features
- How To Use Microsoft Edge Security Features
- How to use BitLocker in Windows 10 (with or without TPM)
- Encrypted file system (EFS) in windows 10
- Share permissions in Windows 10
- How to audit windows 10 application logs
- Understanding Windows Services
- Windows 10 Auditing Features
- How to configure VPN in Windows 10
- How to configure UAC in Windows 10
- Domain vs workgroup accounts in Windows 10
- Bluetooth security in Windows 10
- Single Sign-On in Windows 10
- Connecting to secure wireless networks in Windows 10
- MAC filtering in Windows 10
- Admin vs non-admin accounts in Windows 10
- Types of user accounts in Windows 10 (local, domain, Microsoft)
- How to use Windows Recovery Environment
- How to use Windows Backup and Restore Utility
- How to use Microsoft passport in Windows 10
- Driver Security in Windows 10
- How to use Credential Manager in Windows 10
- How to configure Picture Passwords and PINs in Windows 10
- How to use credential guard in Windows 10
- Application Management in Windows 10
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Operating system security
Comparing Linux+ and RHCSA/RHCE operating system security certifications
Operating system security
Android security: Everything you need to know [Updated 2021]
Operating system security
Operating system security