How to use Protected Folders in Windows 10
Ransomware is one of the biggest threats faced by organizations today. After encrypting all files on servers and desktops, ransomware perpetrators demand payment before decrypting what are often business-critical systems and data.
Application whitelisting and the removal of local administrator access from day-to-day user accounts are two of the best ways to prevent the installation of ransomware applications. However, these approaches are not always technologically or politically possible. Windows 10 controlled folder access is another option for organizations.
Controlled folder access (CFA) prevents untrusted applications from making changes to essential folders. Deployed as part of Windows Defender, CFA can prevent malicious applications installed by users from encrypting files in folders identified by Microsoft and the organization.
How CFA works
According to Chris Hoffman, writing for How-To Geek, CFA is primarily intended to protect against ransomware. It prevents executable files, scripts and DLLs from making changes to files in the protected folders. Malware can still read and copy files in those folders.
CFA is not enabled by default. Instead, it is an opt-in feature that requires the implementation of Windows Defender Antivirus real-time protection.
Microsoft writes that all commonly trusted applications can still make changes to the protected folders. This includes Microsoft Office applications and other major vendor products. I was unable to find a definitive list of what is or is not allowed. As described later in this article, not knowing what works is a good reason to enable audit mode when first enabling CFA.
Like most Windows security configurations, how you approach implementing CFA depends on the size of your organization and how you manage CFA policy exceptions. We’ll take a look at three methods: Windows Defender Security Center configuration, use of PowerShell and configuration of group policy.
Regardless of the approach, organizations should always consider first implementing CFA in audit mode. When in audit mode, CFA logs application attempts to change files in protected folders but does not block these actions. Security teams can then review the logs and add additional approved applications to prevent business operation interruptions.
Windows Defender Security Center implementation
1 Select Windows Defender Security Center.
2 Under the “Turn Windows Security on or off” tab, select Open Windows Security settings.
3 Select Manage settings.
4 Select Manage Controlled folder access.
5 Turn on Controlled folder access. This brings up the window shown in Step 6.
6 This is a helpful list of folders protected by default. I set this up on a Windows 10 virtual machine that shares folders with its host. As you can see, CFA also protects default VM shared folders. If you need to add additional folders for protection, click on the ‘+’ next to Add a protected folder. Select a folder, and CFA immediately begins protection. The folder selected here is already protected under Documents, but you get the idea.
7 Once you turn on CFA, you can add applications allowed to change files in protected folders from the window first displayed in Steps 5 and 6 above. You can quickly review all applications that CFA recently denied. This allows easy identification of applications you might need to approve and applications you might want to investigate immediately. This information is available by selecting Block history.
PowerShell implementation
Security teams can use PowerShell scripts to set up and manage CFA. Mauro Huculak provides examples:
- Set-MpPreference -EnableControlledFolderAccess Enabled — enables CFA on the device
- Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\folder\path\to\add" — adds folders for which you want CFA protection
- Remove-MpPreference -ControlledFolderAccessProtectedFolders "D:\folder\path\to\remove" — removes a folder from CFA protection (Remove-MpPreference is the cmdlet that takes entries off the list; there is no Disable-MpPreference cmdlet)
- Set-MpPreference -EnableControlledFolderAccess Disabled — disables CFA on the device
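The following script is an added example, not code from the article or from Mauro Huculak. It ties the cmdlets above to the audit-first rollout recommended earlier: it puts CFA in audit mode, adds protected folders and allowed applications, and reads the effective configuration back. The folder and application paths are placeholders, and the numeric mode mapping in Get-CfaState reflects the values Get-MpPreference returns for EnableControlledFolderAccess (0 = Disabled, 1 = Enabled, 2 = AuditMode); check the raw value on your build if the label does not match.

```powershell
# Added example: staged Controlled Folder Access rollout with the Defender cmdlets.
# Run in an elevated PowerShell session on a device with real-time protection enabled.
# All paths below are placeholders chosen for this example; replace them with your own.

$protectedFolders = @('D:\Finance\Shared', 'E:\Projects')           # hypothetical folders to protect
$allowedApps      = @('C:\Program Files\LOBApp\lobapp.exe')         # hypothetical line-of-business app

# Start in audit mode: attempts are logged (event ID 1124) but not blocked, so
# business applications that need approval surface without interrupting users.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Add-MpPreference appends to the existing lists; Set-MpPreference with the same
# parameters would replace the whole list, which is easy to get wrong at scale.
Add-MpPreference -ControlledFolderAccessProtectedFolders $protectedFolders
Add-MpPreference -ControlledFolderAccessAllowedApplications $allowedApps

# Report the effective CFA state in one object for review or logging.
function Get-CfaState {
    $p = Get-MpPreference
    $mode = switch ([int]$p.EnableControlledFolderAccess) {
        0       { 'Disabled' }
        1       { 'Enabled (block)' }
        2       { 'AuditMode' }
        default { "Unknown ($($p.EnableControlledFolderAccess))" }
    }
    [pscustomobject]@{
        Mode                = $mode
        ProtectedFolders    = @($p.ControlledFolderAccessProtectedFolders)
        AllowedApplications = @($p.ControlledFolderAccessAllowedApplications)
    }
}

Get-CfaState | Format-List

# After the audit period, once the allowed-application list is complete,
# switch to block mode (Set-MpPreference -EnableControlledFolderAccess Enabled).
# To drop a folder that should not have been protected:
# Remove-MpPreference -ControlledFolderAccessProtectedFolders 'E:\Projects'
```

The custom protected folders and allowed applications reported by Get-CfaState are in addition to the default folders (Documents, Pictures, and so on) and the applications Microsoft trusts, which the cmdlet does not enumerate.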
Group Policy implementation
Organizations larger than SOHOs should consider using group policy to manage CFA.
1 Open Group Policy Editor → Administrative Templates → Windows Components → Windows Defender Antivirus → Windows Defender Exploit Guard → Controlled Folder Access
2 Select Configure Controlled folder access. Enable CFA and select the desired mode. Again, Microsoft recommends selecting Audit Mode until you identify any application access challenges.
3 If you wish to identify additional folders to protect, go back to the main CFA window and select Configure protected folders. Select the Enable radio button and click on Show. Add the path to each folder you wish to protect. Place a zero in the Value column.
4 Many organizations have internally developed or third-party applications not included on Microsoft’s list of trusted applications. These are identified during the initial auditing period and added to the trusted application list by selecting Configure allowed applications from the CFA group policy window. Select the Enabled radio button and then click on Show. Add the full path for each trusted application and place a zero in the corresponding Value column.
During both Audit Mode and Block Mode, organizations can easily monitor application attempts to access protected folders. Microsoft provides details on how to set this up in this article.
Reviewing event logs or integrating log results into a more comprehensive log management solution provides an additional window into possible malware activities on your network.
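As an added example (not part of the article), the script below pulls the CFA events Defender writes to its operational log and summarizes which applications tried to modify protected folders. The event IDs come from Microsoft's Defender documentation: 1123 is a blocked CFA event and 1124 an audited one. The script reads the named EventData fields from each event's XML rather than parsing the message text; the field names used for grouping ('Process Name' and 'Path') are assumed here and should be checked against an actual event on your build.

```powershell
# Added example: review Controlled Folder Access audit and block events.
# Event IDs 1123 (blocked) and 1124 (audited) are documented by Microsoft for the
# Microsoft-Windows-Windows Defender/Operational log.

function Get-CfaEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when no events match the filter.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Collect every named EventData field so the output does not depend on message wording.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Action  = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' }
            Process = $data['Process Name']   # assumed field name; verify on a real event
            Path    = $data['Path']           # assumed field name; verify on a real event
            Fields  = $data
            Message = $_.Message
        }
    }
}

# Summarize by application: a high count for an internal tool during audit mode is
# a candidate for the allowed-application list; an unfamiliar process is a candidate
# for investigation.
function Get-CfaSummary {
    param([int]$Days = 7)
    Get-CfaEvents -Days $Days |
        Group-Object Action, Process |
        ForEach-Object {
            [pscustomobject]@{
                Action   = $_.Group[0].Action
                Process  = $_.Group[0].Process
                Attempts = $_.Count
                LastSeen = ($_.Group | Measure-Object Time -Maximum).Maximum
                Folders  = ($_.Group.Path | Sort-Object -Unique) -join '; '
            }
        } | Sort-Object Attempts -Descending
}

Get-CfaSummary -Days 7 | Format-Table -AutoSize
```

For fleet-wide review, run Get-CfaEvents with a remote session or forward the same log channel to the organization's log management platform and apply the same grouping there, so a process that only appears on a handful of machines still stands out.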
Ransomware is a serious threat to the operation of organizations of any size. Controlled folder access helps prevent malware from making unwanted changes to files in protected folders.
Organizations can easily implement CFA in one of three ways: via the Windows Defender Security Center, PowerShell or group policy. Group policy is a good approach when enforcing centralized management and monitoring.
Integrating CFA logs into an organization’s overall log management procedures helps identify suspicious applications attempting to modify protected files. This is one more perspective on what is happening on an organization’s network.