Windows File Server Ransomware Protection

What is controlled folder access?

Controlled folder access helps protect your data from malware and other threats, such as ransomware. It does this by checking the apps that try to write to protected folders against a list of known, trusted apps. Controlled folder access is available on Windows Server 2019 and Windows 10 clients. It can be turned on or off using the Windows Security app, Microsoft Endpoint Configuration Manager, or Intune (for managed devices).

Notification

Scripting engines are not trusted and cannot be granted access to protected folders. For example, PowerShell is not trusted by controlled folder access, even if you allow it with certificate and file indicators.

Controlled folder access works best with Microsoft Defender for Endpoint, which provides detailed reporting on controlled folder access events and blocks as part of the usual alert investigation scenarios.

Tip

Controlled folder access blocks do not generate alerts in the Alerts queue. However, you can view information about controlled folder access blocks in the device timeline view, in advanced hunting, or through custom detection rules.

How does controlled folder access work?

Controlled folder access works by allowing only trusted apps to access protected folders. The protected folders are specified when controlled folder access is configured. Commonly used folders, such as those for documents, pictures, and downloads, are typically included in the set of protected folders.

Controlled folder access relies on a list of trusted apps. Apps on the list can access protected folders and work as expected. Apps not on the list are prevented from making any changes to files inside protected folders.

Apps are added to this list based on their prevalence and reputation. Apps that are widely used throughout your organization and have never displayed any behavior deemed malicious are considered trustworthy and are added to the list automatically.

You can also manually add apps to the trusted list using Intune or Configuration Manager. Additional actions, such as adding a file indicator for an app, can be performed from the Security Center console.

Why controlled folder access is important

Controlled folder access is especially useful in helping to protect your documents and information from ransomware. In a ransomware attack, your files can be encrypted and held hostage. With controlled folder access in place, a notification appears on the computer where an app attempted to modify a file in a protected folder. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.

You can add further folders to the protected set, and you can allow specific apps so that they have access to the protected folders.

You can use audit mode to evaluate how controlled folder access would affect your organization if it were enabled. You can also visit the Windows Defender Test ground website at demo.wd.microsoft.com to confirm the feature is working and see how it behaves.

Controlled folder access is supported on the following versions of Windows:

  • Windows 10, version 1709 and later
  • Windows Server 2019

Windows system folders are protected by default

Windows system folders, as well as many other folders, are automatically protected.

Notification

You can add folders to be protected, but you cannot remove the Windows system folders that are protected by default.

Requirements for controlled folder access

Controlled folder access requires enabling Microsoft Defender Antivirus real-time protection.

Review controlled folder access events in the Microsoft 365 Defender portal

Defender for Endpoint provides detailed reporting into events and blocks as part of its alert investigation scenarios in the Microsoft 365 Defender portal. (See Microsoft Defender for Endpoint in Microsoft 365 Defender.)

You can query Microsoft Defender for Endpoint data by using advanced hunting. If audit mode is enabled, advanced hunting can be used to determine how controlled folder access settings would affect your environment.

Review controlled folder access events in Windows Event Viewer

To see the events created by controlled folder access blocks or audits, you can check the Windows Event Log.

  1. Download the Evaluation Package and extract the file cfa-events.xml to an easily accessible location on your device.
  2. Type Event viewer in the Start menu to open Windows Event Viewer.
  3. In the left panel, under Actions, select Import custom view…
  4. Navigate to where you extracted cfa-events.xml and select it. Alternatively, copy the XML directly.
  5. Select OK.

Below is a table that shows events related to controlled folder access.
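The custom view above is one way to read these events; the script below is an added example (not from the page or from Microsoft's documentation) that pulls the same events from the Defender operational log with PowerShell and groups them by process, which is what you need when evaluating audit mode. It assumes event IDs 1123 (blocked) and 1124 (audited) are the controlled folder access events and that the rendered message carries "Process Name:" and "Path:" lines; run it in an elevated session on the machine being evaluated.

```powershell
# Added example: summarise controlled folder access events so audit-mode impact
# can be assessed before switching to block mode. Run elevated.
# Assumptions: IDs 1123 = blocked, 1124 = audited; the "Process Name:" and
# "Path:" labels are taken from the rendered event message and may differ.
function Get-CfaEventSummary {
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Host "No controlled folder access events in the last $Hours hours."
        return
    }

    # Pull the process and target path out of each event message
    $rows = foreach ($e in $events) {
        $msg  = $e.Message
        $proc = if ($msg -match '(?m)^\s*Process Name:\s*(.+?)\s*$') { $Matches[1] } else { '<unparsed>' }
        $path = if ($msg -match '(?m)^\s*Path:\s*(.+?)\s*$') { $Matches[1] } else { '<unparsed>' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Mode    = if ($e.Id -eq 1123) { 'Blocked' } else { 'Audited' }
            Process = $proc
            Path    = $path
        }
    }

    # Group by process: each row is a candidate for an allow entry or a sign of
    # something that should stay blocked
    $rows | Group-Object Process | Sort-Object Count -Descending | ForEach-Object {
        $paths = $_.Group.Path | Where-Object { $_ -ne '<unparsed>' }
        [pscustomobject]@{
            Process = $_.Name
            Events  = $_.Count
            Blocked = @($_.Group | Where-Object Mode -eq 'Blocked').Count
            Audited = @($_.Group | Where-Object Mode -eq 'Audited').Count
            Folders = ($paths | ForEach-Object { Split-Path $_ -Parent } | Sort-Object -Unique) -join '; '
        }
    }
}

Get-CfaEventSummary -Hours 72 | Format-Table -AutoSize -Wrap
```

A process that shows only Audited entries against folders it legitimately writes to (a backup agent, for instance) is a candidate for the allowed-apps list; anything unexpected is worth investigating before enforcement is turned on.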

View or change the list of protected folders

To view the folders protected by controlled folder access, you can use the Windows Security app.

  1. Open the Windows Security app on your Windows 10 device.
  2. Select Protection against viruses and other threats.
  3. Under Protection against ransomware, select Protect yourself from ransomware.
  4. If controlled folder access is turned off, you will need to turn it on. Then select Protected folders.
  5. Do one of the following:
    • To add a folder, select + Add a protected folder.
    • To remove a folder, select it and then select Remove.
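On a file server the same configuration is usually scripted rather than clicked through. The block below is an added example (not from the page or from Microsoft's documentation) using the Defender Antivirus PowerShell cmdlets to stage controlled folder access in audit mode, protect an additional share folder, allow one application, and read the result back. The folder and application paths are constructed placeholders, and the refusal to allow a scripting engine reflects the note earlier on this page.

```powershell
# Added example: stage controlled folder access on a file server. Run elevated.
# The two paths are constructed placeholders; replace them with real ones.
$ExtraFolder = 'D:\FileShares\Finance'                       # assumed share path
$BackupApp   = 'C:\Program Files\ExampleBackup\backup.exe'   # hypothetical trusted app

function Set-CfaAuditBaseline {
    param([string]$Folder, [string]$AllowedApp)

    # Controlled folder access depends on real-time protection being on
    Set-MpPreference -DisableRealtimeMonitoring $false

    # Start in AuditMode so nothing is blocked while impact is assessed;
    # change this to Enabled once the event log shows no unexpected audits
    Set-MpPreference -EnableControlledFolderAccess AuditMode

    # Add the share to the protected set (system folders stay protected anyway)
    if (Test-Path -LiteralPath $Folder) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $Folder
    } else {
        Write-Warning "Folder $Folder not found; not added"
    }

    # Scripting engines cannot be trusted by controlled folder access, so only
    # allow compiled application binaries here
    if ($AllowedApp -match '\\(powershell|pwsh|cscript|wscript)\.exe$') {
        throw "Refusing to add a scripting engine to the allowed list: $AllowedApp"
    }
    Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApp

    # Read back what is now in effect
    $p = Get-MpPreference
    [pscustomobject]@{
        Mode             = $p.EnableControlledFolderAccess
        ProtectedFolders = $p.ControlledFolderAccessProtectedFolders
        AllowedApps      = $p.ControlledFolderAccessAllowedApplications
    }
}

Set-CfaAuditBaseline -Folder $ExtraFolder -AllowedApp $BackupApp | Format-List
```

Get-MpPreference reports the mode as a number (0 disabled, 1 enabled, 2 audit), and the two list properties show only the entries added through policy or these cmdlets, not the default system folders.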