Think Twice Before Implementing Windows Controlled Folder Access

As ransomware attacks gained momentum in the mid-2010s, Microsoft sought to provide Windows users and administrators with tools to protect their PCs against such attacks. With its October 2017 feature update, the company added a feature called Controlled Folder Access to Windows 10.

On paper, Controlled Folder Access sounds like great protection for consumers, individuals, and small businesses with limited resources. As Microsoft describes it, "Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of trusted apps." Supported on Windows Server 2019, Windows Server 2022, Windows 10, and Windows 11, Controlled Folder Access can be enabled using the Windows Security app, Microsoft Endpoint Configuration Manager, or Intune (for managed devices).

Microsoft goes on to say, "Controlled folder access works by allowing only trusted apps to access protected folders. Protected folders are specified when configuring controlled folder access. In general, commonly used folders, such as those used for documents, pictures, downloads, and so on, are included in the list of watched folders."

The folders protected by default are:

c:\Users\<username>\Documents
c:\Users\Public\Documents
c:\Users\<username>\Pictures
c:\Users\Public\Pictures
c:\Users\Public\Videos
c:\Users\<username>\Videos
c:\Users\<username>\Music
c:\Users\Public\Music
c:\Users\<username>\Favorites

Unintended consequences

So we should all roll it out, right? Well, not so fast. AskWoody forum user Astro46 recently pointed out that he had tried to use Controlled Folder Access and was running into side effects from it. As he recounted:

I figured I'd soon work on the various access notifications and everything would settle down. It never happened. I am often faced with an unexplained problem with a program not working properly, ultimately resulting in it being denied access to a folder. It might not be so bad if you had seen a notification when it happened. But sometimes yes, sometimes no. And it seemed that the programs I previously gave access to were causing problems again. Because the program was updated and Controlled Folder Access couldn't solve it? Frustration and loss of time overcame the supposed security.

As the PDQ blog points out, the side effects can include blocking remote administration tools and other technologies. With Controlled Folder Access enabled, what you will see during software installation is the protection interfering with the installation process whenever the installer attempts to write to a protected folder. You may get notices such as "Unauthorized changes blocked" or "[Software name].exe was blocked from making changes. Click to view settings."

When you deploy Controlled Folder Access, you may need to run it in audit mode rather than fully enabling enforcement. Turning on full enforcement mode can be time-consuming, because you end up adding exclusion after exclusion. There are many anecdotal posts from users who had to spend hours tracking down blocked access and adding exclusions. One such poster (several years ago) reported having to add what most would consider ordinary Microsoft applications, such as Notepad and Paint, to the allowed list.

Tracking problems

Unfortunately, because the user interface is minimal, Controlled Folder Access conflicts on standalone desktops are primarily discovered through system tray alerts that appear when an application tries to write to a protected folder. You can also check the event logs, but before the details are easy to read, you need to import an event XML file.

As described on the Microsoft Tech Community blog, you download the evaluation package and extract cfa-events.xml to your Downloads folder. Alternatively, you can copy and paste the following lines into a Notepad file and save it as cfa-events.xml:

Now import this XML file into Event Viewer so you can more easily view and sort Controlled Folder Access events. Type Event Viewer in the Start menu to open Windows Event Viewer. In the left pane, under Actions, select Import Custom View. Browse to where you extracted cfa-events.xml and select it (you can also paste the XML directly). Select OK.

Next, check the event log for the following events:

5007: Event when settings are changed

1124: Audited Controlled Folder Access event

1123: Blocked Controlled Folder Access event

Focus on event 1124 if you are in audit mode, or on 1123 if you have Controlled Folder Access fully enabled for testing. Once you have reviewed the event logs, they should show any additional folders or applications you need to adjust for your software to function fully.
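The custom view in Event Viewer is one way to read those events; from an elevated PowerShell prompt you can also pull them directly and summarize which process touched which protected path. The following is an added example, not code from the article or from Microsoft. It assumes the Defender operational log name shown below and that events 1123/1124 carry EventData fields named 'Process Name' and 'Path'; confirm the field names against one event's XML view on your own build.

```powershell
# Added example (not from the article): pull Controlled Folder Access events
# 1123 (blocked) and 1124 (audited) from the Defender operational log and
# summarize which process touched which protected path, so you can decide
# what to allow before switching from audit mode to block mode.

$log = 'Microsoft-Windows-Windows Defender/Operational'

# Event IDs named in the article: 1123 = blocked, 1124 = audited, 5007 = settings changed.
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1123, 1124 } -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read the named EventData fields from the event XML. The field names
    # 'Process Name' and 'Path' are assumed here; check one event's XML
    # (Event Viewer > Details > XML View) if your build labels them differently.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Mode    = if ($e.Id -eq 1123) { 'Blocked' } else { 'Audited' }
        Process = $data['Process Name']
        Path    = $data['Path']
    }
}

# One line per (mode, process, path) combination with a hit count: these are the
# candidates for Add-MpPreference -ControlledFolderAccessAllowedApplications.
$rows |
    Group-Object Mode, Process, Path |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Mode';    e = { $_.Group[0].Mode } },
        @{ n = 'Process'; e = { $_.Group[0].Process } },
        @{ n = 'Path';    e = { $_.Group[0].Path } } |
    Format-Table -AutoSize

# Settings changes (event 5007) show when the feature or its exclusions were toggled.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 5007 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

Run this after a few days in audit mode: a process that shows up repeatedly against the same path is a legitimate exclusion candidate, while a one-off hit from an unfamiliar binary is the kind of entry worth investigating rather than allowing.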

Some software may need access to additional folders that you did not expect, and this is where the trouble with the tool lies. Although many apps have already been vetted by Microsoft and therefore work fine with Controlled Folder Access enabled, other apps, particularly older ones, may not work properly. It has often surprised me which files and folders need tweaking and which do not.

Similar to attack surface reduction rules, this is one of those technologies that you wish had a better standalone interface for individual workstations. While businesses with Defender for Endpoint can investigate issues fairly easily, stand-alone desktops still have to rely on system tray messages.

Bottom line

If you rely on Defender for your antivirus needs, consider evaluating Controlled Folder Access for additional ransomware protection. My recommendation, however, is to genuinely evaluate it rather than simply switch it on. Turn it on in audit mode first and take your time reviewing the impact. Depending on your applications, you may find it more disruptive than you expect.

For those who have Defender for Endpoint, you can enable Controlled Folder Access as follows: In Microsoft Endpoint Configuration Manager, go to Assets & Compliance > Endpoint Protection > Windows Defender Exploit Guard. Select Home, then Create Exploit Guard Policy. Enter a name and description, select Controlled folder access, and then select Next. Choose whether to block or audit changes, allow additional apps, or add additional folders, then select Next.

You can also manage it with PowerShell, Group Policy, and even registry keys. In a networked environment, you can manage the apps on the trusted list by using Configuration Manager or Intune. Additional settings are available from the Microsoft 365 Defender portal.
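For a standalone machine or a quick test, the Defender PowerShell cmdlets are the most direct route. The block below is an added example, not the article's or Microsoft's own code; it follows the audit-first approach recommended above. The folder and application paths in it are placeholders for illustration only.

```powershell
# Added example (not from the article): manage Controlled Folder Access with
# the Defender PowerShell cmdlets, starting in audit mode as the article advises.
# Run in an elevated PowerShell session. The folder and app paths are placeholders.

# 1. Turn the feature on in audit mode: events 1124 are written, nothing is blocked.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect a folder that is not in Microsoft's default list (placeholder path).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance\Ledgers'

# 3. Allow an application that the audit events showed needs access (placeholder path).
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleVendor\ExampleApp.exe'

# 4. Verify the resulting state before going any further.
$pref = Get-MpPreference
# EnableControlledFolderAccess is reported as a number: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode.
$modeName = switch ($pref.EnableControlledFolderAccess) {
    0       { 'Disabled' }
    1       { 'Enabled (block)' }
    2       { 'AuditMode' }
    default { "Other ($_)" }
}
[pscustomobject]@{
    Mode         = $modeName
    ExtraFolders = $pref.ControlledFolderAccessProtectedFolders -join '; '
    AllowedApps  = $pref.ControlledFolderAccessAllowedApplications -join '; '
} | Format-List

# 5. Only after the audit events have been reviewed and the exclusions added,
#    switch to block mode:
# Set-MpPreference -EnableControlledFolderAccess Enabled

# To remove an exclusion later:
# Remove-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleVendor\ExampleApp.exe'
```

Keep the allowed-application list as short as you can: every entry is a binary that ransomware running under that name or path could hide behind, so prefer adding the specific executable that needs access over broad exclusions.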

There is often a trade-off between the risk of attacks and the impact of security systems on computers. Take the time to assess your balance and whether you have an acceptable overhead for your needs.

Copyright © 2022 IDG Communications, Inc.