Posey's Tips & Tricks

Easy Ransomware Protection for Data Stored Locally, Part 1

Windows 11's Controlled Folder Access offers a simple yet effective way to protect locally stored data from ransomware, even when AppLocker isn't in play.

When it comes to data storage, I have long advised storing data in a central location (such as on a file server or in the cloud) as opposed to storing data directly on a Windows device. Doing so makes the data easier to back up and it also helps to prevent data from being lost as a result of a device being lost, stolen or destroyed.

In spite of all of this, local data storage is sometimes unavoidable. Recently, for example, I have been spending a lot of time on the road. I made the decision long ago to not allow my file server to be remotely accessible (for security reasons), and so all of the data that I create while traveling has to be stored locally until I get back home. Of course, this local data storage leads to concerns about the potential for data loss.

I do take steps to reduce the chances of losing data. I always travel with a couple of external hard drives so that I can create backup copies of any data that I create while traveling. I also make it a point to store at least one backup copy in a separate bag, so that if my laptop is stolen, I have another copy of my data in my suitcase. I have also been known to email copies of Word documents to myself, so that a copy of the document exists in my mailbox in the cloud.

Although I take these and other precautions, ransomware remains an ever-present threat. I have always been concerned about the possibility of accidentally unleashing a ransomware infection before I get the chance to back up newly created data. Fortunately, however, there is a Windows 11 feature that, when enabled, can go a long way toward helping to protect any data that might be stored on your device. I am talking about Controlled Folder Access.

For those who might not be familiar with Controlled Folder Access, I tend to think of it as a less comprehensive, but easier to use, and possibly more effective alternative to Microsoft's AppLocker.

AppLocker is an application whitelisting tool that is built into some Windows editions. When properly configured, AppLocker makes it so that only authorized applications are allowed to execute on the protected system. That way, if the system were to come into contact with ransomware, the AppLocker rules would hopefully prevent the ransomware from being able to execute.

The problem with AppLocker is that although it provides very solid, granular protection against unauthorized applications, it can be difficult to configure. AppLocker is one of those things that is easy to configure, but difficult to configure well. Misconfigurations can lock out legitimate applications. More importantly, most of the real-world AppLocker deployments that I have seen included accidental protection gaps whereby an attacker could potentially slip by the AppLocker rules by disguising their wares to look like a trusted application. It's also common for an attacker to be able to exploit overly broad rules and launch scripts from minimally protected locations such as C:\Windows\Temp or %LocalAppData%.

All of this matters because AppLocker is designed to prevent unauthorized code from running. If an attacker does somehow manage to exploit a protection gap and launch something malicious, AppLocker does nothing to protect your system. Remember, AppLocker's only job is to prevent unauthorized code from running. If AppLocker determines that code is allowed to run, it takes no further action to protect your system against whatever that code is designed to do.
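One way to look for the overly broad path rules described above is to audit the policy itself. The following is an added example, not code from the original article: the function name `Find-WritablePathRule`, the sample policy, the probe file names and the user name `alice` are all constructed for illustration. The function reports allow rules whose path would cover a file dropped directly into C:\Windows\Temp or a user's AppData\Local folder, unless an exception on the rule excludes that location.

```powershell
# Constructed sample policy (not from a real system). On a live machine, pass
# the XML returned by: Get-AppLockerPolicy -Effective -Xml
$samplePolicy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000003" Name="Helpdesk tools" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="C:\Users\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000004" Name="Windows folder, Temp excluded" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions><FilePathCondition Path="%WINDIR%\Temp\*" /></Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

function Find-WritablePathRule {
    param([Parameter(Mandatory)][string]$PolicyXml)
    # Probe files in the locations the article names; "alice" is a placeholder.
    $probes = '%WINDIR%\Temp\probe.ps1', '%OSDRIVE%\Users\alice\AppData\Local\probe.ps1'
    # Rewrite %WINDIR% and C: to one form so differently written rules compare.
    $norm = { param($p) $p -replace '^%WINDIR%', '%OSDRIVE%\Windows' -replace '^C:', '%OSDRIVE%' }
    foreach ($rule in ([xml]$PolicyXml).SelectNodes('//FilePathRule[@Action="Allow"]')) {
        $path   = $rule.SelectSingleNode('Conditions/FilePathCondition').GetAttribute('Path')
        $except = @(foreach ($e in $rule.SelectNodes('Exceptions/FilePathCondition')) { & $norm ($e.GetAttribute('Path')) })
        foreach ($probe in $probes) {
            $target = & $norm $probe
            if ($target -notlike (& $norm $path)) { continue }          # rule does not reach the folder
            if ($except | Where-Object { $target -like $_ }) { continue } # an exception carves it out
            [pscustomobject]@{
                Collection = $rule.ParentNode.GetAttribute('Type')
                Rule       = $rule.GetAttribute('Name')
                Sid        = $rule.GetAttribute('UserOrGroupSid')
                Path       = $path
                Covers     = $probe
            }
        }
    }
}

Find-WritablePathRule -PolicyXml $samplePolicy | Format-Table -AutoSize
```

The check only covers path rules and the two probe locations; publisher and hash rules, and other writable folders, need their own review.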

This is where Controlled Folder Access comes into play. Unlike AppLocker, which is designed to control which applications are allowed to run, Controlled Folder Access limits access to your data. This means that if ransomware does manage to execute on your system, Controlled Folder Access may protect your data from being encrypted. Better still, Controlled Folder Access is really easy to configure.

Now just to be clear, Controlled Folder Access and AppLocker should ideally be used together as a part of a defense in depth solution. The idea is that if a computer comes into contact with ransomware, AppLocker should prevent it from executing, but if AppLocker fails to stop the ransomware, Controlled Folder Access should help to protect your data. Even so, Controlled Folder Access is a great standalone solution for those who might not have access to AppLocker or who aren't sure if the AppLocker rules are properly configured.

Now that I have explained where Controlled Folder Access fits into the protection scheme, I want to spend Part 2 explaining how to implement and configure this helpful security feature.

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.
