Upcoming Webinar
Cayosoft Shows How Forest Recovery Tech Addresses Survey Issues
Join this webinar and not only learn about what your peers are doing, but also learn about a new patent-pending modern approach to AD forest recovery from Cayosoft.
New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

How to Audit and Test Windows 10 Controlled Folder Access

Ransomware has rarely been out of the headlines over the past few years and it is the most prevalent threat in 2020. WannaCry and NotPetya may be distant memories but the vulnerabilities they rely on are still exploited. And more recently, malware in the RobbinHood family has been used to target large organizations. First by getting access to networks using brute force attacks against RDP and then introducing a vulnerable kernel driver that lets hackers take full control of systems.

Microsoft Defender vs ransomware

Controlled Folder Access (CFA) was added to Windows 10 in the Fall Creators Update to protect users’ files in the event of a ransomware attack. Windows Defender Exploit Guard replaced the Enhanced Mitigation Experience Toolkit (EMET) in Windows 10. CFA is part of Exploit Guard and it helps users and organizations protect folders, such as Documents, from malicious apps.

CFA is disabled by default. However, users can enable it and receive better protection with the default settings. The protected folders list includes the Documents, Videos, Music, Favorites, and Pictures folders for all users. You can also add your own folders to the list. Network shares can also be protected, although the use of wildcards is not supported.

For more information about how to enable CFA, check out Controlled Folder Access in Windows 10 FCU on Petri.

Enable Controlled Folder Access in audit mode

Before you enable CFA in your organization, you can set it up in audit mode to assess the impact on endpoints. Audit mode can’t be enabled in the Windows 10 Settings app. You need to use PowerShell or Group Policy. To enable CFA in audit mode using PowerShell, run the following command in an elevated PowerShell window:

Set-MpPreference -EnableControlledFolderAccess AuditMode

When audit mode is enabled, check the Windows Defender/Operational folder in Event Viewer for the following events:

5007 – Event when settings are changed
1124 – Audit controlled folder access event
1123 – Blocked controlled folder access event

Group Policy gives you a bit more flexibility because there are two different types of audit mode. Audit Mode can be enabled using Group Policy, which logs events if an untrusted app tries to make changes to files in a protected folder. Additionally, Audit disk modification only can be set to log only attempts to write to protected disk sectors.

Image #1 Expand

Figure1 3 — How to Audit and Test Windows 10 Controlled Folder Access (Image Credit: Russell Smith)

You can enable Controlled Folder Access in audit more or block mode under Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Configure Controlled folder access in Group Policy. If you don’t know how to work with Group Policy, read How to Create and Link a Group Policy Object in Active Directory on Petri.

Testing Controlled Folder Access

Microsoft provides a sample ransomware file that you can use to test CFA. You can access the file here. You’ll need to sign in to Microsoft to download the file and bypass any SmartScreen prompts that might prevent you from downloading the file in your browser.

Create a folder, C:\Demo, and add a text file to the demo folder. The sample ransomware needs something to encrypt. Add the C:\Demo folder to the CFA protected list. The quickest way is using the following PowerShell command:

Set-MpPreference -ControlledFolderAccessProtectedFolders C:\Demo\

Now run the ransomware sample (ransomware_testfile_unsigned.exe) you downloaded from Microsoft’s website. If CFA is working, within a few seconds, you should see a notification in the Action Center telling you that unauthorized changes were blocked.

Image #2 Expand

Figure2 2 — How to Audit and Test Windows 10 Controlled Folder Access (Image Credit: Russell Smith)

Now let’s see what happens if CFA is disabled. To turn off CFA, run the following command in an elevated PowerShell prompt:

Set-MpPreference -EnableControlledFolderAccess Disabled

Run the ransomware (ransomware_testfile_unsigned.exe) again. This time you should see a warning open in a browser window telling you that your files have been encrypted. Check the contents of the C:\Demo folder and you will see your file was encrypted.

Image #3 Expand

Figure3 1 — How to Audit and Test Windows 10 Controlled Folder Access (Image Credit: Russell Smith)

If you want to reenable CFA and run the malware again, you’ll need to run the following commands in an elevated PowerShell prompt to reset Attack Surface Reduction rules:

Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA-993A6D77406C -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-CD74-433A-B99E-2ECDC07BFC25 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 26190899-1602-49E8-8B27-EB1D0A1CE869 -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C -AttackSurfaceReductionRules_Actions Disabled

Controlled Folder Access as part of a defense in depth security strategy

Controlled Folder Access can’t protect Windows against ransomware in all situations. If a hacker gets elevated privileges on a system, by exploiting an unpatched vulnerability for example, or tricks a user that has admin rights, then it might be possible to disable CFA. But on systems that are properly secured, CFA provides a defense in depth protection against ransomware.

by Russell Smith
Dec 16, 2020

Editorial Director at Petri IT Knowledgebase. Russell has more than 20 years' experience working in IT. From small business to large government IT infrastructure projects. Russell started his writing career for Windows IT Pro magazine in the early...

What is a Roaming User Profile on Windows?

Sep 1, 2023
Oct 24, 2023
Microsoft to Release Windows 11 LTSC in the Second Half of 2024

Apr 28, 2023
How to Configure Windows LAPS in an Azure Active Directory Scenario

May 3, 2023
Jul 17, 2023

Take our survey

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.