Think twice before deploying Windows’ Controlled Folder Access
Credit to Author: Susan Bradley| Date: Tue, 05 Jul 2022 07:29:00 -0700
As ransomware attacks gained steam in the mid-2010s, Microsoft sought to give Windows users and admins tools to protect their PCs from such attacks. With its October 2017 feature update, the company added a feature called Controlled Folder Access to Windows 10.
On paper, Controlled Folder Access sounds like a great protection for consumers, home users, and small businesses with limited resources. As defined by Microsoft, “Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019, Windows Server 2022, Windows 10, and Windows 11 clients, controlled folder access can be turned on using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices).”
Microsoft goes on to say, “Controlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and so on, are included in the list of controlled folders.”
Folders that are specifically protected include:
c:Users<username>Documents
c:UsersPublicDocuments
c:Users<username>Pictures
c:UsersPublicPictures
c:UsersPublicVideos
c:Users<username>Videos
c:Users<username>Music
c:UsersPublicMusic
c:Users<username>Favorites
So let’s all roll it out, right? Well, not so fast. Askwoody forum user Astro46 recently noted that he’s been trying to use Controlled Folder Access, and it’s been causing side effects in his use. As he related:
As the PDQ blog points out, there can be side effects that may block remote management tools and other technologies. When you have enabled Controlled Folder Access, what you will see when you install software is the interaction between the protection and the installer process as the installer attempts to gain access to certain folders. You may get prompts such as “Unauthorized changes blocked” or “Softwarename.exe blocked from making changes. Click to see settings.”
When using Controlled Folder Access, you may need to use it in audit mode rather than fully enable the process. Enabling Controlled Folder Access in full enforcement mode may result in you spending a lot of time running down and adding exclusions. There are many anecdotal posts about computer users having to spend hours tracking down access and adding exclusions. One such poster (several years ago) found that he had to add what he considered to be normal Microsoft applications such as Notepad and Paint to the exclusion process.
Unfortunately, because the user interface is minimal, the main way controlled folder conflicts are discovered on standalone workstations is via alerts that appear in the system tray when a folder is protected and an application is attempting to access the location. Alternatively, you can access the event logs, but before you can review the details, you have to import an event xml file.
As noted in Microsoft’s Tech Community blog, you have to download the evaluation package file and extract cfa-events.xml to your download folder. Or you can copy and paste the following lines to a Notepad file and save it as cfa-events.xml:
<QueryList>
<Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select>
<Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select>
</Query>
</QueryList>
Now import this xml file into your event viewer so you can more easily view and sort the Controlled Folder Access events. Type event viewer in the Start menu to open the Windows Event Viewer. On the left panel, under Actions, select Import custom view. Navigate to where you extracted cfa-events.xml and select it. Alternatively, copy the XML directly. Select OK.
Next, look in the event log for the following events:
5007 Event when settings are changed
1124 Audited controlled folder access event
1123 Blocked controlled folder access event
You’ll want to focus on 1124 if you are in audit mode or 1123 if you’ve fully enabled the Controlled Folder Access for testing. Once you review the event logs, it should showcase the additional folders that you need to adjust in order for your applications to fully function.
You may find that some software needs access to additional files that you weren’t expecting. Therein lies the issue with the tool. While Microsoft has many applications already approved, and thus they will work just fine with Controlled Folder Access enabled, other or older applications may not work well. It’s often been surprising to me which files and folders need no adjustments and which do require adjustments.
Similar to Attack Surface Reduction Rules, this is one of those technologies that I wish had a better standalone interface for individual workstations. While businesses with Defender for Endpoint can review the issues fairly easily, standalone workstations still have to rely on messages that pop up in the system tray.
If you rely on Defender for your antivirus needs, consider evaluating Controlled Folder Access for additional ransomware protection. However, my recommendation is to truly evaluate, not just deploy it. You’ll want to enable it in audit mode and take your time reviewing the impact. Depending on your applications, you may find it more impactful than you think.
For those with Defender for Endpoint, you can enable Controlled Folder Access as follows: In Microsoft Endpoint Configuration Manager, go to Assets and Compliance > Endpoint Protection > Windows Defender Exploit Guard. Select Home and then Create Exploit Guard Policy. Enter a name and a description, select Controlled folder access, and select Next. Choose whether to block or audit changes, allow other apps, or add other folders, and select Next.
Alternatively, you can manage it with PowerShell, Group Policy, and even registry keys. In a network scenario, you can manage the applications you add to the trusted list by using Configuration Manager or Intune. Additional configurations can be performed from the Microsoft 365 Defender portal.
Often, there is a balance between the risks of attacks and the impact of security systems on computers. Take the time to evaluate the balance and whether this has an acceptable overhead for your needs.