This is a continuation of a series of articles on operational
engineering aspects of the Azure public cloud, the most recent of which
discussed private connectivity for networking. This article focuses on
controlled folder access.
Controlled folder access helps protect valuable data from
malicious apps and threats such as ransomware. It does so by checking
applications against a list of known, trusted applications: only trusted
applications may modify files in the protected folders, which are specified when
the feature is configured, and any application not on the trusted list is
prevented from making changes to files inside those folders. Controlled folder
access can be turned on using the Windows Security app, Microsoft Endpoint
Configuration Manager, or Intune. Microsoft Defender for Endpoint provides
detailed reporting on controlled folder access events and blocks, which forms
part of the usual alert investigation scenarios. Applications can be added
manually to the trusted list using Configuration Manager or Intune, and
additional actions can be performed from the Microsoft 365 Defender portal.
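The same configuration can be done locally with the Defender Antivirus PowerShell cmdlets, which is convenient for a lab or for scripting a baseline before pushing it through Intune or Configuration Manager. The following is an added example, not code from the original post or from Microsoft; the folder paths and the LedgerSync.exe application are placeholders for a line-of-business app that the built-in trusted list does not cover.

```powershell
# Added example (not from the original post): configure controlled folder access
# with the Defender PowerShell cmdlets and verify the result.
# Requires an elevated PowerShell session on a Windows client running Microsoft Defender Antivirus.

# 1. Turn the feature on in block mode. Other accepted values are Disabled,
#    AuditMode, BlockDiskModificationOnly and AuditDiskModificationOnly.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 2. Protect additional folders beyond the Windows defaults (system folders plus
#    Documents, Pictures, Videos, Music, Desktop and Favorites). Placeholder paths.
$ExtraFolders = @(
    'D:\Finance\Ledgers',          # placeholder
    'C:\Users\Public\Shared'       # placeholder
)
Add-MpPreference -ControlledFolderAccessProtectedFolders $ExtraFolders

# 3. Allow a line-of-business app that Microsoft's trusted-app list does not
#    already cover. Use the full path to the executable. Placeholder path.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\LedgerSync.exe'

# 4. Verify the effective configuration. EnableControlledFolderAccess is returned
#    as a number, so map it back to the setting names.
$pref = Get-MpPreference
[pscustomobject]@{
    State            = switch ([int]$pref.EnableControlledFolderAccess) {
        0 { 'Disabled' }
        1 { 'Enabled' }
        2 { 'AuditMode' }
        3 { 'BlockDiskModificationOnly' }
        4 { 'AuditDiskModificationOnly' }
    }
    ProtectedFolders = $pref.ControlledFolderAccessProtectedFolders
    AllowedApps      = $pref.ControlledFolderAccessAllowedApplications
} | Format-List
```

Folders and applications added this way are additive to the defaults and to anything delivered by policy; use Remove-MpPreference with the same parameter names to take an entry back out. Note that an allowed application is trusted for every protected folder, so allow specific executables by full path rather than broad directories.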
Controlled folder access is important for preventing
tampering with files: ransomware encrypts files so that they cannot be used. When
the feature is enabled, blocked attempts surface as notifications, which can be
customized with company details and contact information. Rules can be enabled
individually to customize what criteria the feature monitors. The protected
folders include common system folders (including boot sectors) by default, and
additional user folders can be added. Specific applications can be granted access
to protected folders. Audit mode can be used to evaluate how controlled folder
access would affect the organization before it is enforced.
Deploying attack surface reduction features safely hinges
on audit mode. Attack surface reduction rules, exploit protection, network
protection, and controlled folder access can each be enabled in audit mode, which
records what would have happened had the feature been enforced. Audit mode is the
right setting when testing how the features will work in the organization: it
shows whether line-of-business applications would be affected and how many
suspicious file modification attempts typically occur over a given period. In
audit mode the features do not block or prevent applications, scripts, or files
from being modified, but every event that would have triggered a block is
recorded in the Windows Event Log. Reviewing that log shows what effect the
feature would have had if it were enabled. Microsoft Defender for Endpoint can
provide details for each event; this is especially helpful for investigating
attack surface reduction rules, since the events appear in the alert timeline and
investigation scenarios. Audit mode can be configured with Group Policy,
PowerShell, or configuration service providers.
Which control to configure depends on the scope of the audit.
When the audit applies to all events, enable controlled folder access in audit
mode and review the controlled folder access events. When the audit applies to
individual rules, test the attack surface reduction rules in audit mode and view
the results on the attack surface reduction rules reporting page. When the audit
applies to individual mitigations, enable exploit protection in audit mode and
review the exploit protection events. Event Viewer custom views for these events
are distributed as XML and can be imported, and custom views built while
reviewing the events can likewise be exported as XML.
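The audit workflow above, carried through in PowerShell: put controlled folder access and one attack surface reduction rule into audit mode, then pull the audit events back out of the Defender operational log and summarize them per process, which is the information needed to decide what to add to the allowed list before switching to block mode. This is an added example and not code from the original post or from Microsoft. The QueryList XML is the same shape Event Viewer uses for a custom view, so it can be saved to a file and imported there as well as fed to Get-WinEvent. The ASR rule GUID is Microsoft's published identifier for "Block all Office applications from creating child processes"; the EventData field names ("Process Name", "Path", "User", "ID") are the ones Defender writes for these events, and the Get-DefenderAuditSummary function name is my own.

```powershell
# Added example (not from the original post): enable audit mode for controlled
# folder access and one ASR rule, then summarize the audit events Defender writes
# so the allow list can be built before switching to block mode.
# Requires an elevated session on a Windows client running Microsoft Defender Antivirus.

# Controlled folder access: record what would be blocked, but do not block.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# One ASR rule in audit mode. The GUID is Microsoft's published ID for
# "Block all Office applications from creating child processes".
Add-MpPreference -AttackSurfaceReductionRules_Ids 'd4f940ab-401b-4efc-aadc-ad5f3c50688a' `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Event IDs in Microsoft-Windows-Windows Defender/Operational:
#   1121 ASR rule blocked      1122 ASR rule audited
#   1123 CFA blocked           1124 CFA audited
#   5007 Defender configuration changed (shows when audit mode was toggled)
# Same XML Event Viewer uses for a custom view: save as .xml to import there.
$AuditQuery = @'
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
    <Select Path="Microsoft-Windows-Windows Defender/Operational">
      *[System[(EventID=1121 or EventID=1122 or EventID=1123 or EventID=1124 or EventID=5007)]]
    </Select>
  </Query>
</QueryList>
'@

function Get-DefenderAuditSummary {
    param(
        [string]$QueryXml = $AuditQuery,
        [datetime]$Since  = (Get-Date).AddDays(-7)   # audit for days, not minutes
    )
    $events = Get-WinEvent -FilterXml ([xml]$QueryXml) -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -ge $Since -and $_.Id -in 1121, 1122, 1123, 1124 }

    $rows = foreach ($e in $events) {
        # EventData is a list of named <Data> elements; flatten it to a hashtable.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Feature = if ($e.Id -in 1121, 1122) { 'ASR' } else { 'CFA' }
            Mode    = if ($e.Id -in 1122, 1124) { 'Audit' } else { 'Block' }
            RuleId  = if ($e.Id -in 1121, 1122) { $data['ID'] } else { $null }
            Process = $data['Process Name']   # Defender's field names; inspect $e.ToXml()
            Target  = $data['Path']           # if a column comes back empty
            User    = $data['User']
        }
    }

    # One line per (feature, process): how often it fired and which paths it touched.
    $rows | Group-Object Feature, Process | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Feature  = $_.Group[0].Feature
            Process  = $_.Group[0].Process
            Attempts = $_.Count
            Audited  = @($_.Group | Where-Object Mode -eq 'Audit').Count
            Targets  = ($_.Group.Target | Sort-Object -Unique | Select-Object -First 5) -join '; '
        }
    }
}

# Processes with many audited CFA attempts against legitimate paths are candidates for
# Add-MpPreference -ControlledFolderAccessAllowedApplications; anything unexpected is a
# lead to investigate before changing AuditMode to Enabled.
Get-DefenderAuditSummary | Format-Table -AutoSize -Wrap
```

Read the summary with the threat model in mind: a backup agent or document-sync client hitting Documents thousands of times is expected and belongs on the allowed list, while an unfamiliar binary under a user profile or temp directory writing across many protected folders is exactly the ransomware pattern the feature exists to stop and should be investigated, not allowed. Once the list is settled, change AuditMode to Enabled and rerun the same function; the Mode column flipping from Audit to Block confirms enforcement is live.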