This is a continuation of a series of articles on operational engineering aspects of Azure public cloud computing. The previous article discussed controlled folder access; this one covers how it can be customized.
Controlled folder access helps protect valuable data from malicious apps and threats such as ransomware. There are four ways to customize this control:
1) Protecting additional folders
2) Adding applications that should be allowed to access protected folders
3) Allowing signed executable files to access protected folders
4) Customizing the notifications
Controlled folder access applies to system folders and default user locations such as Documents, Pictures and Desktop. These default folders cannot be removed from the protected list, but additional folders can be added. Adding folders is useful when data is stored outside the default locations, for example when a profile folder has been redirected, and it can also cover mapped network drives. Environment variables and wildcards are supported in the folder paths. Additional folders can be specified from the Windows Security application, with Group Policy, with PowerShell, or through the MDM configuration service providers.
Specific applications can also be allowed to make changes to controlled folders. By default only applications that Microsoft Defender considers trusted may write to files in protected folders, so allowing an application is useful when a particular application must be permitted to override controlled folder access. An application is specified by its full path. If the binary is moved or replaced, it is no longer treated as trustworthy and is not allowed to override controlled folder access until the entry is updated. Application exceptions can be specified via the Windows Security application, Group Policy, PowerShell, or the MDM configuration service providers.
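The two customizations above, an extra protected folder and an allowed application, can be applied from an elevated PowerShell session with the Defender cmdlets. The block below is an added example written for this article, not code from Microsoft's documentation; the folder and application paths are placeholders, and it uses audit mode first so that the Defender operational log shows what would have been blocked before enforcement is switched on.

```powershell
# Added example (not from the original article): protect an extra folder and
# allow one application through controlled folder access, then check the result.
# Run from an elevated PowerShell session. Paths below are placeholders.

# Start in audit mode: access that would be blocked is only logged, so the
# allow list can be completed before anything is enforced.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 1) Protect additional folders. Environment variables and wildcards are
#    accepted, so a single entry can cover every user profile on the device.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance\Ledgers'
Add-MpPreference -ControlledFolderAccessProtectedFolders 'C:\Users\*\Projects'

# 2) Allow a specific application to write to protected folders. The entry is
#    the full path of the binary; a moved or replaced binary is no longer allowed.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\LedgerSync.exe'

# Verify the configuration. Only the additions are listed here; the built-in
# default folders are protected regardless and do not appear in this list.
$pref = Get-MpPreference
$pref.EnableControlledFolderAccess               # 0 = Disabled, 1 = Enabled, 2 = AuditMode
$pref.ControlledFolderAccessProtectedFolders
$pref.ControlledFolderAccessAllowedApplications

# Review the audit trail before enforcing. Event 1124 is an audited access
# (would have been blocked), 1123 is a real block. A legitimate tool that shows
# up here needs an allowed-application entry before enforcement is turned on.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# Enforce once the allow list is complete.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Remove an entry that is no longer needed.
Remove-MpPreference -ControlledFolderAccessProtectedFolders 'C:\Users\*\Projects'
```

The same settings can be pushed with Group Policy or the Defender MDM configuration service provider; the PowerShell form is convenient for testing the allow list on a single device before rolling a policy out.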
When a rule is triggered and an application or file is blocked, the alert notifications can be customized in Microsoft Defender for Endpoint. Notifications can be sent as emails to a group of recipients. If role-based access control is in use, recipients only receive notifications for the device groups that were configured in the notification rule.
Signed executable files can be allowed to access protected folders. Certificate-based indicators cover the scenario where attack surface reduction rules and controlled folder access are in place but a signed application still needs to be permitted: the application's signing certificate is added to the allow list. Indicators can also be used to block signed applications from running.
Alerts can also be suppressed to avoid noisy notifications. A suppression rule shows its status, scope, action, the number of matching alerts, who created it, and when it was created.