Controlled folder access что это
Контролируемый доступ к папкам для защиты от шифровальщиков в Windows 10
В Windows 10 Fall Creators Update (1709) появилась новая функция Controlled Folder Access (CFA, «Контролируемый доступ к папкам»), позволяющая обеспечить новый уровень защиты данных пользователей от актуальной в последние несколько лет угрозы вирусов класса шифровальщики-вымогатели (WCry, BadRabbit).
Функция «Контролируемый доступ к папкам» является частью Windows Defender Exploit Guard и позволяет отслеживать изменения, которые пытаются внести сторонние приложения в определенные папки, помеченные пользователем как защищенные. При попытке доступа к таким папкам любым приложением, оно проверяется встроенным антивирусом Windows Defender, и, если оно не определяется как доверенное, пользователь получает уведомление, о том, что попытка внести изменения в защищаемую папку была заблокирована.
В Windows 10 Fall Creators Update поддерживаются разные способы управления настройками контролируемого доступа к папкам:
Управление через приложение Windows Defender Security Center
Активируйте переключатель Controlled folder access.
Теперь нажмите на ссылку Protected folders и добавьте защищаемые папки, доступ к которым со стороны недоверенных приложений нужно ограничивать.
Аналогичным образом в разделе Allow an app through Controlled folder access можно добавить список доверенных приложений, которым разрешено вносить изменения в защищаемые папки. 
Теперь при попытке изменения файлов в защищенных папках со стороны недоверенного приложения появляется уведомление о блокировке доступа.
Virus & threat protection
Unauthorized changes blocked
Защита от вирусов и угроз
Недопустимые изменения заблокированы
Настройки Controlled Folder Access в реестре
Включить Controlled folder access можно, если создать в ветке реестра
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exploit Guard\Controlled Folder Access параметр типа DWORD с именем EnableControlledFolderAccess и значением 1.
Список защищаемых папок хранится в ветке реестре HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exploit Guard\Controlled Folder Access\GuardedFolders.
Список доверенных приложений в ветке HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exploit Guard\Controlled Folder Access\AllowedApplications.
Настройка Controlled Folder Access с помощью групповых политик
Включите политику Configure Controlled folder access и измените значение опции Configure the guard my folder feature на Enable.
Управление функцией «Контролируемого доступа к папкам» через PowerShell
Чтобы настроить Контролируемый доступ к папкам через PowerShell, воспользуйтесь командой Set-MpPreference для изменения параметров Windows Defender. Включаем функцию.
Добавить новую папку в список защищаемых можно так:
Если нужно добавить доверенное приложение, выполните такую команду:
Таким образом, функция контролируемого доступа к файлам позволит обеспечить дополнительный уровень защиты от угрозы со стороны вирусов и шифровальщиков. Использование данной функции разумно только в виде дополнительного эшелона обороны в комплексе с другими методами (своевременая установка обновлений, использование актуальных антвирусных баз, отключение ненужных служб и протоколов, блокировка исполнямых файлов через политики SRP, использование теневых копий и т.д.).
Контролируемый доступ к папкам в Windows 10
Наверняка, вы могли слышать о том, что в последнее время, участились случаи, когда в пользовательский компьютер проникает вирус, который не просто уничтожает системные файлы или же что-то передает в сеть, а производит архивирование защищённых системой папок. Для того, чтоб подобного рода ситуации не происходили столь часто, компания Майкрософт решила ужесточить уровень безопасности системы и добавила новую функцию Контролируемый доступ к папкам в Windows 10, который производит постоянны мониторинг системных папок и как только, какой-то сторонний софт пытается что-то зашифровать, то он тут же оказывается заблокированным / отрезанным от папки. Вот только не смотря на то, что новые защитные возможности ОС хороши, но еще не все пользователи знают о том, как их можно активировать и мы решили рассказать вам об способах активации.
Активация функции «Контролируемый доступ к папкам» через интерфейс в Windows 10
Для начала, вам необходимо попасть в «Центр безопасности Защитника Windows» → переходим в раздел с названием «Защита от вирусов и угроз» → продолжаем передвижение и переходим в «Параметры защиты от вирусов и других угроз» → остается только отыскать опцию, которая имеет название «Контролируемый доступ к папкам» для того, чтоб повести переключатель в положение «Вкл.» → под кнопкой, «Вкл.» есть ссылка «Защищённые папки», вы должны по ней кликнуть → и вот только в этом окне, у вас появится возможность самостоятельно создать, так называемый «Белый список приложений», который позволит вам открыть доступ конкретным приложениям к системным папкам.
Обратите внимание, что создаваемый вами список, не должен иметь все системные папки / весь системный диск, так как это непременно приведет к проблемам, которые затронут встроенные приложения. Именно по этой причине, помните, что встроенные приложения: «Видео», «Документы», «Изображения», «Музыка» и им подобные, имеют системную защиту по умолчанию.
Активация функции «Контролируемый доступ к папкам» через Редактор реестра в Windows 10
Если вам удобнее работать через «Редактор реестра», то воспользуйтесь командой «regedit», которая позволит получить доступ к следующему пути: «HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access». Обратите свое внимание, что здесь вам придется самостоятельно создать DWORD-параметр, который необходимо назвать «EnableControlledFolderAccess» и задать ему числовое значение равное «1».
Если вам необходимо добавить Контролируемый доступ к папкам в Windows 10, зайдите в следующий подраздел «Controlled Folder Access ProtectedFolders» и самостоятельно создайте DWORD-параметр, имя которого, будет идентично пути к защищаемому каталогу.
Если вас интересует возможность добавления «доверенного приложения», то по аналогии то, что описано выше, вы должны проделать то же самое, но только в подразделе «AllowedApplications».
Активация функции «Контролируемый доступ к папкам» через PowerShell в Windows 10
Производим запуск консоли PowerShell с повышенными правами.
Вот так, относительно просто и весьма быстро, можно активировать Контролируемый доступ к папкам в Windows 10, чтоб в несколько раз сильнее обезопасить свою операционную систему, которая сможет стать более скрытной и подконтрольной только вам!
Enable controlled folder access
Applies to:
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is included with Windows 10, Windows 11, and Windows Server 2019. Controlled folder access is also included as part of the modern, unified solution for Windows Server 2012R2 and 2016.
You can enable controlled folder access by using any of these methods:
Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the device.
Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include:
Windows Security app
Open the Windows Security app by selecting the shield icon in the task bar. You can also search the start menu for Windows Security.
Select the Virus & threat protection tile (or the shield icon on the left menu bar) and then select Ransomware protection.
Set the switch for Controlled folder access to On.
*This method is not available on Windows Server 2012R2 or 2016.
If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device. If the feature is set to Audit mode with any of those tools, the Windows Security app will show the state as Off. If you are protecting user profile data, we recommend that the user profile should be on the default Windows installation drive.
Endpoint Manager
Sign in to the Endpoint Manager and open Endpoint Security.
Go to Attack Surface Reduction > Policy.
Select Platform, choose Windows 10 and later, and select the profile Attack Surface Reduction rules > Create.
Name the policy and add a description. Select Next.
Scroll down to the bottom, select the Enable Folder Protection drop-down, and choose Enable.
Select List of additional folders that need to be protected and add the folders that need to be protected.
Select List of apps that have access to protected folders and add the apps that have access to protected folders.
Select Exclude files and paths from attack surface reduction rules and add the files and paths that need to be excluded from attack surface reduction rules.
Select the profile Assignments, assign to All Users & All Devices, and select Save.
Select Next to save each open blade and then Create.
Wildcards are supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
Mobile Device Management (MDM)
Microsoft Endpoint Configuration Manager
In Microsoft Endpoint Configuration Manager, go to Assets and Compliance > Endpoint Protection > Windows Defender Exploit Guard.
Select Home > Create Exploit Guard Policy.
Enter a name and a description, select Controlled folder access, and select Next.
Choose whether block or audit changes, allow other apps, or add other folders, and select Next.
Wildcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
Review the settings and select Next to create the policy.
After the policy is created, Close.
Group Policy
On your Group Policy management device, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and select Edit.
In the Group Policy Management Editor, go to Computer configuration and select Administrative templates.
Expand the tree to Windows components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access.
Double-click the Configure Controlled folder access setting and set the option to Enabled. In the options section you must specify one of the following options:
To fully enable controlled folder access, you must set the Group Policy option to Enabled and select Block in the options drop-down menu.
PowerShell
Type powershell in the Start menu, right-click Windows PowerShell and select Run as administrator.
Enter the following cmdlet:
Stopping ransomware where it counts: Protecting your data with Controlled folder access
Windows Defender Exploit Guard is a new set of host intrusion prevention capabilities included with Windows 10 Fall Creators Update. One of its features, Controlled folder access, stops ransomware in its tracks by preventing unauthorized access to your important files.
The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms so much more susceptible to ransomware attacks. From June to November 2017, Windows 7 devices were 3.4 times more likely to encounter ransomware compared to Windows 10 devices.
Read our latest report: A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017
Encryption should protect your data and files. Ransomware twists the power of encryption against you and uses it to take files hostage. This means losing control of your data: documents, precious photos and videos, and other important files.
For enterprises and small businesses, losing access to files can mean disrupted operations. Worse, for critical infrastructure, ransomware infection can halt the delivery of services. Just this year, successive ransomware campaigns and no less than two global outbreaks immobilized hospitals, transport systems, and other high-tech facilities.
Ransomware continues to evolve and impact many types of devices in different environments. At Microsoft, we continue to harden Windows 10 against ransomware and other threats. Our end-to-end security suite integrates multiple next-generation defense technologies that help our customers prevent, detect, and respond to ransomware attacks.
Controlled folder access adds another layer of real-time protection against ransomware.
Crackdown on unauthorized encryption
Ransomware campaigns continue to grow and thrive as they are a lucrative business for cybercriminals. Ransomware gets into a victim’s device, encrypting files and data. Because these files are held hostage, cybercriminals can extort money from their victims.
Controlled folder access brings you right back in control of determining what programs can access your data. This feature protects your files from tampering, in real-time, by locking folders so that ransomware and other unauthorized apps can’t access them. It’s like putting your crown jewels in a safe whose key only you hold.
Cybercriminals can’t extort money if they can’t encrypt your files. Controlled folder access is a powerful tool that can render ransomware attacks worthless.
How Controlled folder access works
Controlled folder access locks down folders, allowing only authorized apps to access files. Unauthorized apps, including malicious executable files, DLLs, and scripts are denied access to folders.
This feature can be enabled in Windows Defender Security Center app in Windows 10.
By default, Controlled folder access protects common folders where documents and other important data are stored. But it’s also flexible. You can add additional folders to protect, including those on other drives. You can also allow apps that you trust to access protected folders, so if you’re using unique or custom programs, your productivity is not affected.
When enabled, Controlled folder access prevents access by unauthorized apps and notifies you of an attempt to access or modify files in protected folders. It delivers this protection in real-time.
Enabling and managing Controlled folder access in enterprise networks
In enterprise environments, Controlled folder access can also be enabled and managed using Group Policy, PowerShell, or configuration service providers for mobile device management.
The Controlled folder access feature seamlessly integrates with Windows Defender Advanced Threat Protection. Every time Controlled folder access blocks an attempt to make changes to protected folders, an alert is generated on Windows Defender ATP. This notifies security operations personnel to take quick response actions, including quarantining affected machines or blocking the unauthorized app from running on other machines.
As with the other Windows Defender Exploit Guard features, administrators can customize notifications that appear on endpoints in the event of an intrusion attempt. Customized notifications then allow employees to call, email, or IM their company’s help desk.
Controlled folder access and other Windows Defender Exploit Guard features include an audit mode that administrators can use to evaluate these security features in enterprise networks. In audit mode, the Controlled folder feature does not block attempts to modify files on protected folders, but logs all events, so administrators can assess Windows Defender Exploit Guard capabilities without impacting operations.
A comprehensive suite of advanced ransomware protection in Windows 10
Ransomware attacks grow more and more sophisticated every day. To keep you safe, we are continually improving Windows to protect against ransomware and other threats. Windows 10 is the safest version of Windows yet. Controlled folder access is designed to help reduce the risk of ransomware attacks, keeping your user and businesses data safe.
To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.
Principal Group Manager, Windows Defender Research
Note these additional Windows security features
Windows 10 S is a configuration of Windows 10 that’s streamlined for security and performance. Windows 10 S provides Microsoft-vetted security by working exclusively with apps from the Windows Store and by using Microsoft Edge as the default browser.
Windows 10 customers are also protected from ransomware with Windows Defender Antivirus. With advanced machine learning models, as well as generic and heuristic techniques Windows Defender Antivirus detects new as well as never-before-seen ransomware in real-time.
Microsoft Edge blocks ransomware infection from the web by opening pages within low privilege app containers and by using reputation-based blocking of malicious downloads. Microsoft Edge has been providing industry-leading online protection for Windows 10 customers since its release. This year, Microsoft Edge is now available on iOS and Android, so users of these platforms can start benefiting from browser security beyond sandboxing.
In enterprise environments there are additional layers of protection. Device Guard provides virtualization-based lockdown security. It blocks all types of unauthorized content, stopping ransomware and other threats from reaching the machine.
In addition to Microsoft Edge, enterprises can also ensure online safety by blocking ransomware attacks that begin with email. Microsoft Exchange Online Protection (EOP) uses built-in anti-spam filtering capabilities that help protect Office 365 customers. Office 365 Advanced Threat Protection helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection.
Windows Defender ATP powers security operations personnel to detect and respond to malware outbreaks in their organization. Windows Defender ATP’s enhanced behavioral and machine learning detection libraries flag malicious behavior across the ransomware infection process. The new process tree visualization and improvements in machine isolation help security operations to investigate and respond to ransomware and other malicious attacks.
Controlled folder access is a new piece to this growing stack of next-gen solutions that help you prevent, detect, and respond to ransomware and other modern attacks.
Controlled folder access, Exploit Protection, Attack surface reduction, and Network protection make up the host intrusion prevention capabilities in Windows Defender Exploit Guard. These features and all the other next-gen security technologies that ship with the Fall Creators Update continue to make Windows 10 the safest, most secure Windows ever.
Learn more about Windows 10 Fall Creators Update
Get the latest information on ransomware
Our ransomware FAQ page summarizes the latest developments in the ransomware landscape. It has information about the most prevalent ransomware families like Cerber, WannaCrypt, Spora, Teerac (also known as Crypt0L0cker or CryptoLocker), and Locky, as well as the latest notable ransomware families like Tibbar (also known as Bad Rabbit), Ronggolawe, Petya (also referred to as NotPetya), Erebus, and others.
Talk to us
Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.
Evaluate controlled folder access
Applies to:
Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.
Controlled folder access is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019, Windows Server 2022, Windows 10, and windows 11 clients.
It is especially useful in helping protect against ransomware that attempts to encrypt your files and hold them hostage.
This article helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization.
You can also visit the Microsoft Defender for Endpoint demo scenario website at demo.wd.microsoft.com to confirm the feature is working and see how it works.
Use audit mode to measure impact
Enable the controlled folder access in audit mode to see a record of what would have happened if it was fully enabled. Test how the feature will work in your organization to ensure it doesn’t affect your line-of-business apps. You can also get an idea of how many suspicious file modification attempts generally occur over a certain period of time.
To enable audit mode, use the following PowerShell cmdlet:
If you want to fully audit how controlled folder access will work in your organization, you’ll need to use a management tool to deploy this setting to devices in your network(s). You can also use Group Policy, Intune, mobile device management (MDM), or Microsoft Endpoint Manager to configure and deploy the setting, as described in the main controlled folder access topic.
Review controlled folder access events in Windows Event Viewer
The following controlled folder access events appear in Windows Event Viewer under Microsoft/Windows/Windows Defender/Operational folder.
| Event ID | Description |
|---|---|
| 5007 | Event when settings are changed |
| 1124 | Audited controlled folder access event |
| 1123 | Blocked controlled folder access event |
You can configure a Windows Event Forwarding subscription to collect the logs centrally.
Customize protected folders and apps
During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.
See Protect important folders with controlled folder access for configuring the feature with management tools, including Group Policy, PowerShell, and MDM configuration service providers (CSPs).