Implementing Anti-Ransomware Group Policy

When to Use

• Hardening a Windows Active Directory environment against ransomware execution and propagation
• Implementing defense-in-depth by blocking ransomware execution paths via Group Policy
• Configuring AppLocker or WDAC rules to prevent unauthorized executables from running in user-writable directories
• Enabling Controlled Folder Access to protect critical directories from unauthorized file modifications
• Restricting lateral movement vectors (RDP, SMB, WMI) that ransomware uses to spread across the domain

Do not use as a standalone ransomware defense. GPO settings complement but do not replace endpoint detection, backups, network segmentation, and user awareness training.

Prerequisites

• Windows Server 2016+ Active Directory environment with Group Policy Management Console (GPMC)
• Domain Admin or Group Policy Creator Owners privileges
• Windows 10/11 Enterprise or Education (required for AppLocker and WDAC)
• Microsoft Defender Antivirus enabled (required for Controlled Folder Access and ASR rules)
• Python 3.8+ for audit script that validates GPO compliance
• Test OU for validating GPO settings before domain-wide deployment

Workflow

Step 1: Block Ransomware Execution Paths with AppLocker

Configure AppLocker to prevent executables from running in common ransomware staging locations:

AppLocker GPO Path:
  Computer Configuration → Policies → Windows Settings →
  Security Settings → Application Control Policies → AppLocker

Key Rules:
━━━━━━━━━
1. DENY executable rules for user-writable paths:
   - %USERPROFILE%\AppData\Local\Temp\*     (email attachment extraction)
   - %USERPROFILE%\AppData\Roaming\*         (CryptoLocker staging)
   - %USERPROFILE%\Downloads\*               (web downloads)
   - %TEMP%\*                                (temporary extraction)
   - %USERPROFILE%\Desktop\*                 (social engineering drops)

2. ALLOW default rules:
   - C:\Windows\* (signed by Microsoft)
   - C:\Program Files\* and C:\Program Files (x86)\*
   - Administrator group: all paths

3. Enable Application Identity service:
   Computer Configuration → Policies → Windows Settings →
   Security Settings → System Services →
   Application Identity → Automatic

Step 2: Enable Controlled Folder Access

Protect critical directories from unauthorized modification:

Controlled Folder Access GPO Path:
  Computer Configuration → Administrative Templates →
  Windows Components → Microsoft Defender Antivirus →
  Microsoft Defender Exploit Guard → Controlled Folder Access

Settings:
━━━━━━━━━
1. Configure Controlled folder access: Enabled → Block mode
2. Configure protected folders: Add custom paths
   - \\fileserver\shares\finance
   - \\fileserver\shares\hr
   - C:\Users\*\Documents
   - C:\Users\*\Desktop

3. Configure allowed applications: Whitelist trusted apps
   - C:\Program Files\Microsoft Office\*
   - C:\Program Files\Adobe\*
   - Line-of-business applications

Default protected folders (automatic):
  Documents, Pictures, Videos, Music, Desktop, Favorites

Step 3: Configure Attack Surface Reduction (ASR) Rules

Enable ASR rules that target ransomware delivery mechanisms:

ASR Rules GPO Path:
  Computer Configuration → Administrative Templates →
  Windows Components → Microsoft Defender Antivirus →
  Microsoft Defender Exploit Guard → Attack Surface Reduction

Critical ASR Rules for Ransomware Prevention:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
GUID                                    Rule
BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550   Block executable content from email
D4F940AB-401B-4EFC-AADC-AD5F3C50688A   Block Office apps from creating child processes
3B576869-A4EC-4529-8536-B80A7769E899   Block Office apps from creating executable content
75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84   Block Office apps from injecting into processes
D3E037E1-3EB8-44C8-A917-57927947596D   Block JavaScript/VBScript from launching downloads
5BEB7EFE-FD9A-4556-801D-275E5FFC04CC   Block execution of obfuscated scripts
92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B   Block Win32 API calls from Office macros
01443614-CD74-433A-B99E-2ECDC07BFC25   Block executable files unless they meet prevalence criteria

Set each rule to: Block (1) or Audit (2) for initial testing

Step 4: Restrict Lateral Movement Vectors

Lock down SMB, RDP, and WMI to limit ransomware propagation:

Network Restrictions:
━━━━━━━━━━━━━━━━━━━━
1. Disable SMBv1:
   Computer Configuration → Administrative Templates →
   Network → Lanman Workstation → Enable insecure guest logons: Disabled

   Computer Configuration → Administrative Templates →
   MS Security Guide → Configure SMBv1 server: Disabled

2. Restrict Remote Desktop:
   Computer Configuration → Administrative Templates →
   Windows Components → Remote Desktop Services →
   Remote Desktop Session Host → Connections →
   Allow users to connect remotely: Disabled (or restricted to specific groups)

3. Disable remote WMI:
   Windows Firewall → Inbound Rules →
   Block Windows Management Instrumentation (WMI) inbound

4. Disable AutoPlay/AutoRun:
   Computer Configuration → Administrative Templates →
   Windows Components → AutoPlay Policies →
   Turn off AutoPlay: Enabled (All drives)

5. Disable PowerShell remoting for non-admin users:
   Computer Configuration → Administrative Templates →
   Windows Components → Windows PowerShell →
   Turn on Script Execution: Allow only signed scripts

Step 5: Audit and Validate GPO Compliance

Verify that GPO settings are applied correctly across the domain:

# Check GPO application on endpoint
gpresult /r /scope:computer

# Verify AppLocker rules
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections

# Check Controlled Folder Access status
Get-MpPreference | Select-Object EnableControlledFolderAccess

# List protected folders
Get-MpPreference | Select-Object -ExpandProperty ControlledFolderAccessProtectedFolders

# Check ASR rules
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions

Verification

• Run

  gpresult /r

  on test endpoints to confirm GPO application
• Attempt to run an executable from

  %AppData%\Temp

  to verify AppLocker blocks it
• Modify a file in a protected folder from an unlisted application to confirm CFA blocks it
• Test ASR rules by opening a macro-enabled document and verifying child process blocking
• Validate that legitimate applications in the allowlist still function correctly
• Check Windows Event Log for AppLocker events (Event IDs 8003, 8004) and CFA events (1123, 1124)

Key Concepts

Term	Definition
AppLocker	Windows application control feature that restricts which executables, scripts, and DLLs users can run based on publisher, path, or hash rules
Controlled Folder Access	Microsoft Defender feature that prevents untrusted applications from modifying files in protected directories
Attack Surface Reduction (ASR)	Set of rules in Microsoft Defender Exploit Guard that block specific attack behaviors like Office macro child processes
Software Restriction Policies (SRP)	Legacy Windows feature (deprecated in Win 11) for restricting executables; replaced by AppLocker and WDAC
WDAC	Windows Defender Application Control; the successor to AppLocker with stronger enforcement using code integrity policies

Tools & Systems

• Group Policy Management Console (GPMC): Primary tool for creating and managing GPOs in Active Directory
• AppLocker: Built-in Windows application whitelisting and blacklisting engine
• Microsoft Defender Exploit Guard: Suite including CFA, ASR rules, and Network Protection
• GPResult: Command-line tool for verifying GPO application status on endpoints
• PowerShell Get-MpPreference: Cmdlet for querying Microsoft Defender configuration including ASR and CFA status