Implementing Anti-Ransomware Group Policy
When to Use
- Hardening a Windows Active Directory environment against ransomware execution and propagation
- Implementing defense-in-depth by blocking ransomware execution paths via Group Policy
- Configuring AppLocker or WDAC rules to prevent unauthorized executables from running in user-writable directories
- Enabling Controlled Folder Access to protect critical directories from unauthorized file modifications
- Restricting lateral movement vectors (RDP, SMB, WMI) that ransomware uses to spread across the domain
Do not use as a standalone ransomware defense. GPO settings complement but do not replace endpoint detection, backups, network segmentation, and user awareness training.
Prerequisites
- Windows Server 2016+ Active Directory environment with Group Policy Management Console (GPMC)
- Domain Admin or Group Policy Creator Owners privileges
- Windows 10/11 Enterprise or Education (required for AppLocker and WDAC)
- Microsoft Defender Antivirus enabled (required for Controlled Folder Access and ASR rules)
- Python 3.8+ for audit script that validates GPO compliance
- Test OU for validating GPO settings before domain-wide deployment
Workflow
Step 1: Block Ransomware Execution Paths with AppLocker
Configure AppLocker to prevent executables from running in common ransomware staging locations:
AppLocker GPO Path:
Computer Configuration → Policies → Windows Settings →
Security Settings → Application Control Policies → AppLocker
Key Rules:
━━━━━━━━━
1. DENY executable rules for user-writable paths:
- %USERPROFILE%\AppData\Local\Temp\* (email attachment extraction)
- %USERPROFILE%\AppData\Roaming\* (CryptoLocker staging)
- %USERPROFILE%\Downloads\* (web downloads)
- %TEMP%\* (temporary extraction)
- %USERPROFILE%\Desktop\* (social engineering drops)
2. ALLOW default rules:
- C:\Windows\* (signed by Microsoft)
- C:\Program Files\* and C:\Program Files (x86)\*
- Administrator group: all paths
3. Enable Application Identity service:
Computer Configuration → Policies → Windows Settings →
Security Settings → System Services →
Application Identity → Automatic
Step 2: Enable Controlled Folder Access
Protect critical directories from unauthorized modification:
Controlled Folder Access GPO Path:
Computer Configuration → Administrative Templates →
Windows Components → Microsoft Defender Antivirus →
Microsoft Defender Exploit Guard → Controlled Folder Access
Settings:
━━━━━━━━━
1. Configure Controlled folder access: Enabled → Block mode
2. Configure protected folders: Add custom paths
- \\fileserver\shares\finance
- \\fileserver\shares\hr
- C:\Users\*\Documents
- C:\Users\*\Desktop
3. Configure allowed applications: Whitelist trusted apps
- C:\Program Files\Microsoft Office\*
- C:\Program Files\Adobe\*
- Line-of-business applications
Default protected folders (automatic):
Documents, Pictures, Videos, Music, Desktop, Favorites
Step 3: Configure Attack Surface Reduction (ASR) Rules
Enable ASR rules that target ransomware delivery mechanisms:
ASR Rules GPO Path:
Computer Configuration → Administrative Templates →
Windows Components → Microsoft Defender Antivirus →
Microsoft Defender Exploit Guard → Attack Surface Reduction
Critical ASR Rules for Ransomware Prevention:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
GUID Rule
BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block executable content from email
D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block Office apps from creating child processes
3B576869-A4EC-4529-8536-B80A7769E899 Block Office apps from creating executable content
75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 Block Office apps from injecting into processes
D3E037E1-3EB8-44C8-A917-57927947596D Block JavaScript/VBScript from launching downloads
5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block execution of obfuscated scripts
92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B Block Win32 API calls from Office macros
01443614-CD74-433A-B99E-2ECDC07BFC25 Block executable files unless they meet prevalence criteria
Set each rule to: Block (1) or Audit (2) for initial testing
Step 4: Restrict Lateral Movement Vectors
Lock down SMB, RDP, and WMI to limit ransomware propagation:
Network Restrictions:
━━━━━━━━━━━━━━━━━━━━
1. Disable SMBv1:
Computer Configuration → Administrative Templates →
Network → Lanman Workstation → Enable insecure guest logons: Disabled
Computer Configuration → Administrative Templates →
MS Security Guide → Configure SMBv1 server: Disabled
2. Restrict Remote Desktop:
Computer Configuration → Administrative Templates →
Windows Components → Remote Desktop Services →
Remote Desktop Session Host → Connections →
Allow users to connect remotely: Disabled (or restricted to specific groups)
3. Disable remote WMI:
Windows Firewall → Inbound Rules →
Block Windows Management Instrumentation (WMI) inbound
4. Disable AutoPlay/AutoRun:
Computer Configuration → Administrative Templates →
Windows Components → AutoPlay Policies →
Turn off AutoPlay: Enabled (All drives)
5. Disable PowerShell remoting for non-admin users:
Computer Configuration → Administrative Templates →
Windows Components → Windows PowerShell →
Turn on Script Execution: Allow only signed scripts
Step 5: Audit and Validate GPO Compliance
Verify that GPO settings are applied correctly across the domain:
# Check GPO application on endpoint
gpresult /r /scope:computer
# Verify AppLocker rules
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections
# Check Controlled Folder Access status
Get-MpPreference | Select-Object EnableControlledFolderAccess
# List protected folders
Get-MpPreference | Select-Object -ExpandProperty ControlledFolderAccessProtectedFolders
# Check ASR rules
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions
Verification
- Run
gpresult /ron test endpoints to confirm GPO application - Attempt to run an executable from
%AppData%\Tempto verify AppLocker blocks it - Modify a file in a protected folder from an unlisted application to confirm CFA blocks it
- Test ASR rules by opening a macro-enabled document and verifying child process blocking
- Validate that legitimate applications in the allowlist still function correctly
- Check Windows Event Log for AppLocker events (Event IDs 8003, 8004) and CFA events (1123, 1124)
Key Concepts
| Term | Definition | |------|------------| | AppLocker | Windows application control feature that restricts which executables, scripts, and DLLs users can run based on publisher, path, or hash rules | | Controlled Folder Access | Microsoft Defender feature that prevents untrusted applications from modifying files in protected directories | | Attack Surface Reduction (ASR) | Set of rules in Microsoft Defender Exploit Guard that block specific attack behaviors like Office macro child processes | | Software Restriction Policies (SRP) | Legacy Windows feature (deprecated in Win 11) for restricting executables; replaced by AppLocker and WDAC | | WDAC | Windows Defender Application Control; the successor to AppLocker with stronger enforcement using code integrity policies |
Tools & Systems
- Group Policy Management Console (GPMC): Primary tool for creating and managing GPOs in Active Directory
- AppLocker: Built-in Windows application whitelisting and blacklisting engine
- Microsoft Defender Exploit Guard: Suite including CFA, ASR rules, and Network Protection
- GPResult: Command-line tool for verifying GPO application status on endpoints
- PowerShell Get-MpPreference: Cmdlet for querying Microsoft Defender configuration including ASR and CFA status