JDTB: Enterprises, Minimize Ransomware Exposure with the Microsoft Tools Already in Your Toolbox

[Header image: ransomware news headlines]

If you follow security news blogs or security resources on Twitter you will have undoubtedly seen more than one headline (see graphic above) about yet another company or organization falling victim to a ransomware attack.  The attacks have grown so much in number that Google has decided to plot them as data points within its Maps product.

[Image: Google Maps plot of reported ransomware attacks]

The reality is that in many of these attacks the company or organization is not “Doing the Basics” and leveraging the tools that are already in its toolbox.  The remainder of this post lays out the tools that most enterprises are already licensed for and how they can go about getting them implemented.

Windows 10 SmartScreen

SmartScreen is a feature of Windows 10 that helps protect the endpoint on two fronts: the websites users visit and the files they download.

SmartScreen determines whether a site is potentially malicious by:

  • Analyzing visited webpages looking for indications of suspicious behavior. If it finds suspicious pages, SmartScreen shows a warning page, advising caution.
  • Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious.

SmartScreen determines whether a downloaded app or app installer is potentially malicious by:

  • Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious.
  • Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn’t on that list, SmartScreen shows a warning, advising caution.
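To make sure SmartScreen is actually enforced rather than left to user choice, here is an added example (not from the original post) that reads and sets the registry values written by the “Configure Windows Defender SmartScreen” Group Policy; it assumes an elevated session, and in a domain the equivalent GPO should be set instead of editing the registry directly.

```powershell
# Added example: verify and enforce Windows 10 SmartScreen for Explorer/shell downloads.
# Assumes an elevated PowerShell session on Windows 10. These are the values the
# "Configure Windows Defender SmartScreen" policy writes; set the GPO in a domain.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-SmartScreenState {
    # Returns the effective policy values; $null means "not configured" (user can change it).
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnableSmartScreen     = $props.EnableSmartScreen        # 1 = on, 0 = off
        ShellSmartScreenLevel = $props.ShellSmartScreenLevel    # 'Warn' or 'Block'
    }
}

function Set-SmartScreenEnforced {
    # 'Block' removes the "Run anyway" click-through for unrecognized downloads.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name EnableSmartScreen     -Value 1       -Type DWord
    Set-ItemProperty -Path $policyKey -Name ShellSmartScreenLevel -Value 'Block' -Type String
}

$before = Get-SmartScreenState
if ($before.EnableSmartScreen -ne 1 -or $before.ShellSmartScreenLevel -ne 'Block') {
    Write-Warning "SmartScreen not enforced (Enable=$($before.EnableSmartScreen), Level=$($before.ShellSmartScreenLevel)); applying policy."
    Set-SmartScreenEnforced
}
Get-SmartScreenState
```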


Windows Defender Controlled Folders 

Most ransomware targets the “known folders” on Windows user and server endpoints where sensitive files are stored.  A Controlled Folder Access policy blocks malicious files from tampering with these known folders and, in the case of ransomware, prevents the files from being encrypted.
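The rollout a practitioner would want is audit first, then enforce; here is an added example (not from the original post) using the Defender PowerShell cmdlets that starts Controlled Folder Access in audit mode, adds a protected share and a line-of-business application, reviews the audit events, and then enforces. The folder and application paths are placeholders.

```powershell
# Added example: stage Controlled Folder Access from audit mode to enforcement.
# Assumes an elevated session on Windows 10 with Microsoft Defender Antivirus active.

# 1. Audit mode logs what would have been blocked (Event ID 1124) without breaking
#    line-of-business apps that legitimately write to protected folders.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect folders beyond the defaults (Documents, Pictures, ...). Placeholder path.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Shares\Finance'

# 3. Allow a known application that needs write access. Placeholder path.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\LobApp.exe'

# 4. Review audited (1124) and blocked (1123) events before flipping the switch.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1123, 1124
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 5. Enforce once the audit log shows only expected activity.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 6. Confirm the effective configuration.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications
```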


Windows 10 Application Guard

Enterprises have many different use cases for Windows computers, but most have a footprint of single-purpose devices that should have limited access to outside resources.  In these cases, Windows 10 Application Guard can be leveraged to open untrusted websites.  Application Guard launches its own virtual machine to access the untrusted website, thereby preventing the local workstation from potentially being infected with ransomware.


AppLocker

AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.  It’s ideal to use AppLocker in the following scenarios:

  • Your organization’s security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and also restrict the use of licensed software to authorized users.
  • An app is no longer supported by your organization, so you need to prevent it from being used by everyone.
  • The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
  • The license to an app has been revoked or it is expired in your organization, so you need to prevent it from being used by everyone.
  • A new app or a new version of an app is deployed, and you need to prevent users from running the old version.
  • Specific software tools are not allowed within the organization, or only specific users should have access to those tools.
  • A single user or small group of users needs to use a specific app that is denied for all others.
  • Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps.
  • In addition to other measures, you need to control access to sensitive data through app usage.
  • Additional AppLocker details:  https://aka.ms/applicationlocker
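To turn the scenarios above into a policy without writing rules by hand, here is an added example (not from the original post) that inventories a reference workstation, generates publisher and hash rules, dry-runs the policy against a user-writable folder, and applies it in audit mode so denials are only logged. It assumes an elevated session with the AppLocker module; the output path and the Downloads test path are placeholders.

```powershell
# Added example: build, test and audit-apply an AppLocker policy from a reference machine.
# Assumes an elevated PowerShell session on Windows 10 Enterprise; paths are placeholders.
Import-Module AppLocker

# 1. AppLocker does nothing unless the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service appidsvc

# 2. Inventory what is installed and build publisher rules for signed files, hash rules otherwise.
$fileInfo = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse `
    -FileType Exe, Dll, Script, WindowsInstaller
$xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml

# 3. New policies default to NotConfigured; audit every collection first (DLL rules in
#    particular can break applications if enforced prematurely).
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyPath = 'C:\Temp\AppLocker-Audit.xml'
Set-Content -Path $policyPath -Value $xml

# 4. Dry run: executables in a user-writable location that are not in the inventory should be Denied.
$candidates = Get-ChildItem "$env:USERPROFILE\Downloads\*.exe" -ErrorAction SilentlyContinue
if ($candidates) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path $candidates.FullName |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 5. Apply locally (use -Ldap to target a GPO instead), then watch for 8003 "would have been
#    blocked" events; 8004 means an actual block once enforcement is turned on.
Set-AppLockerPolicy -XmlPolicy $policyPath
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```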


Aaron Margosis at Microsoft recently created a solution called “Aaron Locker” that makes it easier for enterprises to implement and maintain AppLocker.  Details on this solution can be found in the following links.

How Do I Get These Tools Implemented?

You might be thinking to yourself that these tools are something you need to leverage, but how do you get them implemented?  Here’s another PSA for Microsoft customers: most of you have Premier Support agreements covering the products in your license agreement.  The Premier agreement typically includes proactive hours to assist customers in planning various technologies for implementation.  In the case of ransomware, there’s a “POP – Protecting Against Ransomware” offering, a 3-day engagement that runs through most, if not all, of the tools mentioned above.

Hopefully you found this post insightful with regard to the tools you probably already have and the resources available to better protect your enterprise.
