Windows 10 Will Soon Protect Files and Folders From Ransomware

Microsoft is making some interesting security-related changes to Windows 10 with the next Fall Creators Update, expected to debut in September. From a report: Windows 10 testers can now access a preview of the changes that include a new controlled folder access feature. It's designed to only allow specific apps to access and read / write to a folder. If enabled, the default list prevents apps from accessing the desktop, pictures, movies, and documents folders. "Controlled folder access monitors the changes that apps make to files in certain protected folders," explains Dona Sarkar, head of Microsoft's Windows Insiders program. "If an app attempts to make a change to these files, and the app is blacklisted by the feature, you'll get a notification about the attempt."

SMB / MSI / psexec are not "Apps"...

But the recent malware attacks weren't simply malicious trojaned apps changing each other's files. It was spread by compromising / using system services that are meant to be used to access a broad array of files. I don't see how changing the permissions model to block inter-app accesses will fix this...

Re:Put another band aid on...

[arth1]

Mandatory or role based access control is no more sane than the configuration of it. The problem is that Joe Schmoe want to open his files in RandomApp without having to learn how to add rules for it.
Convenience wins over security any time.

Re:Specific apps?

[Oswald+McWeany]

I'm just entirely shocked that Microsoft's stock price hasn't cratered into the pit it deserves. Don't think that the current wave isn't the last or best; ransomware will be iteratively released until bitcoin shoots past $10,000/coin.

Because it's not really hurting Microsoft's pocket. There isn't really a legitimate alternative for windows. The general public seemed baffled by Linux (and Linux isn't getting the marketing spent to promote it). Apple is a walled garden that nobody wants.

Many business apps only run on windows. Microsoft's customers aren't going anywhere.

Re:Specific apps?

[James+Carnley]

I know it's fun to hate on Microsoft but it's worth noting that Linux has no protection from this kind of malware either. With this change the user directory on Windows will actually be more secure than the user directory in Linux.

Re:Specific apps?

[bluefoxlucid]

You're baffled by Windows. Let's see you set up a corporate network with active directory domains using an all-Microsoft environment, complete with patch management, group policy, and the like. Then replicate that in linux.

You can't.

I run DevOps software on Linux. We develop stuff here, we deploy it, we run it in Docker containers, we put it on Linux. I got Linux to connect to the Active Directory domain via Samba--it's rickety, fickle, and hard to debug, as well as basically-independent because it doesn't do any of the actual active directory stuff. You can't push configurations down through Samba. Samba isn't Puppet.

I've been fighting that battle for 10 years. I tell people we need robust, integrated enterprise network and configuration management like a Microsoft Domain; they tell me nobody wants that, and that Samba can already provide single sign-on. The freaking Social Security Administration investigated replacing much of their workstation deployments with Linux and deemed it unacceptable because you can't do anything like SCCM or GPO. Oh, you can now, if you want to develop Puppet or Chef modules in-house, with no standards to work from.

The operational risk of running Linux, the sheer cost of administrating and securing a giant network of dumb workstations, is just ridiculous. Your network will never be in a known state. This is an easy problem to fix, except the people who want it fixed are either unable to do it themselves (yeah I'm not any form of programmer you want writing production code) or able to get a better, faster result by just buying COTS like Microsoft Active Directory and SCCM.

Oh, and many business applications only run on Windows. That's not really a big deal today--not with O365 and all--and a mixed environment is acceptable if you can manage it sanely.

The Linux ecosystem is filled with people who manage isolated servers or somehow got LDAP working for single sign-on and think that's acceptable. There's a nebulous push for things like Puppet and Pulp, in its isolated world, learning no lessons from large enterprise deployments of Novell (in the past), Windows, and so forth. People think that some rickety, slap-dash work that's not even up Windows NT 3.51 standards is somehow ready to take over the world, except that the applications aren't ported to it; in reality, the applications are hardly a barrier at all, and the complete lack of support for wide enterprise deployments is the big killer.

Get some perspective.