Slashdot Mirror


Windows 10 Will Soon Protect Files and Folders From Ransomware (theverge.com)

Microsoft is making some interesting security-related changes to Windows 10 with the next Fall Creators Update, expected to debut in September. From a report: Windows 10 testers can now access a preview of the changes that include a new controlled folder access feature. It's designed to only allow specific apps to access and read / write to a folder. If enabled, the default list prevents apps from accessing the desktop, pictures, movies, and documents folders. "Controlled folder access monitors the changes that apps make to files in certain protected folders," explains Dona Sarkar, head of Microsoft's Windows Insiders program. "If an app attempts to make a change to these files, and the app is blacklisted by the feature, you'll get a notification about the attempt."

22 of 219 comments

  1. Pretty useful by qbast · · Score: 4, Interesting

    It should prove quite useful, especially for backups. Currently even doing a backup every day I am risking that malware will become active during the process and encrypt backups on connected external disk along with everything else. With this feature I can specify that only backup program can have access to the external drive.

    1. Re:Pretty useful by willy_me · · Score: 2

      Use a NAS in place of a USB backup drive. Run ZFS or (I assume) btrfs and take snapshots on a regular basis. If any software on your PC decides to encrypt your NAS share, you can revert to a previous snapshot.
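
The allow-list arrangement qbast describes (only the backup program may touch the backup destination) maps directly onto the feature the article previews. The following is an added example, not code from the article, Microsoft or any commenter: it configures Controlled Folder Access from an elevated PowerShell on Windows 10 1709 or later with Microsoft Defender Antivirus active, starting in audit mode so legitimate writers can be discovered before enforcement, then pulls the audit/block events. The backup volume `E:\Backups` and the tool path `C:\Program Files\MyBackup\mybackup.exe` are assumptions for illustration.

```powershell
# Added example (not from the article or any commenter): restrict writes to a backup
# destination to one backup program using Controlled Folder Access, then review
# what the feature logged. The folder and executable paths are assumed values.

$backupRoot = 'E:\Backups'                               # assumed external backup volume
$backupTool = 'C:\Program Files\MyBackup\mybackup.exe'   # assumed backup program

# Start in audit mode: nothing is blocked yet, but every write that *would* be
# blocked is logged, which lets you find legitimate apps before enforcing.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Protect the backup destination in addition to the default user folders
# (Desktop, Documents, Pictures, Videos are covered by the built-in list).
Add-MpPreference -ControlledFolderAccessProtectedFolders $backupRoot

# Allow-list the backup program; once enforced, any other app writing under
# E:\Backups is blocked and the user is notified.
Add-MpPreference -ControlledFolderAccessAllowedApplications $backupTool

# Review the effective configuration.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications

# Events written by Defender for this feature:
#   1123 = write blocked by controlled folder access (enforced mode)
#   1124 = write that would have been blocked (audit mode)
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# After a clean audit period (only expected apps appear in 1124 events),
# switch to enforcement.
Set-MpPreference -EnableControlledFolderAccess Enabled
```

Leaving the feature in audit mode for a while before enabling it is the practical answer to the "what about apps that failed to uninstall correctly" and "which app is allowed" questions raised further down the thread: the 1124 events list every writer that would have been blocked, so the allow list can be built from observed behaviour rather than guesses.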

  2. SMB / MSI / psexec are not "Apps"... by Anonymous Coward · · Score: 5, Insightful

    But the recent malware attacks weren't simply malicious trojaned apps changing each other's files. It was spread by compromising / using system services that are meant to be used to access a broad array of files. I don't see how changing the permissions model to block inter-app accesses will fix this...

  3. Specific apps? by aglider · · Score: 2

    So it'd be enough for ransomware to impersonate those specific apps or just get into the party list. Shouldn't it?

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.

    1. Re:Specific apps? by postbigbang · · Score: 5, Interesting

      It's just one more slap-dash fix in a creaky operating system riddled with legacy APIs that are now being easily strangled with NSA-ware. Adding strict user space is what made XP SP2 somewhat tenable, but this is just one more embarrassing and glaring hole, and IMHO, a great reason to take a serious look at devops and agile as software development models. Windows 10 isn't new; it's the lipstick on a pig made from thousands and thousands of attempts to get it right.

      I'm just entirely shocked that Microsoft's stock price hasn't cratered into the pit it deserves. Don't think that the current wave isn't the last or best; ransomware will be iteratively released until bitcoin shoots past $10,000/coin.

      --
      ---- Teach Peace. It's Cheaper Than War.

    2. Re:Specific apps? by Oswald+McWeany · · Score: 2, Insightful

      I'm just entirely shocked that Microsoft's stock price hasn't cratered into the pit it deserves. Don't think that the current wave isn't the last or best; ransomware will be iteratively released until bitcoin shoots past $10,000/coin.

      Because it's not really hurting Microsoft's pocket. There isn't really a legitimate alternative for Windows. The general public seemed baffled by Linux (and Linux isn't getting the marketing spent to promote it). Apple is a walled garden that nobody wants.

      Many business apps only run on Windows. Microsoft's customers aren't going anywhere.

      --
      "That's the way to do it" - Punch

    3. Re:Specific apps? by James+Carnley · · Score: 2, Insightful

      I know it's fun to hate on Microsoft but it's worth noting that Linux has no protection from this kind of malware either. With this change the user directory on Windows will actually be more secure than the user directory in Linux.

    4. Re:Specific apps? by postbigbang · · Score: 2

      Not hating on Microsoft. They're their own worst enemy. And I have quite a bit of difficulty with your determination that this makes Windows more secure than Linux. Remember: Microsoft only recently even considered the concept of user space. Everything was root. Everything before XP SP2 was admin. Only now are they trying to protect user space in rational ways. And they're failing.

      Why are they failing? Lack of rigorous testing made impossible by legacy APIs, horrific driver control, proprietary transports, and management that is more interested in share price than product integrity.

      When you say that Linux has no protection from this kind of malware, I'd ask you to obtain further education to fill in the gaps in your knowledge. Linux isn't inviolate, no doubt. But it's not Swiss cheese, correctly implemented, either.

      --
      ---- Teach Peace. It's Cheaper Than War.

    5. Re:Specific apps? by postbigbang · · Score: 2

      You make the mistake of believing that I espouse Linux as a secure operating system. It's better than the mutt called Windows in security, and has been for quite some time. It's not invulnerable. Almost nothing is.

      Do you understand concepts like SELinux? If not, then there is no rational discussion from here; you're a Windows fanboi and will not be swayed.

      Windows is prevalent in a large part of the business world. But as they're systematically held hostage by ransomware, cracks that leak billions of dollars (stated in regulatory fines, not to mention personal data protection damage), and consistently over time, one cannot help but believe that other choices might be made, and lessons learned, other platforms chosen.

      The charlatans that once cursed Linux as an abomination now freely promote it, embrace it, and love it within the top offices of Microsoft. Moreover, *BSD versions are doing surprisingly well, too. Just how many ransomware victims (as an example) do you need until you recognize the rot within?

      --
      ---- Teach Peace. It's Cheaper Than War.

    6. Re:Specific apps? by TheFakeTimCook · · Score: 3, Interesting

      I'm just entirely shocked that Microsoft's stock price hasn't cratered into the pit it deserves. Don't think that the current wave isn't the last or best; ransomware will be iteratively released until bitcoin shoots past $10,000/coin.

      Because it's not really hurting Microsoft's pocket. There isn't really a legitimate alternative for Windows. The general public seemed baffled by Linux (and Linux isn't getting the marketing spent to promote it). Apple is a walled garden that nobody wants.

      Many business apps only run on Windows. Microsoft's customers aren't going anywhere.

      At least for the Apple case, you are incorrect:

      In general:

      http://www.vertoanalytics.com/... ...and, more specifically...

      "IBM began replacing PCs with Macs in early 2015, when it began giving employees the choice to upgrade to a Mac when their company kit needed upgrading. The data speaks for itself, at IBM an astonishing 73 percent of employees will choose a Mac when they get the chance to choose for themselves"

      http://www.computerworld.com/a...

    7. Re:Specific apps? by Anubis+IV · · Score: 2

      Apple is a walled garden that nobody wants.

      Come again? While iOS may be a walled garden, macOS has no meaningful restrictions on what you can run. If you can download it, you can run it, regardless of source, author, or whether they're registered with Apple. I'll grant that the default setting these days is to disallow unsigned apps (i.e. apps not signed by a registered Apple developer), which makes sense as a default, given that this is an OS being used by untrained masses, but for someone such as yourself, you can easily bypass the restriction on a permanent basis by simply toggling the relevant security settings in System Preferences (or you could bypass it on a one-off basis via the context menu for the app).

      Perhaps you're confused about the Mac App Store and think it's the only way to download apps for Mac? Again, while that sort of thing may be true on iOS, that's never been the case on the Mac.

    8. Re:Specific apps? by bluefoxlucid · · Score: 5, Insightful

      You're baffled by Windows. Let's see you set up a corporate network with Active Directory domains using an all-Microsoft environment, complete with patch management, group policy, and the like. Then replicate that in Linux.

      You can't.

      I run DevOps software on Linux. We develop stuff here, we deploy it, we run it in Docker containers, we put it on Linux. I got Linux to connect to the Active Directory domain via Samba--it's rickety, fickle, and hard to debug, as well as basically-independent because it doesn't do any of the actual active directory stuff. You can't push configurations down through Samba. Samba isn't Puppet.

      I've been fighting that battle for 10 years. I tell people we need robust, integrated enterprise network and configuration management like a Microsoft Domain; they tell me nobody wants that, and that Samba can already provide single sign-on. The freaking Social Security Administration investigated replacing much of their workstation deployments with Linux and deemed it unacceptable because you can't do anything like SCCM or GPO. Oh, you can now, if you want to develop Puppet or Chef modules in-house, with no standards to work from.

      The operational risk of running Linux, the sheer cost of administrating and securing a giant network of dumb workstations, is just ridiculous. Your network will never be in a known state. This is an easy problem to fix, except the people who want it fixed are either unable to do it themselves (yeah I'm not any form of programmer you want writing production code) or able to get a better, faster result by just buying COTS like Microsoft Active Directory and SCCM.

      Oh, and many business applications only run on Windows. That's not really a big deal today--not with O365 and all--and a mixed environment is acceptable if you can manage it sanely.

      The Linux ecosystem is filled with people who manage isolated servers or somehow got LDAP working for single sign-on and think that's acceptable. There's a nebulous push for things like Puppet and Pulp, in its isolated world, learning no lessons from large enterprise deployments of Novell (in the past), Windows, and so forth. People think that some rickety, slap-dash work that's not even up to Windows NT 3.51 standards is somehow ready to take over the world, except that the applications aren't ported to it; in reality, the applications are hardly a barrier at all, and the complete lack of support for wide enterprise deployments is the big killer.

      Get some perspective.

  4. Will be used to block Steam unless you buy gamer by Joe_Dragon · · Score: 3, Interesting

    Will be used to block Steam unless you buy Windows 10 Pro Gamer.

  5. Great, so... by Smidge204 · · Score: 5, Interesting

    ...the next generation of Ransomware will exploit a vulnerability in this new service to prevent YOU from accessing these folders and files.

    How very convenient!
    =Smidge=

  6. Re:Put another band aid on... by MightyMartian · · Score: 2, Interesting

    And what would a sane security model look like? Ransomware runs under the credentials of the user that has executed the malware, so if the user has read/write access to files and folders, then those folders are vulnerable. It's not that much different than someone accidentally deleting a bunch of files they have access to. I suppose you could put some quantity monitoring, as in if x number of files are altered or deleted, then suspend the process that is doing the file system changes, but that would probably interfere with any program that does a lot of file system changes, like an installer.

    In general, what's needed to protect data, whether it's through intentional destruction like ransomware, or through inadvertent destruction like someone deleting a file tree or a file system or physical media becoming corrupted, is backups, mirroring and the like. There's no perfect solution that's going to guarantee every file is recoverable, but what I've seen from file system or disk meltdowns is that in most cases as long as you have a good nightly backup, you're going to get most of it back.

    So long as users are basically allowed to run any code they want, ransomware is going to be a reality, and even in walled gardens malware can still find a way in, so it's best to think in terms of worst case scenarios; and whenever I do it always brings me back to the old standards; frequent backups; both on and offsite.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.

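
MightyMartian's sketch of "quantity monitoring" (suspend a process once it has altered x files) is exactly the kind of rate-based detection that runs beside a folder allow list. Below is an added example, not the commenter's code or anything from Microsoft: a PowerShell function that groups file-change events by process and reports any process that rewrites at least `$Threshold` distinct files under the protected folders within a sliding window of `$WindowSeconds`, skipping processes on an allow list. The installer caveat from the comment is handled by scoping rather than by exemptions: writes outside the protected folders (for example under `Program Files`) never count. The event records, folder paths, process names and process IDs are all constructed for the demonstration; in practice the events would come from a file-system audit log or a minifilter. The constructed data contains one ransomware-like writer, one installer, one allow-listed backup tool and one word processor.

```powershell
# Added example (not from the comment author): a rate-based detector over
# constructed file-change events. Everything below (paths, process names,
# process IDs, timestamps) is made up for the demonstration.

function Find-MassModification {
    param(
        [Parameter(Mandatory)] [object[]] $Events,      # objects with Time, ProcessId, Process, Path
        [string[]] $ProtectedFolders = @('C:\Users\alice\Documents', 'C:\Users\alice\Pictures'), # assumed
        [string[]] $AllowedProcesses = @('backup.exe'), # assumed allow list (cf. Controlled Folder Access)
        [int]      $Threshold        = 50,              # distinct files that trigger an alert
        [int]      $WindowSeconds    = 60               # length of the sliding window
    )

    # Keep only writes that land inside one of the protected folders.
    $inScope = foreach ($e in $Events) {
        foreach ($folder in $ProtectedFolders) {
            if ($e.Path.StartsWith($folder, [System.StringComparison]::OrdinalIgnoreCase)) { $e; break }
        }
    }

    $alerts = @()
    foreach ($group in ($inScope | Group-Object ProcessId)) {
        $sorted = @($group.Group | Sort-Object Time)
        $name   = $sorted[0].Process
        if ($AllowedProcesses -contains $name) { continue }   # trusted writer, e.g. the backup tool

        # Sliding window: at each event, count the distinct paths touched during
        # the preceding $WindowSeconds by this process.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $windowStart = $sorted[$i].Time.AddSeconds(-$WindowSeconds)
            $window   = @($sorted[0..$i] | Where-Object { $_.Time -ge $windowStart })
            $distinct = @($window | ForEach-Object Path | Select-Object -Unique).Count
            if ($distinct -ge $Threshold) {
                $alerts += [pscustomobject]@{
                    ProcessId     = [int]$group.Name
                    Process       = $name
                    DistinctFiles = $distinct
                    WindowStart   = $window[0].Time
                    WindowEnd     = $sorted[$i].Time
                }
                break   # one alert per process; the response would be to suspend that process
            }
        }
    }
    $alerts
}

# --- constructed sample events (not real telemetry) ---------------------------
$t0     = Get-Date '2017-06-29T10:00:00'
$docs   = 'C:\Users\alice\Documents'
$sample = @()

# Ransomware-like behaviour: 120 distinct documents rewritten in about 40 seconds.
foreach ($n in 0..119) {
    $sample += [pscustomobject]@{ Time = $t0.AddMilliseconds($n * 333); ProcessId = 4312; Process = 'unknown_app.exe'; Path = "$docs\report$n.docx" }
}
# Installer: 200 writes in 20 seconds, but under Program Files, so out of scope.
foreach ($n in 0..199) {
    $sample += [pscustomobject]@{ Time = $t0.AddMilliseconds($n * 100); ProcessId = 5120; Process = 'setup.exe'; Path = "C:\Program Files\SomeApp\file$n.dll" }
}
# Allow-listed backup tool: 300 protected files in 15 seconds, but trusted.
foreach ($n in 0..299) {
    $sample += [pscustomobject]@{ Time = $t0.AddMilliseconds($n * 50); ProcessId = 6000; Process = 'backup.exe'; Path = "$docs\archive$n.txt" }
}
# Word processor autosaving three documents over 30 seconds: far below the threshold.
foreach ($n in 0..29) {
    $sample += [pscustomobject]@{ Time = $t0.AddSeconds($n); ProcessId = 7000; Process = 'winword.exe'; Path = "$docs\thesis$($n % 3).docx" }
}

Find-MassModification -Events $sample | Format-Table -AutoSize
```

Counting distinct paths rather than raw write operations is what keeps the word processor quiet: repeated saves of the same file do not accumulate. The threshold and window are the knobs MightyMartian worries about; too tight and a bulk photo import trips it, too loose and an encryptor that paces itself slips under it, which is why this kind of detector is a layer next to backups rather than a replacement for them.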
  7. Re:Put another band aid on... by ShanghaiBill · · Score: 2

    Why not implement a sane security model instead

    Because a "sane security model" uses defense in depth. There is no one single "silver bullet" solution. Any security layer can fail, so you need additional layers to contain or mitigate the damage.

    Your first layer of defense is your firewall ... your last layer is your offsite backups. You should have many more layers in between.

  8. Re:Put another band aid on... by arth1 · · Score: 4, Insightful

    Mandatory or role based access control is no more sane than the configuration of it. The problem is that Joe Schmoe wants to open his files in RandomApp without having to learn how to add rules for it.
    Convenience wins over security any time.

  9. Specific apps? by csimpkin · · Score: 5, Informative

    You can use SELinux to accomplish a similar setup. You can ensure that a given application only has access to specific directories or files. Having spent a little time with it I can say it has an obscene learning curve.

  10. Re:Put another band aid on... by michelcolman · · Score: 2

    On a Mac, App Store apps have restricted access to a very limited set of folders (as described by the entitlements list that has to be approved by Apple) BUT they can open any file from any folder if the user drags it onto the app or selects it from a standard system file selector within the app. That makes it totally transparent to the user for the vast majority of apps while remaining secure because the app cannot fake the user interaction that allows access to the files.

    For the moment, only App Store apps are required to have such an entitlements list but I can see them extend it to all apps at some point in the future, certainly with the current wave of ransomware apps going around. Not sure how it's going to work for command line executables, though. For those, a whole lot of rules editing may become necessary.

  11. Protect from ransomware by Dunbal · · Score: 3, Funny

    All you need to do is send $300 worth of bitcoin to Redmond every few years if you want to keep using your computer.

    --
    Seven puppies were harmed during the making of this post.

  12. What could possibly go wrong? by Comboman · · Score: 2

    I'm imagining a hard drive riddled with undeletable files and folders created by apps that failed to uninstall correctly.

    --
    Support Right To Repair Legislation.

  13. Why can't they just use Volume Shadow Copy Service by Miamicanes · · Score: 2

    There's an even easier way Microsoft could solve the problem that already exists and has probably 99% of the work already done for them: Volume Shadow Copy Service.

    Set aside 100 gigs of a 500+ gig hard drive, and designate one or more folders for protection.

    Any changes to files in the protected folders get journaled to that 100-gig area.

    If the journal fills up, the hard drive gets write-protected, with the exception of a 1-2 gig area where the user can create and save NEW files, but can't overwrite/delete existing files (so there will always be somewhere to save open files if the rest of the drive gets write-locked).

    Add some extra logic to warn the user as the journal reaches certain milestone sizes. Allow users to override the limits... but treat it like the safes used for change at convenience stores... you can override the limit NOW, but it won't take effect for 24 hours (and maybe up to a week, with warnings leading up to its execution, for more radical overrides).

    Need to write lots of temp files? Do it to a directory that's not protected. Or get a bigger hard drive, and make policy changes (that have to either be set at installation time, or get delayed by a period of time to give adequate advance warning).

    The only real difference between how it's used now would be the setting of hard thresholds that couldn't be exceeded without write-protecting the drive to give the user time to take action. It would probably create some new denial of service opportunities (some, accidental rather than malicious), but it would be a fairly effective safeguard against the current #1 mode of action used by ransomware (mass-encryption in the background of files over a short period of time).
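
The building block Miamicanes leans on already ships in Windows, and the part of the proposal that exists today (a point-in-time copy of the volume from which an earlier version of a file can be read back) can be driven from PowerShell. The following is an added example, not the commenter's design nor Microsoft's code: it creates a client-accessible shadow copy of `C:` through the `Win32_ShadowCopy` WMI class, exposes it through a directory junction so ordinary tools can read it, and compares a live file with its snapshot copy, writing the recovered version beside the live one if they differ. It must run in an elevated PowerShell; the mount point `C:\vss_previous` and the document path are assumptions for illustration. The quota, write-lock and delayed-override logic the comment proposes is not implemented anywhere and is not shown here.

```powershell
# Added example (not from the comment author): take a Volume Shadow Copy of C:,
# read a previous version of a file from it, and recover it if the live copy has
# changed. Requires an elevated session. Mount point and file path are assumed.

$volume = 'C:\'
$mount  = 'C:\vss_previous'                      # assumed junction point
$sample = 'Users\alice\Documents\report.docx'    # assumed path relative to the volume root

# 1. Create a client-accessible shadow copy (the same kind "Previous Versions" uses).
$result = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
    -Arguments @{ Volume = $volume; Context = 'ClientAccessible' }
if ($result.ReturnValue -ne 0) {
    throw "Shadow copy creation failed with return code $($result.ReturnValue)"
}

# 2. Look the copy up to obtain its device path
#    (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN).
$shadow = Get-CimInstance Win32_ShadowCopy | Where-Object ID -eq $result.ShadowID
"Shadow copy {0} created at {1}" -f $shadow.ID, $shadow.InstallDate

# 3. Expose the read-only snapshot through a directory junction so Get-FileHash,
#    Copy-Item and friends can read it. mklink needs the trailing backslash.
if (-not (Test-Path $mount)) {
    cmd.exe /c mklink /d $mount "$($shadow.DeviceObject)\" | Out-Null
}

# 4. Compare the live file with its snapshot copy; if they differ, write the
#    snapshot version beside the live one rather than overwriting it, so the
#    user can inspect both.
$live = Join-Path $volume $sample
$old  = Join-Path $mount  $sample
if ((Test-Path $live) -and (Test-Path $old)) {
    $liveHash = (Get-FileHash $live -Algorithm SHA256).Hash
    $oldHash  = (Get-FileHash $old  -Algorithm SHA256).Hash
    if ($liveHash -ne $oldHash) {
        Copy-Item $old "$live.restored"
        "Live file differs from the snapshot; recovered copy written to $live.restored"
    } else {
        "Live file matches the snapshot"
    }
} else {
    "File not present in both the live volume and the snapshot: $sample"
}

# 5. Remove the junction. The shadow copy itself stays until it is deleted or
#    aged out by the VSS storage limit (vssadmin list shadowstorage shows it).
cmd.exe /c rmdir $mount | Out-Null
```

Whether such a snapshot actually survives an incident is the open question the comment is really about: the copy lives on the same volume, under the same storage limit, and anything running with administrative rights can remove it, which is why the proposal adds hard thresholds and delayed overrides on top of the mechanism, and why an offline or off-host backup remains the last layer.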