ransomware defense

Implementing Anti-Ransomware Group Policy

Configures Windows Group Policy Objects (GPO) to prevent ransomware execution and limit its spread. Implements AppLocker rules, Software Restriction Policies, Controlled Folder Access, attack surface reduction rules, and network protection settings. Activates for requests involving Windows GPO hardening against ransomware, AppLocker configuration, Controlled Folder Access setup, or endpoint protection via Group Policy.

applockergroup-policyhardeningpreventionransomwarewindows
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

  • Hardening a Windows Active Directory environment against ransomware execution and propagation
  • Implementing defense-in-depth by blocking ransomware execution paths via Group Policy
  • Configuring AppLocker or WDAC rules to prevent unauthorized executables from running in user-writable directories
  • Enabling Controlled Folder Access to protect critical directories from unauthorized file modifications
  • Restricting lateral movement vectors (RDP, SMB, WMI) that ransomware uses to spread across the domain

Do not use as a standalone ransomware defense. GPO settings complement but do not replace endpoint detection, backups, network segmentation, and user awareness training.

Prerequisites

  • Windows Server 2016+ Active Directory environment with Group Policy Management Console (GPMC)
  • Domain Admin or Group Policy Creator Owners privileges
  • Windows 10/11 Enterprise or Education (required for AppLocker and WDAC)
  • Microsoft Defender Antivirus enabled (required for Controlled Folder Access and ASR rules)
  • Python 3.8+ for audit script that validates GPO compliance
  • Test OU for validating GPO settings before domain-wide deployment

Workflow

Step 1: Block Ransomware Execution Paths with AppLocker

Configure AppLocker to prevent executables from running in common ransomware staging locations:

AppLocker GPO Path:
  Computer Configuration → Policies → Windows Settings →
  Security Settings → Application Control Policies → AppLocker
 
Key Rules:
━━━━━━━━━
1. DENY executable rules for user-writable paths:
   - %USERPROFILE%\AppData\Local\Temp\*     (email attachment extraction)
   - %USERPROFILE%\AppData\Roaming\*         (CryptoLocker staging)
   - %USERPROFILE%\Downloads\*               (web downloads)
   - %TEMP%\*                                (temporary extraction)
   - %USERPROFILE%\Desktop\*                 (social engineering drops)
 
2. ALLOW default rules:
   - C:\Windows\* (signed by Microsoft)
   - C:\Program Files\* and C:\Program Files (x86)\*
   - Administrator group: all paths
 
3. Enable Application Identity service:
   Computer Configuration → Policies → Windows Settings →
   Security Settings → System Services →
   Application Identity → Automatic

Step 2: Enable Controlled Folder Access

Protect critical directories from unauthorized modification:

Controlled Folder Access GPO Path:
  Computer Configuration → Administrative Templates →
  Windows Components → Microsoft Defender Antivirus →
  Microsoft Defender Exploit Guard → Controlled Folder Access
 
Settings:
━━━━━━━━━
1. Configure Controlled folder access: Enabled → Block mode
2. Configure protected folders: Add custom paths
   - \\fileserver\shares\finance
   - \\fileserver\shares\hr
   - C:\Users\*\Documents
   - C:\Users\*\Desktop
 
3. Configure allowed applications: Whitelist trusted apps
   - C:\Program Files\Microsoft Office\*
   - C:\Program Files\Adobe\*
   - Line-of-business applications
 
Default protected folders (automatic):
  Documents, Pictures, Videos, Music, Desktop, Favorites

Step 3: Configure Attack Surface Reduction (ASR) Rules

Enable ASR rules that target ransomware delivery mechanisms:

ASR Rules GPO Path:
  Computer Configuration → Administrative Templates →
  Windows Components → Microsoft Defender Antivirus →
  Microsoft Defender Exploit Guard → Attack Surface Reduction
 
Critical ASR Rules for Ransomware Prevention:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
GUID                                    Rule
BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550   Block executable content from email
D4F940AB-401B-4EFC-AADC-AD5F3C50688A   Block Office apps from creating child processes
3B576869-A4EC-4529-8536-B80A7769E899   Block Office apps from creating executable content
75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84   Block Office apps from injecting into processes
D3E037E1-3EB8-44C8-A917-57927947596D   Block JavaScript/VBScript from launching downloads
5BEB7EFE-FD9A-4556-801D-275E5FFC04CC   Block execution of obfuscated scripts
92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B   Block Win32 API calls from Office macros
01443614-CD74-433A-B99E-2ECDC07BFC25   Block executable files unless they meet prevalence criteria
 
Set each rule to: Block (1) or Audit (2) for initial testing

Step 4: Restrict Lateral Movement Vectors

Lock down SMB, RDP, and WMI to limit ransomware propagation:

Network Restrictions:
━━━━━━━━━━━━━━━━━━━━
1. Disable SMBv1:
   Computer Configuration → Administrative Templates →
   Network → Lanman Workstation → Enable insecure guest logons: Disabled
 
   Computer Configuration → Administrative Templates →
   MS Security Guide → Configure SMBv1 server: Disabled
 
2. Restrict Remote Desktop:
   Computer Configuration → Administrative Templates →
   Windows Components → Remote Desktop Services →
   Remote Desktop Session Host → Connections →
   Allow users to connect remotely: Disabled (or restricted to specific groups)
 
3. Disable remote WMI:
   Windows Firewall → Inbound Rules →
   Block Windows Management Instrumentation (WMI) inbound
 
4. Disable AutoPlay/AutoRun:
   Computer Configuration → Administrative Templates →
   Windows Components → AutoPlay Policies →
   Turn off AutoPlay: Enabled (All drives)
 
5. Disable PowerShell remoting for non-admin users:
   Computer Configuration → Administrative Templates →
   Windows Components → Windows PowerShell →
   Turn on Script Execution: Allow only signed scripts

Step 5: Audit and Validate GPO Compliance

Verify that GPO settings are applied correctly across the domain:

# Check GPO application on endpoint
gpresult /r /scope:computer
 
# Verify AppLocker rules
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections
 
# Check Controlled Folder Access status
Get-MpPreference | Select-Object EnableControlledFolderAccess
 
# List protected folders
Get-MpPreference | Select-Object -ExpandProperty ControlledFolderAccessProtectedFolders
 
# Check ASR rules
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions

Verification

  • Run gpresult /r on test endpoints to confirm GPO application
  • Attempt to run an executable from %AppData%\Temp to verify AppLocker blocks it
  • Modify a file in a protected folder from an unlisted application to confirm CFA blocks it
  • Test ASR rules by opening a macro-enabled document and verifying child process blocking
  • Validate that legitimate applications in the allowlist still function correctly
  • Check Windows Event Log for AppLocker events (Event IDs 8003, 8004) and CFA events (1123, 1124)

Key Concepts

Term Definition
AppLocker Windows application control feature that restricts which executables, scripts, and DLLs users can run based on publisher, path, or hash rules
Controlled Folder Access Microsoft Defender feature that prevents untrusted applications from modifying files in protected directories
Attack Surface Reduction (ASR) Set of rules in Microsoft Defender Exploit Guard that block specific attack behaviors like Office macro child processes
Software Restriction Policies (SRP) Legacy Windows feature (deprecated in Win 11) for restricting executables; replaced by AppLocker and WDAC
WDAC Windows Defender Application Control; the successor to AppLocker with stronger enforcement using code integrity policies

Tools & Systems

  • Group Policy Management Console (GPMC): Primary tool for creating and managing GPOs in Active Directory
  • AppLocker: Built-in Windows application whitelisting and blacklisting engine
  • Microsoft Defender Exploit Guard: Suite including CFA, ASR rules, and Network Protection
  • GPResult: Command-line tool for verifying GPO application status on endpoints
  • PowerShell Get-MpPreference: Cmdlet for querying Microsoft Defender configuration including ASR and CFA status
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md3.9 KB

API Reference: Anti-Ransomware Group Policy

AppLocker PowerShell Cmdlets

Get Effective Policy

Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections

Create AppLocker Rule

# Deny executables from AppData paths
New-AppLockerPolicy -RuleType Path -RuleNamePrefix "DenyAppData" `
  -Path "%USERPROFILE%\AppData\*" -Action Deny -User Everyone

Test AppLocker Policy

Test-AppLockerPolicy -Path "C:\Users\test\AppData\Local\Temp\malware.exe" `
  -XmlPolicy (Get-AppLockerPolicy -Effective -Xml)

AppLocker Event Log IDs

Event ID Log Description
8003 AppLocker/EXE Allowed executable
8004 AppLocker/EXE Blocked executable
8005 AppLocker/Script Allowed script
8006 AppLocker/Script Blocked script
8007 AppLocker/MSI Allowed installer
8008 AppLocker/MSI Blocked installer

Controlled Folder Access (CFA)

Enable CFA

Set-MpPreference -EnableControlledFolderAccess Enabled

CFA Modes

Value Mode Description
0 Disabled No protection
1 Enabled Block unauthorized modifications
2 Audit Log but do not block
6 BlockDiskModificationOnly Block disk-level changes only

Add Protected Folders

Add-MpPreference -ControlledFolderAccessProtectedFolders "C:\Finance"

Add Allowed Applications

Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\App\app.exe"

CFA Event IDs

Event ID Log Description
1123 Defender/Operational Blocked file modification
1124 Defender/Operational Audited file modification

Attack Surface Reduction (ASR) Rules

Enable ASR Rule

Add-MpPreference -AttackSurfaceReductionRules_Ids <GUID> `
  -AttackSurfaceReductionRules_Actions Enabled

ASR Rule Actions

Value Action
0 Disabled
1 Block
2 Audit
6 Warn

Key Anti-Ransomware ASR Rule GUIDs

GUID Rule
BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block executable content from email
D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block Office child processes
3B576869-A4EC-4529-8536-B80A7769E899 Block Office executable content creation
75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 Block Office code injection
D3E037E1-3EB8-44C8-A917-57927947596D Block JS/VBS downloaded executables
5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block obfuscated scripts
92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B Block Win32 API from Office macros

ASR Event IDs

Event ID Log Description
1121 Defender/Operational ASR rule fired in block mode
1122 Defender/Operational ASR rule fired in audit mode

GPO Paths Reference

AppLocker

Computer Configuration → Policies → Windows Settings →
Security Settings → Application Control Policies → AppLocker

Controlled Folder Access

Computer Configuration → Administrative Templates →
Windows Components → Microsoft Defender Antivirus →
Microsoft Defender Exploit Guard → Controlled Folder Access

Attack Surface Reduction

Computer Configuration → Administrative Templates →
Windows Components → Microsoft Defender Antivirus →
Microsoft Defender Exploit Guard → Attack Surface Reduction

Network Restrictions

Computer Configuration → Administrative Templates →
Network → Lanman Workstation    (SMB settings)
Windows Components → Remote Desktop Services    (RDP settings)
Windows Components → AutoPlay Policies    (AutoPlay/AutoRun)

GPResult Verification

# Check applied GPOs
gpresult /r /scope:computer
 
# Generate HTML report
gpresult /h gpo_report.html
 
# Check specific policy RSoP
gpresult /z /scope:computer

Scripts 1

agent.py12.0 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Anti-ransomware Group Policy audit and configuration agent.

Audits Windows endpoints for GPO-based ransomware defenses including AppLocker
rules, Controlled Folder Access, Attack Surface Reduction rules, and network
restriction settings. Generates compliance reports against recommended baselines.
"""

import json
import os
import subprocess
import sys
from datetime import datetime

APPLOCKER_DENY_PATHS = [
    "%USERPROFILE%\\AppData\\Local\\Temp\\*",
    "%USERPROFILE%\\AppData\\Roaming\\*",
    "%USERPROFILE%\\Downloads\\*",
    "%TEMP%\\*",
    "%USERPROFILE%\\Desktop\\*",
]

ASR_RULES = {
    "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550": {
        "name": "Block executable content from email client and webmail",
        "recommended": "Block",
        "category": "Email protection",
    },
    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A": {
        "name": "Block all Office applications from creating child processes",
        "recommended": "Block",
        "category": "Office protection",
    },
    "3B576869-A4EC-4529-8536-B80A7769E899": {
        "name": "Block Office applications from creating executable content",
        "recommended": "Block",
        "category": "Office protection",
    },
    "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84": {
        "name": "Block Office applications from injecting code into other processes",
        "recommended": "Block",
        "category": "Office protection",
    },
    "D3E037E1-3EB8-44C8-A917-57927947596D": {
        "name": "Block JavaScript or VBScript from launching downloaded executable content",
        "recommended": "Block",
        "category": "Script protection",
    },
    "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC": {
        "name": "Block execution of potentially obfuscated scripts",
        "recommended": "Block",
        "category": "Script protection",
    },
    "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B": {
        "name": "Block Win32 API calls from Office macros",
        "recommended": "Block",
        "category": "Macro protection",
    },
    "01443614-CD74-433A-B99E-2ECDC07BFC25": {
        "name": "Block executable files from running unless they meet a prevalence, age, or trusted list criterion",
        "recommended": "Block",
        "category": "Execution protection",
    },
}

CFA_RECOMMENDED_FOLDERS = [
    "Documents", "Desktop", "Pictures", "Videos", "Music", "Favorites",
]

GPO_CHECKS = {
    "applocker_enabled": {
        "description": "AppLocker Application Control is enabled",
        "check_command": ["powershell", "-Command",
                          "Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue | "
                          "ConvertTo-Json -Depth 3"],
        "priority": "Critical",
    },
    "cfa_enabled": {
        "description": "Controlled Folder Access is enabled",
        "check_command": ["powershell", "-Command",
                          "(Get-MpPreference).EnableControlledFolderAccess"],
        "priority": "Critical",
    },
    "asr_rules": {
        "description": "Attack Surface Reduction rules are configured",
        "check_command": ["powershell", "-Command",
                          "(Get-MpPreference).AttackSurfaceReductionRules_Ids"],
        "priority": "High",
    },
    "asr_actions": {
        "description": "ASR rule actions (0=Disabled,1=Block,2=Audit,6=Warn)",
        "check_command": ["powershell", "-Command",
                          "(Get-MpPreference).AttackSurfaceReductionRules_Actions"],
        "priority": "High",
    },
    "smbv1_disabled": {
        "description": "SMBv1 protocol is disabled",
        "check_command": ["powershell", "-Command",
                          "(Get-SmbServerConfiguration).EnableSMB1Protocol"],
        "priority": "Critical",
    },
    "autoplay_disabled": {
        "description": "AutoPlay is disabled",
        "check_command": ["powershell", "-Command",
                          "Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows"
                          "\\CurrentVersion\\Policies\\Explorer' -Name NoDriveTypeAutoRun "
                          "-ErrorAction SilentlyContinue | Select-Object -ExpandProperty NoDriveTypeAutoRun"],
        "priority": "Medium",
    },
}


def run_check(check_name, check_info):
    """Run a single GPO compliance check."""
    result = {
        "check": check_name,
        "description": check_info["description"],
        "priority": check_info["priority"],
        "status": "unknown",
        "output": "",
    }

    try:
        proc = subprocess.run(
            check_info["check_command"],
            capture_output=True, text=True, timeout=30,
        )
        output = proc.stdout.strip()
        result["output"] = output
        result["return_code"] = proc.returncode

        if proc.returncode != 0:
            result["status"] = "error"
            result["error"] = proc.stderr.strip()
        elif output:
            result["status"] = "data_retrieved"
        else:
            result["status"] = "empty_response"

    except FileNotFoundError:
        result["status"] = "not_available"
        result["error"] = "PowerShell not found or command not available"
    except subprocess.TimeoutExpired:
        result["status"] = "timeout"
        result["error"] = "Check timed out after 30 seconds"

    return result


def assess_asr_compliance(asr_ids_output, asr_actions_output):
    """Assess ASR rule compliance against recommended baseline."""
    active_ids = [line.strip() for line in asr_ids_output.split("\n") if line.strip()]
    active_actions = [line.strip() for line in asr_actions_output.split("\n") if line.strip()]

    assessment = {"total_recommended": len(ASR_RULES), "enabled": 0,
                  "blocking": 0, "audit_only": 0, "missing": [], "details": []}

    id_action_map = {}
    for i, rule_id in enumerate(active_ids):
        action = active_actions[i] if i < len(active_actions) else "0"
        id_action_map[rule_id.upper()] = action

    for rule_id, rule_info in ASR_RULES.items():
        action = id_action_map.get(rule_id.upper(), None)
        if action is None:
            assessment["missing"].append({"id": rule_id, "name": rule_info["name"]})
            status = "NOT CONFIGURED"
        elif action == "1":
            assessment["enabled"] += 1
            assessment["blocking"] += 1
            status = "BLOCK"
        elif action == "2":
            assessment["enabled"] += 1
            assessment["audit_only"] += 1
            status = "AUDIT"
        elif action == "6":
            assessment["enabled"] += 1
            status = "WARN"
        else:
            status = "DISABLED"

        assessment["details"].append({
            "id": rule_id,
            "name": rule_info["name"],
            "category": rule_info["category"],
            "status": status,
            "recommended": rule_info["recommended"],
        })

    assessment["compliance_pct"] = round(
        (assessment["blocking"] / assessment["total_recommended"]) * 100, 1
    )
    return assessment


def generate_gpo_report():
    """Generate a full GPO anti-ransomware compliance report."""
    report = {
        "title": "Anti-Ransomware Group Policy Compliance Report",
        "generated": datetime.now().isoformat(),
        "hostname": os.environ.get("COMPUTERNAME", "unknown"),
        "checks": {},
        "overall_score": 0,
    }

    print("[*] Running GPO compliance checks...")
    for check_name, check_info in GPO_CHECKS.items():
        print(f"  Checking: {check_info['description']}...")
        result = run_check(check_name, check_info)
        report["checks"][check_name] = result

    # ASR compliance assessment
    asr_ids = report["checks"].get("asr_rules", {}).get("output", "")
    asr_actions = report["checks"].get("asr_actions", {}).get("output", "")
    if asr_ids:
        report["asr_assessment"] = assess_asr_compliance(asr_ids, asr_actions)

    # Calculate overall score
    score = 0
    total = len(GPO_CHECKS)
    for check_name, result in report["checks"].items():
        if result["status"] == "data_retrieved" and result.get("output"):
            score += 1
    report["overall_score"] = round((score / total) * 100, 1)

    return report


def generate_remediation_script(report):
    """Generate PowerShell remediation commands for failed checks."""
    lines = [
        "# Anti-Ransomware GPO Remediation Script",
        "# Generated: " + datetime.now().isoformat(),
        "# Run as Administrator in elevated PowerShell",
        "",
    ]

    cfa = report.get("checks", {}).get("cfa_enabled", {})
    if cfa.get("output", "").strip() != "1":
        lines.append("# Enable Controlled Folder Access")
        lines.append("Set-MpPreference -EnableControlledFolderAccess Enabled")
        lines.append("")

    smbv1 = report.get("checks", {}).get("smbv1_disabled", {})
    if smbv1.get("output", "").strip().lower() == "true":
        lines.append("# Disable SMBv1")
        lines.append("Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force")
        lines.append("")

    asr = report.get("asr_assessment", {})
    for rule in asr.get("details", []):
        if rule["status"] in ("NOT CONFIGURED", "DISABLED", "AUDIT"):
            lines.append(f"# Enable ASR rule: {rule['name']}")
            lines.append(f"Add-MpPreference -AttackSurfaceReductionRules_Ids {rule['id']} "
                          f"-AttackSurfaceReductionRules_Actions Enabled")
            lines.append("")

    lines.append("# Disable AutoPlay")
    lines.append('Set-ItemProperty -Path "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion'
                  '\\Policies\\Explorer" -Name NoDriveTypeAutoRun -Value 255')

    return "\n".join(lines)


if __name__ == "__main__":
    print("=" * 60)
    print("Anti-Ransomware Group Policy Audit Agent")
    print("AppLocker, CFA, ASR rules, network restrictions")
    print("=" * 60)

    if len(sys.argv) < 2:
        print("\nUsage:")
        print("  python agent.py audit              Run full GPO compliance audit")
        print("  python agent.py asr                Check ASR rule status only")
        print("  python agent.py remediate          Generate remediation script")
        print("  python agent.py baseline           Show recommended baseline")
        sys.exit(0)

    command = sys.argv[1]

    if command == "audit":
        report = generate_gpo_report()
        print(f"\n--- GPO Compliance Report ---")
        print(f"  Hostname: {report['hostname']}")
        print(f"  Overall Score: {report['overall_score']}%")
        for name, result in report["checks"].items():
            status = result["status"]
            icon = "[+]" if status == "data_retrieved" else "[!]"
            print(f"  {icon} {result['description']}: {status}")
        output_file = "gpo_audit_report.json"
        with open(output_file, "w") as f:
            json.dump(report, f, indent=2)
        print(f"\n[+] Full report saved to: {output_file}")

    elif command == "asr":
        print("\n--- Recommended ASR Rules for Ransomware Prevention ---")
        for rule_id, rule in ASR_RULES.items():
            print(f"  [{rule['category']:20s}] {rule['name']}")
            print(f"    GUID: {rule_id}")
            print(f"    Recommended: {rule['recommended']}")

    elif command == "remediate":
        report = generate_gpo_report()
        script = generate_remediation_script(report)
        output_file = "remediate_ransomware_gpo.ps1"
        with open(output_file, "w") as f:
            f.write(script)
        print(f"\n[+] Remediation script saved to: {output_file}")
        print(f"\n{script}")

    elif command == "baseline":
        print("\n--- Recommended Anti-Ransomware GPO Baseline ---")
        print("\nAppLocker Deny Paths:")
        for path in APPLOCKER_DENY_PATHS:
            print(f"  DENY: {path}")
        print(f"\nASR Rules ({len(ASR_RULES)} recommended):")
        for rule_id, rule in ASR_RULES.items():
            print(f"  {rule_id}: {rule['name']}")
        print(f"\nControlled Folder Access Protected Folders:")
        for folder in CFA_RECOMMENDED_FOLDERS:
            print(f"  {folder}")

    else:
        print(f"[!] Unknown command: {command}")
Keep exploring