Quick-tip: Windows Group Policy for Software Restrictions in suspicious folders



If well implemented, Group Policies on Windows can be an effective countermeasure against ransomware or generic backdoors. They can make it much harder for attackers (or red teamers) to gain persistent, illegitimate access or to infect systems.

Accordingly, you may want to do the same for other folders such as %TEMP%.

I have rarely seen legitimate adoption of these folders by software vendors. The main attack vector is that applications like Outlook download or extract malicious attachments into these folders. Preventing execution there may be a good measure for users who don't have a technical focus. Never execute email attachments.
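To check whether such a restriction has actually landed on a machine, the following read-only audit script is an added example (not part of the original post): it reads the Software Restriction Policy path rules that Group Policy writes under HKLM and reports whether the folders in `$WantedFolders` (a constructed list; adjust it to your environment) are covered by a "Disallowed" rule. It assumes the policy was applied in Computer Configuration (User Configuration rules land under HKCU instead) and an elevated shell.

```powershell
# Added audit example (not from the original post): list Software Restriction
# Policy path rules and report whether the folders below are set to Disallowed.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Folders the post recommends locking down; constructed list, extend as needed
$WantedFolders = @('%TEMP%', '%APPDATA%', '%LOCALAPPDATA%\Temp')

function Get-SrpPathRule {
    # Each security level is a numeric subkey: 0 = Disallowed, 262144 = Unrestricted.
    # Path rules live under <level>\Paths\{GUID}, with the path in the ItemData value.
    if (-not (Test-Path $Base)) { return @() }
    foreach ($levelKey in Get-ChildItem $Base | Where-Object { $_.PSChildName -match '^\d+$' }) {
        $pathsKey = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem $pathsKey) {
            # Read ItemData unexpanded so a rule written as %TEMP% is shown that way
            $raw = $rule.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
            if (-not $raw) { continue }
            [pscustomobject]@{
                Level       = [int]$levelKey.PSChildName
                RawPath     = $raw
                Expanded    = [Environment]::ExpandEnvironmentVariables($raw)
                Description = $rule.GetValue('Description')
            }
        }
    }
}

$rules  = @(Get-SrpPathRule)
$policy = Get-ItemProperty $Base -ErrorAction SilentlyContinue

# DefaultLevel 262144 = Unrestricted (block-list mode); TransparentEnabled 0 = not enforced
'DefaultLevel: {0}  TransparentEnabled: {1}  PolicyScope: {2}' -f `
    $policy.DefaultLevel, $policy.TransparentEnabled, $policy.PolicyScope
$rules | Format-Table Level, RawPath, Description -AutoSize

foreach ($folder in $WantedFolders) {
    # Compare expanded paths so %TEMP% and %USERPROFILE%\AppData\Local\Temp match
    $target  = [Environment]::ExpandEnvironmentVariables($folder)
    $covered = @($rules | Where-Object {
        $prefix = $_.Expanded -replace '[\\*]+$', ''   # drop trailing \ or \*
        $_.Level -eq 0 -and $target.StartsWith($prefix, 'OrdinalIgnoreCase')
    })
    if ($covered.Count -gt 0) { "OK       $folder is Disallowed via '$($covered[0].RawPath)'" }
    else                      { "MISSING  no Disallowed path rule covers $folder" }
}
```

Run it after `gpupdate /force` on a test client; a MISSING line for a folder you expected to be blocked usually means the GPO did not apply, not that the rule is wrong.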

The measure is well-known and not “next-gen”. That’s okay. It’s Windows after all.