Evaluating the Pros and Cons of Microsoft’s Controlled Folder Access

In a time when threat actors are targeting data to bring organizations to their knees,
Microsoft’s Controlled Folder Access (CFA) feature has emerged as one of Microsoft’s
many answers to combating ransomware. While this security feature offers some
advantages, it also comes with its fair share of drawbacks. In this blog post, we’ll delve
into the pros and cons of Microsoft’s Controlled Folder Access to help you make an
informed decision about whether it’s the right choice for your cybersecurity needs.

The Pros of Microsoft’s Controlled Folder Access:
1. Ransomware Protection: CFA acts as a defense mechanism against
ransomware attacks. It monitors and restricts access to your important files and
folders, preventing unauthorized changes and encryption attempts by malicious
software.
2. Application Whitelisting: You have the power to whitelist trusted applications,
ensuring that only approved programs can access your protected folders. This
control minimizes the risk of malware infiltrating your system.
3. Built-In Windows Security: CFA is integrated into Windows Defender Antivirus,
making it readily available to users without the need for third-party security
software. This can lead to cost savings for businesses and individuals.

The Cons of Microsoft’s Controlled Folder Access:
1. Compatibility Issues: One of the primary drawbacks is the potential for
compatibility issues with legitimate applications. If a trusted program is
mistakenly blocked, it can disrupt workflows and cause frustration.
2. Administration Complexity: While the configuration of CFA aims to be
user-friendly, the initial setup can still be challenging. Even mature
organizations with a deep bench of information security professionals report
the lack of a centralized dashboard, the need to comb through Event Trace for
Windows (ETW) logs, and limited improvement to their overall security posture.
3. High False Positive Rate: Just as with compatibility issues, CFA can sometimes
flag legitimate activities as suspicious, leading to false positives that need to be
triaged by an incident responder.
4. Limited Scope: Controlled Folder Access mainly focuses on protecting files and
folders within user profiles. It may not provide comprehensive protection for files
stored in non-standard locations or network drives.
5. Ongoing Maintenance: To maintain CFA effectively, users need to continuously
update the whitelist of approved applications and monitor event logs, which can
be extremely time-consuming.
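The compatibility, false-positive and maintenance concerns above are usually handled by staging CFA in audit mode and reviewing what it would have blocked before enforcing it. The following is an added example (not from the original post) using Microsoft Defender's own PowerShell cmdlets; the folder and application paths are placeholders, and the event-data field names are taken from how Defender exposes them in the event XML.

```powershell
# Added example: stage Controlled Folder Access in audit mode, tune the allow-list,
# and summarise the events CFA produced. Run in an elevated PowerShell session on a
# host with Microsoft Defender Antivirus. Paths below are placeholders.

# 1. Start in audit mode so legitimate apps are logged rather than blocked.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect a non-profile location (CFA covers user profile folders by default).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\FinanceShare'   # placeholder

# 3. Allow a line-of-business application that legitimately writes to protected data.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\LobApp.exe'   # placeholder

# 4. Confirm the current configuration.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications

# 5. Pull CFA events from the Defender operational log for the last 7 days.
#    1123 = blocked, 1124 = audited (would have been blocked);
#    1127 / 1128 = blocked / audited writes to disk sectors.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124, 1127, 1128
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

# 6. Summarise by process so the allow-list can be tuned before enforcing.
$events |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Process = $d['Process Name']   # field name as exposed in the event XML
            Path    = $d['Path']
        }
    } |
    Group-Object Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 7. Once the allow-list is tuned, switch from AuditMode to Enabled:
#    Set-MpPreference -EnableControlledFolderAccess Enabled
```

Processes that appear repeatedly in the audit summary are the candidates for the allow-list; anything left unexplained is what an incident responder would triage once enforcement is turned on.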

In conclusion, it appears Microsoft admits its Endpoint Detection and Response (EDR)
technology, Microsoft Defender, is not enough to combat ransomware. With its high
administration cost and limited benefits, SecuritySnares has seen a large number of
organizations turn CFA off.