Permission Settings to protect Shared Folders from Ransomware on Windows 10?

This question has been asked here a few different ways, but I couldn't find one that specifically addresses this for Windows 10 ACL / permissions.

In our work environment we have individual machines make backup images onto a shared folder on a Windows 10 machine that acts as a file server, and only that client machine/user has access to that folder.

The concern, of course, is that if the client is ransomware attacked it could access that shared folder and encrypt / overwrite the backup files.

It would seem that using the fine-grained special permissions in Windows 10 would make it possible to create a new file and store the backup, but prevent that file from being encrypted and overwritten / deleted?


I've dealt with this exact scenario, as have many others in this forum, I suspect.

If a person can log in as a user and read/write to server files, the files are at risk. I.e., if a user can edit a Word document, then they can encrypt it.

Rather than change server access permissions (they should be set up as minimum privilege needed), most organizations are changing what users can access. Our organization blocked all of Google Drive, for example. This isn't a great solution, but it's worked so far (knock on wood).

If it's just local backups you're concerned about, creating a 'backup user' that solely holds write permissions to the backup volume technically works, although I haven't tried this.

Ultimate solution is segregated incremental cloud backups.
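
One way to express the question's create-but-not-modify idea with a dedicated backup account, as an added example that is not from any poster and has not been validated against a particular backup product. The folder path and account name are hypothetical, the account is assumed to be a non-administrator on the file server, and the share permissions are assumed to allow Change.

```powershell
# Added example: run elevated on the file server.
$Folder  = 'D:\Backups\Client01'          # hypothetical per-client backup folder
$Account = 'FILESERVER\backup-client01'   # hypothetical dedicated backup account

function Invoke-Icacls {
    # Run icacls with the given arguments and stop on the first failure.
    & icacls.exe @args | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed: $args" }
}

# 1. Drop inherited ACEs so nothing from the parent (e.g. Users: Modify) leaks in.
Invoke-Icacls $Folder '/inheritance:r'

# 2. Administrators and SYSTEM keep full control of the folder and everything in it.
Invoke-Icacls $Folder '/grant' 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# 3. Backup account, THIS FOLDER ONLY (no OI/CI flags, so nothing is inherited by files):
#    RD = list folder, X = traverse, RA/REA = read attributes, RC = read permissions,
#    S = synchronize, WD = create files.
#    Deliberately absent: DE (delete), DC (delete child), AD (create folders),
#    WDAC (change permissions), WO (take ownership).
Invoke-Icacls $Folder '/grant' "${Account}:(RD,X,RA,REA,RC,S,WD)"

# 4. The account that creates a file becomes its owner, and an owner can normally
#    rewrite the file's ACL. An inheritable OWNER RIGHTS ACE (SID S-1-3-4) replaces
#    that implicit right: on files only, the owner gets read and nothing else.
Invoke-Icacls $Folder '/grant' '*S-1-3-4:(OI)(IO)(RX)'

# 5. Show the resulting ACL for review.
icacls.exe $Folder
```

The handle that creates a file can still write to it until it is closed, which is what lets the image be stored; tools that later reopen, rename or prune their own files will fail under this ACL.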


Windows does have a feature called "Controlled Folder Access", if you go into Settings > Windows Security > Virus & Threat Protection > near the bottom click "Manage Ransomware Protection" and see the feature in there.

This sets 'protected folders' that will basically make it so any app that wants to access those folders will need to be approved, which would require admin access. It's supposed to automatically allow safe apps but I found that almost every single one needed manual approval to add to the allowed list.

However, the big drawback to this feature is you cannot remove any of the default protected folders, which includes all the libraries (videos, documents, etc). You can add custom folders and remove them, but not the defaults. Which might make the feature more hassle than it's worth if you only care about protecting a specific location.