Is Windows Built-in Ransomware Protection Enough?
Windows has a feature called "Controlled Folder Access" buried in its security settings. It's Microsoft's built-in ransomware defense — and most Windows users don't even know it exists. I enabled it, tested it against simulated ransomware behavior, and ran it alongside my real backups for three months. Here's what it actually protects, where it falls short, and whether you need more.
What Controlled Folder Access Does
CFA monitors protected folders (default: Documents, Pictures, Videos, Desktop, Favorites, Music) and blocks any untrusted application from modifying files inside them. When ransomware tries to encrypt your files, CFA intercepts the write attempt and stops it — showing a notification that an app was blocked. It's essentially a whitelist: only trusted apps (Microsoft Office, known safe executables) can write. Anything unfamiliar gets blocked by default.
How I Tested It
I created a controlled test environment: a Windows 11 VM with CFA enabled on the default folders. I downloaded several legitimate but uncommon apps (a niche text editor, an indie game installer, an old version of 7-Zip) and attempted to save files into Documents. CFA blocked them all until I manually added each one to the allowed list. I then ran a benign encryption script (not malware — a custom PowerShell script simulating ransomware behavior) that attempted to encrypt all files in Documents. CFA stopped it cold.
| Test Scenario | CFA Result |
|---|---|
| Unknown .exe saving to Documents | ✅ Blocked |
| PowerShell encryption script | ✅ Blocked |
| Trusted app (Word) saving normally | ✅ Allowed |
| Malware on non-protected drive | ❌ Not blocked |
| Ransomware renaming files (not modifying) | ⚠️ Partial |
What Controlled Folder Access Doesn't Protect
- Files outside protected folders: Secondary drives (D:, E:), external USBs, network shares — CFA doesn't cover them by default. You must manually add each folder.
- File deletion or renaming: Some ransomware strains simply rename files or delete originals after copying. CFA blocks writes (modification), not deletions — though Windows Defender's broader real-time protection usually catches these.
- Data exfiltration: Ransomware increasingly steals data before encrypting it ("double extortion"). CFA doesn't stop an app from reading and uploading your files — only from modifying them.
- Trusted app compromise: If Microsoft Word is allowed by CFA and a malicious macro encrypts files via Word's own process, CFA may not block it because Word is trusted. This is rare but possible.
Layered Defense: The Strategy I Actually Recommend
Controlled Folder Access is a single layer — not a complete solution. My recommended stack for ransomware protection:
- Enable Controlled Folder Access (Windows Security → Virus & threat protection → Ransomware protection).
- Keep Windows Defender real-time protection on. CFA is a supplement, not a replacement.
- Follow the 3-2-1 backup rule. If ransomware bypasses CFA, your off-site backup is your last line of defense.
- Use a standard user account, not Administrator. This limits ransomware's ability to disable security features.
- Don't open suspicious attachments. The majority of ransomware infections still start with phishing emails.
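The first two items, plus the extra-folder and allowed-app steps described earlier, can be scripted with the Defender PowerShell cmdlets. This is an added example, not the author's own script; the folder and application paths are placeholders to replace with your own.

```powershell
#Requires -RunAsAdministrator
# Added example: configure and audit Controlled Folder Access (CFA).
# All paths below are placeholders (assumptions), not values from the article.

$extraFolders = @('D:\Data', 'E:\Projects')            # folders outside the default set
$allowedApps  = @('C:\Tools\niche-editor\editor.exe')  # an application you have vetted

# 1. Turn CFA on. Use 'AuditMode' instead to log would-be blocks without enforcing.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 2. Protect folders the defaults do not cover (secondary drives and similar).
foreach ($folder in $extraFolders) {
    if (Test-Path -LiteralPath $folder -PathType Container) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    } else {
        Write-Warning "Skipping missing folder: $folder"
    }
}

# 3. Allow only specific executables by full path; every entry widens the trust list.
foreach ($app in $allowedApps) {
    if (Test-Path -LiteralPath $app -PathType Leaf) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    } else {
        Write-Warning "Skipping missing executable: $app"
    }
}

# 4. Confirm the resulting state, including that real-time protection is still on.
$pref = Get-MpPreference
[pscustomobject]@{
    CfaState             = $pref.EnableControlledFolderAccess  # 0 = Disabled, 1 = Enabled, 2 = AuditMode
    RealTimeProtectionOn = -not $pref.DisableRealtimeMonitoring
    ProtectedFolders     = $pref.ControlledFolderAccessProtectedFolders -join '; '
    AllowedApps          = $pref.ControlledFolderAccessAllowedApplications -join '; '
} | Format-List

# 5. Review the last 7 days of CFA events: 1123 = blocked, 1124 = audited.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Reviewing the 1123 events before adding an app to the allowed list shows exactly which executable was blocked and which protected path it tried to change.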
Verdict: Is CFA Enough?
| Your Situation | Recommendation |
|---|---|
| Home user, casual browsing, email | Controlled Folder Access + Defender + 3-2-1 backup is enough |
| Business with sensitive client data | Add a dedicated third-party anti-ransomware tool (Malwarebytes Premium, Bitdefender) |
| High-risk user (downloading files, torrents) | Add third-party anti-ransomware + strict application whitelisting |
| I want maximum protection without paying | CFA + Defender + free anti-ransomware (like RansomFree by Cybereason, but verify current availability) |
My personal setup: CFA enabled on all fixed drives, Defender real-time protection on, and a 3-2-1 backup. For my threat model (no risky downloads, cautious browsing), I don't run a third-party anti-ransomware. But I do test my backups monthly. If I were handling client financial data or medical records, I'd add Malwarebytes Premium.