implementing-anti-ransomware-group-policy

Featured

Configures Windows Group Policy Objects (GPO) to prevent ransomware execution and limit its spread. Implements AppLocker rules, Software Restriction Policies, Controlled Folder Access, attack surface reduction rules, and network protection settings. Activates for requests involving Windows GPO hardening against ransomware, AppLocker configuration, Controlled Folder Access setup, or endpoint protection via Group Policy.

Category: AI & Automation · 13,115 stars · 1,533 forks · Updated today · License: Apache-2.0

Quality Score: 99/100

Score breakdown (component, weight, component score):
Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Implementing Anti-Ransomware Group Policy

## When to Use

- Hardening a Windows Active Directory environment against ransomware execution and propagation
- Implementing defense-in-depth by blocking ransomware execution paths via Group Policy
- Configuring AppLocker or WDAC rules to prevent unauthorized executables from running in user-writable directories
- Enabling Controlled Folder Access to protect critical directories from unauthorized file modifications
- Restricting lateral movement vectors (RDP, SMB, WMI) that ransomware uses to spread across the domain

**Do not use** as a standalone ransomware defense. GPO settings complement but do not replace endpoint detection, backups, network segmentation, and user awareness training.

## Prerequisites

- Windows Server 2016+ Active Directory environment with the Group Policy Management Console (GPMC)
- Membership in Domain Admins or Group Policy Creator Owners (the latter can create GPOs but needs separate rights to link them)
- Windows 10/11 Enterprise or Education (required for AppLocker and WDAC)
- Microsoft Defender Antivirus enabled as the active antivirus with real-time protection (required for Controlled Folder Access and ASR rules)
- Python 3.8+ for the audit script that validates GPO compliance
- A test OU for validating GPO settings before domain-wide deployment

## Workflow

### Step 1: Block Ransomware Execution Paths with AppLocker

Configure AppLocker to prevent executables from running in common ransomware staging locations:

```
AppLocker GPO Path: Computer Configuration → Policies → Windows Settings → Security Settings → Application ...
```
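The skill's prerequisites mention a Python audit script that validates GPO compliance. The following is an added example written for this page, not the skill's own script: it parses the XML that `Get-AppLockerPolicy -Effective -Xml` returns on a domain-joined host and flags the gaps Step 1 is meant to close: collections left in AuditOnly, Allow rules for non-admin principals that cover user-writable paths, and the default `%WINDIR%\*` rule shipped without exceptions. The list of user-writable `%WINDIR%` subfolders is an assumption based on commonly cited AppLocker bypass locations, and both sample policies are constructed for the example.

```python
"""Audit an exported AppLocker policy for the gaps the workflow above targets.
Added example, not the skill's own audit script; input is the XML that
`Get-AppLockerPolicy -Effective -Xml` returns. Sample policies are constructed."""
import xml.etree.ElementTree as ET
from typing import List

ADMINS_SID = "S-1-5-32-544"  # BUILTIN\Administrators; their default "*" rule is expected

# Rule collections that must be enforcing, not audit-only, for the control to hold.
REQUIRED_ENFORCED = ("Exe", "Script", "Msi")

# Path prefixes a standard user can write to. An Allow path rule for a non-admin
# principal that covers one of these lets a dropped payload run.
USER_WRITABLE = ("*", "%OSDRIVE%\\USERS\\", "%OSDRIVE%\\PROGRAMDATA\\", "%TEMP%",
                 "%APPDATA%", "%LOCALAPPDATA%", "%USERPROFILE%")

# User-writable subdirectories of %WINDIR% (assumption: commonly cited AppLocker
# bypass locations). The default "%WINDIR%\*" Allow rule must list them as
# Exceptions, otherwise a binary dropped there is allowed to execute.
WINDIR_WRITABLE = ("%WINDIR%\\TEMP\\*", "%WINDIR%\\TASKS\\*", "%WINDIR%\\TRACING\\*",
                   "%WINDIR%\\SYSTEM32\\SPOOL\\DRIVERS\\COLOR\\*")


def _paths(rule: ET.Element, section: str) -> List[str]:
    """Upper-cased FilePathCondition paths under <Conditions> or <Exceptions>."""
    return [c.get("Path", "").upper() for c in rule.findall(f"{section}/FilePathCondition")]


def audit_applocker(xml_text: str) -> List[str]:
    """Return human-readable findings; an empty list means no gap was detected."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    collections = {c.get("Type"): c for c in root.findall("RuleCollection")}

    for ctype in REQUIRED_ENFORCED:
        coll = collections.get(ctype)
        if coll is None:
            findings.append(f"{ctype}: no RuleCollection configured")
            continue
        mode = coll.get("EnforcementMode", "NotConfigured")
        if mode != "Enabled":
            findings.append(f"{ctype}: EnforcementMode is {mode}, expected Enabled")

    for ctype, coll in collections.items():
        for rule in coll.findall("FilePathRule"):
            # Only Allow rules for non-admin principals widen the attack surface;
            # Deny rules and the administrators' default "*" rule are skipped.
            if rule.get("Action") != "Allow" or rule.get("UserOrGroupSid") == ADMINS_SID:
                continue
            name = rule.get("Name", rule.get("Id", "?"))
            exceptions = set(_paths(rule, "Exceptions"))
            for path in _paths(rule, "Conditions"):
                if any(path.startswith(p) for p in USER_WRITABLE):
                    findings.append(f"{ctype}: '{name}' allows user-writable path {path}")
                if path.startswith("%WINDIR%\\"):
                    missing = [p for p in WINDIR_WRITABLE if p not in exceptions]
                    if missing:
                        findings.append(f"{ctype}: '{name}' lacks Exceptions for {', '.join(missing)}")
    return findings


# Constructed sample: the three AppLocker default Exe rules left in audit mode,
# no Script or Msi collection, and no exceptions on the Windows-folder rule.
WEAK_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="a" Name="Program Files" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions></FilePathRule>
    <FilePathRule Id="b" Name="Windows folder" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions></FilePathRule>
    <FilePathRule Id="c" Name="All files" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*"/></Conditions></FilePathRule>
  </RuleCollection>
</AppLockerPolicy>"""

# Constructed hardened variant: enforcement on, exceptions for user-writable
# Windows subfolders, an explicit Deny for user profiles, Script and Msi enforced.
HARDENED_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="a" Name="Program Files" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions></FilePathRule>
    <FilePathRule Id="b" Name="Windows folder" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions>
      <Exceptions><FilePathCondition Path="%WINDIR%\Temp\*"/>
        <FilePathCondition Path="%WINDIR%\Tasks\*"/>
        <FilePathCondition Path="%WINDIR%\Tracing\*"/>
        <FilePathCondition Path="%WINDIR%\System32\spool\drivers\color\*"/></Exceptions></FilePathRule>
    <FilePathRule Id="c" Name="Deny user profiles" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*"/></Conditions></FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="d" Name="Program Files scripts" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions></FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="Enabled"/>
</AppLockerPolicy>"""

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"== {label} ==")
        for finding in audit_applocker(policy) or ["no findings"]:
            print(" -", finding)
```

The check deliberately ignores Deny rules and the administrators' `*` rule: AppLocker is default-deny once a collection is enforced, so the risk lies in over-broad Allow rules for ordinary users, not in missing Deny rules. Run it against the effective policy of a machine in the test OU before linking the GPO to production.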

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

implementing-ransomware-backup-strategy (AI & Automation, Featured)
by mukul975 · 13,115 stars · Updated today

Designs and implements a ransomware-resilient backup strategy following the 3-2-1-1-0 methodology (3 copies, 2 media types, 1 offsite, 1 immutable/air-gapped, 0 errors on restore verification). Configures backup schedules aligned to RPO/RTO requirements, implements backup credential isolation to prevent ransomware from compromising backup infrastructure, and establishes automated restore testing. Activates for requests involving ransomware backup planning, backup resilience, air-gapped backup design, or backup recovery point objective configuration.

implementing-application-whitelisting-with-applocker (AI & Automation, Featured)
by mukul975 · 13,115 stars · Updated today

Implements application whitelisting using Windows AppLocker to restrict unauthorized software execution on endpoints, reducing the attack surface from malware, unauthorized tools, and shadow IT. Use when enforcing application control policies, meeting compliance requirements for software restriction, or preventing execution of unsigned or untrusted binaries. Activates for requests involving AppLocker, application whitelisting, software restriction, or executable control.

recovering-from-ransomware-attack (AI & Automation, Featured)
by mukul975 · 13,115 stars · Updated today

Executes structured recovery from a ransomware incident following NIST and CISA frameworks, including environment isolation, forensic evidence preservation, clean infrastructure rebuild, prioritized system restoration from verified backups, credential reset, and validation against re-infection. Covers Active Directory recovery, database restoration, and application stack rebuild in dependency order. Activates for requests involving ransomware recovery, post-encryption restoration, or disaster recovery from ransomware.

performing-ransomware-response (AI & Automation, Featured)
by mukul975 · 13,115 stars · Updated today

Executes a structured ransomware incident response from initial detection through containment, forensic analysis, decryption assessment, recovery, and post-incident hardening. Addresses ransom negotiation considerations, backup integrity verification, and regulatory notification requirements. Activates for requests involving ransomware response, ransomware recovery, crypto-ransomware, data encryption attack, ransom payment decision, or ransomware containment.

building-ransomware-playbook-with-cisa-framework (AI & Automation, Featured)
by mukul975 · 13,115 stars · Updated today

Builds a structured ransomware incident response playbook aligned with the CISA StopRansomware Guide and the NIST Cybersecurity Framework. Covers preparation, detection, containment, eradication, recovery, and post-incident phases with actionable checklists. Activates for requests involving ransomware response planning, CISA compliance, incident response playbook creation, or ransomware preparedness assessment.