Configures Windows Group Policy Objects (GPO) to prevent ransomware execution and limit its spread. Implements AppLocker rules, Software Restriction Policies, Controlled Folder Access, attack surface reduction rules, and network protection settings. Activates for requests involving Windows GPO hardening against ransomware, AppLocker configuration, Controlled Folder Access setup, or endpoint protection via Group Policy.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionimplementing-anti-ransomware-group-policyExecute the skills CLI command in your project's root directory to begin installation:
Fetches implementing-anti-ransomware-group-policy from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate implementing-anti-ransomware-group-policy. Access via /implementing-anti-ransomware-group-policy in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | implementing-anti-ransomware-group-policy |
| description | 'Configures Windows Group Policy Objects (GPO) to prevent ransomware execution and limit its spread. Implements AppLocker rules, Software Restriction Policies, Controlled Folder Access, attack surface reduction rules, and network protection settings. Activates for requests involving Windows GPO hardening against ransomware, AppLocker configuration, Controlled Folder Access setup, or endpoint protection via Group Policy. ' |
| domain | cybersecurity |
| subdomain | ransomware-defense |
| tags | - ransomware - group-policy - windows - AppLocker - hardening - prevention |
| version | 1.0.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.DS-11 - RS.MA-01 - RC.RP-01 - PR.IR-01 |
Do not use as a standalone ransomware defense. GPO settings complement but do not replace endpoint detection, backups, network segmentation, and user awareness training.
Configure AppLocker to prevent executables from running in common ransomware staging locations:
AppLocker GPO Path:
Computer Configuration → Policies → Windows Settings →
Security Settings → Application Control Policies → AppLocker
Key Rules:
━━━━━━━━━
1. DENY executable rules for user-writable paths:
- %USERPROFILE%\AppData\Local\Temp\* (email attachment extraction)
- %USERPROFILE%\AppData\Roaming\* (CryptoLocker staging)
- %USERPROFILE%\Downloads\* (web downloads)
- %TEMP%\* (temporary extraction)
- %USERPROFILE%\Desktop\* (social engineering drops)
2. ALLOW default rules:
- C:\Windows\* (signed by Microsoft)
- C:\Program Files\* and C:\Program Files (x86)\*
- Administrator group: all paths
3. Enable Application Identity service:
Computer Configuration → Policies → Windows Settings →
Security Settings → System Services →
Application Identity → Automatic
Protect critical directories from unauthorized modification:
Controlled Folder Access GPO Path:
Computer Configuration → Administrative Templates →
Windows Components → Microsoft Defender Antivirus →
Microsoft Defender Exploit Guard → Controlled Folder Access
Settings:
━━━━━━━━━
1. Configure Controlled folder access: Enabled → Block mode
2. Configure protected folders: Add custom paths
- \\fileserver\shares\finance
- \\fileserver\shares\hr
- C:\Users\*\Documents
- C:\Users\*\Desktop
3. Configure allowed applications: Whitelist trusted apps
- C:\Program Files\Microsoft Office\*
- C:\Program Files\Adobe\*
- Line-of-business applications
Default protected folders (automatic):
Documents, Pictures, Videos, Music, Desktop, Favorites
Enable ASR rules that target ransomware delivery mechanisms:
ASR Rules GPO Path:
Computer Configuration → Administrative Templates →
Windows Components → Microsoft Defender Antivirus →
Microsoft Defender Exploit Guard → Attack Surface Reduction
Critical ASR Rules for Ransomware Prevention:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
GUID Rule
BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block executable content from email
D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block Office apps from creating child processes
3B576869-A4EC-4529-8536-B80A7769E899 Block Office apps from creating executable content
75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 Block Office apps from injecting into processes
D3E037E1-3EB8-44C8-A917-57927947596D Block JavaScript/VBScript from launching downloads
5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block execution of obfuscated scripts
92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B Block Win32 API calls from Office macros
01443614-CD74-433A-B99E-2ECDC07BFC25 Block executable files unless they meet prevalence criteria
Set each rule to: Block (1) or Audit (2) for initial testing
Lock down SMB, RDP, and WMI to limit ransomware propagation:
Network Restrictions:
━━━━━━━━━━━━━━━━━━━━
1. Disable SMBv1:
Computer Configuration → Administrative Templates →
Network → Lanman Workstation → Enable insecure guest logons: Disabled
Computer Configuration → Administrative Templates →
MS Security Guide → Configure SMBv1 server: Disabled
2. Restrict Remote Desktop:
Computer Configuration → Administrative Templates →
Windows Components → Remote Desktop Services →
Remote Desktop Session Host → Connections →
Allow users to connect remotely: Disabled (or restricted to specific groups)
3. Disable remote WMI:
Windows Firewall → Inbound Rules →
Block Windows Management Instrumentation (WMI) inbound
4. Disable AutoPlay/AutoRun:
Computer Configuration → Administrative Templates →
Windows Components → AutoPlay Policies →
Turn off AutoPlay: Enabled (All drives)
5. Disable PowerShell remoting for non-admin users:
Computer Configuration → Administrative Templates →
Windows Components → Windows PowerShell →
Turn on Script Execution: Allow only signed scripts
Verify that GPO settings are applied correctly across the domain:
# Check GPO application on endpoint
gpresult /r /scope:computer
# Verify AppLocker rules
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections
# Check Controlled Folder Access status
Get-MpPreference | Select-Object EnableControlledFolderAccess
# List protected folders
Get-MpPreference | Select-Object -ExpandProperty ControlledFolderAccessProtectedFolders
# Check ASR rules
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions
gpresult /r on test endpoints to confirm GPO application%AppData%\Temp to verify AppLocker blocks it| Term | Definition |
|---|---|
| AppLocker | Windows application control feature that restricts which executables, scripts, and DLLs users can run based on publisher, path, or hash rules |
| Controlled Folder Access | Microsoft Defender feature that prevents untrusted applications from modifying files in protected directories |
| Attack Surface Reduction (ASR) | Set of rules in Microsoft Defender Exploit Guard that block specific attack behaviors like Office macro child processes |
| Software Restriction Policies (SRP) | Legacy Windows feature (deprecated in Win 11) for restricting executables; replaced by AppLocker and WDAC |
| WDAC | Windows Defender Application Control; the successor to AppLocker with stronger enforcement using code integrity policies |
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
implementing-anti-ransomware-group-policy reduced setup friction for our internal harness; good balance of opinion and flexibility.
Keeps context tight: implementing-anti-ransomware-group-policy is the kind of skill you can hand to a new teammate without a long onboarding doc.
Registry listing for implementing-anti-ransomware-group-policy matched our evaluation — installs cleanly and behaves as described in the markdown.
implementing-anti-ransomware-group-policy has been reliable in day-to-day use. Documentation quality is above average for community skills.
implementing-anti-ransomware-group-policy is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
Useful defaults in implementing-anti-ransomware-group-policy — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
implementing-anti-ransomware-group-policy fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Solid pick for teams standardizing on skills: implementing-anti-ransomware-group-policy is focused, and the summary matches what you get after install.
implementing-anti-ransomware-group-policy reduced setup friction for our internal harness; good balance of opinion and flexibility.
implementing-anti-ransomware-group-policy is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
showing 1-10 of 42