Asked by Randy Downs
Server 2012 Foundation GPO - Prevent Ransomware - Malwarebytes Endpoint Security - Firewall

  • We want to use a Server 2012 Foundation GPO to prevent and block macros from running in Microsoft Office, to hopefully prevent ransomware from gaining a foothold in my client's business.
  • The client's office has a standard off-the-shelf router (ASUS RT-AC68U) and a Comcast business router in place. Should we beef up this firewall?
  • Considering Malwarebytes Endpoint Security for the server and client PCs. Any experience with this software?

Any other tips appreciated.

We have already received email threats, but they are apparently just that:

Rowan Blackwell
Message 4) 3689b4.x71i9t.fydtv.rtf (255 KB)
Greetings
Please check the report attached. TO eliminate fine for the delay you have to pay within 72 hours.
Best regards
Rowan Blackwell
SOLUTION by McKnife (members only; not shown on this page)
ASKER
It's Windows 10 and Windows 7 Pro. This is a small domain.

McKnife, do you have a link to using software restriction policies?
SOLUTION (members only; not shown on this page)
Interesting that the NSA guide shows security errors in Norton.

NET::ERR_CERT_AUTHORITY_INVALID
This page is insecure (broken HTTPS). - Certificate Error
There are issues with the site's certificate chain (net::ERR_CERT_AUTHORIT
Even ignoring the warning, the page cannot be found for the NSA guide.

Cannot find requested page. The URL you are looking for may have changed or you may be using an old bookmark to access a specific part of this site. Navigate to the page using the links in the Main Menu.
If you still cannot find the page you're looking for, please contact Site Support.
I can download it that way. But maybe you would like to install their certificates: https://www.nsa.gov/what-we-do/information-assurance/ -> follow 1 and 2, then revisit my link.
They don't make it easy. Step 1 has no links. Found http://iase.disa.mil/pki-pke/Pages/tools.aspx but still no link for the installer under the Trust Store tab. I guess I can't get it from the general Internet.

InstallRoot 4.1: SIPR Windows Installer *Downloads available on SIPRNet URL Only
I am on the one & only server for the domain.

I created a copy of the Default Domain Policy GPO & created a new Software Restriction Policy within it, but there is very little to work with.

There are just Security Levels & Additional Rules.
SOLUTION (members only; not shown on this page)
I got in, but it's a whitelist approach as you mentioned in the 1st post. I was hoping we could just disable macros. Disabling Office applications is not an option since the business runs on them.
SOLUTION (members only; not shown on this page)
SOLUTION (members only; not shown on this page)
Thanks btan, I will review your links in the morning & inquire about Malwarebytes Anti-Ransomware.

Malwarebytes is suggesting the customer keep their Norton 360 anti-virus too. I would have thought Malwarebytes could catch viruses too. I've seen some reviews that suggest Norton 360 was almost as good as Malwarebytes Endpoint.

Do we need the endpoint suite + Norton 360 + Malwarebytes Anti-Ransomware? Seems like a lot of on-access software that could slow file access down.
SOLUTION (members only; not shown on this page)
The strange thing is that the Malwarebytes rep recommends keeping Norton. Seems odd that the Malwarebytes rep suggests that they are not AV protection:

All of our solutions are compatible with anti-viruses. We are not AVs and we recommend having multiple layers of protection. At Malwarebytes, we focus on zero day newer threats while AVs focus on the older legacy threats. Since malware is mutating every second, it is essential to be protected against these unknown zero day threats as well. Many of our customers use our solutions alongside a free AV but if you currently have a paid version, that will work too. There should be no issues running both protections.
SOLUTION (members only; not shown on this page)
@McKnife, I don't see any admin templates for Office. I guess that feature is only for the newer versions of Office like Office 2016.
The whitelisting approach has some merit but how easy is it to audit all the existing software?

@btan, the screenshots for http://en.wooyun.io/2016/01/28/Bypass-Windows-AppLocker.html use pictographs. Is AppLocker included with Server 2012 or is that an add-on?
SOLUTION (members only; not shown on this page)
@btan - I don't see classic admin templates on our server either. Is there a way to import them?

Edit: I tried Add/Remove template but it doesn't seem to find anything.
SOLUTION (members only; not shown on this page)
@btan It looks like AppLocker may be easier to run than the Software Restriction GPO, but it doesn't work on all Windows 7 Pro (no AppLocker rules are enforced) or Windows 8.1 (only the Enterprise edition supports AppLocker).

I suppose I can use it to audit.
OK, so no AppLocker. I'll find out which versions of Office they are using and download templates.
SOLUTION (members only; not shown on this page)
Getting the templates is probably the easiest project. Just need to identify Office versions.

We are also considering blocking with router filters if we can find one that will support it.
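Once the Office administrative templates are in the GPO, the check worth running on a Windows 7 or 10 workstation is whether the macro policy actually landed, since that is what the thread set out to achieve. The PowerShell script below is an added example written for this page, not code from the thread, Microsoft or Malwarebytes; it assumes the VBAWarnings values documented in the Office ADMX templates and uses a heuristic (a version key under HKLM\Software\Microsoft\Office) to decide which Office versions are installed.

```powershell
# Added example, not from this thread or any of its participants: after pushing the
# Office administrative-template setting "VBA Macro Notification Settings" through a
# GPO, verify on a workstation that the policy actually landed. Office reads
# policy-backed settings from HKCU\Software\Policies\Microsoft\Office\<ver>\<app>\Security.
# VBAWarnings: 1 = enable all, 2 = disable with notification (Trust Center default),
#              3 = disable all except digitally signed, 4 = disable all without notification.

$versions = [ordered]@{ '12.0' = 'Office 2007'; '14.0' = 'Office 2010'; '15.0' = 'Office 2013'; '16.0' = 'Office 2016' }
$apps     = 'Word', 'Excel', 'PowerPoint'      # the usual macro carriers; add others you deploy
$meaning  = @{ 1 = 'enable all'; 2 = 'disable with notification'; 3 = 'disable except signed'; 4 = 'disable all' }

function Get-InstalledOfficeVersions {
    # Assumption (heuristic): a version key under HKLM\Software\Microsoft\Office means that version is present.
    $versions.Keys | Where-Object { Test-Path "HKLM:\Software\Microsoft\Office\$_" }
}

function Get-MacroPolicyAudit {
    foreach ($ver in Get-InstalledOfficeVersions) {
        foreach ($app in $apps) {
            $key   = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
            $value = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
            if ($null -eq $value) { $label = 'no policy (user Trust Center setting applies)' }
            else                  { $label = "$value = $($meaning[[int]$value])" }

            # Office 2016 adds "Block macros from running in Office files from the Internet" (same key).
            $fromInternet = 'n/a (Office 2016+ only)'
            if ($ver -eq '16.0') {
                $b = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
                $fromInternet = if ($b -eq 1) { 'blocked' } else { 'not set' }
            }
            [pscustomobject]@{
                Version           = $versions[$ver]
                Application       = $app
                VBAWarnings       = $label
                Enforced          = ($value -eq 3 -or $value -eq 4)   # only 3 and 4 stop a user from clicking "Enable Content"
                BlockFromInternet = $fromInternet
            }
        }
    }
}

# Run in the session of the user whose GPO you are checking: the policy is user-scoped (HKCU).
$audit = Get-MacroPolicyAudit
$audit | Format-Table -AutoSize
$gaps = @($audit | Where-Object { -not $_.Enforced })
if ($gaps.Count -gt 0) {
    $names = $gaps | ForEach-Object { "$($_.Version) $($_.Application)" }
    Write-Warning ('Macro policy not enforced for: ' + ($names -join ', '))
}
```

Run it after gpupdate in the affected user's session; an "Enforced = False" row means the GPO either did not apply to that user or targets a different Office version than the one installed.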
ASKER CERTIFIED SOLUTION (members only; not shown on this page)
Thanks for all the help. Project on hold.