the-server.ninja - Sep 6, 2016May 12, 2017

Defeat Ransomware: Use Microsoft File Server Resource Manager (FSRM) – with a twist! | The-Server.Ninja

The-server.ninja Spined HTML

Defeat Ransomware: Use Microsoft File Server Resource Manager (FSRM) – with a twist! | The-Server.Ninja The-Server.Ninja Server Admin by day… Server Ninja by night… Menu Skip to content HomeAbout Search Search for: Defeat Ransomware: Use Microsoft File Server Resource Manager (FSRM) – with a twist! Sep 6, 2016May 12, 2017 / Severn You may have seen some translating floating well-nigh on the internet, showing  you how to use Microsoft’s File Server Resource Manager (FSRM) to prevent Ransomware. The problem with these wares is that they all involve maintaining a woodcut list. You’ll find those woodcut lists rarely alimony up with new variants of Ransomware. So, in this article, i’m going to show you how to defeat ransomware – with a twist! Lemons… good for lemonade. Not so good at vibration Ransomware! First things first, i’m going to seem you’re running Windows Server 2012 / R2, and have not yet installed the FSRM role [if you’re running 2008 R2, skip to near the middle of this article].UnshutPowershell as Administrator Install the FSRM role: Install-WindowsFeature FS-Resource-Manager –IncludeManagementTools Reboot your server if prompted. Configure SMTP settings – this will zestful you if anyone attempts to create an unsafe file in the targeted filepath.Unshutan Admin Powershell prompt and enter: Set-FsrmSetting -AdminEmailAddress "youremailaddress@domain.name" –smtpserver "IP Address of your mail server here" –FromEmailAddress "servername@domain.name" You may need to make some adjustments on your mail server for this to work. Next up, we’re going to configure a new FSRM file group. This is where the twist comes in – your unquestionably going to woodcut EVERY FILE TYPE, then  ONLY indulge the filetypes you know are unscratched – completely eliminating the need to maintain a woodcut list. The script unelevated will imbricate the main filetypes but you’ll need to tailor this to your environment. My recommendation is to install WinDirStat and perform a scan of the share you are targeting. This will list all of the extensions currently in use within the share. With Powershell unshut (remember, right click and run as Administrator); reprinting the pursuit writ and hit enter: new-FsrmFileGroup -Name "AllowUnscratchedFiles Only" -IncludePattern "*.*" -ExcludePattern @("*.bmp","*.jpg","*.gif","*.jpeg","*.tiff","*.png","*.eps","*.tif","*.txt","*.text","*.pdf","*.xls","*.xlsx","*.doc","*.docx","*.ppt","*.pptx","*.pub","*.pubx","*.mpp","*.mdb","*.pst","*.msg","*.wmv","*.mov","*.wav","*.vss","*.vsd","*.fmp12","*.ppsx","*.ldb","*.avi","*.tmp","*.log") If you want to add addtional filetypes; either manually edit the File Group, or run the following  (adding new file extensions using the ,”*.ext” format): set-FsrmFileGroup -Name "AllowUnscratchedFiles Only" -ExcludePattern @("*.bmp","*.jpg","*.gif","*.jpeg","*.tiff","*.png","*.eps","*.tif","*.txt","*.text","*.pdf","*.xls","*.xlsx","*.doc","*.docx","*.ppt","*.pptx","*.pub","*.pubx","*.mpp","*.mdb","*.pst","*.msg","*.wmv","*.mov","*.wav","*.vss","*.vsd","*.fmp12","*.7z","*.zip","*.ppsx","*.tmp","*.ldb","*.avi","*.log","Thumbs.db") Now we’ll set up a new Active File Screen Template: The first script creates the email template. You’ll want to review the text without -Subject, and without -Body. If you’d like the FSRM alerts to be emailed to multiple email addresses, separate them using a semicolon [;] $Notification = New-FsrmAction -Type Email -MailTo "[Admin Email];[Source File Owner Email]" -Subject "Warning!! You have attempted to save unsecure file type – contact ICT immediately!" -Body "You have attempted to create or save an unsecure file type - [Source File Path] on [File Screen Path] on server [Server]. These file types are obstructed by the pursuit rule: [Violated File Group]. If this was unintentional, this could indicate that your computer has been infected with a virus.  Please contact ICT immediately for support." -RunLimitInterval 120 The next script creates the File Screen template: New-FsrmFileScreenTemplate -Name "AllowUnscratchedFiles only" –IncludeGroup "AllowUnscratchedFiles Only" -Notification $Notification -ActiveUnshutthe File Server Resource Manager GUI. Expand File Screening Management – Select File Screen Templates, and Right click onIndulgeSafe Files Only. Select Edit Template Properties… Select the Event Log tab. Make sure Send warning to event log is ticked.  Hit OK. This will record file blocking events to event log.  This will help diagnose any issues later. Next, from the FSRM screen, Right click on File Screens and select Create File Screen… Browse to, and select your share path. From the “Derive properties from this file screen template (recommended)” waif down, select “AllowUnscratchedFiles only” and hit create. Finally, time for testing! Using the file screen rules above, struggle to create two files: filename.txt filename.bat The first file, filename.txt should be created. FSRM will prevent you from creating the second file, filename.bat Shortly without your attempt, you should receive an email alert. Using this information you’ll be worldly-wise to track lanugo the user; determine whether the file was legitimate, or a virus, then take the towardly whoopee (ie add the file extension to the unscratched list, or quarrantine the infected computer). If you’re looking to do with with Windows Server 2008 R2; you’ll need to run a few variegated commands, and perform a little uneaten work in the GUI. First off, install FSRM using the pursuit Powershell commands (remember, you’ll need to unshut Powershell as Administrator): import-module servermanager Add-WindowsFeature FS-FileServer,FS-Resource-Manager Create the File Group using this writ (use pipe | to separate each file extension): filescrn Filegroup Add /Filegroup:"AllowUnscratchedFiles Only" /Members:"*.*" /Nonmembers:"*.bmp|*.jpg|*.gif|*.jpeg|*.tiff|*.png|*.eps|*.tif|*.txt|*.text|*.pdf|*.xls|*.xlsx|*.doc|*.docx|*.ppt|*.pptx|*.pub|*.pubx|*.mpp|*.mdb|*.pst|*.msg|*.wmv|*.mov|*.wav|*.vss|*.vsd|*.fmp12|*.7z|*.zip|*.ppsx|*.ldb|*.avi|*.log" Create a new file screen template: filescrn template add /template:"AllowUnscratchedFiles Only" /Type:Active /Add-Filegroup:"AllowUnscratchedFiles Only"Unshutthe FSRM GUI. Expand file Screen Management, File Screen Templates. Right click on “AllowUnscratchedFiles Only” – select Edit Template Properties Select the “E-mail Message” tab. Select tick box: send e-mail to the pursuit administrators reprinting the pursuit into the box: [Admin Email];[Source File Owner Email]Trammelsthe box for: Send e-mail to the user who attempted to save an unauthorized file In the Subject box, reprinting the following: Warning!! You have attempted to save unsecure file type – contact ICT immediately! In the message body: You have attempted to create or save an unsecure file type - [Source File Path] on [File Screen Path] on server [Server]. These file types are obstructed by the pursuit rule: [Violated File Group]. If this was unintentional, this could indicate that your computer has been infected with a virus.  Please contact ICT immediately for support. Select the Event Log tab, make sure send warning to event log is ticked. Click OK. (you maybe warned that you have not configured your SMTP server yet.  Click Yes. we’ll do that next). Select “Apply template only to derived file screens that match the original template”. Finally, whilst you’re in the FSRM GUI, right click on File Server Resource Manager (local) and select Configure Options… In the options window, select the Email Notifications tab. Enter your server & email details.Unshutthe File Server Resource Manager GUI. Expand File Screening Management – Right click on File Screens and select Create File Screen… Browse to, and select your share path. From the “Derive properties from this file screen template (recommended)” waif down, select “AllowUnscratchedFiles only” and hit create. If users are prevented from saving unrepealable files, but you’re sure that you have widow in the correct file types, it maybe the using uses flipside file type to write a temporary file first.UnshutEvent Viewer (type: eventvwr.msc into the run box). Head to Windows Logs, Application. Look for Event ID 8215, SRMSVR.  This will list each obstructed file.  Look for the .filetype thats stuff obstructed and add to the exceptions list. Advertisements Share this:TwitterFacebookGooglePrintLinkedInPinterestEmailLike this:Like Loading... Related Security, Server, Uncategorized File Server Resource Manager, FSRM, Microsoft, Ransomware, Security, Windows server Post navigation ← Build your own computer defence shield: security infographicWindows Deployment: PXE booting between VLAN’s → Leave a Reply Cancel reply Enter your scuttlebutt here... Please log in using one of these methods to post your comment: Email (required) (Address never made public) Name (required) Website You are commenting using your WordPress.com account. ( Log Out /  Change ) You are commenting using your Google+ account. ( Log Out /  Change ) You are commenting using your Twitter account. ( Log Out /  Change ) You are commenting using your Facebook account. ( Log Out /  Change ) Cancel Connecting to %s Notify me of new comments via email. Notify me of new posts via email. Search for: Recent Posts Powershell – Creating Active Directory User Accounts: with an Office 365 mailbox Jan 11, 2018 GDPR – Getting Started Dec 19, 2017 Windows 10 v1709 Deployment Nov 16, 2017 News: Windows Server 2016 RTM. Now misogynist on the MVLS portal! Oct 13, 2016 Windows Deployment: PXE booting between VLAN’s Sep 13, 2016 Recent Comments Powershell – C… on How to standardize your compan…Severn on Windows Deployment: Advanced P…Severn on Using a Raspberry Pi as a Squi…Wall on Using a Raspberry Pi as a Squi…Severn on Using a Raspberry Pi as a Squi… Archives Archives Select Month Jan 2018  (1) Dec 2017  (1) Nov 2017  (1) Oct 2016  (1) Sep 2016  (2) May 2016  (1) Mar 2016  (2) Dec 2015  (1) Oct 2015  (1) Aug 2015  (1) Jul 2015  (4) May 2015  (4) Apr 2015  (4) Feb 2015  (4) Jan 2015  (3) Apr 2014  (11) Categories Active Directory (4) Cloud (1) Exchange (2) Hyper-V (2) Microsoft (10) Programming (3) Raspberry Pi (1) Security (14) Server (7) Squid (1) Tools & Utilities (7) Uncategorized (4) VPN (1) Windows 10 (2) Windows Deployment (17) Meta Register Log in Entries RSS Comments RSS WordPress.com Advertisements SocialView /pages/The-serverninja/611128422321990’s profile on FacebookView @the_serverninja’s profile on Twitter Follow The-Server.Ninja on WordPress.com Blog at WordPress.com. Post to Cancel Send to Email Address Your Name Your Email Address Cancel Post was not sent - trammels your email addresses! Email trammels failed, please try then Sorry, your blog cannot share posts by email. Privacy & Cookies: This site uses cookies. By standing to use this website, you stipulate to their use. To find out more, including how to tenancy cookies, see here: Cookie Policy %d bloggers like this: