Windows OS Hub
  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange

 Windows OS Hub / Windows Server 2012 R2 / Using FSRM on Windows File Server to Prevent Ransomware

November 8, 2016 Windows Server 2012 R2

Using FSRM on Windows File Server to Prevent Ransomware

In this article, we’ll consider the methods of using File Server Resource Manager (FSRM) features on a file server running Windows Server 2012 R2 to detect and block ransomware. In particular, we’ll tell how to install FSRM service on the file server, configure file screening, and in the case ransomware detection  block user access to the share.

Contents:
  • How to Detect Ransomware Using FSRM
  • How to Configure the SMTP Settings of FSRM to Send E-Mail Notifications
  • How to Create a Group of File Extensions for the Ransomware
  • File Screen Templates Configuration
  • How to Apply File Screen Template to a Disk or Folder
  • Automatic Block of the User Infected by Ransomware
  • FSRM Protection Test

How to Detect Ransomware Using FSRM

If File Server Resource Manager  (FSRM) feature  is not installed on your file server, install it using Server Manager graphic console or PowerShell command prompt:

Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools

Make sure that the role has been installed:

Get-WindowsFeature -Name FS-Resource-Manager

Install-WindowsFeature FS-Resource-Manager

After the feature has been installed, restart the server.

How to Configure the SMTP Settings of FSRM to Send E-Mail Notifications

The next step is the configuring of SMTP settings of FSRM  to sending e-mail notifications to admins. To do it, start fsrm.msc, right-click the root of File Server Resource Manager console and select Configure Options.

Specify the SMTP server name or IP address, the administrator and sender e-mail addresses.

Tip. If you don’t have an internal mail server, you can configure sending mail using SMTP relay.

FSRM SMTP Settings

To make sure that the SMTP server is configured correctly, send a test e-mail using Send Test E-mail button.

SMTP settings of FSRM can also be configured from PowerShell:

Set-FsrmSetting -AdminEmailAddress "FileServerAdmins@adatum.com" –smtpserver smtp.adatum.com –FromEmailAddress "FSRM@LON-FS02.adatum.com"

How to Create a Group of File Extensions for the Ransomware

The next step is to create a group of files containing known extensions and file names, created by encryption malware during its work.

This list can be created in the FSRM console. To do it, expand File Screening Management -> File Groups and select Create File Group.

fsrm create file group

You have to specify group name (for example, Crypto-files)  and enter all known extensions to the list using Files to include field.

ransomware file group

The list of known file extensions created by ransomware is quite long, so it is easier to create it using PowerShell.

In Windows Server 2012, you can create the file group using PowerShell as follows:

New-FsrmFileGroup -Name "Crypto-files" –IncludePattern @("_Locky_recover_instructions.txt","DECRYPT_INSTRUCTIONS.TXT", "DECRYPT_INSTRUCTION.TXT", "HELP_DECRYPT.TXT", "HELP_DECRYPT.HTML", "DecryptAllFiles.txt", "enc_files.txt", "HowDecrypt.txt", "How_Decrypt.txt", "How_Decrypt.html", "HELP_RESTORE_FILES.txt", , "restore_files*.txt", "restore_files.txt", "RECOVERY_KEY.TXT", "how to decrypt aes files.lnk", "HELP_DECRYPT.PNG", "HELP_DECRYPT.lnk", "DecryptAllFiles*.txt", "Decrypt.exe", "AllFilesAreLocked*.bmp", "MESSAGE.txt","*.locky","*.ezz", "*.ecc", "*.exx", "*.7z.encrypted", "*.ctbl", "*.encrypted", "*.aaa", "*.xtbl", "*.abc", "*.JUST", "*.EnCiPhErEd", "*.cryptolocker","*.micro","*.vvv")

In Windows Server 2008 R2, you will have to use filescrn.exe:

filescrn.exe filegroup add /filegroup:"Crypto-files" /members:"DECRYPT_INSTRUCTIONS.TXT|DECRYPT_INSTRUCTION.TXT| DecryptAllFiles.txt|enc_files.txt|HowDecrypt.txt|How_Decrypt.txt| How_Decrypt.html|HELP_TO_DECRYPT_YOUR_FILES.txt|HELP_RESTORE_FILES.txt| HELP_TO_SAVE_FILES.txt|restore_files*.txt| restore_files.txt|RECOVERY_KEY.TXT|HELP_DECRYPT.PNG|HELP_DECRYPT.lnk| DecryptAllFiles*.txt|Decrypt.exe|ATTENTION!!!.txt|AllFilesAreLocked*.bmp| MESSAGE.txt|*.locky|*.ezz|*.ecc|*.exx|*.7z.encrypted|*.ctbl| *.encrypted|*.aaa|*.xtbl|*.EnCiPhErEd|*.cryptolocker|*.micro|*.vvv| *.ecc|*.ezz|*.exx|*.zzz|*.xyz|*.aaa|*.abc|*.ccc|*.vvv|*.xxx| *.ttt|*.micro|*.encrypted|*.locked|*.crypto|*_crypt|*.crinf| *.r5a|*.XRNT|*.XTBL|*.crypt|*.R16M01D05|*.pzdc|*.good| *.LOL!|*.OMG!|*.RDM|*.RRK|*.encryptedRSA|*.crjoker| *.LeChiffre|*.keybtc@inbox_com|*.0x0|*.bleep|*.1999| *.vault|*.HA3|*.toxcrypt|*.magic|*.SUPERCRYPT|*.CTBL|*.CTB2|*.locky"

Tip. You can make a list of known file extensions yourself or use ready regularly updated lists from the following pages:

https://www.bleib-virenfrei.de/ransomware/

https://fsrm.experiant.ca/api/v1/combined

In the second case, you can download an up-to-date list of file extensions for FSRM directly from the webserver using Invoke-WebRequest

new-FsrmFileGroup -name "Anti-Ransomware File Groups" -IncludePattern @((Invoke-WebRequest -Uri "https://fsrm.experiant.ca/api/v1/combined").content | convertfrom-json | % {$_.filters})

Or use a ready file crypto_extensions.txt. You can save this file to the disk and update the created FSRM file group with it:

$ext_list = Get-Content .\ransomware_extensions.txt
Set-FsrmFileGroup -Name "Crypto-files" -IncludePattern ($ext_list)

File Screen Templates Configuration

Create a new File Screen Template to determine the actions FSRM has to perform if it detects these files. To do it, in the FSRM console go to File Screen Management -> File Screen Templates. Create a new template by selecting Create File Screen Template.

Create File Screen Template

In the Settings tab, specify the template name “Block_crypto_files”, screening type Active screening (do not allow to save these file types) and select Crypto-Files in the list of file groups.

block cryptolocker files template

In the E-mail Message tab, enable sending e-mail notifications and specify text of message subject and body.

email settings
In the Event Log tab, check making an entry to the system log with the note to specify only the name of the user: [Source Io Owner]

event log settings

In the Command tab, you can select what to do if one of these file types is detected. We’ll discuss it a bit later.

Save the changes. One more template will appear in the list.

list of file screen templates

How to Apply File Screen Template to a Disk or Folder

Now you only have to assign the created template to a disk or network share on your  server. In the FSRM console, create a new rule Create File Screen.

Create File Screen.

In File screen path field, specify the local disk or the path to the directory you want to protect from the ransomware, and select the template Block_crypto_files created earlier in the list of templates.

assign template to public folder

Automatic Block of the User Infected by Ransomware

Now you have to configure the action FSRM will perform if files created by encryption malware are detected. We’ll use a ready script: Protect your File Server against Ransomware by using FSRM and Powershell (https://gallery.technet.microsoft.com/scriptcenter/Protect-your-File-Server-f3722fce). What does this script do? At the attempt of writing a prohibited file type to the network share, FSRM runs this script, which analyses the event log and prohibits a user to write files to the shared folder. Thus, the access of the infected user to the network share will be blocked.

Download this script and unpack it to the root of C:\ directory on your file server. Copy SubInACL (a tool that allows to change permissions for the network share) in to the same directory. The following files have to be located in the directory:

  • RansomwareBlockSmb.ps1
  • StartRansomwareBlockSmb.cmd
  • subinacl.exe

StartRansomwareBlockSmb.cmd

Note. I had to change these strings in PS script:

$SubinaclCmd = "C:\subinacl /verbose=1 /share \\127.0.0.1\" + "$SharePart" + " /deny=" + "$BadUser"

and

if ($Rule -match "Crypto-Files")

In the Command tab of “Block crypto files” template settings, specify that the command prompt containing the argument StartRansomwareBlockSmb.cmd must be started:

Run this command or script: c:\windows\system32\cmd.exe

Command arguments: /c “c:\StartRansomwareBlockSmb.cmd”

The command has to be run as Local System.

fsrm event run script

FSRM Protection Test

Let’s test how the FSRM protection against ransomware. To do it, create a file with any extension in the protected directory and try to change this extension to the prohibited one  .locky.

When trying to save the prohibited file, FSRM will make an entry in the log:

Event ID: 8215
Source: SRMSVC

Based on the data from the log, RansomwareBlockSmb.ps1 script will prohibit the current user from accessing this directory, by changing share access permissions.

share permissions

The protection works! In the log located in the root of the disk you can see the directory and the user account the ransomware has been attempted to be run from.

If you need a higher protection level, you can switch from the black list of files to the white list, and then you’ll be able to save only allowed file types.

So, we have considered how to automatically block network share access to the users whose computers are infected by ransomware. Naturally, using FSRM in this way cannot fully protect files on your servers from this kind of malware, but it is suitable as one of the protection levels. In the next articles, we’ll consider another variant of protection against encryption ransomware:

  • How to Recover User Files from VSS Snapshots After Getting Infected with the Ransomware
  • Software Restriction Policies to Prevent Ransomware

 

 

0 comment
2
Facebook Twitter Google + Pinterest
previous post
How to Run SysPrep on Upgraded Windows
next post
How to Upgrade VM Hardware Version in VMWare ESXi

Related Reading

How to Backup Hyper-V Virtual Machines?

December 10, 2019

How to Measure Storage Performance and IOPS on...

October 30, 2019

Installing SFTP (SSH FTP) Server on Windows with...

October 2, 2019

How to Approve and Decline WSUS Updates?

September 26, 2019

How to Disable NTLM Authentication in Windows Domain?

September 24, 2019

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange
  • Windows 10
  • Windows 8
  • Windows 7
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2008 R2
  • PowerShell
  • VMWare
  • MS Office

Follow us

woshub.com

Recent Posts

  • The Disk is Offline Because of Policy Set by an Administrator

    December 12, 2019
  • How to Backup Hyper-V Virtual Machines?

    December 10, 2019
  • How to Change a Network Location from Public to Private on Windows 10/Windows Server 2016?

    December 9, 2019
  • Configuring Storage Replica on Windows Server 2016

    December 4, 2019
  • Windows 10 Install Error 0x80300024

    December 2, 2019
  • Running PowerShell Script (*.PS1) as a Windows Service

    November 27, 2019
  • Creating Multiple Partitions on a USB Drive in Windows 10

    November 26, 2019
  • VMWare vSphere: Failed to Upload Files to Datastore

    November 21, 2019
  • How to Delete Old User Profiles Using GPO and PowerShell?

    November 19, 2019
  • Get-ADUser: Getting Active Directory Users Info via Powershell

    November 18, 2019
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Granting Remote Access on SCManager to Non-admin Users
  • Schedule Task to Start When Another Task Finishes
  • The Remote Desktop Session Host Server Does Not Have a Remote Desktop License Server Specified
  • Fix: Server Stuck on “Preparing to Configure Windows”
  • Printer Pooling: How to Configure a Printer Pool in Windows Server 2012 R2
  • Windows.edb File Too Big – How to Reduce Size
  • How to Run File Explorer Elevated
Footer Logo

@2014 - 2018 - Windows OS Hub. All about operating systems for sysadmins


Back To Top