Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Windows Server 2012 R2 / Using FSRM on Windows File Server to Prevent Ransomware

November 8, 2016 Windows Server 2012 R2

Using FSRM on Windows File Server to Prevent Ransomware

In this article, we’ll consider the methods of using File Server Resource Manager (FSRM) features on a file server running Windows Server 2012 R2 to detect and block ransomware. In particular, we’ll tell how to install FSRM service on the file server, configure file screening, and in the case ransomware detection  block user access to the share.

Contents:
  • How to Detect Ransomware Using FSRM
  • How to Configure the SMTP Settings of FSRM to Send E-Mail Notifications
  • How to Create a Group of File Extensions for the Ransomware
  • File Screen Templates Configuration
  • How to Apply File Screen Template to a Disk or Folder
  • Automatic Block of the User Infected by Ransomware
  • FSRM Protection Test

How to Detect Ransomware Using FSRM

If File Server Resource Manager  (FSRM) feature  is not installed on your file server, install it using Server Manager graphic console or PowerShell command prompt:

Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools

Make sure that the role has been installed:

Get-WindowsFeature -Name FS-Resource-Manager

Install-WindowsFeature FS-Resource-Manager

After the feature has been installed, restart the server.

How to Configure the SMTP Settings of FSRM to Send E-Mail Notifications

The next step is the configuring of SMTP settings of FSRM  to sending e-mail notifications to admins. To do it, start fsrm.msc, right-click the root of File Server Resource Manager console and select Configure Options.

Specify the SMTP server name or IP address, the administrator and sender e-mail addresses.

Tip. If you don’t have an internal mail server, you can configure sending mail using SMTP relay.

FSRM SMTP Settings

To make sure that the SMTP server is configured correctly, send a test e-mail using Send Test E-mail button.

SMTP settings of FSRM can also be configured from PowerShell:

Set-FsrmSetting -AdminEmailAddress "FileServerAdmins@adatum.com" –smtpserver smtp.adatum.com –FromEmailAddress "FSRM@LON-FS02.adatum.com"

How to Create a Group of File Extensions for the Ransomware

The next step is to create a group of files containing known extensions and file names, created by encryption malware during its work.

This list can be created in the FSRM console. To do it, expand File Screening Management -> File Groups and select Create File Group.

fsrm create file group

You have to specify group name (for example, Crypto-files)  and enter all known extensions to the list using Files to include field.

ransomware file group

The list of known file extensions created by ransomware is quite long, so it is easier to create it using PowerShell.

In Windows Server 2012, you can create the file group using PowerShell as follows:

New-FsrmFileGroup -Name "Crypto-files" –IncludePattern @("_Locky_recover_instructions.txt","DECRYPT_INSTRUCTIONS.TXT", "DECRYPT_INSTRUCTION.TXT", "HELP_DECRYPT.TXT", "HELP_DECRYPT.HTML", "DecryptAllFiles.txt", "enc_files.txt", "HowDecrypt.txt", "How_Decrypt.txt", "How_Decrypt.html", "HELP_RESTORE_FILES.txt", , "restore_files*.txt", "restore_files.txt", "RECOVERY_KEY.TXT", "how to decrypt aes files.lnk", "HELP_DECRYPT.PNG", "HELP_DECRYPT.lnk", "DecryptAllFiles*.txt", "Decrypt.exe", "AllFilesAreLocked*.bmp", "MESSAGE.txt","*.locky","*.ezz", "*.ecc", "*.exx", "*.7z.encrypted", "*.ctbl", "*.encrypted", "*.aaa", "*.xtbl", "*.abc", "*.JUST", "*.EnCiPhErEd", "*.cryptolocker","*.micro","*.vvv")

In Windows Server 2008 R2, you will have to use filescrn.exe:

filescrn.exe filegroup add /filegroup:"Crypto-files" /members:"DECRYPT_INSTRUCTIONS.TXT|DECRYPT_INSTRUCTION.TXT| DecryptAllFiles.txt|enc_files.txt|HowDecrypt.txt|How_Decrypt.txt| How_Decrypt.html|HELP_TO_DECRYPT_YOUR_FILES.txt|HELP_RESTORE_FILES.txt| HELP_TO_SAVE_FILES.txt|restore_files*.txt| restore_files.txt|RECOVERY_KEY.TXT|HELP_DECRYPT.PNG|HELP_DECRYPT.lnk| DecryptAllFiles*.txt|Decrypt.exe|ATTENTION!!!.txt|AllFilesAreLocked*.bmp| MESSAGE.txt|*.locky|*.ezz|*.ecc|*.exx|*.7z.encrypted|*.ctbl| *.encrypted|*.aaa|*.xtbl|*.EnCiPhErEd|*.cryptolocker|*.micro|*.vvv| *.ecc|*.ezz|*.exx|*.zzz|*.xyz|*.aaa|*.abc|*.ccc|*.vvv|*.xxx| *.ttt|*.micro|*.encrypted|*.locked|*.crypto|*_crypt|*.crinf| *.r5a|*.XRNT|*.XTBL|*.crypt|*.R16M01D05|*.pzdc|*.good| *.LOL!|*.OMG!|*.RDM|*.RRK|*.encryptedRSA|*.crjoker| *.LeChiffre|*.keybtc@inbox_com|*.0x0|*.bleep|*.1999| *.vault|*.HA3|*.toxcrypt|*.magic|*.SUPERCRYPT|*.CTBL|*.CTB2|*.locky"

Tip. You can make a list of known file extensions yourself or use ready regularly updated lists from the following pages:

https://www.bleib-virenfrei.de/ransomware/

https://fsrm.experiant.ca/api/v1/combined

In the second case, you can download an up-to-date list of file extensions for FSRM directly from the webserver using Invoke-WebRequest

new-FsrmFileGroup -name "Anti-Ransomware File Groups" -IncludePattern @((Invoke-WebRequest -Uri "https://fsrm.experiant.ca/api/v1/combined").content | convertfrom-json | % {$_.filters})

Or use a ready file crypto_extensions.txt. You can save this file to the disk and update the created FSRM file group with it:

$ext_list = Get-Content .\ransomware_extensions.txt
Set-FsrmFileGroup -Name "Crypto-files" -IncludePattern ($ext_list)

File Screen Templates Configuration

Create a new File Screen Template to determine the actions FSRM has to perform if it detects these files. To do it, in the FSRM console go to File Screen Management -> File Screen Templates. Create a new template by selecting Create File Screen Template.

Create File Screen Template

In the Settings tab, specify the template name “Block_crypto_files”, screening type Active screening (do not allow to save these file types) and select Crypto-Files in the list of file groups.

block cryptolocker files template

In the E-mail Message tab, enable sending e-mail notifications and specify text of message subject and body.

email settings
In the Event Log tab, check making an entry to the system log with the note to specify only the name of the user: [Source Io Owner]

event log settings

In the Command tab, you can select what to do if one of these file types is detected. We’ll discuss it a bit later.

Save the changes. One more template will appear in the list.

list of file screen templates

How to Apply File Screen Template to a Disk or Folder

Now you only have to assign the created template to a disk or network share on your  server. In the FSRM console, create a new rule Create File Screen.

Create File Screen.

In File screen path field, specify the local disk or the path to the directory you want to protect from the ransomware, and select the template Block_crypto_files created earlier in the list of templates.

assign template to public folder

Automatic Block of the User Infected by Ransomware

Now you have to configure the action FSRM will perform if files created by encryption malware are detected. We’ll use a ready script: Protect your File Server against Ransomware by using FSRM and Powershell (https://gallery.technet.microsoft.com/scriptcenter/Protect-your-File-Server-f3722fce). What does this script do? At the attempt of writing a prohibited file type to the network share, FSRM runs this script, which analyses the event log and prohibits a user to write files to the shared folder. Thus, the access of the infected user to the network share will be blocked.

Download this script and unpack it to the root of C:\ directory on your file server. Copy SubInACL (a tool that allows to change permissions for the network share) in to the same directory. The following files have to be located in the directory:

  • RansomwareBlockSmb.ps1
  • StartRansomwareBlockSmb.cmd
  • subinacl.exe

StartRansomwareBlockSmb.cmd

Note. I had to change these strings in PS script:

$SubinaclCmd = "C:\subinacl /verbose=1 /share \\127.0.0.1\" + "$SharePart" + " /deny=" + "$BadUser"

and

if ($Rule -match "Crypto-Files")

In the Command tab of “Block crypto files” template settings, specify that the command prompt containing the argument StartRansomwareBlockSmb.cmd must be started:

Run this command or script: c:\windows\system32\cmd.exe

Command arguments: /c “c:\StartRansomwareBlockSmb.cmd”

The command has to be run as Local System.

fsrm event run script

FSRM Protection Test

Let’s test how the FSRM protection against ransomware. To do it, create a file with any extension in the protected directory and try to change this extension to the prohibited one  .locky.

When trying to save the prohibited file, FSRM will make an entry in the log:

Event ID: 8215
Source: SRMSVC

Based on the data from the log, RansomwareBlockSmb.ps1 script will prohibit the current user from accessing this directory, by changing share access permissions.

share permissions

The protection works! In the log located in the root of the disk you can see the directory and the user account the ransomware has been attempted to be run from.

If you need a higher protection level, you can switch from the black list of files to the white list, and then you’ll be able to save only allowed file types.

So, we have considered how to automatically block network share access to the users whose computers are infected by ransomware. Naturally, using FSRM in this way cannot fully protect files on your servers from this kind of malware, but it is suitable as one of the protection levels. In the next articles, we’ll consider another variant of protection against encryption ransomware:

  • How to Recover User Files from VSS Snapshots After Getting Infected with the Ransomware
  • Software Restriction Policies to Prevent Ransomware

 

 

0 comment
2
Facebook Twitter Google + Pinterest
previous post
How to Run SysPrep on Upgraded Windows
next post
How to Filter Event Logs by Username in Windows 2008 and higher

Related Reading

Fix: Remote Desktop Services Is Currently Busy

March 15, 2023

How to Install .NET Framework 3.5 on Windows...

December 12, 2022

Migrating RDS Roles (Connection Broker, Web Access) to...

September 9, 2022

PowerShell Install-Module Error: Unable to Download from URI

April 21, 2022

Configuring Always-On High Availability Groups on SQL Server

December 2, 2021

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • How to Run Program without Admin Privileges and Bypass UAC Prompt?

    March 24, 2023
  • Configure Network Settings on Windows with PowerShell: IP Address, DNS, Default Gateway, Static Routes

    March 24, 2023
  • Exchange Offline Address Book Not Updating in Outlook

    March 21, 2023
  • Attaching Host USB Devices to WSL or Hyper-V VM

    March 20, 2023
  • Sending an E-mail to a Microsoft Teams Channel

    March 17, 2023
  • How to Restore Deleted Users in Azure AD (Microsoft 365)?

    March 16, 2023
  • Fix: Remote Desktop Services Is Currently Busy

    March 15, 2023
  • Send-MailMessage: Sending E-mails with PowerShell

    March 14, 2023
  • Clear Cache and Temp Files in User Profiles on Windows (RDS) with PowerShell and GPO

    March 13, 2023
  • Prevent Users from Creating New Groups in Microsoft 365 (Teams/Outlook)

    March 6, 2023

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Granting Remote Access on SCManager to Non-admin Users
  • How to Obtain SeDebugPrivilege when Debug Program Policy is Enabled
  • Printer Pooling: How to Configure a Printer Pool in Windows Server 2012 R2
  • Windows 10: WSUS Error 0x8024401c
  • How to Install TFTP Server on Windows Server 2012 R2
  • The Requested Resource Is in Use: Cluster Disk Error in Windows Server 2012 R2
  • Configuring Kerberos Authentication on IIS Website
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top