

November 8, 2016 Windows Server 2012 R2

Using FSRM on Windows File Server to Prevent Ransomware

In this article, we'll look at how to use File Server Resource Manager (FSRM) on a file server running Windows Server 2012 R2 to detect and block ransomware. We'll show how to install the FSRM service on the file server, configure file screening, and, when ransomware activity is detected, automatically block the infected user's access to the share.

Contents:
  • How to Detect Ransomware Using FSRM
  • How to Configure the SMTP Settings of FSRM to Send E-Mail Notifications
  • How to Create a Group of File Extensions for the Ransomware
  • File Screen Templates Configuration
  • How to Apply File Screen Template to a Disk or Folder
  • Automatic Block of the User Infected by Ransomware
  • FSRM Protection Test

How to Detect Ransomware Using FSRM

If the File Server Resource Manager (FSRM) feature is not installed on your file server, install it from the Server Manager console or with PowerShell:

Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools

Make sure that the feature has been installed:

Get-WindowsFeature -Name FS-Resource-Manager

If the output of Install-WindowsFeature shows Restart Needed: Yes, restart the server before continuing.

How to Configure the SMTP Settings of FSRM to Send E-Mail Notifications

The next step is to configure the FSRM SMTP settings so that it can send e-mail notifications to administrators. To do it, start fsrm.msc, right-click the root node of the File Server Resource Manager console and select Configure Options.

Specify the SMTP server name or IP address, the administrator and sender e-mail addresses.

Tip. If you don't have an internal mail server, you can send the notifications through an SMTP relay.


To make sure that the SMTP server is configured correctly, send a test message using the Send Test E-mail button.

SMTP settings of FSRM can also be configured from PowerShell:

Set-FsrmSetting -AdminEmailAddress "FileServerAdmins@adatum.com" -SmtpServer smtp.adatum.com -FromEmailAddress "FSRM@LON-FS02.adatum.com"

How to Create a Group of File Extensions for the Ransomware

The next step is to create a file group containing the known file extensions and file names that encryption malware creates while it runs (renamed encrypted files and ransom notes).

This list can be created in the FSRM console. To do it, expand File Screening Management -> File Groups and select Create File Group.


Specify a group name (for example, Crypto-files) and enter all known extensions and file names in the Files to include field.


The list of known file extensions created by ransomware is quite long, so it is easier to create it using PowerShell.

In Windows Server 2012 and later, you can create the file group with PowerShell:

New-FsrmFileGroup -Name "Crypto-files" -IncludePattern @("_Locky_recover_instructions.txt","DECRYPT_INSTRUCTIONS.TXT", "DECRYPT_INSTRUCTION.TXT", "HELP_DECRYPT.TXT", "HELP_DECRYPT.HTML", "DecryptAllFiles.txt", "enc_files.txt", "HowDecrypt.txt", "How_Decrypt.txt", "How_Decrypt.html", "HELP_RESTORE_FILES.txt", "restore_files*.txt", "restore_files.txt", "RECOVERY_KEY.TXT", "how to decrypt aes files.lnk", "HELP_DECRYPT.PNG", "HELP_DECRYPT.lnk", "DecryptAllFiles*.txt", "Decrypt.exe", "AllFilesAreLocked*.bmp", "MESSAGE.txt","*.locky","*.ezz", "*.ecc", "*.exx", "*.7z.encrypted", "*.ctbl", "*.encrypted", "*.aaa", "*.xtbl", "*.abc", "*.JUST", "*.EnCiPhErEd", "*.cryptolocker","*.micro","*.vvv")

In Windows Server 2008 R2, which has no FSRM PowerShell module, you will have to use filescrn.exe:

filescrn.exe filegroup add /filegroup:"Crypto-files" /members:"DECRYPT_INSTRUCTIONS.TXT|DECRYPT_INSTRUCTION.TXT|DecryptAllFiles.txt|enc_files.txt|HowDecrypt.txt|How_Decrypt.txt|How_Decrypt.html|HELP_TO_DECRYPT_YOUR_FILES.txt|HELP_RESTORE_FILES.txt|HELP_TO_SAVE_FILES.txt|restore_files*.txt|restore_files.txt|RECOVERY_KEY.TXT|HELP_DECRYPT.PNG|HELP_DECRYPT.lnk|DecryptAllFiles*.txt|Decrypt.exe|ATTENTION!!!.txt|AllFilesAreLocked*.bmp|MESSAGE.txt|*.locky|*.ezz|*.ecc|*.exx|*.7z.encrypted|*.ctbl|*.encrypted|*.aaa|*.xtbl|*.EnCiPhErEd|*.cryptolocker|*.micro|*.vvv|*.zzz|*.xyz|*.abc|*.ccc|*.xxx|*.ttt|*.locked|*.crypto|*_crypt|*.crinf|*.r5a|*.XRNT|*.crypt|*.R16M01D05|*.pzdc|*.good|*.LOL!|*.OMG!|*.RDM|*.RRK|*.encryptedRSA|*.crjoker|*.LeChiffre|*.keybtc@inbox_com|*.0x0|*.bleep|*.1999|*.vault|*.HA3|*.toxcrypt|*.magic|*.SUPERCRYPT|*.CTB2"

Tip. You can maintain the list of known file extensions yourself, or use the ready-made, regularly updated lists from the following pages:

https://www.bleib-virenfrei.de/ransomware/

https://fsrm.experiant.ca/api/v1/combined

In the second case, you can download an up-to-date list of patterns for FSRM directly from the web server using Invoke-WebRequest:

New-FsrmFileGroup -Name "Anti-Ransomware File Groups" -IncludePattern @((Invoke-WebRequest -Uri "https://fsrm.experiant.ca/api/v1/combined").Content | ConvertFrom-Json | ForEach-Object { $_.filters })

Review the downloaded list before applying it. Every pattern in the group becomes a write block on your shares, so a wrong or overly broad entry (one that matches a legitimate document type, for example) stops users from saving those files. Treat the feed as untrusted input: if you automate updates, diff the new list against the previous one and only then call Set-FsrmFileGroup.

Or use a ready-made file, crypto_extensions.txt, with one pattern per line. Save this file to disk and update the created FSRM file group from it:

$ext_list = Get-Content .\crypto_extensions.txt
Set-FsrmFileGroup -Name "Crypto-files" -IncludePattern $ext_list

File Screen Templates Configuration

Create a new File Screen Template that determines the actions FSRM performs when it detects these files. In the FSRM console go to File Screening Management -> File Screen Templates and select Create File Screen Template.


In the Settings tab, specify the template name Block_crypto_files, select the screening type Active screening (do not allow users to save these file types) and select Crypto-files in the list of file groups. Passive screening would only log the event and let the write succeed.


In the E-mail Message tab, enable e-mail notifications and specify the message subject and body.

In the Event Log tab, enable Send warning to event log and put the FSRM variable [Source Io Owner] in the message text, so that the log entry records the account that attempted the write. The blocking script described below reads the user name from this entry.


In the Command tab, you can specify a command or script to run when one of these file types is detected. We'll come back to this later.

Save the changes. The new template will appear in the list.


How to Apply File Screen Template to a Disk or Folder

Now you only have to assign the created template to a disk or shared folder on your server. In the FSRM console, go to File Screening Management -> File Screens and select Create File Screen.


In the File screen path field, specify the local disk or the path to the folder you want to protect from ransomware, and select the Block_crypto_files template created earlier from the list of templates.

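The three steps above (file group, file screen template, file screen) can be scripted end to end. The following is an added example, not code from the original article; it assumes a protected folder D:\Shares\Public and uses only a short, constructed subset of the pattern list, so substitute the full list or a maintained feed before relying on it:

```powershell
# Added example (not from the original article): deploys the file group,
# template and file screen in one pass. Assumed names: group "Crypto-files",
# template "Block_crypto_files", protected folder D:\Shares\Public.
$GroupName    = 'Crypto-files'
$TemplateName = 'Block_crypto_files'
$ProtectPath  = 'D:\Shares\Public'

# Constructed subset of the pattern list; extend it with the full list
$Patterns = @(
    '*.locky', '*.ezz', '*.ecc', '*.exx', '*.encrypted', '*.cryptolocker',
    'HELP_DECRYPT.TXT', 'HELP_DECRYPT.HTML', 'DECRYPT_INSTRUCTIONS.TXT',
    '_Locky_recover_instructions.txt', 'restore_files*.txt'
)

# Create the file group, or update it if it already exists (safe to re-run)
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns | Out-Null
}

# Notification actions. The square-bracket tokens are FSRM variables expanded
# by the service at event time ([Source Io Owner] = account that wrote the file).
$MailAction = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'Ransomware file detected on [Server]' `
    -Body 'User [Source Io Owner] tried to save [Source File Path] (file group [Violated File Group]) under [File Screen Path].'

$EventAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Ransomware pattern [Source File Path] written by [Source Io Owner]'

# Active template: writes matching the group are refused, not merely reported
if (-not (Get-FsrmFileScreenTemplate -Name $TemplateName -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreenTemplate -Name $TemplateName -IncludeGroup $GroupName `
        -Active -Notification @($MailAction, $EventAction) | Out-Null
}

# A file screen is per path: apply the template to each share root you protect
if (-not (Get-FsrmFileScreen -Path $ProtectPath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $ProtectPath -Template $TemplateName | Out-Null
}

# Verify: the screen should be Active and bound to the template
Get-FsrmFileScreen -Path $ProtectPath | Select-Object Path, Template, Active, IncludeGroup
```

The script checks for each object before creating it, so it can be re-run after updating the pattern list without producing duplicate-name errors; the Set-FsrmFileGroup branch is the one that actually refreshes the patterns on subsequent runs.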

Automatic Block of the User Infected by Ransomware

Now you have to configure the action FSRM performs when files created by encryption malware are detected. We'll use a ready-made script: Protect your File Server against Ransomware by using FSRM and Powershell (https://gallery.technet.microsoft.com/scriptcenter/Protect-your-File-Server-f3722fce). What does this script do? When a prohibited file type is written to the network share, FSRM runs the script, which reads the user name from the event log entry and adds a deny for that user on the shared folder. The infected user thus loses access to the network share. Note that the deny is applied to the share permissions, so it only affects access over SMB: a process running locally on the server, or an account the script skips, is not stopped by it.

Download the script and unpack it to the root of C:\ on your file server. Copy SubInACL (a Microsoft tool for changing share and NTFS permissions) to the same directory. The directory should then contain the following files:

  • RansomwareBlockSmb.ps1
  • StartRansomwareBlockSmb.cmd
  • subinacl.exe


Note. I had to change these lines in the PS script:

$SubinaclCmd = "C:\subinacl /verbose=1 /share \\127.0.0.1\" + "$SharePart" + " /deny=" + "$BadUser"

and

if ($Rule -match "Crypto-Files")

In the Command tab of the Block_crypto_files template settings, specify that cmd.exe is to be run with StartRansomwareBlockSmb.cmd as its argument:

Run this command or script: c:\windows\system32\cmd.exe

Command arguments: /c “c:\StartRansomwareBlockSmb.cmd”

The command has to be run as Local System, since changing share permissions requires administrative rights on the server.
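The same reaction (deny the writing user on the share) can be implemented without SubInACL, using the SmbShare cmdlets that ship with Windows Server 2012 and later and taking the user and file path straight from FSRM variables instead of parsing the event log. The following is an added example, not the TechNet gallery script the article uses; it assumes the script is saved as C:\FSRM\Block-RansomwareUser.ps1 and logs to C:\FSRM\RansomwareBlock.log:

```powershell
# Added example, not the gallery script from the article. FSRM passes the
# account and the refused file path in as parameters via its variables.
# Assumed location: C:\FSRM\Block-RansomwareUser.ps1
param(
    # "[Source Io Owner]" expands to DOMAIN\user
    [Parameter(Mandatory)] [string] $User,
    # "[Source File Path]" expands to the full local path of the refused file
    [Parameter(Mandatory)] [string] $FilePath,
    [string] $LogFile = 'C:\FSRM\RansomwareBlock.log'
)

function Write-BlockLog([string] $Message) {
    Add-Content -Path $LogFile -Value "$(Get-Date -Format s) $Message"
}

# Never lock out the machine or privileged groups on a false positive;
# computer accounts end in '$'
$NeverBlock = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
if ($NeverBlock -contains $User -or $User -like '*$') {
    Write-BlockLog "SKIP user=$User file=$FilePath"
    return
}

# Map the local path to the non-administrative share(s) that expose it,
# longest share path first (ignore C$-style admin shares: Special = True)
$Shares = Get-SmbShare |
    Where-Object { -not $_.Special -and $_.Path -and
                   $FilePath.StartsWith($_.Path.TrimEnd('\') + '\', 'OrdinalIgnoreCase') } |
    Sort-Object { $_.Path.Length } -Descending

if (-not $Shares) {
    Write-BlockLog "NOSHARE user=$User file=$FilePath"
    return
}

foreach ($Share in $Shares) {
    # A share-level Deny overrides any NTFS Allow, so the user loses the whole share
    Block-SmbShareAccess -Name $Share.Name -AccountName $User -Force
    Write-BlockLog "BLOCKED user=$User share=$($Share.Name) file=$FilePath"
}

# Register it once from an elevated prompt (the FSRM Command action replaces the
# cmd.exe/StartRansomwareBlockSmb.cmd pair from the Command tab):
#   $Cmd = New-FsrmAction -Type Command -SecurityLevel LocalSystem -WorkingDirectory 'C:\FSRM' `
#       -Command 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
#       -CommandParameters '-NonInteractive -ExecutionPolicy Bypass -File C:\FSRM\Block-RansomwareUser.ps1 -User "[Source Io Owner]" -FilePath "[Source File Path]"'
#   $T = Get-FsrmFileScreenTemplate -Name 'Block_crypto_files'
#   Set-FsrmFileScreenTemplate -Name 'Block_crypto_files' -Notification ($T.Notification + $Cmd) -UpdateDerived
```

Undo a block with Unblock-SmbShareAccess -Name <share> -AccountName <DOMAIN\user> -Force once the client has been cleaned. The skip list is deliberately short: extend it with your backup and service accounts, since any of them writing a file that matches the group would otherwise be denied on the share.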


FSRM Protection Test

Let's test how FSRM protects against ransomware. To do it, create a file with any extension in the protected directory and try to change its extension to a prohibited one, .locky.

When the user tries to save the prohibited file, FSRM refuses the write and makes an entry in the Application log:

Event ID: 8215
Source: SRMSVC

Based on the data from the log, the RansomwareBlockSmb.ps1 script denies the current user access to the share by changing the share permissions.


The protection works! In the log file the script writes to the root of the disk you can see the directory and the user account from which the ransomware attempted to write.
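The manual test above can be turned into two repeatable checks: one run on a client as a throw-away test account, one run on the file server afterwards. This is an added example, not part of the original article; it assumes the share \\LON-FS02\Public (share name Public) is the protected path and that the test account is ADATUM\fsrmtest:

```powershell
# Added example, not from the original article. Assumed names: share
# \\LON-FS02\Public (share name Public), test account ADATUM\fsrmtest.

# Client side, run as the test account: a plain file must save, and renaming it
# to a screened extension must fail. Returns $true when the screen blocked it.
function Test-FsrmScreen {
    param([string] $Share = '\\LON-FS02\Public')
    $Probe   = Join-Path $Share "fsrm-probe-$PID.txt"
    $Renamed = $Probe -replace '\.txt$', '.locky'
    'probe' | Set-Content -Path $Probe
    try {
        Rename-Item -Path $Probe -NewName (Split-Path $Renamed -Leaf) -ErrorAction Stop
        Write-Warning "Rename to .locky succeeded: no active screen on $Share"
        return $false
    } catch {
        Write-Host "Blocked as expected: $($_.Exception.Message)"
        return $true
    } finally {
        # The .txt probe is still there when the screen worked. The block script may
        # already have denied this account on the share, so ignore clean-up failures.
        Remove-Item -Path $Probe, $Renamed -ErrorAction SilentlyContinue
    }
}

# Server side: SRMSVC logs each refusal as event 8215 in the Application log,
# and the block script should have added a share-level Deny for the account.
function Confirm-FsrmBlock {
    param([string] $ShareName = 'Public', [string] $Account = 'ADATUM\fsrmtest')
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SRMSVC'; Id = 8215 } -MaxEvents 5 |
        Select-Object TimeCreated, Message
    Get-SmbShareAccess -Name $ShareName |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.AccountName -eq $Account }
}

# Usage: Test-FsrmScreen on the client, then Confirm-FsrmBlock on the server.
# Afterwards lift the deny on the test account:
#   Unblock-SmbShareAccess -Name Public -AccountName ADATUM\fsrmtest -Force
```

Use a dedicated test account for this, since a successful test leaves that account denied on the share until you run Unblock-SmbShareAccess.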

If you need a higher protection level, you can switch from a black list of files to a white list: create a file group that includes * and excludes the file types your users are allowed to save, and screen on that group, so only the allowed file types can be written.

So, we have considered how to automatically block network share access for users whose computers are infected with ransomware. Naturally, using FSRM in this way cannot fully protect the files on your servers from this kind of malware (it only catches the known names and extensions in your file group), but it is suitable as one of several protection layers. In the next articles, we'll consider other ways of protecting against encryption ransomware:

  • How to Recover User Files from VSS Snapshots After Getting Infected with the Ransomware
  • Software Restriction Policies to Prevent Ransomware
