Using The Windows File Server Resource Manager To Protect Against Ransomware
Hello everyone! Hello everyone! Welcome back to Exigo Insights’s latest installment. Today, we will be talking about how Windows Server Feature can protect your files from all ransomware attacks. Let’s get started.
Over the past few years, malware’s face has changed. It’s now a different industry. Your data and its importance to you have a value that people want to capitalize on. This is possible thanks to ransomware like CryptoLocker or Locky.
There are many tools that you can use in your organization, including mail filtering and gateway AV. But the File Screening feature on your Windows servers is one you should be using. This allows you to create rulesets that report on or block files on your server.
Many features are available in the File Server Resource Manager role. Ransomware attacks can be mitigated by file screening. File screening allows file servers to be set up to audit all files in real-time for ransomware extensions. The file screen will alert you if a user is infected by ransomware. It will block access to files shares and prevent them from causing damage. This will save you hours of downtime and make it easier to clean up.
This script will configure and set up all of these things in minutes. These are the actions that the script does:
- If the file server resource manager role is not already installed, it will be installed.
- To screen for ransomware file extensions, configure the file server resource manager.
- This script will execute a script when a file has been modified with a ransomware extension. This script blocks SMB access to all files shared on the file server and sends an email message at the email address specified.
These are the prerequisites for writing the script:
- Windows Server 2012 – to use the cmdlet which blocks SMB share access.
- Mail Relay Server – Used to set up email alerts.
How to Run the Script
The script runs very easily. I have created an advanced function that includes all of the parameters required to set up email alerts. We only need to edit the parameters of the function that is being called at the end.
Save the script once you have added your parameters. Hold down Shift and right-click on the.ps1 file to execute the script. Select COPY AS PASSWORD:
To run the script, open an administrative PowerShell prompt. Type in “PowerShell” in the search box.
The script will run and if File Server Resource Manager is not already installed, it will begin installing. Once the script finishes, you can review what was done by clicking on Tools, then selecting File Server Resource Manager.
Selecting the File Groups option in the left pane will bring up our new filegroup, “Ransomware Files”. This contains all our ransomware extensions.
Selecting File Screen Templates from the left pane will show us our “RansomwareCheck” template. To view the configurations, right-click and choose Edit. Ransomeware Files have been selected.
Selecting the Command tab will reveal that the script was created in the scripts directory of the server. This script performs the SMB block action and sends an alert email to the email relay server specified by the script parameters.
Selecting the file screens section of the left pane will reveal that our F drive has an active file screen. The script will scan all volumes available except the C drive, and create a file screen for each volume. You can manually modify this if you wish:
Test the script
This can be used to test the functionality. We can access a file server from a workstation, and navigate to a shared folder. By renaming the extension to “.crypto”, we will replicate the effect of the cryptolocker virus on files. The change is denied.
Our user is also denied access to their mapped drive via the file server.
The email address we specified in the parameters of the script is sent an email. We can see the details about the infected user and the attack on the server. We also receive the command that can again be used to grant access to the user.