There has been a lot of talk of the WannaCry malware last couple of weeks and I will try to describe how you can add another layer of security between a infected computer and your central file storage. There is already a few write-ups within this area, most of them only use the File Screen service to block users from creating new files with know extensions or renaming existing ones. This is a good start but it does not actually prevent the user (or the malware running in user context) from deleting all the files on your servers.
Usually the virus creates an encrypted copy of the original file and then when its complete it will try to overwrite the original. But what happens if the malware is not allowed to create the encrypted copy? Well depending on how the malware is written nothing might happen and you will be safe OR it will just ignore the error and continue by deleting the original and move on to the next file. If this happens and you do not have a recent backup you will still loose the files and File Screen will not have helped preventing loss of data.
My solution to this problem is to utilize the function to trigger a command when File Screen blocks something. This command triggers a script that will block the affected user from the Windows share by putting a deny rule for the user in the share permissions. Once the user's computer has been remediated and the malware has been removed the deny rule can easily be removed again.
I have created a PowerShell script both for setting up a new server and one for manage ones that have been already set up (the later will be covered in part 2 of the blogpost).
The scripts can be found here:
http://github.com/matbe/PowerShell/tree/master/FSRM
Disclaimer: The script has only been tested on Windows Server 2012 R2/2016 and requires at least PowerShell 4.0. It should work on Server 2008 R2/2012 if you have updated PowerShell but might need some adjustments.
Setting up
Start by downloading the files from the link above. The first thing you need to do is to copy the RansomwareBlockSmb folder to the C drive on the server you will be installing File Screen on. This can be done manually of you can use the Copy-FSRMFolder script if you need to copy it to multiple server:
$ScriptSourcePath = "\\servername\FSRM\RansomwareBlockSmb" [array]$servers = "<FSRMServer1>","<FSRMServer2>" foreach($server in $servers) { try { Copy-Item $ScriptSourcePath "\\$server\c$" -recurse -Force Write-Host "RansomwareBlockSmb folder copied to \\$server\c$\" } catch { Write-Host $_.Exception.Message } }After this have been done you will need to edit the New-FSRMServer.ps1 script for your needs. Everything that can be customized is under the "Declarations" region.
Important! All values within square brackets [ ] are File Screen variables and should not be changed unless you know what you are doing, they might break the scripts.
# Extensions that will block user access to the share
$ransompattern = @("*.wnry", "*.wcry", "*.wncry", "*.wncryt")
# Disk drives that will be excluded from File Screen
$diskexeptions= "C","T"
# General FSRM Settings
#-------------
$SMTPServer = "smtp.corp.SCCMTest.org"
$SMTPFrom = "noreply@corp.SCCMTest.org"
$AdminEmail = "helpdesk@corp.SCCMTest.org"
#-------------
# Event settings for the "Ransomware template
#-------------
$EventCommand = 'C:\Windows\System32\cmd.exe'
$EventCommandParam = '/c "C:\RansomwareBlockSmb\StartRansomwareBlockSmb.cmd"'
$EventCommandWorkDir = "C:\Windows\System32\"
$EventLogEntry = "[Source Io Owner];[Source File Path];[Violated File Group]"
$SMTPTo = "[Admin Email];[Source Io Owner Email]"
$emailSubject = "Security Announcement from the IT-Department"
$emailBody = @"
Your account have been locked out. The reason is that you or someone in your name have tried to change a file extension to an extension identified as ransomware.
DO THE FOLLOWING!
1. Shut down your computer immediately
2. Have your logon name and computer name ready.
3. Contact Helpdesk immediately and inform them that you have received this message.
TECHNICAL INFORMATION FOR HELPDESK!
File: [Source File Path]
Server: [Server]
Username: [Source Io Owner]
/Your IT-Department
"@$ransompattern is a list of all extensions you want to block, the ones in the script are the known ones for the WannaCry malware.
$diskexeptions is a list of all drives that will NOT have file screen activated of the drive. Any other fixed drive not in this list will get File Screen activated.
$SMTPServer, $SMTPFrom and $AdminEmail are used to set up the general settings for the FSRM server. Make sure the file server is allowed to send anonymous emails or this will not work!
Do not change the $eventcommands unless you want to run another script or you need to change the path for the RansomwareBlockSmb folder.
Do not change $EventLogEntry, if you do the script that blocks the user from the share will not work.
I recommend that you leave $SMTPTo to the default value, if you want more admins to get the email notification add them to the $AdminEmail variable instead.
$emailSubject and $emailbody should be customized to your environment but be aware that the same email will be sent to both end user and administrators so make sure you have enough info in it so the administrator/helpdesk knows which user have been affected.
Execution
Once you are happy with your customizations simply run the script from your management server and point it towards your test server with the following syntax:
Invoke-Command –ComputerName Server1 –FilePath .\New-FSRMServer.ps1Or if you want to run it on multiple servers:
$servers = "server1","server2"
Invoke-Command –ComputerName $servers –FilePath .\New-FSRMServer.ps1Thats it!
What did it do?
If the script ran without any errors it should now have set up a FSRM role with File Screen activated on all drives (except the ones in $diskexeptions). When the script runs it creates a logfile in C:\New-FSRMServer.log (this can be changed in the script), any errors should be logged there. If it fails fix the problem and just re-run the script.
If you open the File Server Resource Manager on the server and right click on "Configure Options.." the values you entered in the script will be filled in under the "Email Notifications" tab.
Under File Screening Management/File Groups the new group "Ransomware_Extentsions" will be created with the specified extenstions.
Under File Screening Management/File Screen Templates there will be a template called "Ransomware", if you right click and choose properties you will find all settings from the script.
Note: The "E-mail Message", "Event Log" and "Command" tabs have some settings that are not available in the GUI and must be set using a script. One of these settings are the "RunLimitInterval" variable. The script sets them as follows:
- E-mail Message = 60 minutes (an email will only be sent out once every hour even if the file screen gets activated multiple times during this time)
- Event Log = 0 minutes (every time a file is blocked it will be logged to the eventlog)
- Command = 0 minutes (the commandline script will be triggered for every file that is blocked, this is required since there could be multiple shares on the same drive)
And finally under File Screening Management/File Screens you will notice that there is a file screen active for each drive based on the template above.
Solution in action
Now when a user or malware try to change extension to a blocked one the following will happen:
- They will be denied by the File Screen server.
- They will shortly after receive an email with the subject and body you provided in the script.
- The File Screen will trigger the RansomwareBlockSmb.ps1 script that will add the affected user to the SMB-share with a deny rule
Disclaimer: This solution is provided as is without any guarantees or warranty. This is something I have customized in my spare time and share "as is". You will have to test this in a lab and verify that everything works before you deploy it in production. Use at your own risk.
Hope this can help you put another layer of security in your environment to protect you from malware. This can of course be used to protect against any Ransomware like CryptoLocker, Locky and just not WannaCry, just add the extension you want to block to the script.
/Matt