Stop encryption of network shares using FSRM


Last updated on March 30th, 2023 at 05:15 pm


With the recent ransomware attack across the world, IT departments should now be fully patched, but they should also be taking steps to help protect themselves in the future. One way of trying to stop encryption of your files on network shares is to utilise the free File Server Resource Manager (FSRM) tool. This tool has been around for a while now and is a critical help for IT departments when setting up file shares – if for nothing more than stopping people putting torrent or MP3 files on your network!

But back to the more serious matter of stopping the encryption of network shares. Below is a full guide on how to set up FSRM and what to configure.

STEP 1 – Install FSRM

The first step is to get the File Server Resource Manager feature installed on the server. The quickest way to do this is to install it via command line.

For Windows Server 2012, 2012 R2 and Server 2016:

Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

For Windows Server 2008 R2:

Add-WindowsFeature FS-FileServer,FS-Resource-Manager

STEP 2 – Configure Email

The first thing to configure is how the server will send email. Go to Control Panel -> Administrative Tools and launch the File Server Resource Manager tools. When loaded, right click at the top of the tree on the left pane and choose Configure Options.

Fill in your SMTP server, the default email address you want to send to, and the from address that the server will use.

STEP 3 – Create New File Group

Once email is configured, expand the File Screen Management tree and click on File Groups. Click Create File Group in the right pane.

We will create a file group called all files that will include (you guessed it…) all files EXCEPT a file called do_not_modify_or_delete.txt.

STEP 4 – Create File Screen Template

In the left pane, select File Screen Template and create a new template. Choose a name for it (like “EncryptionBlock”), select Passive screening, and check the box next to the all files file group you created.

Go to the Email Message tab and enable email message alerts. This will send you an email the moment the folder we choose in the next step gets changed.

STEP 5 – Prepare Folder

Before we apply the file screen, navigate to the shared folder directory that you want to protect. Enter the directory and create a new folder called _do not delete – the underscore at the beginning will cause the folder to be sorted first alphabetically, so Cryptolocker will hit this folder first.

Inside the folder, create a text document called do_not_modify_or_delete.txt.

STEP 6 – Apply the File Screen

In the left pane, select File Screens and create a new one. Select the _do not delete folder you just created and choose the file screen template you created in Step 4 (“EncryptionBlock”) from the dropdown.

Then click Create.
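The same six steps can be scripted with the FileServerResourceManager PowerShell module that ships with FSRM on Windows Server 2012 and later. This is an added example, not part of the original guide; the SMTP server, e-mail addresses and the share path are assumed placeholders, and the last line is a check that the screen on the sentinel folder really is passive (monitor-only).

```powershell
# Added example (not from the original guide): steps 1-6 as a script using the
# FileServerResourceManager module. Server names, addresses and paths are
# assumed placeholders; replace them with your own.

# Step 1: install FSRM and its management tools
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

# Step 2: mail settings FSRM uses for alerts
Set-FsrmSetting -SmtpServer 'smtp.example.local' `
                -AdminEmailAddress 'itteam@example.local' `
                -FromEmailAddress 'fsrm@fileserver.example.local'

# Step 3: file group matching every file except the sentinel text file
New-FsrmFileGroup -Name 'all files' `
                  -IncludePattern '*' `
                  -ExcludePattern 'do_not_modify_or_delete.txt'

# Step 4: passive template with an e-mail notification.
# [Admin Email], [Server], [Source Io Owner] etc. are FSRM's built-in
# message variables, so the alert names the account that wrote the file.
$mail = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'Possible ransomware activity on [Server]' `
    -Body 'User [Source Io Owner] wrote [Source File Path] under [File Screen Path].'
New-FsrmFileScreenTemplate -Name 'EncryptionBlock' `
    -IncludeGroup 'all files' `
    -Notification $mail        # no -Active switch, so this is Passive screening

# Step 5: sentinel folder and file; the leading underscore sorts it first
$share  = 'D:\Shares\Finance'          # assumed share path
$canary = Join-Path $share '_do not delete'
New-Item -ItemType Directory -Path $canary -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $canary 'do_not_modify_or_delete.txt') -Force | Out-Null

# Step 6: apply the template to the sentinel folder
New-FsrmFileScreen -Path $canary -Template 'EncryptionBlock'

# Check: Active should be False (passive screen alerts but never blocks writes)
Get-FsrmFileScreen -Path $canary | Select-Object Path, Active, IncludeGroup
```

A passive screen only alerts, so legitimate edits inside the folder are never blocked; that is the trade-off behind the guide's choice of Passive screening in Step 4.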

ALL DONE!

At this point, you should have everything set up. If this shared folder were to get hit by Cryptolocker, the _do not delete folder would get hit first. Typically Cryptolocker will change the file extension to something different (like .ecc or .xyz), which will trigger the file screen. At the very least, it will send an email alerting you to the file change so you can investigate.

By utilising FSRM, you will be able to significantly reduce the impact an infection has on your environment and hopefully eliminate the need to restore files from backup.

Source: Chris Reinking



3 thoughts on “Stop encryption of network shares using FSRM”

  1. I’m probably missing something obvious, but what purpose does excluding the text file in the folder serve? Wouldn’t you want to know if it gets changed?
