Stop encryption of network shares using FSRM


With the recent ransomware attack across the world, IT departments should by now be fully patched, but they should also be taking steps to protect themselves in the future. One way of trying to stop encryption of your files on network shares is to utilise the free File Server Resource Manager (FSRM) tool. This tool has been around for a while now and is a critical help for IT departments when setting up file shares – if for nothing more than stopping people putting torrent or MP3 files on your network!

But back to the more serious matter of stopping the encryption of network shares. Below is a full guide on how to setup FSRM and also what to configure.

STEP 1 – Install FSRM

The first step is to get the File Server Resource Manager feature installed on the server. The quickest way to do this is to install it via command line.

For Windows Server 2012, 2012 R2 and Server 2016:

Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

For Windows Server 2008 R2:

Import-Module ServerManager
Add-WindowsFeature FS-FileServer,FS-Resource-Manager

STEP 2 – Configure Email

The first thing to configure is how the server will send email. Go to Control Panel -> Administrative Tools and launch the File Server Resource Manager tools. When loaded, right click at the top of the tree on the left pane and choose Configure Options.

Fill in your SMTP server, the default email address you want to send to, and the from address that the server will use.

STEP 3 – Create New File Group

Once email is configured, expand the File Screen Management tree and click on File Groups. Click Create File Group in the right pane.

We will create a file group called all files that will include (you guessed it…) all files EXCEPT a file called do_not_modify_or_delete.txt.

STEP 4 – Create File Screen Template

In the left pane, select File Screen Templates and create a new template. Choose a name for it (like “EncryptionBlock”), select Passive screening (the write is still allowed, but the notifications fire), and check the box next to the all files file group you created.

Go to the Email Message tab and enable email message alerts. This will send you an email the moment the folder we choose in the next step gets changed.

STEP 5 – Prepare Folder

Before we apply the file screen, navigate to the shared folder directory that you want to protect. Enter the directory and create a new folder called _do not delete – the underscore at the beginning will cause the folder to be sorted first alphabetically, so Cryptolocker will hit this folder first.

Inside the folder, create a text document called do_not_modify_or_delete.txt

STEP 6 – Apply the File Screen

In the left pane, select File Screens and create a new one. Select the _do not delete folder you just created and choose the file screen template you created in Step 4 from the dropdown.

Then click Create.
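The same configuration as Steps 2 to 6, driven from PowerShell instead of the FSRM console. This is an added example and not part of the original article; it uses the FileServerResourceManager module that ships with the FSRM feature on Windows Server 2012 and later, so it does not apply to 2008 R2. The SMTP server, mail addresses, share path and share name are placeholders. The final command action goes beyond what the article configures: it removes the writing account's access to the share so that the encryption stops rather than only being reported, and it assumes the file owner FSRM reports resolves to a domain or local account name.

```powershell
# Added example (not from the original article): FSRM steps 2-6 as PowerShell.
# Requires the FSRM feature from Step 1 on Windows Server 2012 or later.
Import-Module FileServerResourceManager

$SmtpServer = "smtp.example.internal"              # placeholder
$AdminMail  = "it-alerts@example.internal"         # placeholder
$FromMail   = "fsrm@fileserver.example.internal"   # placeholder
$SharePath  = "D:\Shares\Data"                     # placeholder: local path of the protected share
$ShareName  = "Data"                               # placeholder: SMB share name
$CanaryDir  = Join-Path $SharePath "_do not delete"
$CanaryFile = Join-Path $CanaryDir "do_not_modify_or_delete.txt"

# STEP 2: SMTP settings (FSRM console > Configure Options > Email Notifications)
Set-FsrmSetting -SmtpServer $SmtpServer -AdminEmailAddress $AdminMail -FromEmailAddress $FromMail

# STEP 3: file group matching everything except the canary file
New-FsrmFileGroup -Name "all files" -IncludePattern @("*") `
    -ExcludePattern @("do_not_modify_or_delete.txt") | Out-Null

# STEP 4: email notification. [Admin Email], [Source Io Owner], [Source File Path]
# and [Server] are FSRM's own notification variables, expanded when the alert fires.
$mailAction = New-FsrmAction -Type Email -MailTo "[Admin Email]" `
    -Subject "Possible ransomware activity on [Server]" `
    -Body "User [Source Io Owner] wrote [Source File Path], which matched the EncryptionBlock screen on [Server]."

# Optional, beyond the article: deny the writing account access to the share.
# Runs as LocalSystem on the file server when the screen triggers.
$blockAction = New-FsrmAction -Type Command `
    -Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -CommandParameters "-NoProfile -ExecutionPolicy Bypass -Command `"Block-SmbShareAccess -Name '$ShareName' -AccountName '[Source Io Owner]' -Force`"" `
    -SecurityLevel LocalSystem

# Passive screening (-Active:$false) monitors and notifies; it does not refuse the write.
New-FsrmFileScreenTemplate -Name "EncryptionBlock" -IncludeGroup "all files" -Active:$false `
    -Notification @($mailAction, $blockAction) | Out-Null

# STEP 5: canary folder and file. The leading underscore sorts the folder first.
New-Item -ItemType Directory -Path $CanaryDir -Force | Out-Null
Set-Content -Path $CanaryFile -Value "Canary file for FSRM monitoring. Do not modify or delete."

# STEP 6: apply the template to the canary folder
New-FsrmFileScreen -Path $CanaryDir -Template "EncryptionBlock" | Out-Null

# Check: the screen exists, is passive, and carries both notifications
Get-FsrmFileScreen -Path $CanaryDir | Format-List Path, Active, IncludeGroup, Notification

# Alert history is written to the Application log under the SRMSVC provider
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SRMSVC' } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize
```

Run the script once in an elevated PowerShell session on the file server. The two `New-Fsrm*` creation commands fail if an object with the same name already exists, so rerunning it after a change means removing the old file group and template first (`Remove-FsrmFileGroup`, `Remove-FsrmFileScreenTemplate`) or editing them with the matching `Set-Fsrm*` cmdlets. Leave out `$blockAction` from the `-Notification` list if you want the email-only behaviour the article describes.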

ALL DONE!

At this point, you should now have everything set up. If this shared folder were to get hit by Cryptolocker, the _do not delete folder will get hit first. Typically Cryptolocker will change the file extension to something different (like .ecc or .xyz), which will trigger the file screen. At the very least, it will send an email alerting you to the file change so you can investigate.

By utilising FSRM, you will be able to significantly reduce the impact an infection has on your environment and hopefully eliminate the need to restore files from backup.

Source: Chris Reinking
