- Create and read SCVMM custom properties with PowerShell and the VMM Console - Mon, Apr 18 2022
- Prevent ransomware attacks on network shares with File Server Resource Manager (FSRM) - Mon, Mar 7 2022
- Block brute force Remote Desktop attacks with Windows PowerShell - Fri, Feb 11 2022
Launch the FSRM MMC snap-in. You can install the FSRM role with the required management tools using the following PowerShell command:
Install-WindowsFeature –Name FS-Resource-Manager –IncludeManagementTools
Please note that this command needs to be run as an Administrator.
Go to the side bar, and under the File Screening Management section, click the File Groups applet. You should see several built-in file groups.
Right-click the File Groups applet and select Create File Group.
For the file group name, enter "All Files," and under "Files to include," enter *.* and click Add.
This is very important because we will be implicitly blocking all file extensions and explicitly allowing certain file extensions. Ransomware has evolved over the years to the point where the extension generated during the encryption process can be dynamic and unique to the server being encrypted. For example, a variant of the REvil ransomware will generate a file extension matching a portion of the UUID of the disk being encrypted. Because of this, it is no longer practical to maintain a list of known ransomware extensions to explicitly block.
Before we apply the implicit block to the network share, we will create an explicit file screen exception to apply.
Go to the side bar, and under the File Screening Management section, click the File Screens applet.
Enter the (local) path where the file screen exception will be applied. Please note that this exception will be applied to the root directory as well as all subdirectories. For this guide, I am going to apply this file screen exception to my collaborative network share: S:\COLLAB.
Select the file extension groups you want to allow to be saved on the server. Since this is a collaborative network share, I am going to allow Audio and Video Files, Compressed Files, Executable Files, Image Files, System Files, Temporary Files, Text Files, and Web Page Files.
You can modify each group of file extensions as needed.
You should see both the new file screen and the file screen exception.
Now, if I go to my collaborative network share and try to create, copy, or modify a file with an extension other than what is explicitly allowed (i.e., *.locked), I will get an error.
Additionally, I am disallowed from copying or creating files with blocked extensions (i.e., *.encrypted).
Subscribe to 4sysops newsletter!
FSRM is a powerful tool that, when set up correctly, can help you audit and manage what data is allowed to be stored on your file shares. And now, it can also be used as an additional measure to ensure that your network share files are not encrypted or modified by ransomware.