Every week, it seems that another company becomes the victim of a coordinated ransomware attack. While several companies offer various products and services to detect and contain ransomware, Microsoft's File Server Resource Manager (FSRM) can be leveraged as an additional tool to prevent the encryption of files on your network shares. In this guide, I will show you how to prevent ransomware attacks on network shares with FSRM.

If the File Server Resource Manager role is not installed yet, install it together with its management tools with the following PowerShell command (run from an elevated session):

Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

Then launch the FSRM MMC snap-in.

Go to the side bar, and under the File Screening Management section, click the File Groups applet. You should see several built-in file groups.

File Server Resource Manager file groups


Right-click the File Groups applet and select Create File Group.

Create a new file group


For the file group name, enter "All Files," and under "Files to include," enter *.* and click Add.

Include all files


This is very important because we will be implicitly blocking all file extensions and explicitly allowing certain file extensions. Ransomware has evolved over the years to the point where the extension generated during the encryption process can be dynamic and unique to the server being encrypted. For example, a variant of the REvil ransomware will generate a file extension matching a portion of the UUID of the disk being encrypted. Because of this, it is no longer practical to maintain a list of known ransomware extensions to explicitly block.

Click OK.

Before we apply the implicit block to the network share, we will create an explicit file screen exception to apply.

Go to the side bar, and under the File Screening Management section, click the File Screens applet.

Create a new file screen exception


Enter the (local) path where the file screen exception will be applied. Please note that this exception will be applied to the root directory as well as all subdirectories. For this guide, I am going to apply this file screen exception to my collaborative network share: S:\COLLAB.

Select the file extension groups you want to allow to be saved on the server. Since this is a collaborative network share, I am going to allow Audio and Video Files, Compressed Files, Executable Files, Image Files, System Files, Temporary Files, Text Files, and Web Page Files.

You can modify each group of file extensions as needed.

File screen exception


Click OK.

You should see both the new file screen and the file screen exception.
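The same implicit-block / explicit-allow configuration can be scripted with the FileServerResourceManager module, which is useful when the screen has to be rolled out to several file servers consistently. The script below is an added example and is not the article's own code. It assumes the block-everything screen sits on the parent folder S:\ and the exception on the collaborative share S:\COLLAB (FSRM applies an exception to a folder beneath a screened path, and the exception overrides the parent screen for that folder and its subfolders); the group names are the built-in FSRM file groups listed above. It also attaches an event-log notification so that each blocked write leaves a trace for your SIEM, and ends with a small verification function that writes one allowed and one blocked file.

```powershell
# Added example (not from the article): implicit block + explicit allow with FSRM cmdlets.
# Assumptions: elevated session, FSRM role installed, screen on S:\ (parent), exception on S:\COLLAB.
#Requires -RunAsAdministrator
Import-Module FileServerResourceManager

$ScreenPath    = 'S:\'        # assumption: parent folder that receives the "block everything" screen
$ExceptionPath = 'S:\COLLAB'  # the collaborative share from the article
$AllowedGroups = @(
    'Audio and Video Files', 'Compressed Files', 'Executable Files', 'Image Files',
    'System Files', 'Temporary Files', 'Text Files', 'Web Page Files'
)

# 1. "All Files" group: *.* covers every extension, including ones ransomware generates dynamically.
if (-not (Get-FsrmFileGroup -Name 'All Files' -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name 'All Files' -IncludePattern '*.*' `
        -Description 'Implicit block for ransomware screening' | Out-Null
}

# 2. Notification action: write an Error event to the Application log for every blocked write.
#    [Source Io Owner], [Source File Path] and [File Screen Path] are FSRM notification variables.
$eventAction = New-FsrmAction -Type Event -EventType Error `
    -Body 'FSRM blocked [Source Io Owner] from saving [Source File Path] under [File Screen Path].'

# 3. Active (enforcing) file screen on the parent path that blocks the All Files group.
if (-not (Get-FsrmFileScreen -Path $ScreenPath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $ScreenPath -IncludeGroup 'All Files' -Active `
        -Notification $eventAction | Out-Null
}

# 4. Exception on the share that explicitly allows the chosen built-in groups.
if (-not (Get-FsrmFileScreenException -Path $ExceptionPath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreenException -Path $ExceptionPath -IncludeGroup $AllowedGroups | Out-Null
}

# 5. Verification: a .txt file (Text Files group) must be accepted, a .locked file must be rejected.
function Test-FsrmScreen {
    param([string]$Folder = $ExceptionPath)
    $result = @{}
    foreach ($name in 'screen-test.txt', 'screen-test.locked') {
        $path = Join-Path $Folder $name
        try {
            Set-Content -Path $path -Value 'test' -ErrorAction Stop
            $result[$name] = 'allowed'
            Remove-Item -Path $path -Force
        } catch {
            # FSRM rejects the create with an access-denied error
            $result[$name] = 'blocked'
        }
    }
    return $result
}

Test-FsrmScreen   # expected: screen-test.txt = allowed, screen-test.locked = blocked
```

Because the screen is active rather than passive, the write is refused at the file system level and the event is raised at the same time; forwarding those Error events (source SRMSVC) to your log collector gives you the first-detection signal that the comments below rely on.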

File screen and file screen exception


Now, if I go to my collaborative network share and try to create, copy, or modify a file with an extension other than what is explicitly allowed (e.g., *.locked), I will get an error.

Test File Before


Test File After


Additionally, I am prevented from copying or creating files with blocked extensions (e.g., *.encrypted).

Copy test file


FSRM is a powerful tool that, when set up correctly, can help you audit and manage what data is allowed to be stored on your file shares. And now, it can also be used as an additional measure to ensure that your network share files are not encrypted or modified by ransomware.

3 Comments
  1. Rastislav 4 months ago

    But when the malware first encrypts the contents of the file and saves it under the original file name, FSRM won’t allow it to rename it, but the data will already be encrypted and therefore lost, right?

    • Lenz 4 months ago

      Not sure you're right, but you can also deny that user access to the file shares after the first detection, so it will encrypt only one file. It's better than the full share…

  2. Olivier 4 months ago

    Using File Screening is not a solution. If you put a "Not allowed extension file" (i.e. video file) in an archive file (i.e. zip), you can do it.
    If you have embedded a not allowed extension file in an allowed extension file, it's good again.

    Don’t believe me, try it yourself, and make up your own mind

© 4sysops 2006 - 2022

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account