Defeat Ransomware: Use Microsoft File Server Resource Manager (FSRM) – with a twist!

You may have seen some advice floating about on the internet, showing you how to use Microsoft’s File Server Resource Manager (FSRM) to prevent Ransomware.

The problem with these articles is that they all involve maintaining a block list. You’ll find those block lists rarely keep up with new variants of Ransomware. So, in this article, I’m going to show you how to defeat ransomware – with a twist!

Lemons... good for lemonade. Not so good at beating Ransomware!



First things first, I’m going to assume you’re running Windows Server 2012 / R2, and have not yet installed the FSRM role [if you’re running 2008 R2, skip to near the middle of this article].

Open PowerShell as Administrator.

Install the FSRM role:

Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools


Reboot your server if prompted.

Configure SMTP settings – this will alert you if anyone attempts to create an unsafe file in the targeted file path. Open an Admin PowerShell prompt and enter:

Set-FsrmSetting -AdminEmailAddress "youremailaddress@domain.name" -SmtpServer "IP Address of your mail server here" -FromEmailAddress "servername@domain.name"

You may need to make some adjustments on your mail server for this to work.

Next up, we’re going to configure a new FSRM file group.

This is where the twist comes in – you’re actually going to block EVERY FILE TYPE, then ONLY allow the file types you know are safe – completely eliminating the need to maintain a block list.

The script below will cover the main filetypes but you’ll need to tailor this to your environment.

My recommendation is to install WinDirStat and perform a scan of the share you are targeting. This will list all of the extensions currently in use within the share.
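If you would rather do the inventory from the command line than with WinDirStat, the following PowerShell (an added example, not part of the original post) lists every extension present in the share with a count, and turns the ones you keep into the `"*.ext"` patterns the file group expects. `$SharePath` is an assumed value; point it at the share you are targeting.

```powershell
# Added example (not from the original post): enumerate the file extensions
# actually present in a share so the "safe" list is built from evidence.
# $SharePath is an assumed value; replace it with the share you are targeting.
$SharePath = "D:\Shares\Company"

$extensions = Get-ChildItem -Path $SharePath -Recurse -File -Force -ErrorAction SilentlyContinue |
    Group-Object -Property { $_.Extension.ToLowerInvariant() } |
    Sort-Object -Property Count -Descending |
    Select-Object @{ Name = 'Extension'; Expression = { if ($_.Name) { $_.Name } else { '(none)' } } },
                  Count

# Review this table: anything users legitimately need goes into the
# -ExcludePattern (allow) list of the file group; anything unexpected is
# worth investigating before you turn the screen on.
$extensions | Format-Table -AutoSize

# Build the "*.ext" pattern list for everything you decide to allow.
# Files with no extension are left out here on purpose.
$allowPatterns = $extensions |
    Where-Object { $_.Extension -ne '(none)' } |
    ForEach-Object { "*$($_.Extension)" }

# Ready to paste after -ExcludePattern in New-FsrmFileGroup / Set-FsrmFileGroup
'@("' + ($allowPatterns -join '","') + '")'
```

Run it before creating the file group, and again on any share you add later: the extension mix differs between departments, and a list copied from one share is the usual reason a screen blocks legitimate work on another.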


With PowerShell open (remember: right-click and Run as Administrator), copy the following command and hit Enter:

New-FsrmFileGroup -Name "Allow Safe Files Only" -IncludePattern "*.*" -ExcludePattern @("*.bmp","*.jpg","*.gif","*.jpeg","*.tiff","*.png","*.eps","*.tif","*.txt","*.text","*.pdf","*.xls","*.xlsx","*.doc","*.docx","*.ppt","*.pptx","*.pub","*.pubx","*.mpp","*.mdb","*.pst","*.msg","*.wmv","*.mov","*.wav","*.vss","*.vsd","*.fmp12","*.ppsx","*.ldb","*.avi","*.tmp","*.log")

FSRM File Groups Window

If you want to add additional file types, either manually edit the File Group, or run the following (adding new file extensions using the ,"*.ext" format; note that -ExcludePattern replaces the whole list, so include every extension you want to keep):

Set-FsrmFileGroup -Name "Allow Safe Files Only" -ExcludePattern @("*.bmp","*.jpg","*.gif","*.jpeg","*.tiff","*.png","*.eps","*.tif","*.txt","*.text","*.pdf","*.xls","*.xlsx","*.doc","*.docx","*.ppt","*.pptx","*.pub","*.pubx","*.mpp","*.mdb","*.pst","*.msg","*.wmv","*.mov","*.wav","*.vss","*.vsd","*.fmp12","*.7z","*.zip","*.ppsx","*.tmp","*.ldb","*.avi","*.log","Thumbs.db")

Now we’ll set up a new Active File Screen Template:

The first command creates the e-mail notification action. You’ll want to review the text after -Subject and after -Body. If you’d like the FSRM alerts to be emailed to multiple email addresses, separate them using a semicolon [;].

$Notification = New-FsrmAction -Type Email -MailTo "[Admin Email];[Source File Owner Email]" -Subject "Warning!! You have attempted to save unsecure file type – contact ICT immediately!" -Body "You have attempted to create or save an unsecure file type - [Source File Path] on [File Screen Path] on server [Server]. These file types are blocked by the following rule: [Violated File Group]. If this was unintentional, this could indicate that your computer has been infected with a virus.  Please contact ICT immediately for support." -RunLimitInterval 120

The next command creates the File Screen template:

New-FsrmFileScreenTemplate -Name "Allow Safe Files only" -IncludeGroup "Allow Safe Files Only" -Notification $Notification -Active

Open the File Server Resource Manager GUI.

Expand File Screening Management

– Select File Screen Templates, and right-click on Allow Safe Files Only. Select Edit Template Properties…

Select the Event Log tab.

Make sure Send warning to event log is ticked. Hit OK.

This will record file blocking events to the event log, which will help diagnose any issues later.


Next, from the FSRM screen, Right click on File Screens and select Create File Screen…

FSRM Menu

Browse to, and select your share path.

From the “Derive properties from this file screen template (recommended)” drop down, select “Allow Safe Files only” and hit create.

FSRM Create File Screen Window
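The two GUI steps above (ticking the event log warning on the template and creating the file screen on the share) can also be done from the same admin PowerShell prompt. The following is an added example, not part of the original post; it assumes the FSRM cmdlets installed earlier and the "Allow Safe Files only" template created above, and `$SharePath` is an assumed value you replace with your share path.

```powershell
# Added example (not from the original post): script the remaining two GUI steps.
# Assumes the FileServerResourceManager cmdlets and the template created above.
# $SharePath is an assumed value; replace it with the share you are targeting.
$SharePath = "D:\Shares\Company"

# Event log warning, equivalent to ticking "Send warning to event log".
# Only FSRM's own placeholders are used in the body text.
$EventAction = New-FsrmAction -Type Event -EventType Warning -Body "Blocked file type [Source File Path] on [File Screen Path] on server [Server]. Rule: [Violated File Group]."

# Keep the e-mail action already on the template and add the event log action.
$template = Get-FsrmFileScreenTemplate -Name "Allow Safe Files only"
$notifications = @($template.Notification) + $EventAction
Set-FsrmFileScreenTemplate -Name "Allow Safe Files only" -Notification $notifications

# Create the file screen on the share, deriving its properties from the template
# (the same thing the "Derive properties from this file screen template" drop-down does).
New-FsrmFileScreen -Path $SharePath -Template "Allow Safe Files only"

# Confirm what is in place before moving on to testing.
Get-FsrmFileScreen -Path $SharePath | Select-Object Path, Active, IncludeGroup, Template
```

Scripting these steps matters once you have more than one share: every screen is derived from the same template, so a later change to the allow list in the file group applies everywhere, and the `Get-FsrmFileScreen` output is a quick way to check that a share really is covered before you rely on it.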

Finally, time for testing!

Using the file screen rules above, attempt to create two files:

filename.txt

filename.bat

The first file, filename.txt should be created.

FSRM will prevent you from creating the second file, filename.bat.

Shortly after your attempt, you should receive an email alert. Using this information you’ll be able to track down the user, determine whether the file was legitimate or a virus, then take the appropriate action (i.e. add the file extension to the safe list, or quarantine the infected computer).

FSRM Email message.


If you’re looking to do this with Windows Server 2008 R2, you’ll need to run a few different commands, and perform a little extra work in the GUI.

First off, install FSRM using the following PowerShell commands (remember, you’ll need to open PowerShell as Administrator):

Import-Module ServerManager

Add-WindowsFeature FS-FileServer,FS-Resource-Manager

Create the File Group using this command (use pipe | to separate each file extension):

filescrn Filegroup Add /Filegroup:"Allow Safe Files Only" /Members:"*.*" /Nonmembers:"*.bmp|*.jpg|*.gif|*.jpeg|*.tiff|*.png|*.eps|*.tif|*.txt|*.text|*.pdf|*.xls|*.xlsx|*.doc|*.docx|*.ppt|*.pptx|*.pub|*.pubx|*.mpp|*.mdb|*.pst|*.msg|*.wmv|*.mov|*.wav|*.vss|*.vsd|*.fmp12|*.7z|*.zip|*.ppsx|*.ldb|*.avi|*.log"

Create a new file screen template:

filescrn template add /template:"Allow Safe Files Only" /Type:Active /Add-Filegroup:"Allow Safe Files Only"

Open the FSRM GUI.

Expand File Screening Management, File Screen Templates.

Right click on “Allow Safe Files Only” – select Edit Template Properties

Select the “E-mail Message” tab.

Select tick box: send e-mail to the following administrators

Copy the following into the box:

[Admin Email];[Source File Owner Email]

Check the box for: Send e-mail to the user who attempted to save an unauthorized file

In the Subject box, copy the following:

Warning!! You have attempted to save unsecure file type – contact ICT immediately!

In the message body:

You have attempted to create or save an unsecure file type - [Source File Path] on [File Screen Path] on server [Server]. These file types are blocked by the following rule: [Violated File Group]. If this was unintentional, this could indicate that your computer has been infected with a virus.  Please contact ICT immediately for support.


Select the Event Log tab, make sure send warning to event log is ticked.

Click OK. (You may be warned that you have not configured your SMTP server yet. Click Yes; we’ll do that next.)

Select “Apply template only to derived file screens that match the original template”.


Finally, whilst you’re in the FSRM GUI, right click on File Server Resource Manager (local) and select Configure Options…


In the options window, select the Email Notifications tab.

Enter your server & email details.


Open the File Server Resource Manager GUI.

Expand File Screening Management – Right click on File Screens and select Create File Screen…


Browse to, and select your share path.

From the “Derive properties from this file screen template (recommended)” drop down, select “Allow Safe Files only” and hit create.



If users are prevented from saving certain files, but you’re sure that you have added the correct file types, it may be that the application writes a temporary file with a different extension first.

Open Event Viewer (type: eventvwr.msc into the run box).

Head to Windows Logs, Application.


Look for Event ID 8215, source SRMSVC. This lists each blocked file. Look for the file type that’s being blocked and add it to the exceptions list.
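Reading those 8215 events one at a time gets tedious on a busy share. The following PowerShell (an added example, not part of the original post) pulls the last week of FSRM file screen violations from the Application log and summarises them by extension, so you can see at a glance which file types an application is trying to write. It assumes the events come from the FSRM service source SRMSVC; the regular expression that pulls the file path out of the event message is an assumption about the message wording, so adjust it if your events differ.

```powershell
# Added example (not from the original post): summarise FSRM file screen
# violations (Event ID 8215) by blocked extension. The source name SRMSVC and
# the path regex are assumptions; adjust if your events look different.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'SRMSVC'
    Id           = 8215
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$blocked = foreach ($e in $events) {
    # Pull every Windows path mentioned in the message; the share path itself
    # normally has no extension, so only the blocked file survives the filter.
    $paths = [regex]::Matches($e.Message, '[A-Za-z]:\\[^\s"]+')
    foreach ($m in $paths) {
        $ext = [System.IO.Path]::GetExtension($m.Value)
        if ($ext) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Path      = $m.Value
                Extension = $ext.ToLowerInvariant()
            }
        }
    }
}

# Which extensions are being blocked, how often, and one example path for each:
# decide per extension whether it belongs on the allow list or is a sign of
# something unwanted (a temp file from an application versus a new encrypted
# extension appearing across many user folders).
$blocked | Group-Object -Property Extension | Sort-Object -Property Count -Descending |
    Select-Object @{ Name = 'Extension'; Expression = { $_.Name } },
                  Count,
                  @{ Name = 'Example'; Expression = { $_.Group[0].Path } } |
    Format-Table -AutoSize
```

A single extension blocked a handful of times from one user’s folder is usually an application’s temp file and goes on the safe list; the same unfamiliar extension appearing hundreds of times across many folders in a few minutes is the pattern you set the screen up to catch, and the e-mail alert should already be in your inbox.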

