GCITech

Network share, security

I work at a 35-user business where many files are shared. Some files are on a NAS box, and some are just shared on one of the servers (2003 and 2012). We have used mapped drives for years, but with the arrival of crypto malware I am trying to minimize the potential damage when a user gets infected. My thought was to set up a batch file to open the share with no drive letter mapping, such as
start \\servername\share user:name password. The result is that the share folder opens, they have access to what they want, and when the browse window is closed, the connection ends. Except it really doesn't, because after opening and closing it the first time, we can now just browse to the share and open it without credentials, as the session evidently doesn't actually terminate.
I also work for three small schools with the same situation, which I am trying to resolve. Any suggestions will be greatly appreciated.
ste5an

Actual crypto viruses don't need mapped drives. They can already work on accessible UNC shares when write/delete permissions exist.

The only effective measure against such threats is simply a good backup strategy. In particular, this means that the backup media is not accessible after the backups are taken.
btan

Actually, restricting use of file shares is just a means to an end. I would rather you gain a deeper understanding of why ransomware can get into your system in the first place. For the record, the malware gets onto the machine due to an unpatched vulnerability on the machine or due to poor user awareness, where users click on a phishing link or open an attached file. Visiting non-reputable sites and plugging in unauthorized or personal thumb drives expose the machine further. Users running as administrator by default worsen the situation. These are systemic issues that you should focus on more.

File sharing over a vulnerable protocol such as SMBv1 should be disabled. You should be using SMBv3 where possible, otherwise SMBv2.

Segregate your network so that critical servers are not directly reachable from all clients; segment with VLANs for management, users, backup, wired vs. wireless, guest, Internet, etc.

Demand higher hygiene and discipline on the machines. Patch them early. Get AV signatures pushed down. Users should be just users and not have administrator access. Use only authorised thumb drives. Scan before use.

Besides the file shares, ask users to do housekeeping and unmap drives, even though you mentioned the batch approach. Ransomware would not really care whether it is a mapped drive, if it is a targeted one that checks for SMB existence.

Consider anti-ransomware software, e.g. from Malwarebytes, or at minimum application whitelisting using something like AppLocker, or CryptoPrevent. Windows has Controlled Folder Access in the latest version.

Importantly, keep to a backup regime; this is very critical as the last resort if ransomware gets through the checks. Remember to keep the backup offline and not in network shares reachable by user machines, otherwise the ransomware may encrypt it too. Adopt the 3-2-1-1 principle:
- Have at least three copies of your data.
- Store the copies on two different media.
- Keep one backup copy offsite.
- Check that at least one copy is recoverable.

Better to adopt a more comprehensive approach, as this threat is evolving beyond just file shares. You can check out the link below for other details too.

https://www.experts-exchange.com/articles/28059/TL-DR-Ransomware-Infected.html

ASKER

Expert ste5an: I am aware crypto no longer requires mapped drives and can access open shares, hence the batch files I suggested, with credentials to the share. The solution I need is for Windows to not "remember" those credentials when the share is closed. The batch file works correctly if the computer is rebooted every time after the share is closed, but that is obviously not a good solution. I was hoping for a way to force Windows to "forget" the credentials used in the batch file when the share is closed.

Expert btan: I appreciate the time you took, and it is all good advice. However, in public education scenarios and non-profits, much of what you propose is impossible to implement due to the volume of users and the amount of time and money available to address the issue. I agree with all you have suggested, but at the moment I am looking for a faster strategy, requiring less time and money, to minimise risk somewhat. What I have proposed will work if Windows can be set, in the registry or elsewhere, to disconnect a share in a timely manner, or to not save credentials within the same user session.

Thanks to both of you; I am still hoping someone can provide more knowledge.
In this case: if it were possible, then you would have created another security issue. You have stored credentials on the client.

But when you delete all network drives using this credential, you should be able to remove the cached credentials using klist /purge. And as long as those credentials are not in the key ring (cmdkey /list), you should have what you want (with the above caveat).

ASKER

Excellent! Now we are making some progress!! I am aware that I have created a security issue, in that the credentials are now stored on the client PC. However, at least there will be no access to the share unless it is already open, or the malware is smart enough to check every batch file on the PC and harvest and use those, which in this case is a risk acceptable to me. I was not familiar with the klist command or the cmdkey command. So, would it be possible for my batch file to be something like this?

REM connect to the share without a drive letter, supplying the credentials explicitly
net use \\servername\share password /user:name
start \\servername\share
pause
REM drop the connection first, then purge the cached Kerberos tickets
net use \\servername\share /delete
klist purge

The idea is for the first lines to open an Explorer window to the directory, then the batch file pauses, and when the user closes the Explorer window the batch file completes and deletes the just-used credentials.
I greatly appreciate your help in this.
Your batch should only work when \\servername\share is the only share using these credentials. I guess it's time to test this.

ASKER

I will report back... thanks.
ASKER CERTIFIED SOLUTION
btan


ASKER

Excellent! This is what I was looking for, and it works. Thanks.
To get rid of the credentials, open an elevated command prompt and type in:
net use \\server\share /delete
then type in:
klist purge
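An added check, not from the thread, that audits what the final fix is meant to clear on the client: live SMB connections to the file server, cached Kerberos tickets for it, and entries in Credential Manager (the "key ring" ste5an mentions); with -Cleanup it runs the net use /delete and klist purge steps and re-checks. The server and share names are placeholders, and Get-SmbConnection assumes Windows 8 / Server 2012 or later on the client.

```powershell
# Added example (not from the thread). Audits whether anything still lets this client
# reach the file server without re-entering credentials after the Explorer window is
# closed, and optionally runs the cleanup the thread settled on.
# 'servername' and 'share' are placeholders; Get-SmbConnection needs Windows 8+/2012+.
param(
    [string]$Server = 'servername',
    [string]$Share  = 'share',
    [switch]$Cleanup
)

function Get-LingeringAccess {
    param([string]$Server)
    $findings = @()

    # 1. Live SMB connections to the server (what 'net use' would also list)
    $conns = Get-SmbConnection -ErrorAction SilentlyContinue |
             Where-Object { $_.ServerName -ieq $Server }
    foreach ($c in $conns) {
        $findings += "open SMB connection to \\$($c.ServerName)\$($c.ShareName)"
    }

    # 2. Kerberos service tickets for the file server ('Server: cifs/<host> @ REALM' in klist)
    $tickets = (& klist.exe tickets) -join "`n"
    if ($tickets -match "cifs/$([regex]::Escape($Server))") {
        $findings += "cached Kerberos ticket for cifs/$Server"
    }

    # 3. Credentials persisted in Credential Manager (survive logoff, unlike tickets)
    $saved = (& cmdkey.exe /list) -join "`n"
    if ($saved -match [regex]::Escape($Server)) {
        $findings += "stored credential for $Server in Credential Manager"
    }
    return $findings
}

$before = Get-LingeringAccess -Server $Server
if (-not $before) { Write-Output "No lingering access to $Server found."; return }
$before | ForEach-Object { Write-Output "FOUND: $_" }

if ($Cleanup) {
    # Same order as the accepted fix: drop the connection, then purge the ticket cache.
    & net.exe use "\\$Server\$Share" /delete /y | Out-Null
    & klist.exe purge | Out-Null
    $after = Get-LingeringAccess -Server $Server
    if ($after) { $after | ForEach-Object { Write-Output "STILL PRESENT: $_" } }
    else        { Write-Output "Cleanup verified: nothing left for $Server." }
}
```

If the share was reached with NTLM rather than Kerberos, klist shows nothing for it, so the SMB connection check is the one that matters in that case.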