Thomas (Malaysia)

asked on

Prevent Workstation from encrypting server files

I am trying to see if there is any way to detect and stop an encryption process on a Windows server.

Basically, one of the workstations opened a ransomware (SIGMA) and it encrypted everything on her computer, which is to be expected. However, it also encrypted everything on the mapped drive from the file server. The file server has antivirus and even anti-ransomware, but it still encrypted the stuff on the mapped drives. All drives or folders that were not mapped to this particular workstation are fine.
So the question would be whether there is anything to prohibit any type of encryption that is initiated from a workstation. If not, maybe someone knows a good solution to prevent this in another way.

By the way, I do have backups; however, since I only have backups every 24 hours, I lost one day's work. I do not really care about the files on the workstation because I simply restore a clean image, but if it messes with my files on the domain server, it becomes a huge issue and I need to find some solution.

Any tip is very much appreciated. Thanks to all who are willing to assist me.
The server is Windows Server 2016.

McKnife (Germany)

It's easy: the ransomware is started with the user's credentials, so any piece of data the user may change on that share can be encrypted. If you want to protect as much as possible, only allow the user write permissions to areas he really needs to write to; elsewhere, use read permissions.

On Win10 v1709 and newer, there is ransomware protection built in (but deactivated) that lets you select which folders may be written to by which programs. So it's a per-program setting, not a per-user setting. If you use these new OSes, it's worth looking into it, although it does not seem to be mature yet.
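As an added illustration (not code from any poster in this thread), the PowerShell below configures the per-program "Controlled Folder Access" protection McKnife mentions on a Win10 v1709+ workstation: start in audit mode, declare a protected folder and a trusted application, then read the resulting audit/block events before enforcing. The folder and application paths are placeholders.

```powershell
# Added example, not from the thread: Controlled Folder Access (Microsoft Defender,
# Windows 10 1709+). Run in an elevated PowerShell session on the workstation.
# Both paths are placeholders for this illustration.
$ProtectedFolder = 'D:\Shares\Finance'                          # placeholder
$TrustedApp      = 'C:\Program Files\LineOfBusiness\app.exe'    # placeholder

# 1. Audit mode first: nothing is blocked yet, but every write that *would*
#    be blocked is logged, so legitimate programs can be allow-listed safely.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Add the folder to protect (user profile folders are protected by default).
Add-MpPreference -ControlledFolderAccessProtectedFolders $ProtectedFolder

# 3. Allow a known line-of-business application to write into protected folders.
Add-MpPreference -ControlledFolderAccessAllowedApplications $TrustedApp

# 4. Review what was audited (event 1124) or blocked (event 1123).
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Mode    = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' }
        Message = $_.Message
    }
} | Format-Table -AutoSize -Wrap

# 5. Once the audit log shows only unwanted writers, switch to enforcement:
#    Set-MpPreference -EnableControlledFolderAccess Enabled
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications
```

Because the setting is per program rather than per user, the audit pass is what tells you which applications need to be on the allowed list before the user is ever blocked.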
Kimputer

For this reason, I enforce some form of software restriction policies in every company where possible (not everyone wants it, though it's one of the best solutions).
Users really don't need to execute anything that hasn't been installed already anyway. And if they need it, just install it for them.
SOLUTION
Naveen Sharma

Well, ransomware has created new facts and we need to go back to the drawing board.
It seems that the simple share is way too dangerous, so there is a need for changing habits...
Solutions... many, but I will throw out some:
FTP... with the help of an FTP client you can have a repository which is hard to access without all the security info.
Web/desktop replacement explorer... an application that connects to a restrictive repository... or even a file-capable database (Firebird?)...
All nice, theoretical and/or expensive. SRP is already proven to work and it's free.
Thomas (asker)

Thank you for all the feedback. I found some solutions from the feedback.
Initially I was looking for a way to detect that a workstation in the Win Server 2016 domain network initiated an encryption process. However, it is better to protect the workstation directly, so that this does not even happen.
Also, I implemented more training for the employees, because this user had to go through 5 steps to get this ransomware to start.
I would love it if they would give this much attention to the emails I send ;-)

Thank you everybody, this was very good feedback.