RESET Forums (homeservershow.com)

Server security and LOCKY?


Jason

Our office got hit hard this week by the LOCKY ransomware. Came in through a laptop client (Win 8.1) and infected our network shares. I didn't notice a Security forum here.

Has anyone else encountered it yet (I hope not)? What precautions do you take on your home networks or home servers to safeguard against these threats?

 

Anxious to hear everyone's take.


  • 2 weeks later...

Also, you mention an office place...

Depending on the setup and size, if you're using a domain, you can implement the "cryptolocker prevent" stuff via group policy, so all of the domain joined systems are using the "prevention". Though, this can cause issues with some apps (Chrome for instance, if not using the "Chrome for Business/Enterprise" version).

Also, if you're using Enterprise SKUs on the systems, you may want to look into "AppLocker", as this should stop it dead in its tracks, at least for domain systems.


As for the network.... make sure users are:

  • NEVER, EVER EVER using domain admin accounts. Period. I don't care what your CEO/CFO/CTO/ETC says. Using a domain admin for anything other than periodically administering your domain is really, really bad. Just allow users access to strictly what they need.
  • If these are work PCs, you may want to consider setting up some sort of UTM device on your company's network, and requiring (configuration) all work systems to VPN into your network (if you have the bandwidth for it).
  • Personal/guest computers should be segmented from the main network, if possible.
  • Again, if on a domain: set up group policies to prevent locker malware.

And there are other things, but these are pretty basic minimums. 

As for recovery... backups, definitely. But something that LoneWolf didn't mention: versioning. Windows supports "Previous Versions", which is a form of versioning. Depending on how this is configured.... recovering files may be as simple as just using the Previous Versions feature to roll back all the files to a few hours ago. Numerous Linux file systems include similar functionality as well.

..... I may have been spending too much time on /r/sysadmins lately....
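The "Previous Versions" recovery described above relies on Volume Shadow Copies existing for the volume that hosts the share. The following PowerShell is an added example, not code from this thread or any poster: run elevated on the file server, it checks that snapshots exist, picks the newest one taken before the encryption started, and copies a single file back out of it. The volume letter, share path, infection time and restore folder are constructed values for the example.

```powershell
# Added example: recover a pre-infection copy of a file from the newest
# Volume Shadow Copy that predates the ransomware run. Constructed inputs.
param(
    [string]$Volume       = 'D:',
    [string]$RelativePath = 'Shares\Finance\budget.xlsx',
    [datetime]$InfectedAt = (Get-Date '2016-03-21 09:00'),
    [string]$RestoreTo    = 'C:\Restore'
)

# Win32_ShadowCopy.VolumeName is a \\?\Volume{GUID}\ path, so resolve the
# drive letter to that GUID path first.
$vol = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $Volume }
if (-not $vol) { throw "Volume $Volume not found" }

# Enumerate this volume's snapshots, newest first.
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID } |
    Sort-Object InstallDate -Descending

if (-not $shadows) {
    Write-Warning "No shadow copies exist for $Volume - Previous Versions has nothing to roll back to."
    return
}
$shadows | Format-Table InstallDate, DeviceObject -AutoSize

# Only a snapshot taken before the encryption started holds clean data.
$clean = $shadows | Where-Object { $_.InstallDate -lt $InfectedAt } | Select-Object -First 1
if (-not $clean) { throw 'Every snapshot is newer than the infection; use offline backups instead.' }

# Expose the snapshot as a folder via a directory symlink. The DeviceObject
# path must end with a backslash for mklink to accept it.
$mount = Join-Path $env:TEMP 'vss_clean'
if (Test-Path $mount) { cmd /c rmdir "$mount" | Out-Null }
cmd /c mklink /d "$mount" "$($clean.DeviceObject)\" | Out-Null

# Copy the clean file to a separate restore folder rather than back into the
# share, so nothing is overwritten while the infected client may still be online.
New-Item -ItemType Directory -Force -Path $RestoreTo | Out-Null
Copy-Item -Path (Join-Path $mount $RelativePath) -Destination $RestoreTo
Write-Host "Restored $RelativePath from snapshot of $($clean.InstallDate) to $RestoreTo"

# rmdir on the symlink removes only the link, not the snapshot.
cmd /c rmdir "$mount" | Out-Null
```

If the script reports no shadow copies, Previous Versions was never enabled for that volume (or the snapshots were deleted), and only the offline or cloud backups discussed in this thread will help.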


  • 3 weeks later...

Good info.

Here's what I'm doing.

1) Backups. My server itself (the system) is backing up daily to a dedicated HD, and I swap it out semi-regularly. I need to do that more often.

2) Backups. My user machines are backing up to the server using the Essentials backup. I'm hoping that the server stores the backups in a way that doesn't expose their meat via an invisible share such that ransomware could find it and overwrite it... can anyone confirm this?

3) Backups. All data (except TV/movie video files) on the server shares is being sent up to CrashPlan. Again, the hope here is that ransomware hasn't learned how to find the CrashPlan console and delete all the backups in the cloud. To this end, I only install the CrashPlan console on the server itself.

4) Backups. All TV/movie video files are simply copied to a collection of old HDs that I keep offline in a HD protector box offsite. I need to do another pass; I have more recent video to back up. Sigh.

And 5) I'm experimenting with locking down file write permissions for everyone including myself such that I can't overwrite anything - unless I temporarily and manually override the locks with a password. This is proving tricky because some automatic systems are broken...
