RESET Forums (homeservershow.com)

Protecting client backups against cryptowall?



Merconium

I've got Server 2012 R2 running an Essentials R2 role solely to protect my academic work via nightly backups (and File History). I didn't join the domain.

 

From what I understand, the exe runs on the client computer but can encrypt shares visible to said client over the network (hence so many posts about NAS users getting hit). The only mapped folders are Company and Users, and I don't keep anything I care about in there. 

 

As far as we know, so long as I don't execute cryptolocker or cryptowall on the server itself, the exe wouldn't see Client Computer Backups or File History Backups, correct? Are there any permissions settings that I should double check (obviously I'm an admin on the local domain, etc.)?

 

If there is a threat to those unmapped folders, would a honeypot like the one described by the OP a little ways down here be helpful in this case? (For folks with substantive user folders on the server, it seems like a necessary precaution.)
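One way to build the honeypot Merconium asks about, as an added example that is not from the thread or from any of its posters: a Windows PowerShell 5.1 script for the file server that plants decoy files in a folder sorted to the front of a share, watches them, and blocks the share the moment one is modified, renamed or deleted. The share name Company comes from the thread; the path D:\Shares\Company, the decoy folder name and the event-log source are assumptions.

```powershell
# Added example (not from the thread). Windows PowerShell 5.1 on the file server, run as Administrator.
# Assumptions: share "Company" (from the thread) is backed by D:\Shares\Company (assumed path).
# The decoy folder name starts with "_" so it sorts ahead of real folders: a client-side encryptor
# walking the share in directory order reaches the decoys before most of the real data.

$ShareName = 'Company'
$CanaryDir = 'D:\Shares\Company\_Archive_0000'   # assumed
$LogSource = 'CanaryWatch'                        # assumed event-log source name

# 1. Plant decoys that look like ordinary office files and record a hash of each one.
New-Item -ItemType Directory -Path $CanaryDir -Force | Out-Null
1..20 | ForEach-Object {
    $f = Join-Path $CanaryDir ('Budget_2014_{0:D2}.xlsx' -f $_)
    if (-not (Test-Path $f)) { Set-Content -Path $f -Value (('decoy content ' * 64) + $_) }
}
$Baseline = @{}
Get-ChildItem -Path $CanaryDir -File | ForEach-Object {
    $Baseline[$_.Name] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
}

# 2. Make sure alerts have somewhere to land (Application log).
if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
    New-EventLog -LogName Application -Source $LogSource
}

# 3. Watch the decoys. Only name, size and content changes raise events; reads do not.
$Watcher = New-Object System.IO.FileSystemWatcher
$Watcher.Path = $CanaryDir
$Watcher.IncludeSubdirectories = $false
$Watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite, Size'

# Context is handed over via -MessageData because the -Action block runs in its own scope.
$Context = @{ Share = $ShareName; Source = $LogSource; Baseline = $Baseline }

$OnChange = {
    $ctx  = $Event.MessageData
    $ea   = $Event.SourceEventArgs
    $type = $ea.ChangeType
    $name = $ea.Name

    # A "Changed" event with identical content (e.g. a backup agent re-stamping the file) is not an attack.
    if ($type -eq 'Changed') {
        try {
            $now = (Get-FileHash -Path $ea.FullPath -Algorithm SHA256 -ErrorAction Stop).Hash
            if ($ctx.Baseline[$name] -eq $now) { return }
        } catch { }   # file locked or already gone: treat as hostile
    }

    # Containment first: a Deny ACE for Everyone on the share removes the infected client's write path.
    Block-SmbShareAccess -Name $ctx.Share -AccountName 'Everyone' -Force
    Write-EventLog -LogName Application -Source $ctx.Source -EventId 9001 -EntryType Error `
        -Message "Canary '$name' was $type ($($ea.FullPath)). Share '$($ctx.Share)' blocked for Everyone."
}

$Subscriptions = 'Changed', 'Renamed', 'Deleted' | ForEach-Object {
    Register-ObjectEvent -InputObject $Watcher -EventName $_ -Action $OnChange -MessageData $Context
}
$Watcher.EnableRaisingEvents = $true

Write-Host "Watching $CanaryDir; press Ctrl+C to stop."
try { while ($true) { Start-Sleep -Seconds 5 } }
finally {
    $Subscriptions | Unregister-Event
    $Watcher.Dispose()
}
```

The Deny ACE stops new file opens from every client, not just the infected one, which is the intended trade-off: a blocked share is recoverable with `Unblock-SmbShareAccess`, encrypted data is not. Client Computer Backups and File History folders are untouched by this script; it only protects what is actually shared.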

revengineer

My understanding is that on the machine where this malware runs, all resources with a drive letter are in danger. This includes shares mapped to a drive letter. I believe shares accessed with \\ are safe. It would be good to get this confirmed in case my knowledge is outdated.


Mind if I ride along?

 

Ransomware is probably the one threat I am extremely afraid of. It's one thing for a traditional virus or malware to mess with Windows DLL or EXE files, but it's totally different to have your own data (pictures, home movies, personal/work docs, etc.) held hostage. That's like really getting hit below the belt.

 

It's nowhere near as bullet-proof, but in recent months I took a few precautions on my WHS2011:

 

1. Installed ESET Smart Security

2. Most of the shared folders I changed to read-only, particularly for users who don't normally need to write or modify files stored in those folders. That should help limit the attack surface somewhat.

 

These clients are already backing up to the server. For it to be end-to-end, I think I should also install ESET SS or NOD32 on all Windows clients.

Drashna Jaelre

The database is stored in a proprietary format, to start off with.

 

However, Windows creates "administrative shares" for each drive letter by default. You can access them by using \\servername\c$ (and so on for each letter).

If a ransomware/cryptolocker type virus hits you, it can potentially access those files.

This is why you should NEVER use a domain administrator account on the local PCs. (or matching credentials for a domain admin, if you're not domain joined).

 

If you're using the domain on the client, you can add ANY user to the local administrators group (run "lusrmgr.msc", to do so). This gives that account admin access to THAT computer.

 

 

Also, if you're using the domain, I HIGHLY recommend "installing" the CryptoLocker Prevention Kit as a group policy for the domain. This should significantly reduce the likelihood that it will even be allowed to run.

http://community.spiceworks.com/topic/396103-cryptolocker-prevention-kit-updated

Or you could try this:

http://www.foolishit.com/vb6-projects/cryptoprevent/

 

Keep in mind, these may break some programs (like uTorrent, or even Chrome (install Chrome for Business instead, as that installs to the Program Files directory)).

 

 

Additionally, if you are that worried, you may want to set up a Squid proxy, so you can intercept traffic.

Sophos UTM is great for this, as the web filter (squid proxy) is very "turn key". 

And if you scan HTTPS traffic as well, you may significantly reduce the chances of getting a virus (the web filter can scan files, using Sophos and Avira antivirus). However, it can break a lot of functionality (auto updates/downloads).

 

 

@oj88, installing antivirus may not be practical. A lot of developers avoid doing so, because it can cause issues with development (oh, look, the file I just compiled is getting flagged), and it can cause a significant performance hit (lots of access during compiling).

Depending on what Merconium is doing, he may fall into this.
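To check the two exposures Drashna describes, administrative shares on the server and domain-admin (or shared local-admin) credentials in use on client PCs, here is an added audit script in Windows PowerShell 5.1. It is not from the thread or from Microsoft. `Get-AdminShareExposure` runs on the server, `Test-ClientAdminHygiene` on each client. The AutoShareServer registry value at the end is the documented switch for the default C$/D$ shares; it is left commented out because some backup and management tools depend on those shares.

```powershell
# Added example (not from the thread). Windows PowerShell 5.1, run elevated.

function Get-AdminShareExposure {
    <# On the server: list the drive-letter administrative shares (C$, D$, ...) and the ordinary
       shares that live under each one. A drive-letter admin share exposes every file on that
       drive, including unmapped folders such as Client Computer Backups, to anyone holding a
       local administrator credential for this server. #>
    $shares = Get-SmbShare
    $admin  = $shares | Where-Object { $_.Special -and $_.Name -match '^[A-Z]\$$' }
    foreach ($s in $admin) {
        [pscustomobject]@{
            AdminShare  = $s.Name
            Root        = $s.Path
            # "Not mapped" does not mean "not reachable": anything under Root is one UNC path away.
            SharesUnder = ($shares |
                Where-Object { -not $_.Special -and $_.Path -like "$($s.Path)*" } |
                Select-Object -ExpandProperty Name) -join ', '
        }
    }
}

function Test-ClientAdminHygiene {
    <# On a client PC: is the logged-on account a domain admin or a local admin, and are any
       domain accounts members of the local Administrators group? Drashna's rule is that the
       day-to-day account should be neither. #>
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $prin = New-Object System.Security.Principal.WindowsPrincipal($id)

    # Domain Admins always carries RID 512; matching the SID avoids name-translation failures.
    $isDomainAdmin = [bool]($id.Groups | Where-Object { $_.Value -match '-512$' })
    # Reflects the current token: under UAC a non-elevated admin reports $false here.
    $isLocalAdmin  = $prin.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    $domainMembers = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |
        Select-Object -ExpandProperty Name

    $verdict = if ($isDomainAdmin) {
        'FAIL: daily use under a domain admin exposes every admin share on the network'
    } elseif ($isLocalAdmin) {
        'WARN: local admin; malware here reaches admin shares on every host where this credential is valid'
    } else {
        'OK: standard user'
    }

    [pscustomobject]@{
        User                        = $id.Name
        IsDomainAdmin               = $isDomainAdmin
        IsLocalAdmin                = $isLocalAdmin
        DomainAccountsInLocalAdmins = $domainMembers
        Verdict                     = $verdict
    }
}

Get-AdminShareExposure  | Format-Table -AutoSize
Test-ClientAdminHygiene | Format-List

# Optional hardening on the server: turn off the automatic drive-letter shares (takes effect
# after the Server service restarts). Test first; some tools rely on them.
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
#     -Name AutoShareServer -Value 0 -Type DWord
```

For a server that is not domain-joined, as in Merconium's setup, the equivalent of Drashna's warning is that the client's local admin account must not share a username and password with any account on the server; `Test-ClientAdminHygiene` cannot see that from the client side, so it is a point to check by hand.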


I was curious whether Malwarebytes includes protection for these crypto variants. I seem to recall them saying they support this as long as the self-protection module is enabled? I'm running MB on my WSE12R2 server box. I wasn't sure if that was enough or if I should just add the CryptoPrevent Premium subscription for the automatic updates.

Edited by Jason
Trimble Epic

I have been pondering this for a while myself.

 

I'm still running WHS v1, and as far as I was aware, the client backups are not exposed to the client machines... So I've been thinking they are safe...   (am I wrong?  are they exposed via drive$ letter$ as Drashna described above?)

 

As far as the shares... I've been wanting to lock them all down to read only as well... I already have a "user" account on my whs called "player" with a simple password that is able to access music, video and photos on the server in read only mode...  I've been doing that since I first noticed that there are player clients that have delete features, and my kids are stupid.

 

The problem is, my own user account has read/write access to those shares... and I don't need write access full time... So I've been trying to come up with a way to move new media files into those shares while keeping myself limited to read only... here are some of my ideas...

 

1) Use two accounts on the server, with my daily account being read-only, but when I want to move files onto the server, I would manually log on to that share as a read/write user, do the changes, then log off/disconnect/unmap the drive letter. This seemed to me the most logical approach. Two connections: one read-only, left connected all the time, the other only used long enough to manually curate my files, then disconnected and flushed. Not sure how that would interact with my daily connection to those folders... and not sure about the ID being cached.

 

2) Create "landing zone" folders on my own desktop machine; I place a media file in there, and a script running on the server itself reaches into my machine and moves the file onto itself, into the correct media folder. This way, no remote user can write to the server. Sounds too complicated.

 

3) Run all my downloads on the server itself... remote desktop into the server to control it... I haven't heard anything about cryptolocker variants that hop through RDC sessions yet... or just leave it automated (just started playing with sickbeard, etc. this week).

 

So, I'm concerned about cryptolocker variants, but I'm also concerned about the wife or kids simply accidentally (or not) deleting things.

 

Oh, and if backups are exposed, I would want to find a way to lock them to read only also... but find a way that the backup software itself can use a write credential that the rest of the machine can't use...  is that even possible?

 

Is read-only access actually safe vs cryptovariants?

Edited by Trimble Epic
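For Trimble's first option (a read-only daily account plus a separate write account used only while curating), here is an added PowerShell example, not from the thread or from Microsoft. It assumes Windows Server 2012 R2 as in Merconium's setup, because WHS v1 has no SmbShare cmdlets; the server name WHS, the accounts daily and mediawriter, the IP address and the Incoming subfolder are placeholders, while player and the Music share are from Trimble's post. It also covers the interaction he wonders about: Windows refuses a second set of credentials to a server name that already has a session (error 1219), so the write connection is made to the server's IP address or a DNS alias instead of to WHS.

```powershell
# Added example (not from the thread). Windows PowerShell 5.1.

# --- Server side (Windows Server 2012 R2, run elevated once) ----------------------------------
# Share ACL and NTFS ACL must agree: effective access over SMB is the more restrictive of the two.
# An account with Read on both can list and copy files but cannot modify, rename or delete them,
# whatever runs on the client under that account.
$Share = 'Music'                                  # share name from the thread
$Path  = (Get-SmbShare -Name $Share).Path
Revoke-SmbShareAccess -Name $Share -AccountName 'Everyone' -Force
Grant-SmbShareAccess  -Name $Share -AccountName 'WHS\player'      -AccessRight Read   -Force  # kids' player account
Grant-SmbShareAccess  -Name $Share -AccountName 'WHS\daily'       -AccessRight Read   -Force  # assumed: your daily account
Grant-SmbShareAccess  -Name $Share -AccountName 'WHS\mediawriter' -AccessRight Change -Force  # assumed: curation only
# NTFS: drop inherited ACEs and set an explicit, matching list.
icacls $Path /inheritance:r /grant:r `
    'WHS\player:(OI)(CI)RX' `
    'WHS\daily:(OI)(CI)RX' `
    'WHS\mediawriter:(OI)(CI)M' `
    'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# --- Client side (the PC you curate from) -----------------------------------------------------
# The daily mapping (\\WHS\Music as 'daily', read-only) stays connected. The write connection
# uses a different name for the same server (IP or DNS alias), because Windows rejects a second
# credential to a server name that already has a session (error 1219).
function Invoke-MediaCuration {
    param(
        [Parameter(Mandatory)][string[]]$Files,       # files to move onto the server
        [string]$WriteHost = '192.168.1.10',          # assumed: server IP or alias, deliberately not 'WHS'
        [string]$Share     = 'Music',
        [string]$Dest      = 'Incoming'               # assumed subfolder
    )
    $cred = Get-Credential -UserName 'WHS\mediawriter' -Message 'Curator account (write access)'
    $root = "\\$WriteHost\$Share"
    New-PSDrive -Name W -PSProvider FileSystem -Root $root -Credential $cred | Out-Null
    try {
        if (-not (Test-Path "W:\$Dest")) { New-Item -ItemType Directory -Path "W:\$Dest" | Out-Null }
        Move-Item -Path $Files -Destination "W:\$Dest" -Verbose
    }
    finally {
        # Tear the write path down so nothing on this PC keeps a standing write connection.
        Remove-PSDrive -Name W -Force
        net use $root /delete /y 2>$null | Out-Null
    }
}

# Usage: Invoke-MediaCuration -Files 'C:\Downloads\NewAlbum\*.flac'
```

The exposure window is only as long as the curation itself, and the credential is typed each time rather than saved, so a later process on the PC has no write path to reuse. The read-only part of the question is answered by the server, not the client: with Read on both ACLs the server refuses writes from that account no matter what software asks for them.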

Nothing at all against any of the info already posted, but I can't help but think that one good strategy for protecting clients is to have a robust backup strategy. That way, if a client gets 'violated' you can simply restore to a backup that was created before the infection.
