Using FSRM against Ransomware

Every administrator is afraid about Ransomware software. We want to protect our systems with so many different approaches and at many layers, but almost always we try to use complicate techniques to archive basic objectives. I found on TechNet an article, which sounds good for me and I am also confidential using Windows embedded functionalities for trying to prevent an attack.
Are there positive and negative sides? Of course they are, the most important negative thing I recognize is that we are using technology based on file type. Actually we are trying to prevent to write all known file extensions that can be written on our system. This will work if we know the extension and we have to search for new used file extensions and add them as blocked file types. But there are also positive things: we don’t need to buy anything, we have all we need ready on our server – we have just to use it! It is very simple to configure and maintain and it works!
When I read this article, I was surprised why I have to do all those steps thru GUI? We can simply use PowerShell that is quicker and it will do exactly the same things every time we will start it. Well, I made a script that you can run on every server you have to protect and for every share or partition you want to protect. There is only one think that you cannot protect: system drive if you try to prevent whole drive. In this case, the protection will be passive and not active and there is no way to change it (but I hope that you don’t share system drive).
Things that you have to know are basic, just few data:
  • Path to protect
  • SMTP server for sending mail (and be careful with authentication! Test it!)
  • Mail address form which mail will be sent
  • Mail address from administrator
  • Script that you want to run after detection (if you want)
You can run it as many times you want, on every server you want (version 2008 and newer) and you will be able to protect your data. It is a secure way to do it because you just prevent to change the data transformation and not the malware itself. I recommend also to use a script published on TechNet article for disabling the AD user or deny user access to server (It is also zipped into my file; including subinacl.msi).
To prevent malware, you can use an additional build in function: AppLocker and also this is explained here. And by the way, the approach is tested on Server 2016 TP5 – it’s working!

Create redirected folders with PowerShell

As many of us know, to setup redirected folders you have to create root folder, permissions and sharing manually. You do it always in the same way: search internet for exact permissions that you need to set, control that is all OK, than share the folder…
Therefore, the job is ideal for a script as is always done in the same way; the only thing that is changing is the folder location and the domain name.
To simplify all this work I wrote a script to create a folder, setup the right permissions and share this folder. The only things you have to change in the script are:

  • the folder name and location
  • the name of shared folder
  • the group to which redirection will apply
  • the domain admins group (it is changing the domain)

You have to write these four variables in the beginning of the script and then just run it. All the work is done!

You can download script here..

Adding AD users via PowerShell script and CSV file

In one of my previous posts, I wrote how to add groups and their members in AD. Some of my friends validated this post as very usable, but they missed the first step: how to add users with all properties to AD. There are many scripts on the net, but I didn’t find a script with enough properties and I decided to write my own one.
I tried to think what the IT persons want and I arrived to those fields:

  • Users name
  • Users surname
  • Users Display name
  • Users SAM name
  • Company with complete address
  • Department where users are working
  • Manager
  • Office where who is situated
  • Home directory
  • Mobile phone
  • Company phone
  • OU where user is created (it is not the best idea to create them in default OU)

In addition I tried to do some more things like users password is always the same and users has always to change this password on first login (be careful with some users, who are working for example only true RDP). I found all this data useful also for future use like for creating a script for Mail signature and similar.
All that you need you will find in this ADUsers script. You will find a script and an Excel file where to add user’s data. You have to fill white cells; yellow cells are formula based and are calculated in base of white ones. The formula that you have to change, as you need, is how the username is created. At the end be careful that you will avoid duplicated data.
Have a good usage and good work! download link.

Delete Canon print drivers with PowerShell

Some days ago I had a problem with Canon drivers (and to be honest, I am convinced that Canon has to do something to solve the situation). At this moment the only way to change Canon printer driver it is to reinstall it from the original package and this cannot be done silently (as I know, correct me if I am wrong). Uninstalling drivers via standard way is not possible as the “driver is in use” all the time, the spooler is active and if you stop the spooler, you cannot uninstall the driver because the spooler is not running. Crazy!
What was my idea? First, I have an environment with few thousand computers, so all the process must be silent, automated and if it is possible traceable. As I have printers mapped form print server, the printers have to remain mapped and the driver should be downloaded from the print server on the first use (of course you have to manually reinstall new driver on print server). The best way to do this kind of work is PowerShell.
OK, so for the first I had to create a log source for the script as I wanted to trace all the work of the script and I wrote few lines of code to define all settings needed to put my events in log.
After this, it is absolutely needed that Print spooler is running and driver is not in use. I found a solution stopping the print spooler, renaming the winprint key in registry (this key is responsible for print process used by Canon drivers) and starting the spooler. In this way I created the situation where the print spooler is running, but not the winprint process– so the Canon drivers are not in use and they can be uninstalled.
The rest of the script find all Canon drivers (from registry), remove them with rundll23 PrintUI.dll command, rename winprint registry key back and restart the print spooler once again.
The final part is to write success or failure to Application log.

When you run script be careful to two things:

  • The script has to run as local administrator account or system account. If you run the script as user with less privileges, it will fail.
  • This script is valid for a 64 bit systems. If you have a 32 bit systems, you have to correct lines where registry keys are specified.

The script can be downloaded here: RemovePrnDrv Script.

Good work!.