August 2016 SysAdmin Magazine
Contents

3 Quick Tweaks to Prevent Ransomware Attacks (p. 3)
Ransomware Protection Using FSRM and PowerShell (p. 5)
Ransomware Survival Guide: Defending Against Crypto-Ransomware (p. 12)
How to Secure Your Company from Rogue Administrators (p. 13)
Tech Tips: 4 Security Log Events to Audit (p. 19)
Free Tool of the Month: Account Lockout Examiner (p. 21)
How-to for IT Pro: Detect Password Changes in Active Directory (p. 22)
3 Quick Tweaks to Prevent Ransomware Attacks

Ransomware is everywhere: the insidious threat that encrypts your documents and other files and holds them hostage until you pay a substantial sum to an anonymous third party. Fortunately, there are measures you can take to reduce the likelihood of a successful attack. Here are three tweaks you can make to mitigate this threat.

by Jonathan Hassell, IT Pro, entrepreneur
Get a better grasp on your inbound e-mail messages

Ask your e-mail hygiene provider to enable their URL scanning protection; this is sometimes called ClickProtect or URLScan. It replaces links in inbound e-mail messages with a link to the hygiene provider's portal, and once that rewritten link is clicked, the hygiene provider can examine the target destination and decide whether it is potentially malicious. If it is, the hygiene provider can display a big warning saying "Don't Proceed," and that may be just enough to convince your users they have been fooled. Note what this does not cover: attachments (the macro-enabled documents and script files described later in this issue) are not links, so URL rewriting needs to sit alongside attachment filtering, not replace it.
Have good, consistent backups and test restoration regularly

- The best way to beat ransomware creators at their game is to remove the need to pay the ransom, and the only way you can do that is to have in your back pocket the ability to get back to a "last known good" state on your own and go from there. The only way you can get to this point is to make regular backups.
- Use Shadow Copies on your Windows Servers, take multiple snapshots per day, and test your restores all the time, both on a consistent basis and also on a surprise basis. Treat shadow copies as a convenience, not as the backup itself: ransomware that runs with administrative rights routinely deletes them (vssadmin delete shadows /all is a standard first step) before it starts encrypting. Take some of your backups offsite, and make sure that backup drives that are not in use are disconnected from your servers entirely, so that malware running on the server cannot reach the backup medium and destroy the copies on it.
- Contrary to what you might think, you do not need any additional significant investment to get going on a regular backup scheme. If your budget is tight, buy three USB hard drives from Costco and use the built-in Windows Server Backup service to get going, rotating the drives so that at least one is always disconnected. For Linux, there are several suitable open source backup packages that will work with USB mounted drives. Whatever you do, you need to start with this, and you can do so for no more than $250.
Look at application whitelisting

Basically your only chance at decidedly, effectively preventing a ransomware infestation is to use application whitelisting. With this approach, you tell your operating system which binaries you will allow to run, and the operating system prevents everything else from running, including legitimate programs that have not been approved by you just yet. The whitelist is built from checksums and digital signatures of executable files, so there is some manual labor involved in both deploying the whitelisting solution in the first place and keeping it up to date. Rules keyed to a publisher's signature survive signed updates; rules keyed to a file hash break at every update, so prefer signature rules wherever vendors sign their code, and always run a new policy in audit-only mode before enforcing it.
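As an added example (not code from the article), here is how the whitelist described above is built and staged on Windows with the built-in AppLocker cmdlets: inventory the binaries already installed on a reference machine, generate publisher and hash rules, apply them in audit mode, and dry-run the policy against a dropped executable. The scanned directories, the policy path and the mail-free audit-first rollout are assumptions; AppLocker needs an Enterprise edition of Windows, the Application Identity service, and an elevated session.

```powershell
# Added example, not the article's code: build an AppLocker allow-list from the
# binaries already installed on a reference machine, stage it in audit mode,
# then test a dropped executable against it.
# Assumptions: elevated PowerShell on Windows Enterprise; the trusted roots and
# the policy path below are ours to choose.
Import-Module AppLocker

$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemRoot\System32") |
    Where-Object { $_ -and (Test-Path $_) }                        # assumption: what we trust
$policyPath = 'C:\AppLocker\allowlist.xml'                           # assumption

# 1. Inventory: publisher (signature) and hash details for every executable,
#    DLL, script and installer under the trusted roots.
$fileInfo = foreach ($root in $trustedRoots) {
    Get-AppLockerFileInformation -Directory $root -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}

# 2. Rules: Publisher first (a signed update keeps matching), Hash only for unsigned
#    files (every update of those needs a new rule). -Optimize merges per-file rules
#    into one rule per publisher/product, which is what keeps the list maintainable.
$policyXml = $fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix Allow -Optimize -Xml

# 3. Stage in AuditOnly: anything outside the list still runs but is logged as
#    event 8003 in Microsoft-Windows-AppLocker/EXE and DLL. Flip to "Enabled"
#    only after that log has been quiet over a normal business cycle.
$policyXml = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null
Set-Content -Path $policyPath -Value $policyXml -Encoding Unicode

Set-AppLockerPolicy -XmlPolicy $policyPath   # local policy; add -Ldap to write a GPO instead

# 4. No Application Identity service, no AppLocker decisions at all.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 5. Dry-run the policy against what ransomware droppers do: an .exe written to %TEMP%.
#    PolicyDecision "DeniedByDefault" means the allow-list would have stopped it.
Get-ChildItem -Path "$env:TEMP\*.exe" -ErrorAction SilentlyContinue |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone |
    Where-Object { $_.PolicyDecision -ne 'Allowed' } |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

The hash rules are the maintenance cost the article warns about: every patched unsigned binary needs the inventory and policy regenerated, so the smaller the unsigned set you tolerate, the cheaper the whitelist is to keep current.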
Ransomware Protection Using FSRM and PowerShell

While the FBI continues to investigate the MedStar attacks and a series of other recent ransomware attacks, I decided to describe a case from my own experience when I received an encrypted file and opened it. What steps should I have been undertaking to protect my system from file-encrypting malware?

by Matt Hopton, Network Architect
Background

Well, I received an email with the usual "please see attached document, or it'll cost you lots of money".

Attached was a zip file with 2 files inside: a Word document and a JavaScript file.

I was surprised that the spammers are now using the latest version of Office as an excuse as to why you can't read their (macro-enabled) document.

Just for fun, I enabled macros in an isolated network environment and monitored what happened next using Process Monitor from Sysinternals.

The Word document downloaded a base64-encoded text document, wrote it to the user's %temp% folder, renamed it to .exe and executed it. (The JavaScript file that was in the original zip file provides a similar experience.)

This appears to be a variant of the "Teslacrypt" malware family and proceeds to encrypt all of the user's documents, desktop and pretty much anything else that it can touch. In a real-life environment, however, hopefully most, if not all, of the user's files are being stored on a file server through one means or another, be it Work Folders, Folder Redirection etc.
Using File Server Resource Manager

We can use File Server Resource Manager (FSRM) as a system to help prevent already-executing malware from encrypting the entire file server. It does not stop the malware on the workstation; it limits the blast radius on the shares.

We will set up FSRM to monitor the shares for suspicious activity associated with ransomware, e-mail designated admin addresses and then block the infected user's access to the shares on that server.

If you don't already have File Server Resource Manager installed on your file server, go ahead and install it now from Server Manager -> Add Roles and Features.

Once installed, launch it from the Server Manager's Tools menu.

The first thing we need to do is set up the e-mail alert system with your mail server. To do this, choose "Configure Options" from the right hand "Actions" panel. A window appears on the "Email Notifications" tab.

Enter your mail server's fully qualified domain name (FQDN) or IP address in the first box, a semicolon-separated list of e-mail addresses to receive the alerts in the second, and a valid e-mail address on your e-mail server in the third. Press Send Test E-mail and wait for it to be sent. If you don't receive anything, you may need to enable unauthenticated relaying for this file server on your e-mail system; restrict that relay permission to the file server's IP address rather than opening it to the whole network. Press OK to finish.
Setting up the File Screen

FSRM has an excellent function called File Screening, whereby you can set actions to be performed when users attempt to save certain types of files to the network. In our environment, we use this to prevent users from saving executable files to their home folders.

In this case, we're going to set up screening on the regular file share and on a new file share that will act as a honeypot for ransomware.

- In the navigation pane, click "File Screens" and "Create File Screen" on the action pane.
- Hit Browse and navigate to the top level of your file shares. For example, I've set up some shares in D:\Shares\, so that's the path to pick here.
- Click "Define custom file screen properties" -> Custom Properties.
- Leave the "screening type" as "active", which refuses the write as well as raising the notification; "passive" would only report, and the encrypted files would still land on the share.
- Click "Create" under "Maintain file groups".
- Give the group a name like "Known Ransomware Files" and add "testfile.txt" into the first box. (We will be updating this list via a script later.)
- Click OK, then tick the group in the list.
- On the second tab, tick the "Send e-mail" box and customise the message if you wish.
- In the "Command" tab, tick the box and enter the path to PowerShell.exe in the first box. On my system, it is as below:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

- In the second box, "command arguments", enter the PowerShell command below. FSRM replaces [Source Io Owner] with the DOMAIN\user who performed the write before the command runs:

-ExecutionPolicy Unrestricted -NoLogo -Command "& { Get-SmbShare -Special $false | ForEach-Object { Block-SmbShareAccess -Name $_.Name -AccountName '[Source Io Owner]' -Force } }"

This command adds a Deny entry for the user to the share permissions of every non-administrative share on this server whenever it is detected that they have written a file that matches the ransomware file screen pattern, effectively preventing the malware doing more damage, but without causing downtime for other users of the server. (Hooray, finally a genuine use for share permissions!) Share permissions are checked when a client connects to the share, so an already-connected session may not be cut off immediately; to be safe, also terminate the user's existing SMB sessions (Close-SmbSession -ClientUserName) when you block them.

- If you're still running Server 2008, the Get-SmbShare command isn't available. Instead, you can use Windows Firewall to block access for all users to the server. In the first box, enter:

c:\windows\system32\netsh.exe

- Then, in the second:

advfirewall firewall add rule name="* TEMPORARY BLOCK RANSOMWARE DETECTED *" dir=in protocol=tcp interface=any action=block localport=139,443,445

But be warned: this blocks everyone's access to the server!

- Finally, click "Local System" in the "Run as" section and press OK.
- Click Create and save the properties as "Ransomware Screen Template". This will allow you to easily apply it to any other shares that you might have.
The Honeypot

To take this a step further, we can create a new share to act as a "honeypot" and entice the ransomware to write to it without damaging users' files. Using Server Manager -> File and Storage Services -> Shares, create a new share called "$Honeypot".

Make sure you give "Authenticated Users" full control over both the file permissions and the share permissions.

We use the dollar sign at the start in order to place the honeypot first in the list of shares when browsing the file server, in the hope that the ransomware will attempt to encrypt it first. (A dollar sign at the end of a share name would hide the share from browsing, which is the opposite of what we want here.)

Create a "read-me" file in the honeypot folder:

This file is here to help instruct users if they come across the folder, but also as a trap for ransomware, as it will attempt to encrypt the file when it discovers it. Go ahead and create a new File Screen on this new share, selecting "Derive properties from template" and choosing our "Ransomware Screen Template" that we saved earlier.

Modify the file screen so that it includes an "All Files" group: *.* This will help to protect against new, unknown file names, as nobody should be writing to the honeypot folder. Create the read-me file before you apply the all-files screen; otherwise the screen refuses your own write.
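The whole procedure above (mail settings, file group, screen template with the e-mail and command actions, the honeypot share with its read-me and all-files screen) as one script, added here as an example; it is not the article's code. It uses the FileServerResourceManager and SmbShare modules of Windows Server 2012 and later, and the share root, honeypot path, mail server and addresses are assumptions.

```powershell
# Added example, not the article's code: script the FSRM configuration described
# above (Windows Server 2012 or later, run elevated on the file server).
# Assumptions: D:\Shares is the share root, D:\Shares\Honeypot backs the
# $Honeypot share, and the mail server and addresses are placeholders.
Import-Module FileServerResourceManager
Import-Module SmbShare

$shareRoot  = 'D:\Shares'
$honeyPath  = 'D:\Shares\Honeypot'
$smtpServer = 'smtp.example.com'
$adminMail  = 'fileserver-alerts@example.com'
$fromMail   = 'fsrm@fileserver.example.com'

# 1. Mail settings (the "Configure Options" dialog).
Set-FsrmSetting -SmtpServer $smtpServer -AdminEmailAddress $adminMail -FromEmailAddress $fromMail

# 2. File groups: the seed pattern used for the test below, and a catch-all for the honeypot.
$known = New-FsrmFileGroup -Name 'Known Ransomware Files' -IncludePattern @('testfile.txt')
$all   = New-FsrmFileGroup -Name 'All Files (honeypot)'  -IncludePattern @('*.*')

# 3. Actions. FSRM expands [Source Io Owner], [Source File Path], [Server] and
#    [Admin Email] before it sends the mail or runs the command. The command adds
#    a Deny entry on every non-administrative share and also drops the user's
#    open SMB sessions, because a share ACL change is checked at connect time.
$blockArgs = '-ExecutionPolicy Unrestricted -NoLogo -Command "& { ' +
    'Get-SmbShare -Special $false | ForEach-Object { Block-SmbShareAccess -Name $_.Name -AccountName ''[Source Io Owner]'' -Force }; ' +
    'Close-SmbSession -ClientUserName ''[Source Io Owner]'' -Force -ErrorAction SilentlyContinue }"'

$mailAction = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'Ransomware pattern written by [Source Io Owner] on [Server]' `
    -Body 'User [Source Io Owner] wrote [Source File Path], which matches the ransomware file screen. Share access for that user has been blocked.'
$cmdAction  = New-FsrmAction -Type Command -SecurityLevel LocalSystem `
    -Command "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -CommandParameters $blockArgs

# 4. Template for the regular shares (active = the write is refused, not just reported),
#    then a screen derived from it on the share root.
$tpl = New-FsrmFileScreenTemplate -Name 'Ransomware Screen Template' `
    -IncludeGroup $known.Name -Notification @($mailAction, $cmdAction) -Active
New-FsrmFileScreen -Path $shareRoot -Template $tpl.Name | Out-Null

# 5. Honeypot: sorts first in the share list, everyone may write, and the read-me
#    is created BEFORE the all-files screen goes on, since that screen refuses
#    every write, including ours.
New-Item -ItemType Directory -Path $honeyPath -Force | Out-Null
Set-Content -Path (Join-Path $honeyPath 'README.txt') `
    -Value 'This folder is monitored for ransomware activity. Do not store files here.'
icacls.exe $honeyPath /grant '*S-1-5-11:(OI)(CI)F' | Out-Null        # S-1-5-11 = Authenticated Users
New-SmbShare -Name '$Honeypot' -Path $honeyPath -FullAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
New-FsrmFileScreen -Path $honeyPath -IncludeGroup $known.Name, $all.Name `
    -Notification @($mailAction, $cmdAction) -Active | Out-Null

# 6. Self-check from a client: New-Item \\<server>\$Honeypot\testfile.txt should be refused,
#    the mail should arrive, and Get-SmbShareAccess -Name <share> should show a Deny for you.
```

Run the self-check with a throwaway test account, not your own administrator account: the command action blocks whoever performed the write, and on a template-derived screen that includes every share on the server.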
Testing

Remotely, attempt to create a file called "testfile.txt" on the server, either in one of the protected shares or in the honeypot share. Within seconds, you should get an e-mail along the following lines:

Then that user's access to the shares on that server should be denied.
Updating the File Screen

Run the script below in PowerShell to download the latest known file extensions and apply them to your file group. This will update all file screens that use that particular group. You will need to change the name in the last line if you called the group something else earlier. Review the downloaded patterns before applying them: the list comes from a third-party repository, Set-FsrmFileGroup replaces the whole pattern list, and a pattern that matches legitimate files will trigger the block action against every user who writes one.

$decryptreadme = (Invoke-WebRequest "https://raw.githubusercontent.com/thephoton/ransomware/master/filescreendecryptreadme.txt").Content
$fileexts = (Invoke-WebRequest "https://raw.githubusercontent.com/thephoton/ransomware/master/filescreenextensions.txt").Content
$filescreengroup = @()
foreach ($line in $decryptreadme.Split("`r`n")) { if ($line -ne "") { $filescreengroup += $line } }
foreach ($line in $fileexts.Split("`r`n")) { if ($line -ne "") { $filescreengroup += $line } }
Get-FsrmFileGroup "Known Ransomware Files" | Set-FsrmFileGroup -IncludePattern $filescreengroup
Removing a user's share block after an infection

If you should get an infection and the user has their access to the server blocked, run the script below to restore that access (after making sure everything is clear, of course!). Reset the user's password and rebuild or verify their workstation first; unblocking an account whose machine is still infected just restarts the attack.

Get-SmbShare -Special $false | ForEach-Object { Unblock-SmbShareAccess -Name $_.Name -AccountName "ACCOUNT NAME TO UNBLOCK" -Force }

Good luck in your quest to block ransomware!
Ransomware Survival Guide: Defending Against Crypto-Ransomware

Cyber Threat Alliance reports that CryptoWall 3.0 alone has already cost victims $325 million

Get a walkthrough on:
- How ransomware is delivered to a user's computer
- Stages of crypto-ransomware infection
- Best practices that can be applied immediately

While ransomware attacks have been around for years, security experts say they've become far more dangerous recently because of advances in encryption and other technologies. A crypto-ransomware attack can take hostage not only data stored on a company's individual computers, but also the files on its servers and cloud-based file-sharing systems, leading to financial losses, stopping business in its tracks and potentially damaging the organization's reputation. According to a report prepared by the Cyber Threat Alliance (CTA), CryptoWall version 3.0 alone has already cost victims $325 million. To learn more, download the Ransomware Guide ->
How to Secure Your Company from Rogue Administrators

Some time back, I chronicled one of the most infamous "hacks" that ever happened. A gentleman named Jason Cornish brought the Shionogi Pharmaceutical Company to its knees. In a nutshell, he and his friend saw that things were going bad for them and decided to take revenge. They altered an account to allow themselves access from outside the company's network, got in, and deleted several dozen systems (all of them were VMs). Effectively, they destroyed the company's ability to conduct business for several days, which resulted in almost a million dollars in lost revenue.

by Richard Muniz, IT Engineer
Understanding the process

Sadly, this could have been avoided. In this blog, I intend to demonstrate how using some built-in tools will help. First, I'm making two big assumptions here. One is that we have a good Change Management system in place. Someone has to request something, it has to seek approval through a board, and once approved, the change is made. My second assumption is that once a change is made, we have a validation process, and this is where AD native auditing comes in.

This screenshot is of the Active Directory Users OU in my test lab.

I've got Kevin Riley highlighted because I'm going to make him a member of the "Domain Admins" group. This is going to be a big red flag, and I'm going to get an e-mail regarding this event.

- First, we have to understand how the process might work. When someone is added to the Domain Admins group, an approval should be passed and the IT team should get a notification that Kevin now has admin rights. Most ticketing systems will allow you to build in an "Approval" function. It doesn't have to be anything more complicated than a pull-down that allows the individual in charge of approving it (and incidentally, only that person has the rights to add his or her name to the box) to do so. Anything associated with this ticket (e-mails, etc.) becomes a part of the ticket. This enables us to see what happened at every step along the way and to ensure the process has been adhered to.
- The pertinent questions are as follows: does the approval process really help protect against unauthorized changes? How about protection from a rogue administrator? This is where change monitoring comes in. In Kevin's case, the function is governed by the process. However, if someone just gave him the rights (accidentally or intentionally), I want to know about it.
- To understand the process, we have to look for events. Whenever anyone is added to certain groups, such as Domain Admins, a key event is logged. The event ID depends on the group's scope: 4728 for a security-enabled global group (Domain Admins), 4732 for a security-enabled local group (the built-in Administrators group) and 4756 for a security-enabled universal group (Enterprise Admins, Schema Admins). Watch all three; a rogue administrator can pick whichever privileged group is not being monitored. These get logged only on the Domain Controllers, so I'll go to the Domain Controller.
- Now that I know that, what do I do with that piece of information? First, I need to understand that Domain Admins is a security group. Every time I add someone to this group, that event will be generated on the domain controller that processed the change.
Building alert inside the Domain Controller

I could buy software that would do this for me, but I prefer building my own alert inside the Domain Controller. To do that, proceed through the following:

- Go to Start > Accessories > System Tools > Task Scheduler.
- Click on "Create a Basic Task."
- Give the task a name and describe what it's supposed to do (so if you get hit by a bus, someone knows what it does).
- Specify a trigger, in this case, an event.
- Fill in the information you need.
- Choose the action to be performed. In this case, I want it to send me an e-mail. (On Windows Server 2012 and later the built-in "Send an e-mail" action is deprecated and the task fails; choose "Start a program" and have it run a PowerShell script that sends the mail.)
- Enter the required information. I'm keeping it rather simple.

Now, the single major objection I hear concerning doing this (or any kind of real-time alerts) is that it generates too much garbage, and it does. However, it all boils down to this: if you're expecting the change, it's safe to ignore it. If you're not, you had better ask questions.
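The alert built in the steps above, as an added example that is not the article's own code: an event-triggered scheduled task registered from PowerShell, plus the script it runs, which reads the group-membership event, keeps only privileged groups (the noise filter the objection above is about) and mails the details. It runs elevated on a domain controller; the script path, SMTP host and addresses are placeholders.

```powershell
# Added example, not the article's code: the Task Scheduler alert built above,
# as an event-triggered task plus the script it runs. Fires on 4728/4732/4756
# (member added to a global / local / universal security group) and mails the
# details when the group is a privileged one. Run elevated on a domain controller.
# Assumptions: script path, SMTP host and addresses are placeholders.
$scriptPath = 'C:\Scripts\Alert-PrivilegedGroupChange.ps1'
$taskName   = 'Alert - privileged group membership change'

$alertScript = @'
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Backup Operators', 'Server Operators'
$smtp = 'smtp.example.com'; $to = 'security@example.com'; $from = "$($env:COMPUTERNAME)@example.com"

# The task starts within seconds of the event; look back a little in case several
# changes were batched into one ticket.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756
                                           StartTime = (Get-Date).AddMinutes(-5) } -ErrorAction SilentlyContinue
foreach ($e in $events) {
    # EventData is name/value pairs; pull them out by name rather than by position.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($privileged -notcontains $d.TargetUserName) { continue }     # noise filter: only privileged groups
    $body = @"
Group:      $($d.TargetDomainName)\$($d.TargetUserName)
Member:     $($d.MemberName)  ($($d.MemberSid))
Changed by: $($d.SubjectDomainName)\$($d.SubjectUserName)  (logon id $($d.SubjectLogonId))
When:       $($e.TimeCreated)  on $($e.MachineName)  (event $($e.Id))
If this change has no approved ticket, treat it as an incident.
"@
    Send-MailMessage -SmtpServer $smtp -From $from -To $to -Body $body `
        -Subject "[AD] $($d.MemberName) added to $($d.TargetUserName) by $($d.SubjectUserName)"
}
'@
New-Item -ItemType Directory -Path (Split-Path $scriptPath) -Force | Out-Null
Set-Content -Path $scriptPath -Value $alertScript

# Task definition: an event trigger with an XPath subscription (the same filter
# Event Viewer's "Attach Task To This Event" builds), run as SYSTEM so it can read
# the Security log. "Send an e-mail" actions are deprecated since Server 2012,
# hence the start-a-program action running the script above.
$taskXml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[(EventID=4728 or EventID=4732 or EventID=4756)]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
    <ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-NoProfile -NonInteractive -ExecutionPolicy Bypass -File "$scriptPath"</Arguments>
    </Exec>
  </Actions>
</Task>
"@
Register-ScheduledTask -TaskName $taskName -Xml $taskXml -Force | Out-Null

# Check: add a test account to a privileged group, then confirm the task ran.
# Get-ScheduledTaskInfo -TaskName $taskName | Select-Object LastRunTime, LastTaskResult
```

The task runs on whichever domain controller processed the change, so register it on every writable domain controller; a change made on a DC without the task produces the event there and nowhere else.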
There's a lot of commercial software that will do the same thing for you and take a lot of the tedious work out of it. This makes investing in one of the commercial software packages well worth it.

Another thing you should watch for is inactive accounts. Most people would consider anyone who hasn't logged on in 30 days inactive. Asking why there isn't any activity on an account should start leading you in the right direction. Let's look at some possible answers:

- The person is no longer with the company and somehow you missed deactivating them.
- They're out on maternity leave, sick leave, vacation, or any number of reasons and you missed this somehow.
- It's a service account (you should have a list of your service accounts; the fewer, the easier for you to keep track of).
- Something else is going on.
Using a PowerShell script

You can use a simple PowerShell command run from inside your domain controller (it needs the ActiveDirectory module, which is installed with the AD DS tools):

Search-ADAccount -AccountInactive -TimeSpan 60.00:00:00 -UsersOnly | Where-Object { $_.Enabled -eq $true } | Select-Object Name, UserPrincipalName, LastLogonDate | Export-Csv FileName.csv -NoTypeInformation

You can change the number of days to any number you need. Note that -TimeSpan takes a TimeSpan, so write 60.00:00:00 (days.hours:minutes:seconds) rather than a bare 60, which PowerShell would read as 60 ticks. Select-Object, not Format-Table, must precede Export-Csv: Format-Table emits formatting objects, and the CSV would contain their internals rather than the account names.

Notice that I'm having it send me a report as a CSV file. This becomes useful for auditing purposes, not to mention justification of anything I need to do to that account (like opening a ticket and deleting it).

Deploying a professional tool

Instead of using PowerShell scripts, you can deploy a professional tool to get reports to your e-mail.

Try Netwrix Auditor for Free ->
Tech Tips: 4 Security Log Events to Audit

by Troy Thompson, IT Expert, AD administrator

In this piece, I'll brief you on the four key areas to watch out for in your event logs across your workstations and your overall domain, as well as the rationale behind all of them.
1. Audit success and failure events in the system log

The idea here is to identify patterns of use over a normal period of time so that when a nefarious actor attempts to gain access to your system, you can detect his or her actions using a spreadsheet or other analysis software to identify patterns that are out of the norm. According to Microsoft, system success and failure events are generally low volume but tend to offer a high value in terms of the information they present, so these should be the cornerstone of any auditing and profiling scheme you may deploy.

2. Look for policy change success events on the domain controllers

These types of events indicate that someone on the system has altered the Local Security Authority (LSA) policy configuration, for example by assigning a user right such as backing up files and directories. Such a change is one way intruders could prepare to download a copy of the Active Directory database or plant malware on sensitive domain controllers. Policy change success events should be rare enough that each one is worth a look. Unfortunately, it is typical to have many failure events on normal, completely unbreached systems, so the signal-to-noise ratio on monitoring failure events is usually too low to be worth the bother.

3. Look for success events in account management

These events are written when users are created, modified, or deleted and when groups are created, deleted, or have their memberships changed. A combination of success events is a good forensic trail to trace potential breaches of your directory back to where nefarious actors were able to create accounts or elevate existing accounts to a highly privileged state, for example, to a domain administrator.

4. Examine success events in the logon categories

Do it both on individual computers and on domain controllers. For individual workstations, this will give you a record of when users sign on and off their computers. For member servers on a domain, the domain controller's logon audit records the authentication (the Kerberos ticket or NTLM validation), but the logon session itself, with its logon type and source address, is recorded only in that member server's own Security log, so do not rely on the domain controller alone for servers you care about. You can easily trace a stolen password or other breach by examining the dates and times of successful logon events of the account in question.

Monitoring logon success events for domain controllers shows you when accounts sign on and off the domain. This information can be used in a similar fashion if you are working with Active Directory. Of course, the larger the domain or number of users, the more legitimate success events will be written, so you will need to come up with a retention policy that defines when you can purge successful event data from your audit system so that it does not become overburdened with data.
You may be interested in:
Try Netwrix freeware tools to be informed about changes in your IT infrastructure.

Free Tool of the Month

Account Lockout Examiner

Account Lockout Examiner is a freeware tool that notifies IT administrators about account lockouts and helps them identify the root causes so they can quickly restore normal operations. Administrators can unlock user accounts from the tool's console or a mobile device.

Example of the account lockout report
How-to for IT Pro: Detect Password Changes in Active Directory

Accidental or intentional unauthorized software installation on Windows Server enables disruptive malware activity that can lead to server performance slowdowns and even leaks of sensitive data. To gain access to systems, hackers scan targets for unprotected software and trick users into downloading malware. Employees may also unknowingly download and install malicious files in violation of your software installation policy.

1. Run GPMC.msc (url2open.com/gpmc) -> open "Default Domain Policy" -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy:
   - Audit account management -> Define -> Success and Failure.
   If any Advanced Audit Policy Configuration subcategory is already set on these machines, this legacy setting is ignored; enable the "User Account Management" subcategory there instead.

2. Run GPMC.msc -> open "Default Domain Policy" -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Event Log -> Define:
   - Maximum security log size to 1GB
   - Retention method for security log to Overwrite events as needed

3. Open Event Viewer and search the Security log for event IDs 4724 (628 on Windows Server 2003), a password reset attempt by an administrator, and 4723 (627 on Windows Server 2003), a password change attempt by the user. Both events name the account whose password was touched under Target Account and the account that made the attempt under Subject; a 4724 whose Subject is not one of your helpdesk or administrator accounts is the one to chase.
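The audit policy that the Tech Tips piece above and this how-to both rely on, applied with the built-in auditpol.exe and checked with Get-WinEvent, as an added example that is not the magazine's own code: it enables the four areas (system, policy change, account management, logon) as advanced-audit subcategories, sets the 1 GB overwrite-as-needed Security log from step 2, and then runs the step 3 search for 4723/4724 and prints who changed whose password. It assumes an elevated session on the machine being configured; on domain members the same subcategories belong in a GPO so they do not drift.

```powershell
# Added example, not from the magazine: the audit settings the two pieces above
# rely on (system, policy change, account management and logon events; and the
# account-management subcategory that produces 4723/4724), set with the
# built-in auditpol.exe and checked with Get-WinEvent. Run elevated.

# Advanced (subcategory) settings override the legacy nine categories as soon as
# any subcategory is configured; this value (default 1) makes that explicit.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord

$baseline = @(
    # 1. system log: low volume, high value, success and failure
    @{ Sub = 'Security State Change';        Success = 'enable'; Failure = 'enable'  }
    @{ Sub = 'Security System Extension';    Success = 'enable'; Failure = 'enable'  }
    @{ Sub = 'System Integrity';             Success = 'enable'; Failure = 'enable'  }
    # 2. policy change: successes only (failures are noise)
    @{ Sub = 'Audit Policy Change';          Success = 'enable'; Failure = 'disable' }
    @{ Sub = 'Authentication Policy Change'; Success = 'enable'; Failure = 'disable' }
    @{ Sub = 'Authorization Policy Change';  Success = 'enable'; Failure = 'disable' }
    # 3. account management: user and group changes (4723/4724, 4728/4732/4756)
    @{ Sub = 'User Account Management';      Success = 'enable'; Failure = 'enable'  }
    @{ Sub = 'Security Group Management';    Success = 'enable'; Failure = 'enable'  }
    # 4. logon/logoff: successes on workstations, member servers and DCs alike
    @{ Sub = 'Logon';                        Success = 'enable'; Failure = 'enable'  }
    @{ Sub = 'Logoff';                       Success = 'enable'; Failure = 'disable' }
    @{ Sub = 'Account Lockout';              Success = 'enable'; Failure = 'enable'  }
)
foreach ($s in $baseline) {
    & auditpol.exe /set "/subcategory:$($s.Sub)" "/success:$($s.Success)" "/failure:$($s.Failure)" | Out-Null
}

# A 1 GB Security log that overwrites as needed (the GPMC setting in step 2 above).
wevtutil.exe sl Security /ms:1073741824 /rt:false

# Verify what is actually in force, not what the GPO says (--% passes the rest verbatim).
auditpol.exe --% /get /category:"System","Policy Change","Account Management","Logon/Logoff"

# The search in step 3: who reset (4724) or changed (4723) whose password in the last day.
# Property order for both events: [0] target user, [1] target domain, [4] subject user, [5] subject domain.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4723, 4724; StartTime = (Get-Date).AddDays(-1) } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $kind = if ($_.Id -eq 4724) { 'reset by admin' } else { 'changed by user' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Event  = $kind
            Target = "$($_.Properties[1].Value)\$($_.Properties[0].Value)"
            By     = "$($_.Properties[5].Value)\$($_.Properties[4].Value)"
        }
    } | Format-Table -AutoSize
```

The subcategory names are the English ones; on a localized server, or in a GPO, use the subcategory GUIDs that auditpol /list /subcategory:* /v prints, which do not change with the display language.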
Try Netwrix Auditor 8.0: Track Active Directory and Group Policy Changes netwrix.com/go/auditor

Copyright © Netwrix Corporation. All rights reserved. Netwrix is a trademark of Netwrix Corporation and/or one or more of its subsidiaries and may be registered in the U.S. Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are the property of their respective owners.