Cryptolocker…

Every one of us wants to stop Cryptolocker and similar programs. It really is a nightmare for all admins. To stop Cryptolocker or any other unwanted program, however, you have to be aware that doing so brings limitations to your system, which are not always welcome.

How does Cryptolocker work?
We have 5 phases of Cryptolocker infections:

  1. Installation: The software is delivered to your computer via download or e-mail attachment and the user clicks on it. The executable is now installed, the registry keys are set and we are ready to go to the next phase.
  2. Contacting headquarters: The computer contacts the criminal headquarters for registration, which prepares the environment for phase 3.
  3. Creating keys: Headquarters and client now identify each other and are ready to “handshake” and create two keys for encryption.
  4. Encryption: The cryptographic keys are now established and the encryption can begin. It depends on the version, but almost all files on all local and shared drives where you have permissions will be encrypted.
  5. Extortion: A screen is displayed with instructions on how much and where to pay, and how much time you have for the payment. If you do not pay in time, the headquarters key is deleted and you will not be able to decrypt the files. The payment gets higher every day – so if you want to pay, do it immediately.

To prevent a large number of unwanted programs, the first step is always to remove LocalAdmin permissions and turn on UAC. These two actions put you in a situation where the user is not able to install any application or write to crucial system folders. Also keep your system always up to date. And I don’t mean only the OS, but all installed applications as well (we know of attacks on Java, Adobe FlashPlayer, Microsoft Office…).
Of course this is not enough, as a lot of bad guys know how to elevate permissions or use different folders (for example, AppData is used by Cryptolocker), but being a LocalAdmin is a great way to become a victim. I suggest that all home users and system administrators use two different accounts – one for daily use and a second for administrator tasks.
Well, the real way to prevent Cryptolocker is to block the execution of exe files in the AppData folder. You can do this with Group Policy, using AppLocker or a software restriction policy. These are the steps for basic protection with AppLocker:

  1. Create a new GPO for Cryptolocker prevention
  2. Edit the newly created GPO
  3. Expand Computer configuration > Policies > Windows Settings > Security settings > System Services
  4. Enable the “Application Identity” service and set it to automatic startup mode
  5. Go down to Application Control Policies and expand to AppLocker
  6. In “Configure rule enforcement”, enable Executable rules and set them to Enforce mode (I suggest you run them in Audit mode for a week or two and analyze the logs before enforcing them – just to find legitimate applications which would be blocked)
  7. Expand AppLocker and click on Executable rules
  8. Right-click in the action pane and create Default Rules
  9. Right-click in the action pane and create a New Rule
  10. In Permissions, set the Action to Allow for Everyone
  11. In Conditions, select Publisher as the rule type
  12. In Publisher, just browse to one file (in my case it was Internet Explorer) and move the slider up to Any publisher
  13. Give the rule a name
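
One way to act on the Audit-mode advice in step 6 and to confirm what the finished policy does with executables in AppData, as an added example that is not part of the original post. It assumes an elevated PowerShell session on a computer that has already received the GPO.

```powershell
# Added example: verify the AppLocker GPO on a client and review audit events.
# Run elevated on a computer that has already received the policy.
Import-Module AppLocker

# 1. Ask the effective policy what it would do with executables that already
#    exist under the user's AppData folders (the cmdlet evaluates real files).
#    Signed programs match the "Any publisher" rule from steps 9-13; unsigned
#    ones should come back as DeniedByDefault.
$exes = Get-ChildItem -Path $env:APPDATA, $env:LOCALAPPDATA -Filter *.exe `
            -Recurse -File -ErrorAction SilentlyContinue |
        Select-Object -First 50 -ExpandProperty FullName

if ($exes) {
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $exes -User Everyone |
        Sort-Object PolicyDecision |
        Format-Table PolicyDecision, MatchingRule, FilePath -AutoSize
}

# 2. Review the audit period. Event 8003 = allowed, but would have been blocked
#    under enforcement (Audit mode); event 8004 = blocked (Enforce mode).
$filter = @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8003, 8004
    StartTime = (Get-Date).AddDays(-14)   # the "week or two" of auditing
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The file path is carried in the event's UserData section.
        $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{ Id = $_.Id; Path = $data.FilePath }
    } |
    Group-Object Id, Path |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Paths that show up often under event 8003 are the legitimate applications to sort out before switching the rules to Enforce mode.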

So, that is AppLocker, but we still have a lot of work to do. There is a big attack surface if users are local admins. To prevent this, configure Restricted Groups in the GPO under Computer Configuration > Policies > Windows Settings > Security settings > Restricted Groups.
Apply this GPO to all computers and the first step is done.
GPO is a good way to prevent Crypto, but be aware that Crypto is evolving and you have to evolve with it. Also, preventing Crypto with GPO means that the executable is already on your system – maybe you should stop it before it is downloaded or received by mail. For this step you will need an application firewall and a good antivirus on the file system and in the mail system.
But you can still do something with cheap devices by closing outgoing ports 83, 846, 777, 997, 1604, 9001, 9003, 444, 9052, 8443, 7777, 9003 and 25254. These ports are used to communicate with the headquarters servers to obtain a certificate for encryption (other ports may exist too, or may be added or changed over time). If you close these ports, the system will not be able to retrieve a certificate for encryption and the encryption will not be able to begin. Be careful with notebooks, because users take their notebooks home, where the encryption will succeed.
As you can see, there are a lot of ways to prevent Cryptolocker, but you have to prevent it. Once you have it, it is too late – think about it now!

And for home users? Well, we cannot forget them. They have a lot of pictures and documents on their computers – practically a whole life – and losing all this material has a really big impact.
I suggest software from FoolishIT. It is free and it works well (but if you want to keep it up to date, give those few Euros to the author – he is doing his job well!).

 

Additional reading:
https://blogs.technet.microsoft.com/mmpc/2015/01/13/crowti-update-cryptowall-3-0/
http://www.crowdstrike.com/blog/4-0-another-brick-in-the-cryptowall/
http://researchcenter.paloaltonetworks.com/2015/02/analysis-cryptowall-3-0-dyre-i2p/
https://tools.cisco.com/security/center/viewAlert.x?alertId=36338

Send mail on backup failure with Script

A lot of us, in small environments, use Windows backup to back up all servers. To be honest, it is a good enough solution, but we have problems with reporting. For me, as an administrator, it is very important to know whether a backup was successful or not. There is another problem too: we have many small environments to check, and it would be nice to receive reports through mail.
As I didn’t find a solution, I wrote a script which runs as a scheduled task (weekly or daily – as you prefer) and e-mails me all errors on backup jobs in the last X hours. It is working for me and now I am more sure that everything in the system is going the right way. Be careful how you use the script: it should be used on any server where you run Windows backup, and if you are using Exchange for sending mails, take care of authentication or create a relay connector to allow the script to send an e-mail.

The script can be downloaded here.
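
The author's script is not reproduced on this page. The PowerShell below is an added example of the approach described above, not the author's script; the SMTP server and the mail addresses are placeholders, and it assumes the server writes its backup events to the Microsoft-Windows-Backup log.

```powershell
# Added example (not the author's script): mail Windows Server Backup problems
# from the last X hours. Run it as a scheduled task on each backed-up server.
param(
    [int]   $Hours      = 24,
    [string]$SmtpServer = 'smtp.example.invalid',          # placeholder
    [string]$From       = 'backup-report@example.invalid', # placeholder
    [string]$To         = 'admin@example.invalid'          # placeholder
)

$log   = 'Microsoft-Windows-Backup'   # operational log of Windows Server Backup
$since = (Get-Date).AddHours(-$Hours)

# Level 1 = Critical, 2 = Error, 3 = Warning
$problems = @(Get-WinEvent -FilterHashtable @{
        LogName = $log; Level = 1, 2, 3; StartTime = $since
    } -ErrorAction SilentlyContinue)

# No events at all in the window means the backup never ran: a failure too.
$anyEvent = @(Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } `
        -MaxEvents 1 -ErrorAction SilentlyContinue)

if ($problems.Count -gt 0) {
    $subject = "[$env:COMPUTERNAME] $($problems.Count) backup problem(s) in last $Hours h"
    $body = $problems | Sort-Object TimeCreated |
        Format-List TimeCreated, Id, LevelDisplayName, Message | Out-String
}
elseif ($anyEvent.Count -eq 0) {
    $subject = "[$env:COMPUTERNAME] no backup activity in last $Hours h"
    $body    = "The $log log has no events since $since. Check the backup schedule."
}
else {
    return   # backup ran and logged no warnings or errors: stay quiet
}

# Anonymous SMTP; with Exchange, add -Credential or allow this server on a
# relay connector, as the post notes.
Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
    -Subject $subject -Body $body
```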

Blocking Chrome or Firefox with GPO

We have a lot of users on whose computers Google Chrome or Mozilla Firefox “installed itself automatically” – they did nothing (well, we know them…). In these cases you want to block the installation of these two programs, and maybe some others, but you don’t know how.
Actually it is very simple and you have two different ways to do it.
The first approach is good if you want to block the installation on only one or a few computers, or if there is no domain. In this case you have to modify the local policy of the computer. Open mmc.exe, choose Add / Remove Snap-in… from the File menu and select Group Policy Object. A new window will open; make sure that the policy “Local Computer” is selected under Group Policy Object. The remaining steps are the same as in the second approach, so they will be discussed later. Keep in mind here that local administrators are able to change local policies.

The second approach is similar. The only difference is that we use a GPO (Group Policy Object), and for this reason we can apply these settings to a large number of computers. It depends on where you link this GPO.
The following steps are common to both approaches. The way to block any software is the same whether you are using local policy or group policy. (Be careful when you are blocking programs, as you can also lock yourself out!)

  • Expand Computer configuration
  • Expand Windows settings
  • Expand Security Settings
  • Expand Software Restriction Policies
  • In the action pane click on More Actions and click New Software Restriction Policies…
  • Expand Additional Rules
  • In the Action pane click on More Actions and click New Path Rule…
  • For blocking Chrome, you have to create 5 rules with these values (you have to create one rule for each value):
    • Path: Chrome.exe, Security level: Disallowed
    • Path: ChromeSetup.exe, Security level: Disallowed
    • Path: Gears-Chrome-Opt.msi, Security level: Disallowed
    • Path: Chrome_Installer.exe, Security level: Disallowed
    • Path: GoogleUpdate.exe, Security level: Disallowed
  • For blocking Firefox, you have to create 2 rules with these values:
    • Path: Firefox.exe, Security level: Disallowed
    • Path: Firefox Setup*.exe, Security level: Disallowed

I hope I helped someone with this post. Let me know.

Upgrading to Windows 10

These days many users are trying to upgrade their systems to Windows 10. Some of them are disappointed, as there is no way to get the magic »update«.
Actually there will not be a classic update; Windows 10 will be downloaded and then installed. But if you want to upgrade right now (without waiting), you can do it simply by visiting the link http://www.microsoft.com/sl-si/software-download/windows10 and downloading the software. It is so easy!
Anyway, be aware of a few things that are recommended before upgrading your system:

  • Check if your applications will run on the new OS,
  • Check if your hardware is supported (previously I blogged how to solve fingerprint sensor on Lenovo notebook),
  • Update your current OS before upgrading to Windows 10,
  • Be aware that you have 30 days to roll back to the old OS. After 30 days it will no longer be possible to do so.

If you want to do a clean installation, you will have some more work to do. The only way (as you don’t have the product key) is to upgrade the computer and, after a successful upgrade, write down the Windows product key. Use the software from the previous link to create DVD or USB media, and use your key for the clean installation. Unfortunately, you will need more time.

Have fun with Windows 10!

Fingerprint login not working on Lenovo in Windows 10

Now Windows 10 is available and many of us are trying to install it. This causes new problems, as not all drivers and software have been updated and developed for installation on Windows 10. I have a brand new Lenovo W550s notebook and I wanted to install Windows 10 Enterprise – a clean installation, not an upgrade. Most things function perfectly, but I had a problem with fingerprint logon to the domain. For me it was immediately clear what the cause was. Biometric devices were missing in Control Panel, and this means that software is missing.
The notebook wanted to install Fingerprint Manager Pro, but this software has not been developed for Windows 10 yet and you will not be able to install it from the Lenovo page. But here is a simple workaround: download the software from this link and install it: http://www.userdrivers.com/Notebook-Tablet-PC/Lenovo-Fingerprint-Manager-Pro-8-01-26-for-Windows-7-8-8-1-x86-x64/download/
It is the same software and you will be able to install it even though it is written for Windows 8.1. It works!