Using FSRM against Ransomware

Every administrator is afraid about Ransomware software. We want to protect our systems with so many different approaches and at many layers, but almost always we try to use complicate techniques to archive basic objectives. I found on TechNet an article, which sounds good for me and I am also confidential using Windows embedded functionalities for trying to prevent an attack.
Are there positive and negative sides? Of course they are, the most important negative thing I recognize is that we are using technology based on file type. Actually we are trying to prevent to write all known file extensions that can be written on our system. This will work if we know the extension and we have to search for new used file extensions and add them as blocked file types. But there are also positive things: we don’t need to buy anything, we have all we need ready on our server – we have just to use it! It is very simple to configure and maintain and it works!
When I read this article, I was surprised why I have to do all those steps thru GUI? We can simply use PowerShell that is quicker and it will do exactly the same things every time we will start it. Well, I made a script that you can run on every server you have to protect and for every share or partition you want to protect. There is only one think that you cannot protect: system drive if you try to prevent whole drive. In this case, the protection will be passive and not active and there is no way to change it (but I hope that you don’t share system drive).
Things that you have to know are basic, just few data:
  • Path to protect
  • SMTP server for sending mail (and be careful with authentication! Test it!)
  • Mail address form which mail will be sent
  • Mail address from administrator
  • Script that you want to run after detection (if you want)
You can run it as many times you want, on every server you want (version 2008 and newer) and you will be able to protect your data. It is a secure way to do it because you just prevent to change the data transformation and not the malware itself. I recommend also to use a script published on TechNet article for disabling the AD user or deny user access to server (It is also zipped into my file; including subinacl.msi).
To prevent malware, you can use an additional build in function: AppLocker and also this is explained here. And by the way, the approach is tested on Server 2016 TP5 – it’s working!

Kaspersky cause Hyper-V error 0x80070005 when creating switch

Kaspersky Hyper-V ErrorAs I trust and use Kaspersky Antivirus, I had some problems in last month or two. It seems that Kaspersky is not really well integrated with Windows 10 and you have to expect some problems.
In my case, I use Kaspersky Small Office Security and this software prevents me to do a lot of actions. I found the issue when I tried to create External Network Switch in Hyper-V console – the problem is when you create a new network adapter. In this case I received an Error Access Denied – 0x80070005.
I received the same Error also when I tried to install Shrew Soft VPN Client. I was always unable to install network component due to Access Deny.  Analyzing the problem, I found that there is a problem accessing to folder INF (Change) and some other system folders, but all permissions were as they should be and there was no way to establish the right permissions to get installers work.
Well, removing Kaspersky I was able to solve the problem. But be careful, just disabling the antivirus will not be enough; you have to completely uninstall the entire antivirus and reboot the computer to correct the issue.
Hope that Kaspersky will correct the issue soon. It is my preferred antivirus program and I like it, but unfortunately it is not well integrated with Windows 10.


Everyone of us want to stop Cryptolocker and similar programs. It seems that it is really a nightmare for all admins. Anyway, to stop Cryptolocker and any unwanted program, you have to be aware, that this will bring limitations to your system, which are not always welcome.

How does Cryptolocker work?
We have 5 phases of Cryptolocker infections:

  1. Installation: The software is delivered to your computer via download or E-Mail attachment and the user click on it. The executable is now installed, the registry keys are set and we are ready to go to the next phase.
  2. Contacting headquarters: the computer is contacting criminal headquarters for registration, so it will prepare all environment for phase 3.
  3. Creating keys: headquarter and client are now identifying each other and are ready to “handshake” and create two keys for encryption.
  4. Encryption: Cryptographic keys are now established and the encryption can begin. It depends on version, but almost all files on all local and shared drives where you have permissions will be encrypted.
  5. Extortion: The screen with a guide how much and where to pay is displayed. There is displayed also how much time you have for payment. If you will not pay in time, the headquarter key will be deleted and you will not be able to decrypt files. The payment is every day higher – so if you want to pay, do it immediately.

To prevent a large number of unwanted software, the first step to do is always remove LocalAdmin permissions and turn on UAC. This two actions will put you in situation where user will not be able to install any application and write to system crucial folders. Also have your system always up to date. And I don’t mean only OS, but include all applications installed (we know attacks to Java, Adobe FlashPlayer, Microsoft Office…).
Of course this is not enough as a lot of bed guys know how to elevate permissions or are using different folders (for example AppData is used for Cryptolocker), but been a LocalAdmin is a great way to become a victim. I suggest to all home users and system administrators to use two different accounts – one for daily use and the second for administrator tasks.
Well, the real way to prevent Cryptolocker is blocking the execution of exe files in AppData folder. You can do this with group policy in AppLocker or in software restriction policy. This are steps for basic protection with AppLocker:

  1. Create new GPO for Cryptolocker prevention
  2. Edit new created GPO
  3. Expand Computer configuration > Policies > Windows Settings > Security settings > System Services
  4. Enable “Application Identity” service and set it to automatic startup modeCrypto1
  5. Go down to Application Control Policies and expand to AppLocker
  6. In “Configure role enforcement enable Executable rules and make them in Enforce mode (I suggest you, to run them in Audit mode for week or two and analyze logs before enforcing them – just to find legal applications which can be blocked)Crypto2
  7. Expand AppLocker and click to Executable rules
  8. Right click in action pane and create Default Rules
  9. Right click in action pane and create New RuleCrypto3
  10. In Permissions on Action set Allow for EveryoneCrypto4
  11. In Conditions select that is Publisher ruleCrypto5
  12. In Publisher, just browse one file (in my case was Internet Explorer) and go with slider up to Any publisherCrypto6
  13. Give the name to the ruleCrypto7

So, this is about AppLocker, but we have still a lot of work to do. There is a big surface for attack if users are local admin. To prevent this, configure Restricted groups in GPO by using Computer Configuration > Policies > Windows Settings > Security settings > Restricted Groups.
Apply this GPO to all computers and the first step is done.
GPO is a good way to prevent Crypto, but be aware that Crypto is evolving and you have to evolve with him. And preventing Crypto with GPO means that executable is already in your system – maybe you have to prevent it before is downloaded or received with mail. For this step you will need the application firewall, good antivirus in file system and in mailing system.
But still you can do something with chip devices with closing outgoing ports 83, 846, 777, 997, 1604, 9001, 9003, 444, 9052, 8443, 7777, 9003 and 25254. This ports are used to communicate with headquarter servers to obtain a certificate for encryption (maybe exist also other ports or will be added / changed during the time). If you will close this ports, the system will not be able to retrieve a certificate for encryption and the encryption will not be able to begin. Be careful on notebooks because the users will bring their notebooks at home and the encryption will be successful.
As you can see, there are a lot of ways to prevent Cryptolocker, but you have to prevent it. When you have it, it is too late – think about it now!

And for home users? Well we cannot forget them. They have a lot of pictures and documents on their computers – practically a whole life and is a really big impact to lose all this material.
I suggest you a software from FoolishIT. It is free and it is working good (but if you want to keep it up to date, give those few Euros to the author – he is doing his job well!).


Additional reading:

Blocking Chrome or Firefox with GPO

We have a lot of users where Google Chrome or Mozilla Firefox it is” installed automatically” – they did nothing (well, we know them…). In this cases, you want to block the installation of this two programs and maybe some others, but you don’t know how.
Actually it is very simple and you have two different ways to do it.
The first approach is good if you want to block the installation only on one or on some computers or there is no domain. In this case you have to modify the Local policy of computer. Open mmc.exe, from File menu choose Add / Remove Snap in… and select Group Policy Object. The new window will open and be careful that under Group Policy object is selected policy “Local Computer”. Steps in advance are the same as in the second approach, so they will be discussed later. Here you must have in mind that local administrators are able to change local policies.

LocalPolicy view
The second approach is similar. The only difference is, that we will use a GPO (Group Policy Object) and for this reason we can apply this settings to a large number of computers. It depend where do you link this GPO.
This steps are in common for both approaches. It is the same way to block any software if you are using local policy or group policy. (Be careful when you are blocking some programs as you can look out also yourself!!!)

  • Expand Computer configuration
  • Expand Windows settings
  • Expand Security Settings
  • Expand Software Restriction Policies
  • In the action pane click on More Actions and click New Software Restriction Policies…
  • Expand Additional Roles
Policy settings
  • In the Action pane click on More Actions and click New Path Rule…
  • For blocking Chrome, you have to create 5 rules with values (for any value you have to create one role):
    • Path:     Chrome.exe                                      Security level: Disallowed
    • Path:     ChromeSetup.exe                          Security level: Disallowed
    • Path:     Gears-Chrome-Opt.msi                Security level: Disallowed
    • Path:     Chrome_Installer.exe                   Security level: Disallowed
    • Path:     GoogleUpdate.exe                         Security level: Disallowed
  • For blocking Firefox, you have to create 2 rules with values:
    • Path:     Firefox.exe                                        Security level: Disallowed
    • Path:     Firefox Setup*.exe                         Security level: Disallowed
Setting of the role

Hope I helped someone with this post. Let me know..

Deleting print jobs in Error on print server

I had a problem in an environment where all users print thru one print server. The printer was worst one and we always had problems to delete some jobs in error. The users were also unable to print when the printer had a job in error. So, we wanted to automate that procedure to keep printers alive as much as possible.
In this case, we found two different but similar solutions, both in PowerShell.
The first is to delete jobs in non-working hours (true the night). We used the script:

get-printer | where {$_.PrinterStatus -ne “Normal”} | get-printjob |Remove-PrintJob

This script deletes all jobs on all printers where the status of the printer is not normal. This are pros and contras:

  • It runs thru the night, so the printer could be offline for whole day,
  • All jobs on the printer are lost. We preferred to do it in this way, as we didn’t know what kind of jobs were in the queue. It could a confidential information and is better to lose the job as leave those papers in the printer,
  • It has minimum impact to the print server.

The second option is running a similar script every few minutes:

get-printer | Get-PrintJob | where {$_.JobStatus -match “Error”} | Remove-PrintJob

This script has those pros and contras:

  • It could be run every few minutes and printers are really many time online,
  • It has more impact on the print server as the previous, but the impact is still minimum. There is not real difference in server usage.

After consulting with the customer, the best choice was the second version, running every 5 minutes. Now we have printers really with better uptime and the server is running practically on the same performance. Be careful that you run this script with an account who has permissions to delete print jobs (Print Administrator) and it will work. Anyway, if it is possible is always better to find the cause of errors and repair it. It is not always possible, but try to do it, before you use the script.
Still I am convinced that the best way to solve this type of issues is assign the second option directly to an error. When the printer is going to error, it is acknowledged as Error 372; Source: PrintService. You have just to assign a task to this error..