File Server Resource Manager commands

  • Question

  • Hi everyone.

    I'm trying to protect my file servers from ransomware encryption, so I set up FSRM screens for the usual ransomware file patterns.

    Upon detection, FSRM can execute a command that you can freely define.

    On 2012 R2 I used:

    -ExecutionPolicy Unrestricted -NoLogo -Command "& { Get-SmbShare -Special $false | ForEach-Object {Block-SmbShareAccess -Name $_.Name -AccountName '[Source IO Owner]' -Force } }"

    '[Source IO Owner]' is an FSRM variable:
    https://technet.microsoft.com/en-us/library/cc788122(v=ws.11).aspx?f=255&MSPPError=-2147217396

    What it does is deny the user who is trying to write a screened pattern permission to all the shares on the server. This works fine.

    On 2008 R2, however, there is no Get-SmbShare, so I tried to disable the AD account of the user. But it won't do it.

    I have tried the following:

    -ExecutionPolicy Unrestricted -NoLogo -Command "& { Disable-ADAccount -Identity '[Source IO Owner]' }"
    -ExecutionPolicy Unrestricted -NoLogo -Command "Disable-ADAccount -Identity '[Source IO Owner]'"

    and 

    -ExecutionPolicy Bypass -File "C:\Admin\disableaduser.ps1" -FileName [SourceFilePath] -FileOwner [SourceFileOwner]

    with the disableaduser.ps1 script looking like this:

    # Parameters filled in by FSRM from the screen action's command line
    Param(
      [string]$FileName,   # path of the screened file
      [string]$FileOwner   # owner of the I/O that triggered the screen
    )
    Import-Module ActiveDirectory

    # Disable the offending account
    Set-ADUser -Identity $FileOwner -Enabled $false

    I have imported the AD module, and the commands work fine when I run them manually in PowerShell (with the actual username instead of the FSRM variable, of course; I don't know how to check those variables...).

    Can anybody immediately see the problem? Or does someone know where to debug these FSRM commands? I don't even know where to look for error messages.

    I've found this info:

    A good troubleshooting option is to look for event logs that have been generated by File Server Resource Manager. All event log entries for File Server Resource Manager can be found in the Application event log under the source SRMSVC.

    from https://technet.microsoft.com/en-us/library/cc731466(v=ws.11).aspx?f=255&MSPPError=-2147217396

    but there aren't any FSRM entries at all.

    • Moved by Bill_Stewart Friday, July 7, 2017 6:26 PM Off-topic
    Wednesday, May 17, 2017 6:22 AM
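The following is an added example and not code from the original post: a version of the disableaduser.ps1 script shaped the way a practitioner would want it for an FSRM file-screen action on 2008 R2, where Block-SmbShareAccess is unavailable. It logs every invocation and every failure to a file, so the "nothing in the event log" problem becomes debuggable, and it normalises the owner value before touching AD. Assumptions not confirmed by the page: FSRM passes [Source Io Owner] in DOMAIN\user form (Disable-ADAccount -Identity does not accept that form, only a SAM name, DN, GUID or SID), the log path C:\Admin\fsrm-ransomware.log is writable by the account the command runs as, and the FSRM action is configured to run as Local System. That last point is the usual trap: Local System and Network Service authenticate to AD as the computer account, which has no right to disable user accounts unless that has been delegated, so a script that works at an admin prompt can still fail silently under FSRM.

```powershell
# Added example, not from the original post.
# Suggested FSRM "Run this command" line (quoting is an assumption):
#   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
#     -ExecutionPolicy Bypass -NonInteractive -File C:\Admin\disableaduser.ps1
#     -FileOwner "[Source Io Owner]" -FilePath "[Source File Path]"
Param(
    [Parameter(Mandatory = $true)][string]$FileOwner,
    [string]$FilePath = '<unknown>'
)

$LogFile = 'C:\Admin\fsrm-ransomware.log'   # assumed path, must be writable by the FSRM action account

function Write-Log {
    param([string]$Message)
    $line = '{0:s} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
}

# Record who FSRM says triggered the screen and which identity the script runs as.
# If this line never appears, the command itself is not starting (path, quoting, account).
Write-Log "Screen hit: owner='$FileOwner' file='$FilePath' runningAs='$env:USERDOMAIN\$env:USERNAME'"

# Never disable built-in identities or computer accounts (names ending in '$').
if ($FileOwner -match '^(NT AUTHORITY|BUILTIN)\\' -or $FileOwner -like '*$') {
    Write-Log "Owner '$FileOwner' is a built-in or computer account; skipping."
    exit 0
}

# Strip 'DOMAIN\' so the value is a SAM account name that -Identity accepts.
$sam = $FileOwner -replace '^.*\\', ''

try {
    Import-Module ActiveDirectory -ErrorAction Stop
    $user = Get-ADUser -Identity $sam -ErrorAction Stop
    Disable-ADAccount -Identity $user -ErrorAction Stop
    Write-Log "Disabled AD account '$($user.DistinguishedName)'."
} catch {
    # The most common message here is an access-denied from AD, which means the
    # account FSRM runs the command as lacks the right to disable users.
    Write-Log "FAILED to disable '$sam': $($_.Exception.Message)"
    exit 1
}

# A disabled account can keep writing through an SMB session it already holds,
# so also drop that user's sessions on this server. 'net session' exists on
# 2008 R2 where Get-SmbSession does not; its data lines start with \\client.
$pattern = '^\\\\(\S+)\s+' + [regex]::Escape($sam) + '\s'
foreach ($line in (net session 2>$null)) {
    if ($line -match $pattern) {
        $client = '\\' + $Matches[1]
        net session $client /delete | Out-Null
        Write-Log "Closed SMB session from $client."
    }
}
```

Run it once by hand with a real account as -FileOwner to confirm the log file is written, then trigger the screen with a test file; if the "Screen hit" line is missing the problem is in how FSRM launches the command, and if the FAILED line shows access denied the problem is the rights of the account chosen under "Run the command as".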

All replies

  • Disable-Account userid.

    Disabling a user will not work; you have to force a restart of the workstation they are using. Even logging a user off will not stop the ransomware, as it normally locks a thread in memory which can only be aborted by a restart.


    \_(ツ)_/

    Wednesday, May 17, 2017 2:43 PM
    Yes, meanwhile I've found this out, too.

    Which is unfortunate.

    I'd rather not rely on dependencies on the accessing host. There just needs to be one guy who manages to connect a private laptop to a share, and I can't restart his machine.

    Thursday, May 18, 2017 5:47 AM