6

Suppose in a network there is a file server whose storage is shared between all workstations and all users require full read/write access to this storage for their cooperation workflow. (Over samba, afd and nfs)

If (at least) one client gets infected by ransomware, how can that infection be kept from encrypting/affecting the whole file server's data?

The only effective countermeasure I can think of is to forbid write access and only explicitly grant it on request for all write/delete actions, but this seems to introduce a big organizational overhead.

I'm not asking how to recover from such a scenario - backups are in place that should keep the damage minimal in such a case.

I'd rather not use these backups and keep the effect of the infection local, e.g. keep it off the server altogether.

Tobi Nary
    Full read/write access for everyone means full fuckup-access for everyone... or maybe there is some way to detect unusual access patterns and prevent them? – Philipp Mar 16 '16 at 18:13
  • Prevention is better than cure. If you can: disable USB on LAN workstations, firewall heavily, and of course, anti-virus. User education/lectures/contractual clauses if appropriate. Maybe a versioning filesystem too - I know of WebDAV+SVN, there are presumably others. – Phil Lello Mar 16 '16 at 21:53

1 Answer

5

Generally, make sure you enforce the least privilege principle as much as you can. Evaluate the damage that would be done to the business if a ransomware encrypts all the files and balance it against the overhead which would be introduced by applying more restrictions.

You could also deploy a monitoring system which monitors the write access of every user. If some user writes to an unusual number of files in a defined time, you could trigger an action like killing the connection to the share and throwing a notification to you.

Another measure is introducing a staging area. In this area everything is writable. At a defined point (after an amount of time or after a project or task is finished) files in this area are moved to a read-only part and can only be modified by request.

Noir
  • What technology would you use to detect an unusually large number of files being edited? – Neil Smithline Mar 16 '16 at 19:29
  • I'd use the operating system tools to log changes of the file system and use a [SIEM](https://en.wikipedia.org/wiki/Security_Information_and_Event_Management) to analyze it. There are many solutions out there, so it depends on the individual use case which is suitable. Some of them are open source so you can easily try them out. – Noir Mar 16 '16 at 21:41
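The per-user write-rate check described in the answer and its comments, as an added example that is not part of the original post: it counts the distinct files each user has written, renamed or deleted inside a sliding time window and flags users who exceed a threshold, which is the condition on which a SIEM would drop the share session and raise a notification. The `timestamp|user|op|path` line layout and the sample lines are constructed for this example and are an assumption; a real Samba `full_audit` log or inotify feed has a different field layout and needs its own parser.

```python
from collections import defaultdict, deque
from datetime import timedelta, datetime

# Constructed sample audit lines (assumed format "<ISO timestamp>|<user>|<op>|<path>").
# alice edits one file repeatedly (normal), carol only reads, bob touches six
# distinct files within seven seconds, which is the ransomware-like pattern.
SAMPLE_LOG = """\
2016-03-16T18:00:01|alice|write|/share/proj/report.docx
2016-03-16T18:00:03|alice|write|/share/proj/report.docx
2016-03-16T18:00:09|alice|write|/share/proj/report.docx
2016-03-16T18:00:10|bob|write|/share/proj/f1.docx
2016-03-16T18:00:11|bob|write|/share/proj/f2.docx
2016-03-16T18:00:12|bob|rename|/share/proj/f3.docx
2016-03-16T18:00:13|bob|write|/share/proj/f4.docx
2016-03-16T18:00:14|bob|unlink|/share/proj/f5.docx
2016-03-16T18:00:15|carol|read|/share/proj/f1.docx
2016-03-16T18:00:16|bob|write|/share/proj/f6.docx
"""

WINDOW = timedelta(seconds=60)      # sliding window length
MAX_DISTINCT_FILES = 5              # tune from a baseline of normal activity
MODIFYING_OPS = {"write", "rename", "unlink"}

def parse(line):
    """Split one constructed audit line into (timestamp, user, op, path)."""
    ts, user, op, path = line.split("|", 3)
    return datetime.fromisoformat(ts), user, op, path

def detect_bursts(lines, window=WINDOW, threshold=MAX_DISTINCT_FILES):
    """Return {user: timestamp of first alert} for users whose number of
    distinct modified files inside any `window` exceeds `threshold`."""
    recent = defaultdict(deque)     # user -> (ts, path) events, oldest first
    alerts = {}
    for line in lines:
        ts, user, op, path = parse(line)
        if op not in MODIFYING_OPS:
            continue                # reads never count towards the burst
        events = recent[user]
        events.append((ts, path))
        while events and ts - events[0][0] > window:
            events.popleft()        # evict events that fell out of the window
        distinct = {p for _, p in events}
        if len(distinct) > threshold and user not in alerts:
            alerts[user] = ts       # a SIEM would kill the session and notify here
    return alerts

def run_sample():
    return detect_bursts(SAMPLE_LOG.strip().splitlines())
```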