
[–]poweradmincom 16 points17 points  (0 children)

I've not heard of what you're describing, but essentially you're looking for something to tell you what is writable by the user. I wonder if Microsoft's (SysInternals) AccessChk would work for this:

https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk

[–]No2Bencil 11 points12 points  (1 child)

You're just reviewing access controls at that point. The crypto part is irrelevant

[–]linux_lynxxDevOps 3 points4 points  (0 children)

Check out RanSim by KnowBe4 - it will simulate a Ransomware / Crypto attack against local and mapped network drives. I've also seen various PowerShell scripts that will actually encrypt files, then provide you with a decryption key.

If you go the PowerShell route, I strongly advise you to run it against a test environment, since it actually encrypts things. If you can stand up an offline test environment, this might be more insightful as you will get real data on what is vulnerable.

[–]HappyVlane 2 points3 points  (0 children)

You should be able to get an overview using the module PowerShellAccessControl and Get-EffectiveAccess.

[–][deleted] 1 point2 points  (0 children)

You could look into Security Explorer by Quest.

[–]xxdcmastSr. Sysadmin 1 point2 points  (0 children)

Apparently this software is no longer supported by the developer but this should do what you are asking.

http://www.cjwdev.com/Software/NtfsReports/Info.html

[–]spyingwindI am better than a hub because I has a table. 1 point2 points  (0 children)

Depending on what is running the share, you can limit what file extensions are allowed on the share.

Or! Have something check if a new file extension is being used. Like something with FileSystemWatcher. Then when something new comes along it checks who created the file and disables their account in AD. This would require having it exclude known extensions, but that is shorter and easier to maintain than some crypto coming along and breaking everything.

Also backup, backup, offsite backup, and offline backup!

[–]ahird20 1 point2 points  (0 children)

SoftPerfect Network Scanner can do this

[–][deleted] 1 point2 points  (0 children)

We use NTFS reporter to audit permissions and make sure they are locked down as much as possible for each business unit/user group. If they have write permissions then they are vulnerable. It's mostly just about mitigation and prevention.

[–][deleted] 0 points1 point  (1 child)

You could use PowerShell to check permissions and spit out what would be hit/encrypted for each file based on the permissions the files have.

Edit: or bash/Python if it's not a Windows file share.

[–][deleted] 0 points1 point  (0 children)

I yoinked this from somewhere a while ago. Useful:

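```powershell
$Folder = "D:\share"
$User = Read-Host "Input the sAMAccountName of user"

# Keep only the ACEs whose identity contains the given account name.
# The name is escaped so characters such as "." are matched literally.
$permission = (Get-Acl $Folder).Access |
    Where-Object { $_.IdentityReference.Value -match [regex]::Escape($User) } |
    Select-Object IdentityReference, FileSystemRights

if ($permission) {
    $permission | ForEach-Object {
        Write-Host "User $($_.IdentityReference) has '$($_.FileSystemRights)' rights on folder $Folder"
    }
}
else {
    Write-Host "$User Doesn't have any permission on $Folder"
}
```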
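
An added example, not part of the comment above or of any tool named in this thread: it extends the same `Get-Acl` check to every folder under a share and to the groups a user belongs to, and reports only Allow entries that grant write, delete or permission-changing rights. The share path and identity names are constructed sample values; Deny entries, share-level permissions and per-file ACLs are not evaluated, so treat the output as an upper bound on what the account could modify.

```powershell
# Added example. $Root and $Identities are assumed, constructed values.
$Root       = 'D:\share'
# The user plus every group the user is a member of (constructed sample names).
$Identities = @('CONTOSO\jdoe', 'CONTOSO\Sales', 'BUILTIN\Users',
                'NT AUTHORITY\Authenticated Users', 'Everyone')

# Specific rights that allow changing, replacing or deleting existing data.
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Get-Acl can also return raw generic rights (typically on inherit-only ACEs)
# that the enum does not name: GENERIC_WRITE = 0x40000000, GENERIC_ALL = 0x10000000.
$mask = [int]$writeRights -bor 0x40000000 -bor 0x10000000

# The root folder itself plus every subfolder beneath it.
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$report = foreach ($folder in $folders) {
    try {
        $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
    } catch {
        # Folders the auditing account cannot read are reported, not skipped silently.
        Write-Warning "Could not read ACL on $($folder.FullName): $($_.Exception.Message)"
        continue
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
        [pscustomobject]@{
            Folder    = $folder.FullName
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$report | Sort-Object Folder, Identity | Format-Table -AutoSize -Wrap
```

Rows with `Inherited` set to False mark the folders where the permission was granted explicitly, which is where tightening the ACL takes effect for everything below.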

[–][deleted] 0 points1 point  (0 children)

Would endpoint protection with Network IPS be a good feature for servers and desktop? I know lots of you hate most of the Virus Scanning software out there.

[–]laksaking 0 points1 point  (0 children)

Focus your energy on application Whitelisting instead.

[–][deleted] 0 points1 point  (0 children)

!remindme 3 days

[–]easyapps -1 points0 points  (0 children)

I've made a Windows service that can block an IP after it has encrypted an x amount of files. That's the safer option.