File Server Resource Manager (FSRM) Overview and Use in Ransomware Defense
File Server Resource Manager (FSRM) is a powerful feature available in Windows Server versions newer than 2008. It offers a range of functionalities for managing file servers and is, in many ways, a precursor to the modern File Classification infrastructure found in Azure. In this demonstration, I will install and configure FSRM using a widely adopted PowerShell script. This script automates FSRM installation, sets up file screens, and enables automated responses when file screens detect unauthorized file modifications—particularly those associated with ransomware attacks that encrypt files and alter their extensions.
Originally, FSRM was designed to enhance file server permissions and enforce storage quotas with greater granularity. It introduced both hard and soft quotas, advanced file classification, and file screening—a filtering mechanism that monitors and restricts certain file types from being saved in shared folders. File screens are particularly useful for controlling the type and amount of data stored within a shared folder, allowing administrators to block files such as images or videos from being uploaded to specific shares.
While not originally intended as an anti-malware tool, FSRM has proven effective in mitigating ransomware threats. I have successfully implemented FSRM-based ransomware defenses across multiple production environments. By leveraging FSRM’s file screen capabilities, organizations can protect critical file shares by blocking unauthorized file extension changes that match known ransomware patterns.
This defense can be further strengthened by event-driven automation. By monitoring system logs, FSRM can trigger actions when a file extension change matches a known ransomware signature. In my implementation, I utilized a PowerShell script that automatically revokes SMB share permissions from the user account responsible for the unauthorized modification, effectively halting further file encryption attempts.
The core concept is simple:
Establish protected file shares for critical data.
Configure file screens to monitor those folders.
Automatically block changes that indicate ransomware activity.
Utilize event logs and automated response scripts to disable affected user accounts, preventing further damage.
By integrating these strategies, FSRM becomes a valuable tool in defending against file-based malware attacks, providing an additional layer of security to file servers in both on-premises and hybrid cloud environments.
Checklist: Using File Server Resource Manager (FSRM) to Block Ransomware
1. Install and Configure FSRM
✅ Open Server Manager and install FSRM via the “Add Roles and Features” wizard.
✅ Launch File Server Resource Manager from Administrative Tools.
2. Set Up File Screening to Block Ransomware
✅ Navigate to File Screening Management > File Screens in FSRM.
✅ Click Create File Screen and select the folder(s) to protect (e.g., shared drives, user directories).
✅ Choose Create a new file screen template and select Active Screening to block specific file types.
3. Define Blocked File Extensions (Common Ransomware File Types)
✅ Add high-risk file extensions often used by ransomware, such as:
.exe, .bat, .cmd, .scr, .js, .vbs, .hta, .ps1 (script-based threats)
.locky, .crypted, .ransom, .enc, .crypto (encrypted ransomware file extensions)
Any suspicious file extensions commonly used in recent ransomware attacks
4. Set Up Alerts and Actions
✅ Enable email notifications to admins when a blocked file is detected.
✅ Configure event logging to track potential ransomware attempts.
✅ Optionally, trigger PowerShell scripts to disable compromised user accounts automatically.
5. Test the Configuration
✅ Try saving a blocked file type in a protected folder to ensure FSRM blocks it.
✅ Verify that alerts and logs are properly triggered.
6. Regularly Update and Monitor
✅ Continuously update the list of blocked extensions based on emerging ransomware threats.
✅ Review logs and alerts frequently for signs of suspicious activity.
✅ Educate users on safe file practices and reinforce security policies.
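The narrative above and the checklist describe the same setup, so here is one added PowerShell example of it; this is not the script the author used. It assumes a share root of D:\Shares\Data and a responder saved at C:\FSRM\Block-OffendingUser.ps1 (both hypothetical), uses the extension list from step 3, and relies on the built-in FSRM cmdlets and their [Source Io Owner] / [Source File Path] substitution variables.

```powershell
# Added example, not the page's script. Run once, elevated, on the file server.
# Assumed paths: share root D:\Shares\Data, responder C:\FSRM\Block-OffendingUser.ps1.
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

# 1. Responder run by FSRM on a violation: deny the offending account on every SMB
#    share (a deny ACE wins even if access was granted via a group), then log it.
$responder = @'
param([string]$User, [string]$File)
$log = "C:\FSRM\responses.log"
# Never lock out the system or built-in principals; they are not the attacker's session.
if (-not $User -or $User -match '^(NT AUTHORITY|BUILTIN)\\') {
    Add-Content $log "$(Get-Date -Format o) skipped account '$User'"; return
}
foreach ($share in Get-SmbShare -Special $false) {
    Block-SmbShareAccess -Name $share.Name -AccountName $User -Force
}
Add-Content $log "$(Get-Date -Format o) blocked $User on all shares after write to $File"
'@
New-Item -ItemType Directory -Path C:\FSRM -Force | Out-Null
Set-Content -Path C:\FSRM\Block-OffendingUser.ps1 -Value $responder

# 2. File group of known ransomware extensions (step 3 of the checklist; keep it updated).
New-FsrmFileGroup -Name "Ransomware Extensions" `
    -IncludePattern @("*.locky", "*.crypted", "*.ransom", "*.enc", "*.crypto")

# 3. Actions: write an event (step 4, alerts/logging) and run the responder with the
#    offending account. [Source Io Owner] and [Source File Path] are FSRM's own variables.
$logAction = New-FsrmAction -Type Event -EventType Warning `
    -Body "Ransomware-pattern write by [Source Io Owner]: [Source File Path]"
$cmdAction = New-FsrmAction -Type Command `
    -Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -CommandParameters '-NoProfile -ExecutionPolicy Bypass -File C:\FSRM\Block-OffendingUser.ps1 -User "[Source Io Owner]" -File "[Source File Path]"' `
    -SecurityLevel LocalSystem -RunLimitInterval 0

# 4. Active template (writes are refused, not merely reported), applied to the share root.
New-FsrmFileScreenTemplate -Name "Block Ransomware" -IncludeGroup "Ransomware Extensions" `
    -Active -Notification @($logAction, $cmdAction)
New-FsrmFileScreen -Path "D:\Shares\Data" -Template "Block Ransomware"
```

Test it exactly as step 5 says: copy a file named test.locky into the share as a standard user and confirm the write is refused, the warning event appears, and the account is denied on the shares. Bear in mind the screen only fires when a file is created or renamed to a blocked extension, so a strain that keeps the original extension will not trip it; backups remain the primary control.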
By setting up FSRM as a ransomware defense layer, you can help prevent malicious files from being saved to your shares and reduce the impact of ransomware attacks on your file servers.