Even though ransomware seems like yesterday's news, ransomware attacks are still happening every day. While larger organizations seem more or less poised to defend against ransomware, a lot of small to medium-sized businesses are still at risk, partly because smaller organizations don't have dedicated IT staff to implement the lines of defense needed to properly protect against the threat.
IT security is all about defense in layers. No solution is fail-safe, regardless of what the sales pitch tells you. Proper IT security measures are always implemented in layers. While security solutions come in more flavours than the rainbow has colours, below is a basic 10-step checklist of implementations to help guard against ransomware.
*The steps below are primarily for an on-premise Active Directory based environment. Use Office 365 and Azure instead? Read How to Secure Your Data in the Cloud instead.
1. Properly Patched Machines
Almost all security implementations start with the basics, which means utilizing free and readily available tools before investing in heavy artillery. One of the easiest and simplest things to implement is security patching. Almost all software vendors release vulnerability patches when new threats and exploits are discovered. Since cyber attacks rely on exploits, properly patching these security holes helps safeguard against a number of vulnerability exploits.
2. Anti-Virus
Almost all users I've run across are aware of the importance of a good anti-virus. When you install one, make sure your virus definitions are up to date. Most well-known names in anti-virus do their due diligence in keeping virus definitions current. Keep your anti-virus updated just as you would workstation and server patching. Look for features such as heuristic detection, which monitors code execution and behaviour rather than relying completely on definitions, and sandboxing.
3. Random Local Admin Passwords (especially important on Workgroup machines)
Most viruses, and particularly ransomware, need to traverse the network in order to do most of their damage. One way for the infection to traverse is to find the local Administrator password. Most environments I've seen use the default Administrator account with a simple, easy-to-guess password, particularly in an Active Directory environment, since the local admin user and password are rarely used once the machine is domain joined. This leaves the machine in a vulnerable state. Use tools to set random admin passwords. Microsoft offers a free tool called LAPS for this.
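As an added example (not part of the original post), the following PowerShell script audits which domain-joined computers still lack a LAPS-managed local Administrator password, which is how you find the machines still sharing a default or guessable one. It assumes the LAPS schema extension has been applied (so the ms-Mcs-AdmPwdExpirationTime attribute exists), that the RSAT ActiveDirectory module is installed, and that the OU search base is replaced with your own (the one shown is a placeholder).

```powershell
# Added example (not from the original post): report domain-joined computers
# that have no current LAPS-managed local Administrator password.
# Assumes the LAPS schema extension is in place and the ActiveDirectory
# module (RSAT) is installed. The OU below is a placeholder.
Import-Module ActiveDirectory

$searchBase = "OU=Workstations,DC=example,DC=local"   # placeholder OU
$now = Get-Date

$computers = Get-ADComputer -Filter { Enabled -eq $true } `
    -SearchBase $searchBase `
    -Properties 'ms-Mcs-AdmPwdExpirationTime', LastLogonDate

$report = foreach ($c in $computers) {
    $raw = $c.'ms-Mcs-AdmPwdExpirationTime'
    if (-not $raw) {
        $state   = 'NoLapsPassword'   # LAPS client has never set a password here
        $expires = $null
    } else {
        # The attribute is a Windows FILETIME (100-ns ticks since 1601-01-01 UTC)
        $expires = [DateTime]::FromFileTimeUtc([int64]$raw).ToLocalTime()
        $state   = if ($expires -lt $now) { 'Expired' } else { 'Managed' }
    }
    [PSCustomObject]@{
        Computer        = $c.Name
        LapsState       = $state
        PasswordExpires = $expires
        LastLogonDate   = $c.LastLogonDate
    }
}

# Machines not in the 'Managed' state are still on whatever local admin
# password was set at build time; recently active ones are the priority.
$report | Where-Object LapsState -ne 'Managed' |
    Sort-Object LastLogonDate -Descending |
    Format-Table -AutoSize
```

Run it from an admin workstation with read access to the computer objects; reading the password itself (ms-Mcs-AdmPwd) needs separately delegated rights, which this audit does not require.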
4. Limit Administrative Rights
A least-privilege administrative model should be no surprise to any self-respecting admin. This means providing only enough permissions for the job duty. Too often I've seen Domain Admin permissions across the board because it's easy and lazy. Yes, finding the right permissions for certain functions may be tricky depending on the application, but it will save you headaches in the long run, such as having to recover your entire environment from an attack.
Create separate Domain Admin accounts even for IT administrators, so that their regular accounts are just regular domain users.
Refer to the Microsoft documentation on the Least Privilege Administrative Model for a more detailed discussion of this topic and some tips for implementation.
Using Office 365 instead? Activate MFA for all your administrators or subscribe to Azure AD Premium for more options to secure user logins.
5. Proper Share and NTFS Permissions - for on-premise file servers
Folder permissions follow the concept of least privilege. Full Control should never be granted to regular users. In any environment, regular users only need Write (Modify) permission on the folders they work in. Leave Full Control to a few privileged admin accounts.
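As an added example (not from the original post), this PowerShell script walks a share and flags NTFS entries that grant broad groups more than Modify, plus share-level entries that grant Everyone Full access. The share root, share name and the list of "broad" principals are placeholders to adapt to your environment.

```powershell
# Added example (not from the original post): find over-permissive NTFS and
# share ACEs on a file share. Paths, share name and group list are placeholders.
$shareRoot = "D:\Shares"        # placeholder local path of the share
$shareName = "Shares"           # placeholder SMB share name
$broadPrincipals = @(           # identities that should never hold Full Control
    'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Domain Users'
)

# Rights beyond Modify that let a user (or ransomware running as that user)
# change permissions or take ownership of a folder
$excessive = [int]([System.Security.AccessControl.FileSystemRights]::FullControl -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions)

$folders = @(Get-Item $shareRoot) + @(Get-ChildItem $shareRoot -Directory -Recurse)

$ntfsFindings = foreach ($f in $folders) {
    $acl = Get-Acl -Path $f.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        $isBroad = $broadPrincipals | Where-Object { $id -like "*$_" }
        # FileSystemRights can carry generic-right bits, so compare as integers
        if ($isBroad -and (([int]$ace.FileSystemRights -band $excessive) -ne 0)) {
            [PSCustomObject]@{
                Folder    = $f.FullName
                Principal = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Share permissions are a second gate; "Everyone: Full" there is the usual default
$shareFindings = Get-SmbShareAccess -Name $shareName |
    Where-Object { $_.AccessRight -eq 'Full' -and $_.AccountName -like '*Everyone' }

"NTFS entries granting broad groups more than Modify:"
$ntfsFindings | Format-Table -AutoSize
"Share-level entries granting Everyone Full:"
$shareFindings | Format-Table -AutoSize
```

The effective permission is the more restrictive of the share and NTFS entries, so a common pattern is to leave the share at Change for Authenticated Users and do the real scoping in NTFS; this report shows where either layer has drifted.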
6. Implement File Screen - for on-premise file servers
On any file server running Windows Server, there is a built-in role service called File Server Resource Manager (FSRM). FSRM allows you to create policies to warn, block or audit against known file extensions. While this is not a comprehensive solution, it does block known ransomware extensions and gives administrators a heads-up as soon as an attack starts.
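As an added example (not from the original post), here is how the FSRM file screen described above can be built with the FileServerResourceManager PowerShell module: a file group of extension patterns, an active screen that blocks the write, and event-log and e-mail notifications so admins get the heads-up. The share path, SMTP settings and the extension patterns are placeholders; populate the patterns from a current ransomware extension list you maintain.

```powershell
# Added example (not from the original post): FSRM file screen that blocks
# known ransomware extensions and notifies admins. Path, mail settings and
# patterns are placeholders.
Import-Module FileServerResourceManager

$sharePath = "D:\Shares"                                             # placeholder
$patterns  = @("*.encrypted-placeholder", "*-decrypt-instructions.txt")  # placeholders

# Mail settings used by Email actions (placeholders)
Set-FsrmSetting -SmtpServer "smtp.example.local" -AdminEmailAddress "admin@example.local"

# Group the patterns so the screen (and future screens) can reference them by name
New-FsrmFileGroup -Name "Ransomware indicators" -IncludePattern $patterns

# Notifications: an Error event in the Application log and a mail to the admins.
# [Source Io Owner], [Source File Path] etc. are FSRM's own template variables.
$eventAction = New-FsrmAction -Type Event -EventType Error `
    -Body "File screen hit on [File Screen Path]: [Source Io Owner] tried to write [Source File Path] from [Source Io Owner Machine]"
$mailAction  = New-FsrmAction -Type Email -MailTo "[Admin Email]" `
    -Subject "Possible ransomware activity on [Server]" `
    -Body "[Source Io Owner] attempted to save [Source File Path] under [File Screen Path]"

# Active screen = block the write. Use -Active:$false for a passive (audit-only)
# screen that just fires the notifications while you tune the pattern list.
New-FsrmFileScreen -Path $sharePath -IncludeGroup "Ransomware indicators" `
    -Active:$true -Notification @($eventAction, $mailAction)
```

Because the screen matches on file name rather than content, it catches only encryptors that rename their output; it is an early-warning tripwire, not a substitute for the backup step.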
7. Spam Filter
Similar to the file screen, set up an email spam filter appliance to screen for potentially harmful file extensions. Most ransomware relies on some form of code execution, so the spam appliance should be set up to block any file extensions that signal executable code or that contain macros, such as .xlsm. In most organizations, it is not necessary for regular users to run macros or execute any code that doesn't come from a trusted source managed by IT.
8. Group Policy (GPO) - for domain joined devices
Let's go a step further than the email spam filter appliance, since not all files come from email. Quite a few intrusions are physically initiated by end users, such as plugging unknown flash drives into corporate devices. If you have corporate domain-joined devices, implement a GPO that specifically blocks macros from executing in Office applications such as Word and Excel. These are the most common entry points.
Another GPO should be user folder redirection. This GPO redirects users' My Documents folders to a server so that no files are ever saved locally on a PC. Users should also have separate private folders with proper permissions so that ransomware running as one user cannot traverse to another user's private files.
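As an added example (not from the original post), the macro-blocking GPO can be created and linked with the GroupPolicy RSAT module. The script sets the Office VBAWarnings policy to "disable all without notification" and blocks macros in files downloaded from the internet (those carrying the mark of the web) for Word, Excel and PowerPoint. It assumes Office 2016 or later (policy path 16.0) and that the Office ADMX templates are in your central store so the values show in the GPMC editor; the GPO name and OU are placeholders.

```powershell
# Added example (not from the original post): GPO that blocks VBA macros in
# Word, Excel and PowerPoint and links it to a workstations OU.
# GPO name and OU are placeholders; policy path 16.0 covers Office 2016+.
Import-Module GroupPolicy

$gpoName  = "Block Office Macros"                   # placeholder
$targetOu = "OU=Workstations,DC=example,DC=local"   # placeholder

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU\Software\Policies\Microsoft\Office\16.0\$app\Security"

    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable except digitally signed, 4 = disable all without notification.
    # Use 3 if IT needs to distribute signed macros.
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'VBAWarnings' `
        -Type DWord -Value 4 | Out-Null

    # Block macros in files that came from the internet/email regardless of VBAWarnings
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'blockcontentexecutionfrominternet' `
        -Type DWord -Value 1 | Out-Null
}

# Link to the OU (ignore the error if the link already exists)
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes -ErrorAction SilentlyContinue

# Verify what the GPO now carries
Get-GPRegistryValue -Name $gpoName -Key "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security"
```

These are user-side (HKCU) policies, so the GPO must be linked where the user accounts apply, or loopback processing must be enabled on the workstation OU; run gpupdate /force on a test machine and open a macro-enabled document to confirm the block before rolling out.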
Using Office 365 instead? Click here to learn how you can redirect your My Documents folders to the cloud instead.
9. Proper Backup (Shadow Copy and nightly backups)
How quickly you can recover also depends on proper backups. Ensure you set up Shadow Copy and configure backups so that you can recover if you are ever hit. How frequently you back up depends on how frequently your files change.
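As an added example (not from the original post), this PowerShell script reports the newest shadow copy per volume on a file server and flags volumes where the last snapshot is older than a threshold, so you can confirm the schedule actually matches how often files change. The age threshold is a placeholder.

```powershell
# Added example (not from the original post): check that every volume with a
# drive letter has a recent shadow copy. The age threshold is a placeholder.
$maxAgeHours = 4          # placeholder: set to match how often files change
$now = Get-Date

# Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName share the
# \\?\Volume{GUID}\ form, which is how the two are joined below
$volumes = Get-CimInstance -ClassName Win32_Volume |
    Where-Object DriveLetter |
    Select-Object DriveLetter, DeviceID

$shadows = Get-CimInstance -ClassName Win32_ShadowCopy

$report = foreach ($v in $volumes) {
    $onVolume = @($shadows | Where-Object VolumeName -eq $v.DeviceID)
    $newest   = $onVolume | Sort-Object InstallDate -Descending | Select-Object -First 1
    $ageHours = if ($newest) { ($now - $newest.InstallDate).TotalHours } else { $null }

    [PSCustomObject]@{
        Drive        = $v.DriveLetter
        ShadowCopies = $onVolume.Count
        NewestCopy   = if ($newest) { $newest.InstallDate } else { 'none' }
        Status       = if ($null -eq $ageHours) { 'NO SHADOW COPIES' }
                       elseif ($ageHours -gt $maxAgeHours) { 'STALE' }
                       else { 'OK' }
    }
}

$report | Format-Table -AutoSize
```

Shadow copies live on the same volume and can be deleted by malware running with admin rights, so treat this check as covering quick file-level restores only; the nightly backup to separate, offline or access-controlled storage is what you recover from when the server itself is lost.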
10. User Education
End users will always be the easiest entry point for an attack. From phishing to ransomware, attackers rely on the end user's lack of technical knowledge and on clever social engineering as points of entry. Since most organizations have more end users than IT staff, proper user education in IT security and the various countermeasures will go far.
Have you implemented other solutions that were helpful in guarding against ransomware?