Applocker might be the better choice here if you have enterprise licensing.

From: listsadmin@lists.myitforum.com On Behalf Of Lemmiksoo, Todd
Sent: Wednesday, May 4, 2016 2:01 PM
To: 'powersh...@lists.myitforum.com'
Subject: [powershell] RE: [PowerShell] RE: Server 2008 R2
Not sure how fast ransomware encrypts files as it circles through a share either. The last time we were hit we were still restoring files 1 week later.

Todd Lemmiksoo
225-237-1836

From: listsadmin@lists.myitforum.com On Behalf Of Kennedy, Jim
Sent: Wednesday, May 4, 2016 12:39 PM
To: 'powersh...@lists.myitforum.com'
Subject: [powershell] RE: [PowerShell] RE: Server 2008 R2

What about disabling the account, then hitting the logged-in computer and issuing shutdown -s -f -t 00 with psexec? You would have to find the logged-on computer; I have a logon script that records that… could grep that I suppose. But that said, can you do this fast enough? I am just asking, dunno how fast it happens once it starts.

From: listsadmin@lists.myitforum.com On Behalf Of Lemmiksoo, Todd
Sent: Wednesday, May 4, 2016 1:24 PM
To: 'powersh...@lists.myitforum.com'
Subject: [powershell] RE: [PowerShell] RE: Server 2008 R2

I really appreciate all of the suggestions y’all have provided. Thank you. Not sure that I can get it working as we still have “Everyone” in the permissions on our file server. Last year management was not interested in allocating time to fix that.

Todd Lemmiksoo
225-237-1836

From: listsadmin@lists.myitforum.com On Behalf Of Kennedy, Jim
Sent: Wednesday, May 4, 2016 12:06 PM
To: powersh...@lists.myitforum.com
Subject: RE: [powershell] RE: Server 2008 R2

Group membership is included in the user's Kerberos TGT, so they will still have that when they hit the share.
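The response Jim sketches (disable the account, then shut down the computer it is logged on to), combined with the account lock Todd's FSRM honeypot is meant to trigger, as a single PowerShell script. This is an added example, not code posted by anyone in the thread. It assumes FSRM runs it as the file-screen command with its [Source Io Owner] variable, that the ActiveDirectory (RSAT) module is installed on the file server, and that the identity FSRM runs commands as is allowed to disable users and shut down workstations; the log path and script name are hypothetical. Instead of grepping a logon-script record, it reads the file server's own SMB session table (Win32_ServerSession) to find the client, and uses Stop-Computer instead of psexec plus shutdown. The shutdown is the part that actually stops the encryption: as Daniel notes further down, the disabled account's Kerberos tickets stay valid until the client is rebooted or signed off, and the client-side shutdown also does not depend on the share ACLs, so an "Everyone" entry on the share does not get in the way.

```powershell
# Added example, not code from the thread: Invoke-HoneypotResponse.ps1 (hypothetical name).
# Run on the file server as the FSRM file-screen command for the honeypot share. FSRM
# passes the account that wrote to the honeypot as DOMAIN\user in [Source Io Owner].
# Assumptions (not from the thread): RSAT ActiveDirectory module present on the file
# server; the identity FSRM runs this as may disable users and shut down workstations.
[CmdletBinding(SupportsShouldProcess=$true)]
param(
    [Parameter(Mandatory=$true)][string]$Owner,                # "[Source Io Owner]" from FSRM
    [string]$LogPath = 'C:\FSRM\ransomware-response.log'       # hypothetical log location
)

function Write-Log {
    param([string]$Message)
    $dir = Split-Path -Parent $LogPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    Add-Content -Path $LogPath -Value ('{0} {1}' -f (Get-Date -Format s), $Message)
}

function Get-UserSmbSession {
    # Win32_ServerSession (ROOT\CIMV2, present on 2008 R2) lists the SMB sessions open on
    # this server: ComputerName is the client (NetBIOS name or IP), UserName the account
    # that opened it. Both the bare sAMAccountName and DOMAIN\user are compared because
    # the reported format varies (assumption).
    param([string]$SamAccountName, [string]$FullName)
    Get-WmiObject -Namespace 'ROOT\CIMV2' -Class Win32_ServerSession |
        Where-Object { $_.UserName -eq $SamAccountName -or $_.UserName -eq $FullName }
}

$sam = ($Owner -split '\\')[-1]          # CONTOSO\jdoe -> jdoe
Write-Log "Honeypot write by '$Owner'; starting response"

# Step 1: disable the account. This blocks new logons and NTLM authentications, but an
# already-issued Kerberos TGT and its service tickets keep working until they expire.
Import-Module ActiveDirectory -ErrorAction Stop
Disable-ADAccount -Identity $sam
Write-Log "Disabled AD account '$sam'"

# Step 2: find the client(s) behind the write from the server-side session table and
# force them down; this kills the encrypting process regardless of ticket state.
$sessions = @(Get-UserSmbSession -SamAccountName $sam -FullName $Owner)
if ($sessions.Count -eq 0) {
    Write-Log "No open SMB session for '$sam' on this server; nothing to shut down"
}
$clients = $sessions | ForEach-Object { $_.ComputerName } | Sort-Object -Unique
foreach ($client in $clients) {
    if ($PSCmdlet.ShouldProcess($client, 'Force shutdown')) {
        try {
            Stop-Computer -ComputerName $client -Force -ErrorAction Stop
            Write-Log "Forced shutdown of $client"
        } catch {
            Write-Log "Shutdown of $client failed: $($_.Exception.Message)"
        }
    }
    # Step 3: drop the session on this server so nothing more is written through it
    # while the client is going down.
    if ($PSCmdlet.ShouldProcess($client, 'Delete SMB session on this server')) {
        net session \\$client /delete /y | Out-Null
    }
}
Write-Log "Response for '$Owner' finished"
```

Wire it up on the file screen's Command tab: run powershell.exe with the arguments `-NonInteractive -ExecutionPolicy Bypass -File C:\FSRM\Invoke-HoneypotResponse.ps1 -Owner "[Source Io Owner]"`. FSRM runs commands as Local System by default, so either the file server's computer account needs delegated rights to disable accounts and shut down workstations, or the command is configured to run as a dedicated service account. Run it by hand with `-WhatIf` against a test account first; the log then shows which account and clients it would have acted on without touching either.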
From: listsadmin@lists.myitforum.com On Behalf Of Devin Rich
Sent: Wednesday, May 4, 2016 12:58 PM
To: powersh...@lists.myitforum.com
Subject: Re: [powershell] RE: Server 2008 R2

An alternative idea. If you determine that a user account is running ransomware, make your script immediately take note of all groups that the user is in and then remove them from all groups. Every share where that user is a part of a group that has access will stop accepting read or write requests (assuming no "everyone" access). Any share where that user has explicit permissions won't be affected, however. In our company, almost no one has any personal preferences set, so this would work just fine for us. Might not work at all for you.

Thanks,
Devin Rich
Systems Administrator

On Wed, May 4, 2016 at 10:25 AM, Wolf, Daniel <da.w...@neopost.com> wrote:

Unfortunately the way authentication works, disabling an account only works once the Kerberos ticket is refreshed, which will likely be hours. The account must be disabled and the computer rebooted/signed off for it to prevent access.

From: listsadmin@lists.myitforum.com On Behalf Of Lemmiksoo, Todd
Sent: Wednesday, May 4, 2016 10:40 AM
To: 'powersh...@lists.myitforum.com' <powersh...@lists.myitforum.com>
Subject: [powershell] RE: Server 2008 R2

What I am trying to do is lock the user's AD account if they have been infected with ransomware and are encrypting files on our Windows Server 2008 R2 file server. I have set up FSRM to monitor a “honeypot share and file” for changes. The idea being to lock the user account so the ransomware cannot encrypt files on the file server.
Todd Lemmiksoo
225-237-1836

From: listsadmin@lists.myitforum.com On Behalf Of Michael B. Smith
Sent: Wednesday, May 4, 2016 10:19 AM
To: powersh...@lists.myitforum.com
Subject: [powershell] RE: Server 2008 R2

Down-level operating system environments often don’t have the same WMI/CIM plumbing as newer operating system environments. Prior to the SmbShare module, I would use the “net share” command in PowerShell and wrap it so it looked like native PowerShell. You can also use the Wscript.Network object – it works just as well in PowerShell as it does in VBScript. I don’t know exactly what you are trying to do, so I can only give this general advice.

From: listsadmin@lists.myitforum.com On Behalf Of Lemmiksoo, Todd
Sent: Wednesday, May 4, 2016 10:20 AM
To: 'powersh...@lists.myitforum.com'
Subject: [powershell] RE: Server 2008 R2

I copied the modules\smbshare folder to the 2008R2 server and now get an “Invalid namespace” error.

[image: screenshot of the “Invalid namespace” error]

Will try the WMI command. Still get the invalid namespace error.

Todd Lemmiksoo
225-237-1836

From: listsadmin@lists.myitforum.com On Behalf Of Kelley, Matthew
Sent: Wednesday, May 4, 2016 8:53 AM
To: powersh...@lists.myitforum.com
Subject: [powershell] RE: Server 2008 R2

I would try to copy the folder over and see if it works, or just read through the script and see if you can pull out the part you need.

C:\Windows\System32\WindowsPowerShell\v1.0\Modules\SmbShare

I opened up the cmdlet definition.
It is querying this WMI namespace/class:

gwmi -Namespace "ROOT/Microsoft/Windows/SMB" -Class msft_smbshare | select *

Maybe you can just use that somehow to get what you need?

From: listsadmin@lists.myitforum.com On Behalf Of Lemmiksoo, Todd
Sent: Wednesday, May 04, 2016 9:38 AM
To: powersh...@lists.myitforum.com
Subject: [powershell] Server 2008 R2

I am trying to run a script that has “Get-SmbShare” in it. Is this command not available on Server 2008 R2? I have upgraded the PowerShell version on the server to ver 5.

Todd Lemmiksoo
System Engineer
225-237-1836
General Health System IS
8490 Picardy Ave Suite 500B
Baton Rouge, LA 70809

Confidentiality Notice: This email and its attachments may contain privileged and confidential information and/or protected health information (PHI) intended solely for the use of the recipient(s) named above. If you are not the recipient, or the employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any review, dissemination, distribution, printing or copying of this email message and/or any attachments is strictly prohibited. If you have received this transmission in error, please notify the sender immediately by phone or notify the Compliance Hotline at 1-866-737-4448 and permanently delete this email and any attachments.

**********************************************************
Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues
The information contained in this message is privileged, confidential, and protected from disclosure. If you are not the intended recipient, you are hereby notified that any review, printing, dissemination, distribution, copying or other use of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer.
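For the original question (Get-SmbShare on Server 2008 R2), here is an added example that is not code from the thread. The SmbShare module's namespace, ROOT\Microsoft\Windows\SMB, was introduced with Windows 8 and Server 2012, which is why the copied module and Matthew's gwmi query both fail with "Invalid namespace" on 2008 R2. The example shows the two alternatives Michael describes: the Win32_Share class in ROOT\CIMV2, which 2008 R2 does have, wrapped to return objects, and "net share" wrapped so its output looks like native PowerShell. Function names and the output property names are my own; the Win32_Share.Type values are the documented ones.

```powershell
# Added example, not code from the thread. A Get-SmbShare stand-in for Server 2008 R2.
# The ROOT\Microsoft\Windows\SMB namespace that the SmbShare module queries does not
# exist before Windows 8 / Server 2012, hence "Invalid namespace". Win32_Share in
# ROOT\CIMV2 exists on 2008 R2 and everything after it.
function Get-LegacySmbShare {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [switch]$IncludeAdminShares    # C$, ADMIN$, IPC$ are filtered out unless asked for
    )

    # Win32_Share.Type: 0 disk, 1 print queue, 2 device, 3 IPC; the high bit
    # (0x80000000) marks an administrative (auto-created, hidden) share.
    $adminFlag = 2147483648

    Get-WmiObject -Namespace 'ROOT\CIMV2' -Class Win32_Share -ComputerName $ComputerName |
        Where-Object { $IncludeAdminShares -or (($_.Type -band $adminFlag) -eq 0) } |
        ForEach-Object {
            $typeName = switch ($_.Type -band 0x7FFFFFFF) {
                0 { 'Disk' } 1 { 'PrintQueue' } 2 { 'Device' } 3 { 'IPC' } default { 'Unknown' }
            }
            # New-Object PSObject rather than [pscustomobject] so this still runs on PowerShell 2.0
            New-Object PSObject -Property @{
                ComputerName = $_.__SERVER
                Name         = $_.Name
                Path         = $_.Path
                Description  = $_.Description
                ShareType    = $typeName
                IsAdminShare = (($_.Type -band $adminFlag) -ne 0)
            }
        }
}

# Michael's "wrap net share so it looks like PowerShell" approach, used here for the
# details Win32_Share does not expose: share-level permissions, caching, user limit.
function Get-NetShareDetail {
    param([Parameter(Mandatory=$true)][string]$Name)

    $detail = @{ Permission = @() }
    foreach ($line in (net share $Name 2>&1)) {
        # "net share <name>" prints "Key<2+ spaces>Value" lines. Status lines and empty
        # fields (a bare "Remark" or "Users") have no double-space separator and are skipped.
        if ($line -notmatch '^(\S+(?: \S+)*)\s{2,}(.*)$') { continue }
        $key   = $matches[1]
        $value = $matches[2].Trim()
        if ($key -eq 'Permission') { $detail.Permission += $value }   # one line per share ACE
        else { $detail[$key] = $value }
    }
    if ($detail.Count -le 1) { Write-Warning "net share returned no details for '$Name'" }
    New-Object PSObject -Property $detail
}

# Usage on the file server, e.g. to list the shares that still grant Everyone full control:
#   Get-LegacySmbShare | Format-Table Name, Path, ShareType -AutoSize
#   Get-LegacySmbShare | ForEach-Object { Get-NetShareDetail -Name $_.Name } |
#       Where-Object { $_.Permission -contains 'Everyone, FULL' }
```

Get-LegacySmbShare takes -ComputerName, so it can be run from a newer management box against the 2008 R2 server as well; Get-NetShareDetail only works locally, since "net share" does not take a remote server. The second usage line is the quick inventory Todd mentions needing: which shares still carry an "Everyone" entry at the share level.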