Mapped drive alternative?


#1

Has anyone tested whether Windows Explorer favorites get encrypted during a ransomware infection?
I want to get away from mapped drives and I’m looking at alternatives.


#2

Found this link on Stack Exchange that might be helpful for you!


(Will Leuschen) #3

As the Stack Exchange article that carolingian linked states, anything that opens a connection between the client and the servers runs the same risks as mapped drives. The only real choice is securing those file shares and making sure they are backed up.

From what I know of ransomware and how fast it is evolving, depending on the level of sophistication of the ransomware, it might even target unmapped connections that the current user's credentials have access to. While this isn't always the case, it is best to look at those worst-case scenarios when dealing with anything that can halt a business or cause problems of this sort.


(Thomas Paine) #4

I think your best bet is to go either half or full SRP. What I call "half" is just blocking the appdata and localappdata folders from running things, but you could turn on blocking everything that isn't in Program Files.

It is a bit of a pain to manage, as you are occasionally putting in exceptions for this, that and the other, but you will get your environment stable and easy to maintain.


#5

Thanks Thomas. I think blocking appdata and localappdata would be a big management headache for us.
Are you also managing the local firewall via GPO for exceptions?


(Thomas Paine) #6

Hi Carlton.

Sorry for the awfully late reply. I didn't realize I had a reply to this post.

Yes, I am enabling the Windows Firewall on the workstations and managing it via GPO as well. Honestly, the SRP of blocking appdata is no management headache at all. I have put in two, or maybe three, exceptions. One is Microsoft Office, and I put another one in for my smart card reader software, and I can't remember if I have one in for Firefox as well or not. I update it via Ninite Pro. I also push Google Chrome out to the network via GPO, so that all workstations have a proper browser that works.

You will see an exception in the Event Viewer when the policy blocks something from running; I forget the event ID just now. But really, this one implementation has quieted down my AV on my workstations as well. I think the last hit was in maybe February, where something triggered it.
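The "half SRP" that Thomas describes in #4 and #6 (allow by default, deny execution under the user's AppData and LocalAppData trees, carve out a few exceptions, then watch the Application log for blocks), as an added example that is not part of the thread. It writes the local-policy equivalent of what the GPO would push; the Safer\CodeIdentifiers registry layout, the designated-file-types list, and the Software Restriction Policies event provider name are reproduced from memory and are assumptions, and the vendor exception path is a hypothetical placeholder.

```powershell
# Added example, not from the thread. Local equivalent of the "half SRP" policy:
# allow by default, no execution from the two profile trees, a few exceptions.
# In a domain set the same thing once in a GPO (Computer Configuration > Windows
# Settings > Security Settings > Software Restriction Policies); the registry
# layout below is what that GPO writes to clients (reproduced from memory, assumed).
# Run elevated; a reboot or 'gpupdate /force' applies it.

$Base         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # SRP security level "Disallowed"
$Unrestricted = 262144     # 0x40000, SRP security level "Unrestricted"

function Add-SaferPathRule {
    # One path rule is one GUID-named subkey under <level>\Paths.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [int]    $Level,
        [string] $Description = ''
    )
    $key = "$Base\$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path        -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0            -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord        -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
}

function Set-HalfSrpPolicy {
    param([switch] $Full)   # -Full: deny by default, allow only Windows and Program Files

    New-Item -Path $Base -Force | Out-Null
    $default = if ($Full) { $Disallowed } else { $Unrestricted }
    New-ItemProperty -Path $Base -Name DefaultLevel       -PropertyType DWord -Value $default -Force | Out-Null
    New-ItemProperty -Path $Base -Name TransparentEnabled -PropertyType DWord -Value 1        -Force | Out-Null  # 1 = all software except DLLs
    New-ItemProperty -Path $Base -Name PolicyScope        -PropertyType DWord -Value 0        -Force | Out-Null  # 0 = all users, admins included
    # "Designated file types" the SRP GUI creates by default (list assumed from memory).
    New-ItemProperty -Path $Base -Name ExecutableTypes -PropertyType MultiString -Force -Value @(
        'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP','LNK',
        'MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC') | Out-Null

    # A folder rule covers the folder and everything under it. Environment variables
    # are expanded in the user's context, which Microsoft's SRP guidance flags as
    # something a user could redefine; the system-wide allow rules below therefore
    # use the registry-path form the GUI's default rules use.
    Add-SaferPathRule -Path '%AppData%'      -Level $Disallowed -Description 'No execution from roaming profile'
    Add-SaferPathRule -Path '%LocalAppData%' -Level $Disallowed -Description 'No execution from local profile'

    if ($Full) {
        Add-SaferPathRule -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%' -Level $Unrestricted -Description 'Windows'
        Add-SaferPathRule -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%' -Level $Unrestricted -Description 'Program Files'
    }

    # Exceptions: the most specific matching path rule wins, so an Unrestricted rule
    # below a Disallowed folder carves out just that subtree. Placeholder vendor path;
    # substitute the real per-user install location (Office, card-reader tool, ...).
    Add-SaferPathRule -Path '%LocalAppData%\Programs\ExampleVendor\App' -Level $Unrestricted -Description 'Hypothetical per-user app'
}

function Get-SaferBlockEvents {
    # SRP logs blocks to the Application log: 865 default rule, 866 path rule,
    # 867 certificate rule, 868 zone rule, 882 hash rule. The 866 message carries
    # the blocked path and the rule that matched. Provider name is an assumption,
    # hence the wildcard.
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = '*SoftwareRestrictionPolicies'
        Id           = 865, 866, 867, 868, 882
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

Set-HalfSrpPolicy                   # or: Set-HalfSrpPolicy -Full
gpupdate /force | Out-Null
Get-SaferBlockEvents -Hours 168 | Format-Table -AutoSize -Wrap
```

Two caveats when using this: a domain GPO that defines SRP overwrites these local keys on the next refresh, so in a domain put the rules in the GPO itself; and a path rule only covers the paths it names, so the exception list is also the list of places a user can still run code from, which is why reviewing the 866 events for a week after rollout is worth the time.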


#7

I’ll look into testing SRP on appdata and localappdata.
Thanks!


(Borg Xaeus) #8

That's a beginner approach, not a solution, and it can be bypassed using path search priority.

A good solution would be to have main snapshots and incremental snapshots of the mapped drive, without sufficient access to administer them. And it can be done quite easily.


(Pedro Rivera) #9

We stopped using mapped drives and pushed out shortcuts using UNC instead. It may not make much of a difference, but we think of security as layers, and this is just one way of slowing down attacks.
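What pushing a UNC shortcut instead of a mapped drive looks like when scripted for a single machine, as an added example that is not part of Pedro's post. In a domain this is normally done through Group Policy Preferences (User Configuration > Preferences > Windows Settings > Shortcuts); the script uses the WScript.Shell COM object, and the server and share names are placeholders.

```powershell
# Added example, not from the thread. Creates a desktop shortcut to a share by
# UNC path rather than mapping a drive letter. Server/share names are placeholders.

function New-UncShortcut {
    param(
        [Parameter(Mandatory)] [string] $UncPath,   # e.g. \\fileserver01\Finance
        [Parameter(Mandatory)] [string] $Name,      # shortcut name without .lnk
        [string] $Folder = [Environment]::GetFolderPath('Desktop')
    )
    # Accept only \\server\share[...]; refuse drive letters or relative paths.
    if ($UncPath -notmatch '^\\\\[^\\]+\\[^\\]+') {
        throw "Not a UNC path: $UncPath"
    }
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut((Join-Path $Folder "$Name.lnk"))
    $lnk.TargetPath  = $UncPath
    $lnk.Description = "Opens $UncPath without mapping a drive letter"
    $lnk.Save()
    $lnk.FullName
}

New-UncShortcut -UncPath '\\fileserver01\Finance' -Name 'Finance'

# Contrast with what a mapped drive leaves enumerable through the SMB client:
# this lists drive mappings only, so the shortcut above does not appear here.
Get-SmbMapping
```

This keeps the share out of the drive-letter enumeration a process gets for free, which is the "one layer" Pedro describes; as the earlier replies note, a process running with the user's credentials can still open the UNC path directly, so the share ACLs and backups remain the actual control.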