How To Protect Against Ransomware -- And Still Have Useful System

JHM001
Starter
Posts: 17
Joined: 02 Jun 2013 07:56

How To Protect Against Ransomware -- And Still Have Useful System

Post by JHM001 »

Folks,

Happy user for four years of NAS4Free - 2 X ufs-formatted 3 TB drives mirrored. System (Dell 755 Optiplex w/8GB) is used for:

1. Backup of other members of LAN (3) -- Windows 10 business clients, plus several OpenSUSE clients as well. W10 clients are the key clients of concern.
2. Shared common business folders
3. Large quantity of pictures, audio, video


And the machine itself is backed up to Amazon.
All-in-all a nice situation, very nice to be able to share with various people in group.

HOWEVER -- With the big scare about ransomware and malware that will find mapped drives (and likely UNC drives too), this Garden of Eden has to come to an end.

SUMMARY OBJECTIVE: If someone could provide a reference or a guide for what we need to do -- outlined here -- that would be ideal!


In the meantime . . .

SOLUTION No. 1 -- Remove all mapped drives on client machines. Only have UNC drives available (i.e. //server/share).
SOLUTION No. 2 -- Create READONLY NAS4Free SMB share for each client. OK, now paranoia is somewhat diminished.

BIG PROBLEM THOUGH -- How can we perform write access to the shared server? For multiple reasons? It just seems almost impossible. What use is a file server that is permanently read only? File servers need to have new files and changed files all the time!!!

USE CASES:

a) BACKUP -- Each machine used to be able to back up to the NAS4Free box.
b) FILE EDITING -- Either business files or picture editing (and moving around too).

How are these two super important use cases to be handled?

RESEARCH:


We have read A LOT of research on these topics, including on ACLs and Linux versus Windows. It's a huge need that perhaps QNAP or Synology has solved -- but if we could afford their boxes, we wouldn't be here, would we? The many, many posts on multiple different perspectives on these problems are often contradictory and/or overwhelming. Which is not to say they aren't useful. But so far we haven't found a reliable guide.

There is a good discussion in the NAS4Free forum, but it doesn't really help the security/convenience question from LAN clients: http://www.nas4free.org/forums/viewtop ... 882#p60134

PROBLEMS:

1. If a drive is opened for read/write by a given user, then for the period of time that the drive is used, there is vulnerability (admittedly small).
2. But then after use, the UNC drive should be disconnected. This seems to be almost impossible, easily, without logoff or resorting to CLI.
3. I thought, maybe there's a sandbox or something whereby you can "be" an elevated user with more rights -- but didn't find anything about how this might work.
4. There are very fancy ACL schemes which may or may not do what we want -- but you need a PhD to make them work.
5. There's the question of inheritance -- you want to be able to add new files to any given directory and have the appropriate permissions apply automatically.
6. We tried making two shares -- one READONLY, one READWRITE, but it didn't work -- everything ended up readwrite -- and there seemed to be no way to figure out how to lock an elevated user to a given share.

WHAT IS THE STANDARD RECOMMENDED PRACTICE?

The use case here (SMB or family shared server on a LAN) should be a super common use case. With all the above figured out by experts. But I can't find it. Some people just seem to be giving up and putting everything in the cloud. Cloud is good, but no thanks for exclusive storage. OK as backup.

SUMMARY NEEDS


1. Shared file server which is not vulnerable to malware or ransomware on a LAN behind a firewall. Casually, "not vulnerable" means no open mapped drives; what this means in detail is not clear. Two or three accounts -- possibly with some restrictions on access -- but for simplicity, let's worry about that later.

2. Easy file management and file work (i.e. read/write and add new files and delete files) on a day to day basis. How "easy edits" work in practice, easily, is completely unclear. You can't work easily in an SFTP client (e.g. FileZilla) which has secure access, but the workflow on the files is incredibly inconvenient. THE TRICKY PART HERE IS WORKING WITH FILES BUT NOT HAVING THE ACCESS REQUIRED FOR THIS CONVENIENCE ALSO BECOME A GENERAL VULNERABILITY FOR MALWARE TO PROPAGATE FROM CLIENT TO SERVER. But is this even possible???

3. Support for LAN-wide backup writes and compares. Backups are done by an elevated privilege backup account -- we haven't tried this yet, but assume that this will work -- however, setting up the ACLs or whatever is completely unclear.

I hope -- along with millions perhaps, even if they don't know it -- that someone can share a nice NAS4Free recipe!

Thanks ever-so-much for any guidance.

BONUS QUERY


It's odd how something so important as permissions is such a missing piece of software. OmniOS/Napp-IT (paid version) seems to address the issue. But for us in the world of NAS4Free (or FreeNAS too), here's the gap:

1) CIFS/SMB Share Setup -- Check
2) USERs and GROUPs -- Check
3) ACCESS CONTROL -- MISSING -- Which is the end result of shares, users, groups and now objects. This gets incredibly complicated -- and not a bad thing -- that's just that life is rich. But software is supposed to help us manage complexity. And just at the moment that we need help -- it's missing. Is this a business opportunity or what?
4) CLIENT/USER -- Then there's the question of the client user on the LAN that can make use of or be denied access to a given resource. The slight differences between Linux security and Windows security seem to cause lots of headaches for some people.

The first two capabilities above are nicely done in a software GUI. But access control (and network management too in the 4th item) are both very CLI-oriented.

Am I missing something? We don't expect computers and sophisticated solutions to build themselves -- we're willing to do the work. But there's no sense of working if the result is not assured of a reasonable chance of success.

Again, super thanks for any pointers or tips in the right direction (like "learn chown" or something, I don't know . . . )

JHM001
Starter
Posts: 17
Joined: 02 Jun 2013 07:56

Re: How To Protect Against Ransomware -- And Still Have Useful System

Post by JHM001 »

Idea No. 1 -- WinSSHFS -- Have done some research on mounting a NAS file system over SSH -- e.g. with WinSSHFS -- then normal SMB (a.k.a. formerly "CIFS") vulnerabilities are eliminated -- but then two problems: (1) how to manage ACLs associated with WinSSHFS locked to certain accounts and (2) in fact WinSSHFS is not really ready for prime time, there are multiple versions, some paid (which might work, but quite expensive). Not sure this is a solution . . .

Idea No. 2 is going full-blown Linux server with SAMBA; we already have this working on other boxes. Need to explore how ACLs work and if they can be made simple. Not sure this is a solution.

Again, there are LOTS of recipes out there that purport to be solutions, and are often offered either in enormous detail and/or with a lot of attitude. But I'd love to find a recipe that is really well researched and proven and which technically savvy non-specialists can implement.

Anyone? Be a hero!

Riften
Starter
Posts: 15
Joined: 04 Jul 2015 16:02
Location: Los Angeles County

Re: How To Protect Against Ransomware -- And Still Have Useful System

Post by Riften »

For any kind of 'protection' from ransomware/spyware what-have-you, it must be multi layered, starting with ingress IMO. This could be the edge device (typically some sort of router/firewall) or could be an unaware end user plugging in their infected memory stick, or clicking the link in a malicious email, or even a malicious end user. So we are talking part training/education, part hardening, part policy enforcement, and part physical security. If it's in your network already via an attack vector that was not hardened properly, it is a little too late. I think the NAS is at the end of the chain and you need to be looking at how nasty stuff can get in and what you can do about it before it reaches your data. This is not so easy; a lot of people make big bucks doing that for a living.

A file server that is not vulnerable? Impossible. Mitigate as best you can by identifying attack vectors and addressing each. For my home network, I identified weaknesses such as, home router with almost no security (NAT is about translating internet routable packets to an internal non-internet routable network, it is not security no matter what the manufacturer says), end users with no idea what is an attack, insufficient antivirus/antispyware on computers and passwords that did not expire and force change.

I am no expert on NAS4Free, but I am running a Windows domain at home so was able to apply permissions to the shares to AD users, no guest access. And yes I have backups of the data. I then built a new router using pfSense, and applied intrusion detection/prevention, proxy with blacklist to block known bad sites, antivirus and tight firewall rules. I made sure family members purchased/installed adequate AV and antispyware software, and set it up for those who are not PC-savvy. As I have a central Windows OS patching solution (WSUS for Windows Server) Windows itself is patched, so I went around the house verifying JAVA was uninstalled and other software was patched such as Adobe PDF software. I educated family members on keeping this software up to date and provided information on phishing and malicious websites and the dangers of downloading unknown software from the Internet, and to use their browser in the sandbox provided by their AV software. Lastly, I no longer trust that other family members will change their passwords on their own, so instituted a password policy for the domain, minimum 8 characters complex. With this done (all within the last few months, getting the router setup took a bit of time) I can maybe delve a bit into what I can do at the NAS level. But I suspect that what I have already done will yield greater benefit than what I can do on the NAS.
Tzvia
11.2.0.4 - Omnius (revision 5774)
Supermicro X10SL7-F, Intel Xeon E3-1241 v3, 3.5 GHz
32gigs Pacific Sun ECC 1600MHz
4x Toshiba 3TB NAS drives, 4x Toshiba 4TB NAS drives: ZFS striped mirrors
4 port Intel NIC
Thermaltake V71 Case (yea it's huge) & EVGA 650W PSU

provels
experienced User
Posts: 108
Joined: 05 Jan 2014 15:31
Location: Chicago, IL, USA

Re: How To Protect Against Ransomware -- And Still Have Useful System

Post by provels »

My thoughts - I have a hardware FW solution (pfSense), and multi-layer antivirus/malware protection (Norton/McAfee, Malwarebytes, and the Windows built-in programs). But what concerns me most at this time is the potential of reaching an honest webpage with malicious adverts where drive-by malware can be installed. I have taken to doing my normal web browsing from a dedicated VM and using secure web applications (like financials) from another dedicated VM, rather than using my main workstation for both plus local apps. I also run Hostsman to avoid connecting to ad servers in the first place. At times it's annoying because it breaks some sites that go through third-party affiliates, but worth the hassle for the speed and security offered. When I was a net admin, I had $ shares statically mapped to many server drives for convenience, but when we had our first case of ransomware come through a couple years ago and encrypt the user's directory on the FS as well as their C:, I stopped that and mapped to UNC only when needed. At home, I keep my NAS off unless needed; that's where my backups and archives reside. Besides, it burns 100W at idle... Easy enough to power on with WOL.
Peder
XigmaNAS 11.4.0.4.7718 Embedded / MiniDLNA and CIFS/SMB only
HP ProLiant DL320 G3 / P4 660 3.6GHz HT / 4GB ECC / 2 x 3TB WD Red, ZFS Mirror / APC Back-UPS BR 800

erico.bettoni
experienced User
Posts: 140
Joined: 25 Jun 2012 22:36
Location: São Paulo - Brasil

Re: How To Protect Against Ransomware -- And Still Have Useful System

Post by erico.bettoni »

Ditch UFS and use ZFS with daily snapshots and keep them for 30 days or more, depending on your needs.
So if your data gets encrypted you can access data 30 days in the past.
That and daily backup to another medium with longer keeping periods.

arinci
Starter
Posts: 17
Joined: 01 May 2014 08:18

Re: How To Protect Against Ransomware -- And Still Have Useful System

Post by arinci »

erico.bettoni wrote:
Ditch UFS and use ZFS with daily snapshots and keep them for 30 days or more, depending on your needs.
So if your data gets encrypted you can access data 30 days in the past.
That and daily backup to another medium with longer keeping periods.

Enrico, that sounds like a good idea. We had a ransomware attack a few days ago (cerber3 silently installed on a Windows client PC through an infected Ammyy Admin executable downloaded from the legitimate Ammyy Admin website!); fortunately our Nas4free server has not been attacked.

Can you please explain how to do an automated 7 days auto snapshot with ZFS volume on our NAS4FREE server? This setup will solve the ransomware problem in a very brilliant way.
Thanks!

erico.bettoni
experienced User
Posts: 140
Joined: 25 Jun 2012 22:36
Location: São Paulo - Brasil

Re: How To Protect Against Ransomware -- And Still Have Useful System

Post by erico.bettoni »

Just go to disk - ZFS - snapshot - autosnapshot and set the frequency of the snapshots to be taken.
To access the data you can expose the snapshots via samba itself, as they are readonly.
Just remember to check your data periodically, because if you have data that is important but doesn't change as fast as your snapshots, you could end up with no old enough snapshot to recover from.

KimmoJ
Starter
Posts: 42
Joined: 02 Feb 2016 15:02

Re: How To Protect Against Ransomware -- And Still Have Useful System

Post by KimmoJ »

Agreed, ditch UFS. It's total crap compared to ZFS. You can't avoid it on your boot device, but should avoid it like the plague unless you have some very very specific use case, use ZFS everywhere.

The next big ZFS upgrade for NAS4Free should be snapshot handling in general, in my opinion. It's primitive now.

I had to go with a full install and an addition of the brilliant zfsnap script to the system to get the result I wanted. With the built in handling you can do daily snapshots, which is useless. Well, in my opinion, anyway.

I started with this: viewtopic.php?t=7291 (thanks to user amrgb for doing the work there!) and adapted it for my use.

It snapshots every folder I have shared with 10 minute intervals for a week. I didn't bother with longer than that, since I obviously back up the entire file server on a daily basis (I run it in a VM, in my case). Then there's a daily zfsnap job that goes through and erases every snap older than 7 days.

It's saved my ass twice already. The first ransomware incident made me shut down all VB macro possibilities for users and so I thought we were safe, but a javascript based variant slipped through the helpdesk system... so then I killed all scripts on the desktops too. :p But rolling back snapshots was perfect, took 30 seconds to recover from having a fair bit encrypted.

And the devs just added a rollback function in the GUI recently in 10.3, so now you don't even have to go to the CLI to rollback.

And another bonus - those snapshots of our CIFS folders are exposed to the users via shadow copy, so they can self-serve and go retrieve an earlier version of a file at any point, if they happen to damage a file and save it by mistake for instance. So more functionality and nearly ransomware proof.
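As an added example (not code from this thread, NAS4Free or zfsnap) covering both the retention scheme described in the two posts above and the "no old enough snapshot" caveat raised earlier: a small planner over the output of `zfs list -H -p -t snapshot -o name,creation`, with a constructed sample and an assumed `auto-` snapshot name prefix.

```python
"""ZFS snapshot retention planner plus a "do we still have a clean
snapshot?" check for the ransomware recovery case in this thread."""
from dataclasses import dataclass

DAY = 86400

@dataclass(frozen=True)
class Snapshot:
    name: str      # e.g. tank/share@auto-2016-10-06 (assumed naming)
    dataset: str   # part before the '@'
    creation: int  # epoch seconds, as printed by `zfs list -p`

def parse_zfs_list(text):
    """Parse `zfs list -H -p -t snapshot -o name,creation` output (tab-separated)."""
    snaps = []
    for line in text.splitlines():
        if line.strip():
            name, creation = line.split("\t")
            snaps.append(Snapshot(name, name.split("@", 1)[0], int(creation)))
    return sorted(snaps, key=lambda s: s.creation)  # oldest first

def plan_prune(snaps, now, keep_days=7):
    """Split into (keep, destroy); older than keep_days goes, like the nightly zfsnap job."""
    cutoff = now - keep_days * DAY
    return ([s for s in snaps if s.creation >= cutoff],
            [s for s in snaps if s.creation < cutoff])

def destroy_commands(destroy):
    """The zfs destroy commands the prune job would run."""
    return [f"zfs destroy {s.name}" for s in destroy]

def newest_clean_snapshot(kept, dataset, damage_time):
    """Newest surviving snapshot of dataset taken strictly before the damage.
    None means every remaining snapshot already holds the encrypted files,
    the trap the thread warns about for data that changes slowly."""
    candidates = [s for s in kept
                  if s.dataset == dataset and s.creation < damage_time]
    return max(candidates, key=lambda s: s.creation, default=None)

# Constructed sample: tank/share is snapshotted often, tank/photos rarely.
NOW = 1476000000  # 2016-10-09, when the prune job runs
SAMPLE_ZFS_LIST = "\n".join([
    f"tank/share@auto-2016-09-19\t{NOW - 20 * DAY}",
    f"tank/share@auto-2016-10-01\t{NOW - 8 * DAY}",
    f"tank/share@auto-2016-10-06\t{NOW - 3 * DAY}",
    f"tank/share@auto-2016-10-08_20.00\t{NOW - DAY // 2}",
    f"tank/photos@auto-2016-09-29\t{NOW - 10 * DAY}",
    f"tank/photos@auto-2016-10-08\t{NOW - DAY}",
])

def demo(now=NOW, keep_days=7, damage_age_days=2):
    """Prune the sample, then per dataset find the newest snapshot predating a hit damage_age_days ago."""
    keep, destroy = plan_prune(parse_zfs_list(SAMPLE_ZFS_LIST), now, keep_days)
    damage_time = now - damage_age_days * DAY
    report = {}
    for dataset in sorted({s.dataset for s in keep}):
        clean = newest_clean_snapshot(keep, dataset, damage_time)
        report[dataset] = clean.name if clean else None
    return destroy_commands(destroy), report
```

With a hit two days ago, tank/share can be rolled back to its three-day-old snapshot, while tank/photos has no surviving snapshot that predates the damage once the 7-day prune has run.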

juddyjacob
Starter
Posts: 48
Joined: 07 Sep 2012 03:01
Location: Leonardo New Jersey

Re: How To Protect Against Ransomware -- And Still Have Useful System

Post by juddyjacob »

Migrate to ZFS and keep snapshots as mentioned above. This is a great method to protect your data. Also there are some paid client services like DNS Umbrella that will stop this ransomware software. Good to have an off-site backup as a just-in-case scenario. To further note, most of this malicious software circulates through email. Block all emails that contain a zip attachment. Or get a 3rd party email filter system like SpamSoap.
x64-full on Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz : Supermicro X10SRL-F : 130926MiB ECC Ram: 8x4TB RZ2 : 19TB Usable

KimmoJ
Starter
Posts: 42
Joined: 02 Feb 2016 15:02

Re: How To Protect Against Ransomware -- And Still Have Useful System

Post by KimmoJ »

Yeah, there is more you can do than just snapshots on ZFS; snapshots will save your butt if you do get hit, but the primary effort should be to prevent the ransomware from getting in in the first place.

Windows has functions for a lot you need - for instance, you can whitelist apps that run from Program Files (for example) and set it so that everything that isn't in there (like ransomware) literally isn't allowed to run.

You can also prevent users from running stuff from their own profile/temp folder, that too will prevent ransomware from even running.

Obviously, Office needs to be set up to restrict macros - for instance, setting it up via a Group Policy to not run unsigned macros will stop all known ransomware (so far); users have to learn how to sign macros they need though.

Plus you can also shut down the windows scripting host on the desktop, that too will stop a bunch of ransomware.

Obviously, no user should be given administrator privileges.

So ransomware protection will involve a lot more than secure storage; most of the effort required in fact is not storage-related.
Beyond that you can install an IPS, intrusion protection system. You can buy firewall appliances with that built-in or roll your own with something like Snort.

ms49434
Developer
Posts: 828
Joined: 03 Sep 2015 18:49
Location: Neuenkirchen-Vörden, Germany - GMT+1

Re: How To Protect Against Ransomware -- And Still Have Useful System

Post by ms49434 »

FYI, 2 posts have been removed because of advertising.
1) XigmaNAS 12.1.0.4 amd64-embedded on a Dell T20 running in a VM on ESXi 6.7U3, 22GB out of 32GB ECC RAM, LSI 9300-8i IT mode in passthrough mode. Pool 1: 2x HGST 10TB, mirrored, L2ARC: Samsung 850 Pro; Pool 2: 1x Samsung 860 EVO 1TB, SLOG: Samsung SM883, services: Samba AD, CIFS/SMB, ftp, ctld, rsync, syncthing, zfs snapshots.
2) XigmaNAS 12.1.0.4 amd64-embedded on a Dell T20 running in a VM on ESXi 6.7U3, 8GB out of 32GB ECC RAM, IBM M1215 crossflashed, IT mode, passthrough mode, 2x HGST 10TB , services: rsync.

provels
experienced User
Posts: 108
Joined: 05 Jan 2014 15:31
Location: Chicago, IL, USA

Re: How To Protect Against Ransomware -- And Still Have Useful System

Post by provels »

ms49434 wrote:
FYI, 2 posts have been removed because of advertising.

Yeah, it wasn't much. Installed, uninstalled. You know me, I'll install anything. Time to revert the VM.
Peder
XigmaNAS 11.4.0.4.7718 Embedded / MiniDLNA and CIFS/SMB only
HP ProLiant DL320 G3 / P4 660 3.6GHz HT / 4GB ECC / 2 x 3TB WD Red, ZFS Mirror / APC Back-UPS BR 800
