Network Storage Protocols Discussions

CIFS share isolation following virus identification

Hi, I have received a request to put together a process to stop access to CIFS shares mapped to virtual desktops in the event of a malicious attack, to limit the impact of users inadvertently spreading the corruption. My first thought is to simply stop sharing the individual CIFS share or disable CIFS altogether, thus disabling access completely.

 

Both would stop access to the shares, but I'm wondering if there are any other options, either NetApp or third-party, that anyone has used and would recommend?

 

Thanks in advance,

 

JennerSRB


Re: CIFS share isolation following virus identification

Hi Jenner,

 

The best protection against malicious attacks would consist of at least the following:

 

1. proper backup (plus snapshot) policy

2. set up FPolicy to block known extensions, thus preventing encryption

3. in case of a known malicious attack:

   a. Create a snapshot IMMEDIATELY so you know what is going on

   b. either stop CIFS services

   c. or set all CIFS shares to read-only (this will impact your business less and prevent encryption/deletion as well)

The steps in point 3 can easily be automated using the PowerShell SDK or Linux shell scripting, depending on your environment.

Make sure to make the scripting dynamic so newly created/deleted CIFS shares are automatically added.

 

Besides that, you should look into a good security information and event monitoring service so you get early alerting when attacks happen. Unfortunately we cannot prevent such attacks, but timely detection can save you loads of work and problems.

 

/Xander
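One way to script points 2 and 3 from a Linux host, as an added example that is not from this thread and not NetApp's own tooling: it drives the ONTAP 9 cluster CLI over ssh, takes the snapshot first, and then either demotes every share-level ACE to Read or stops the CIFS server. The cluster hostname, the SVM `svm1`, the share, volume and ACL entries in the two sample listings, and the extension list are all constructed for the example. The command and field names are how I understand the ONTAP 9 clustered CLI (`volume snapshot create`, `vserver cifs share access-control modify`, `vserver cifs modify -status-admin down`, native-engine `vserver fpolicy`); check them against your ONTAP version before relying on the script. With `DRY_RUN=1` (the default) nothing is sent and the commands are only printed.

```shell
#!/bin/sh
# Added example (not from the thread or NetApp). Drives the ONTAP 9 cluster CLI
# over ssh; host, SVM, share, ACL and extension names are all hypothetical.
set -eu

ONTAP_HOST="${ONTAP_HOST:-cluster1.example.internal}"   # assumed cluster mgmt LIF
ONTAP_USER="${ONTAP_USER:-admin}"
DRY_RUN="${DRY_RUN:-1}"          # 1 = print the ONTAP commands instead of sending them
SNAP_NAME="${SNAP_NAME:-pre_isolation_$(date -u +%Y%m%dT%H%M%SZ)}"

# Send one ONTAP CLI line (ssh lands in the ONTAP clish, not a shell) or print it.
ontap() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"
  else ssh -o BatchMode=yes "$ONTAP_USER@$ONTAP_HOST" "$*"; fi
}

# Fetch a "show -fields" table from the controller, or the constructed sample when dry-running.
listing() {                      # $1 = show command, $2 = sample output for dry runs
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$2"
  else ssh -o BatchMode=yes "$ONTAP_USER@$ONTAP_HOST" "$1"; fi
}

# Drop the header line, the dash separator and the "N entries were displayed." trailer.
rows() { awk 'NR>2 && NF>=3 && $0 !~ /entries were displayed/'; }

# Constructed sample output of "vserver cifs share show -fields share-name,volume".
SAMPLE_SHARES='vserver share-name volume
------- ---------- ------------
svm1    admin$     svm1_root
svm1    c$         svm1_root
svm1    homes      vol_home
svm1    projects   vol_projects
4 entries were displayed.'

# Constructed sample output of "vserver cifs share access-control show -fields user-or-group,permission".
SAMPLE_ACLS='vserver share    user-or-group          permission
------- -------- ---------------------- ------------
svm1    admin$   BUILTIN\Administrators Full_Control
svm1    c$       BUILTIN\Administrators Full_Control
svm1    homes    Everyone               Full_Control
svm1    homes    CORP\Domain Users      Change
svm1    projects Everyone               Read
svm1    projects CORP\Project Editors   Change
6 entries were displayed.'

# Step 3a: snapshot every volume behind a share before touching anything (dedupe by SVM+volume).
snapshot_share_volumes() {       # stdin: share listing
  rows | awk '{print $1, $3}' | sort -u | while read -r svm vol; do
    ontap "volume snapshot create -vserver $svm -volume $vol -snapshot $SNAP_NAME"
  done
}

# Step 3c: demote every share-level ACE to Read. Share permissions accumulate across a
# user's groups, so demoting only "Everyone" is not enough. Built-in admin shares
# (names ending in $) are left alone. Principals may contain spaces, hence the tab join.
readonly_shares() {              # stdin: ACL listing
  rows | awk '{p=$3; for (i=4; i<NF; i++) p=p" "$i; printf "%s\t%s\t%s\t%s\n",$1,$2,p,$NF}' |
  while IFS="$(printf '\t')" read -r svm share principal perm; do
    case "$share" in *\$) continue ;; esac
    if [ "$perm" != Read ]; then
      ontap "vserver cifs share access-control modify -vserver $svm -share $share -user-or-group \"$principal\" -permission Read"
    fi
  done
}

# Step 3b: the blunt alternative, stop the CIFS server of every SVM that serves shares.
stop_cifs() {                    # stdin: share listing
  rows | awk '{print $1}' | sort -u | while read -r svm; do
    ontap "vserver cifs modify -vserver $svm -status-admin down"
  done
}

# Point 2: native FPolicy file blocking for a list of extensions (no external FPolicy server).
fpolicy_block_extensions() {     # $1 = SVM, $2 = comma-separated extensions (illustrative list)
  ontap "vserver fpolicy policy event create -vserver $1 -event-name ransom_ext -protocol cifs -file-operations create,rename"
  ontap "vserver fpolicy policy create -vserver $1 -policy-name block_ransom -events ransom_ext -engine native -is-mandatory true"
  ontap "vserver fpolicy policy scope create -vserver $1 -policy-name block_ransom -shares-to-include \"*\" -file-extensions-to-include $2"
  ontap "vserver fpolicy enable -vserver $1 -policy-name block_ransom -sequence-number 1"
}

# Enumerating shares and ACEs at run time is what keeps this "dynamic": shares
# created after the script was written are covered without editing it.
isolate() {                      # $1 = readonly | stop | fpolicy
  case "$1" in
    readonly) listing "vserver cifs share show -fields share-name,volume" "$SAMPLE_SHARES" | snapshot_share_volumes
              listing "vserver cifs share access-control show -fields user-or-group,permission" "$SAMPLE_ACLS" | readonly_shares ;;
    stop)     listing "vserver cifs share show -fields share-name,volume" "$SAMPLE_SHARES" | snapshot_share_volumes
              listing "vserver cifs share show -fields share-name,volume" "$SAMPLE_SHARES" | stop_cifs ;;
    fpolicy)  fpolicy_block_extensions svm1 "locky,zepto,cerber,crypt,encrypted" ;;
    *)        echo "usage: $0 readonly|stop|fpolicy" >&2; return 2 ;;
  esac
}

if [ "$#" -gt 0 ]; then isolate "$1"; fi
```

Run it as `DRY_RUN=1 sh cifs_isolate.sh readonly` and read the generated commands before switching `DRY_RUN=0`. Two caveats worth checking on your own system: a share ACL change applies to new tree connects, so clients with an open session may keep their existing access until that session is closed (ONTAP has `vserver cifs session close` for that), and the read-only option only restricts SMB; the same volumes exported over NFS are untouched, which is one reason the snapshot comes first in every mode.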

Re: CIFS share isolation following virus identification


Hi Xander,

 

Thanks for the reply, and I concur with all the points you have made. I hadn't considered making the CIFS shares read-only, but that is a good suggestion.

 

Thanks again,

 

Jenner.

Re: CIFS share isolation following virus identification

Hi

 

If you want, NetApp has a full document about that topic: "The NetApp Solution for Ransomware"

https://www.netapp.com/us/media/tr-4572.pdf

 

Gidi

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK