
We have MS Windows Server 2012 installed. After the attacks of last week, I was wondering how we could improve the security of the server against ransomware/cryptoware.

We did install the latest updates from Microsoft.

What else can we do?

Anders
Ludisposed
  • This is too broad a question. We have no way to know what you are vulnerable to, so we can't answer this. Are you talking about ransomware protection? Otherwise, you should first identify what your risks and vulnerabilities are and find solutions to minimise your risks. – M'vy May 17 '17 at 07:47
  • Yes, I am talking about ransomware protection. Sorry if my question is too broad; I'll edit it. I hope this will make it clearer what I'm asking. – Ludisposed May 17 '17 at 07:52

1 Answer


The basics for protection against ransomware are:

  • Update frequently (OS, antivirus, ...)
  • Don't open phishing / infected emails, which usually convey the ransomware (user awareness)
  • Backup, backup, backup (and check them!)

The majority of the ransomware risk is cancelled by a proper backup strategy. If your data are safe in some offline place, they can encrypt whatever they want. It's surely a hindrance to go through the restore procedure, but it does not cost more.

Some basic techniques might also help: email filters, macro scanning/disabling, and a least-privilege policy for your users.

M'vy
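The "check them!" part of the backup advice is the one that is easiest to skip, so here is an added example (not code from the answer or from any commenter) of a backup manifest plus a restore-verification check. At backup time it records a SHA-256 digest for every file; a restore drill, or a scan of the live share, then reports which files are missing, modified, or unexpected. A crypto-locker that rewrites files in place shows up as "modified" and its dropped note as "unexpected"; a backup job that silently stopped copying part of the tree shows up as "missing". The directory names, file contents and scenarios below are constructed for the demonstration.

```python
"""Added example: backup manifest and restore-verification check.
Every path and file content here is constructed for the demonstration."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its digest."""
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_tree(manifest: dict, tree: Path) -> dict:
    """Compare a directory tree against a manifest taken earlier."""
    current = build_manifest(tree)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in manifest
                           if k in current and current[k] != manifest[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Run the backup, restore-drill, broken-backup and ransomware scenarios."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live = base / "data"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "q1.xlsx").write_bytes(b"constructed spreadsheet bytes")
        (live / "notes.txt").write_text("constructed notes")

        # Backup: copy the tree and store the manifest next to it so the
        # digests travel with the offline copy.
        backup = base / "backup"
        shutil.copytree(live, backup)
        (base / "manifest.json").write_text(json.dumps(build_manifest(live)))
        manifest = json.loads((base / "manifest.json").read_text())

        # Restore drill: restore to a scratch location and verify it. This is
        # the step that would have caught the blank tapes in the comments.
        restored = base / "restore_test"
        shutil.copytree(backup, restored)
        clean = verify_tree(manifest, restored)

        # A backup job that quietly skips one file type.
        broken = base / "broken_backup"
        shutil.copytree(live, broken, ignore=shutil.ignore_patterns("*.xlsx"))
        partial = verify_tree(manifest, broken)

        # Ransomware-style damage to the live data: one file rewritten in
        # place, plus a dropped note.
        (live / "notes.txt").write_bytes(b"\x00constructed ciphertext\x00")
        (live / "README_DECRYPT.txt").write_text("constructed ransom note")
        tampered = verify_tree(manifest, live)

        return {"clean": clean, "partial": partial, "tampered": tampered}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Keeping the manifest with the offline copy (and a second copy somewhere the server cannot write to) matters: if the manifest lives only on the file server, the same infection that encrypts the data can encrypt the manifest too.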
  • Thank you for your answer. New to this section, so excuse my noobiness. We do update frequently; we have backups at multiple locations; we also have a strict mail/browser policy. So we are reasonably safe? – Ludisposed May 17 '17 at 08:11
  • I cannot reasonably tell you "you're ok". Security depends a lot on context. If you want to have a 'level' of 'safeness' you really should do a proper risk analysis. – M'vy May 17 '17 at 08:15
  • What do you mean by frequently? In some of the clients that I worked with, they also mentioned "updates frequently" and it was quarterly. Quarterly updates wouldn't cover you in this case of the WCry ransomware. You need a proper patch management process, with tight SLAs for critical patches (max 1 week to remediate critical patches). – Ricardo Reimao May 17 '17 at 09:56
  • Frequently = as often as you need so that the impact of a successful attack is lower than what you can accept as a loss. This is basic risk management. You define a level of risk acceptance, you assess the risks and compute their level of risk, then you put in measures to lower the risk under the level of acceptance. Again, there is no 'absolute' truth here. It all depends on your context. – M'vy May 17 '17 at 10:04
  • @RicardoReimao We check for updates weekly, but only do the standard Windows Updater. Is there a protocol/user-guide for this 'patch management process' I can check out? – Ludisposed May 17 '17 at 10:06
  • @Ludisposed A good backups process is one thing, but do you also have a good *recovery* process which you test regularly? I heard lots of horror stories about poor sysadmins who *thought* they had backups but when they really needed them they noticed that their backup process broke a few years ago due to some infrastructure change and all their backups were useless. – Philipp May 17 '17 at 10:40
  • @Philipp my fav from a decade ago: a full backup programme with daily, weekly, monthly, yearly tape rotations. Top of the line tape backup systems. Every new IT employee first trained on backups. Backups were the top priority before anything else. Disaster struck and they needed to recover: found out that the tapes all had their "write protection" tab turned on. All tapes were blank... – schroeder May 17 '17 at 10:54