m-dwyer / CryptoBlocker

A script to deploy File Server Resource Manager and associated scripts to block infected users
GNU General Public License v2.0
53 stars, 103 forks

Removal of Deny Permissions on Shares #6

Open nm777 opened 8 years ago

nm777 commented 8 years ago

On servers with many shares, removal of the share-level deny ACL applied when an infection is detected is very tedious. By modifying your KillUserSession.ps1 script, I was able to write a script to restore user share access after an infection has been cleaned. I'm sharing my script below for your review and possible inclusion in your project.

Function RemoveDenySharePermission ([string] $ShareName, [string] $DomainUser)
{
    $domainUserSplit = $DomainUser.Split("\")
    $domain = $domainUserSplit[0]
    $user   = $domainUserSplit[1]

    # Read the current security descriptor of the share
    $shss = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
    if ($shss -eq $null) {
        Write-Warning "No security setting found for share [$ShareName]; skipping."
        return $null
    }
    $sd = Invoke-WmiMethod -InputObject $shss -Name GetSecurityDescriptor | Select -ExpandProperty Descriptor

    # Build a new descriptor that keeps every ACE except the Deny ACE for this user.
    # AceType 1 = Access Denied; an Allow ACE (AceType 0) for the same user is kept.
    $sclass = [wmiclass] "ROOT\CIMV2:Win32_SecurityDescriptor"
    $newsd = $sclass.CreateInstance()
    $newsd.ControlFlags = $sd.ControlFlags

    $keptAces = @()
    $removed = 0
    foreach ($oace in $sd.DACL)
    {
        $isUserDeny = ($oace.AceType -eq 1) -and
                      ($oace.Trustee.Domain -eq $domain) -and
                      ($oace.Trustee.Name -eq $user)
        if ($isUserDeny) {
            $removed++
        } else {
            $keptAces += [System.Management.ManagementBaseObject] $oace
        }
    }

    if ($removed -eq 0) {
        Write-Host "No Deny ACE for [$DomainUser] on share [$ShareName]; nothing to change."
        return 0
    }
    $newsd.DACL = $keptAces

    # Write the descriptor back; ReturnValue 0 means success
    $setResult = $shss.SetSecurityDescriptor($newsd)
    return $setResult.ReturnValue
}

# Verify the script is being run as an administrator
If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
{
    Write-Warning "You do not have Administrator rights to run this script!`nPlease re-run this script as an Administrator!"
    exit 1
}

# Request the username
Write-Host "This script will remove the Deny ACLs that were created on shares`nto protect against crypto virus infection.`n"
$DomainUser = Read-Host -Prompt "User account (DOMAIN\User)"

# Require DOMAIN\User; otherwise the Split() in the function has no user part to match
if ($DomainUser -notmatch '^[^\\]+\\[^\\]+$') {
    Write-Warning "Expected DOMAIN\User, got [$DomainUser]."
    exit 1
}

# Only ordinary disk shares (Type 0); administrative shares such as C$ and IPC$ are excluded
$affectedShares = Get-WmiObject -Class Win32_Share |
                    Select Name, Path, Type |
                    Where { $_.Type -eq 0 }

$affectedShares | % {
    Write-Host "Removing deny ACL for [$DomainUser] on share [$($_.Name)]..."
    $rc = RemoveDenySharePermission -ShareName $_.Name -DomainUser $DomainUser
    if ($rc -ne $null -and $rc -ne 0) {
        Write-Warning "SetSecurityDescriptor on [$($_.Name)] returned $rc"
    }
}

$affectedShares | Format-Table Name, Path -AutoSize
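On Windows Server 2012 / Windows 8 and later the SmbShare module already exposes share-level deny entries through Get-SmbShareAccess and removes them with Unblock-SmbShareAccess, so the WMI descriptor rebuild is only needed on older hosts. The script below is an added example, not CryptoBlocker project code and not the script posted above: it audits every non-administrative share for Deny entries belonging to one account, supports -WhatIf for a dry run, and re-reads the share ACLs afterwards to confirm nothing was left behind. It assumes the SmbShare module is available; the script file name and the CORP\jdoe account in the usage comment are placeholders.

```powershell
<#
  Added example, not CryptoBlocker project code and not the WMI script above.
  Assumes the SmbShare module (Windows Server 2012 / Windows 8 or later).

  Usage (file name is a placeholder):
    .\Unblock-ShareDeny.ps1 -DomainUser 'CORP\jdoe' -WhatIf   # dry run, report only
    .\Unblock-ShareDeny.ps1 -DomainUser 'CORP\jdoe'           # remove the Deny entries
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[^\\]+\\[^\\]+$')]   # must look like DOMAIN\User
    [string] $DomainUser
)

# Return every Deny entry for $Account on the non-administrative shares.
# IPC$ and C$-style admin shares are flagged Special and are skipped, which
# matches the Type -eq 0 filter in the WMI script.
function Get-ShareDenyEntries([string] $Account) {
    Get-SmbShare |
        Where-Object { -not $_.Special } |
        ForEach-Object {
            Get-SmbShareAccess -Name $_.Name |
                Where-Object { $_.AccessControlType -eq 'Deny' -and $_.AccountName -eq $Account }
        }
}

$denyEntries = @(Get-ShareDenyEntries -Account $DomainUser)
if ($denyEntries.Count -eq 0) {
    Write-Host "No Deny entries for [$DomainUser] on any share."
    return
}

Write-Host "Deny entries for [$DomainUser]:"
$denyEntries | Format-Table Name, AccountName, AccessControlType, AccessRight -AutoSize

foreach ($entry in $denyEntries) {
    # With -WhatIf, ShouldProcess prints the intended action and returns $false
    if ($PSCmdlet.ShouldProcess($entry.Name, "Remove Deny entry for $DomainUser")) {
        Unblock-SmbShareAccess -Name $entry.Name -AccountName $DomainUser -Force
    }
}

# Re-read the share ACLs so we know the cleanup actually took effect,
# rather than trusting that the cmdlet returned without error.
if (-not $WhatIfPreference) {
    $remaining = @(Get-ShareDenyEntries -Account $DomainUser)
    if ($remaining.Count -gt 0) {
        $names = ($remaining | Select-Object -ExpandProperty Name) -join ', '
        Write-Warning "Deny entries for [$DomainUser] still present on: $names"
    } else {
        Write-Host "All Deny entries for [$DomainUser] removed."
    }
}
```

The account match is an exact (case-insensitive) string comparison on AccountName, so an entry left behind for an account that has since been deleted shows up as a raw SID and is not touched; list the output of Get-SmbShareAccess without the AccountName filter if you need to find those. Run with -WhatIf first on a server with many shares so the list can be reviewed before anything is changed.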

Solaris17 commented 8 years ago

This is a great addition, I was very worried about how long it would take to reverse the changes. Has this been implemented as of yet?