On servers with many shares, removal of the share-level deny ACL applied when an infection is detected is very tedious. By modifying your KillUserSession.ps1 script, I was able to write a script to restore user share access after an infection has been cleaned. I'm sharing my script below for your review and possible inclusion in your project.
Function RemoveDenySharePermission ([string] $ShareName, [string] $DomainUser)
{
$domainUserSplit = $DomainUser.Split("\")
$shss = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
$sd = Invoke-WmiMethod -InputObject $shss -Name GetSecurityDescriptor | Select -ExpandProperty Descriptor
$sclass = [wmiclass] "ROOT\CIMV2:Win32_SecurityDescriptor"
$newsd = $sclass.CreateInstance()
$newsd.ControlFlags = $sd.ControlFlags
foreach ($oace in $sd.DACL)
{
if ($oace.Trustee.Domain -ne $domainUserSplit[0] -or $oace.Trustee.Name -ne $domainUserSplit[1]) {
$newsd.DACL += [System.Management.ManagementBaseObject] $oace
}
}
$share = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
$setResult = $share.SetSecurityDescriptor($newsd)
#return $setResult.ReturnValue
}
# Verify the script is being run as an administrator
If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] “Administrator”))
{
Write-Warning “You do not have Administrator rights to run this script!`nPlease re-run this script as an Administrator!”
Break
}
# Request the username
Write-Host "This script will remove the Deny ACLs that were created on shares`nto protect against crypto virus infection.`n"
$DomainUser = Read-Host -Prompt "User account (DOMAIN\User)"
# Let's try altering share permissions..
$Username = $DomainUser.Split("\")[1]
$affectedShares = Get-WmiObject -Class Win32_Share |
Select Name, Path, Type |
Where { $_.Type -eq 0 }
$affectedShares | % {
Write-Host "Removing deny ACL for [$DomainUser] on share [$($_.Name)]..."
RemoveDenySharePermission -ShareName $_.Name -DomainUser $DomainUser
}
Write-Host $affectedShares
On servers with many shares, removal of the share-level deny ACL applied when an infection is detected is very tedious. By modifying your KillUserSession.ps1 script, I was able to write a script to restore user share access after an infection has been cleaned. I'm sharing my script below for your review and possible inclusion in your project.