This repository has been archived by the owner on Dec 19, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathTriggeredDenySMBPermissions.ps1
73 lines (60 loc) · 4.95 KB
/
TriggeredDenySMBPermissions.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
<#
.Notes
TriggeredDenySMBPermissions.PS1
.Synopsis
This script is called by directly by the FSRM Anti-ransomware screen to block access to the shares on the server.
Also manually called to unblock previously blocked users.
.Description
The primary mission of this script is to apply deny permissions to the specified user for all shares on the server. It's called by FSRM from a file screen and the calling command line can be found in the command tab of the the screens and templates.
There is an option switch that will also cause this script to terminate all SMB sessions in use by the specified users. Under typical circumstances when a passive screen is used the file operations can continue for up to 45 more seconds. Terminating the sessions will stop file operations immediately.
There is also a fail safe built into this script to compensate for incorrect command notification and event notificaiton time configurations in FSRM. The command notification limit is alwasy set to 0 by the FSRM-Anti-ransomware script. If this script detects a manually applied incorrect timer configuration it will force the FSRM service to reload which also resets the timers.
This script is also used to restore access to shares for the specified user when the "-Unlock" switch is used.
Application event log events generated by this script.
event ID 3001 is only generated by the TriggeredDenySMBPermissions.PS1 for locking/denying events
event ID 3002 is only generated by the TriggeredDenySMBPermissions.PS1 for unlocking/clearing events
.Link
https://github.com/SparkyzCodez/FSRM-Anti-ransomware
#>
param(
# This is the full AD user name.
[string]$UserName = "",
# This switch causes the user's SMB session to disconnect AFTER the share deny permissions have been applied.
[switch]$RapidSMBdisconnect,
# This switch causes the script to unwind any previously applied share deny permisisons.
[switch]$Unlock
)
# Leave these two event log variables just as they are unless you are quite sure you want the logging handled differently.
$CurrentVersion = "1.0.0"
[string]$localformattedparmstring = (Get-Command -Name $PSCommandPath).Parameters | Format-Table -AutoSize @{ Label = "Key"; Expression={$_.Key}; }, @{ Label = "Value"; Expression={(Get-Variable -Name $_.Key -EA SilentlyContinue).Value}; } | Out-String
$EventLog = "Application"
$EventLoggingSource = $EventLoggingSource = "FSRM Anti-ransomware Suite"
# if the Unlock flag is $True then execute the else clause to globally un-deny share permissions for the specified user
If ($Unlock.IsPresent -ne $True)
{
$message = "TriggeredDenySMBPermissions.PS1 Script version:`n" + $CurrentVersion + "`nWarning:`nFSRM Anti-ransomware triggered LOCKING/DENYING event for user`n" + $UserName + "`n"
$message = $message + "`nTo clear the lockout condition execute this command at a PowerShell prompt with sufficient privileges:`n`& `'" + $PSCommandPath + "`' -Unlock -UserName " + $UserName + "`n"
$message = $message +"`nParam block variables and values:"+ $localformattedparmstring
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 3001 -EntryType Warning -Message $message
# apply deny permissions to shares
Get-SmbShare | Where-Object currentusers -gt 0 | Block-SmbShareAccess -AccountName $UserName -force
# forces the SMB connections to close immediately, faster than waiting for the clients to timeout
If ($RapidSMBdisconnect.IsPresent)
{
Close-SmbSession -ClientUserName $UserName -force
}
# fail safe brute force restart of FSRM services if the notification settings are not set to 0, shouldn't be necessary but here if we need it
If (((Get-FsrmSetting).CommandNotificationLimit -ne 0) -or ((Get-FsrmSetting).EventNotificationLimit -ne 0))
{
$message = "TriggeredDenySMBPermissions.PS1 Script version:`n" + $CurrentVersion + "`nWarning:`nFSRM notifcation time limits for command notification and/or event log notification are set incorrectly. Rerun FSRM-Anti-ransomware (or its launcher script) as soon as possible to correct the settings.`nAs a work around we have performed a hard restart on the FSRM service.`n"
$message = $message + "`nParam block variables and values:" + $localformattedparmstring
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 3002 -EntryType Warning -Message $message
Restart-Service "File Server Resource Manager" -force
}
}
Else
{
$message = "TriggeredDenySMBPermissions.PS1 Script version:`n" + $CurrentVersion + "`nWarning:`nClearing FSRM Anti-ransomware triggered lockout for user`n" + $UserName + "`n"
$message = $message +"`nParam block variables and values:"+ $localformattedparmstring
Write-EventLog -LogName $EventLog -Source $EventLoggingSource -Category 0 -EventID 3101 -EntryType Warning -Message $message
Get-SmbShare | Unblock-SmbShareAccess -AccountName $UserName -force -ErrorAction SilentlyContinue
}