Ransomware prevention should start at the network endpoints, where most infections begin: a user opens a malicious attachment or visits a compromised site. Administrators can take three steps to keep an endpoint from falling victim to ransomware.
The best way to block ransomware is to practice defense in depth and wrap the organization in multiple layers of protection.
First, equip network endpoints with quality, well-maintained antimalware software. This is a good preventive measure, but most antimalware software relies primarily on malware signatures. New variants appear constantly, and a fresh sample has no signature yet, so signature-based antimalware alone cannot be relied on for complete ransomware protection.
Next, block the use of unauthorized applications, scripts and executable files on endpoint devices with application control: Software Restriction Policies or AppLocker rules delivered through Group Policy, or Device Guard code integrity policies on Windows 10 and Windows Server 2016. Third-party tools can likewise whitelist authorized applications and prevent everything else from running. Roll the rules out in audit mode first so that legitimate software is not blocked when enforcement is switched on.
Lastly, carry out comprehensive patch management on the endpoints. Keeping the operating system and applications patched closes the security flaws that malware exploits to gain a foothold.
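The three steps above, carried out from an elevated PowerShell prompt on a Windows 10 or Windows Server 2016 endpoint, as an added example that is not code from the original article. It assumes Windows Defender is the antimalware product and AppLocker is the whitelisting mechanism; the policy directory, the two-day signature threshold and the variable names are this example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article. An endpoint baseline that
# implements the three steps above on a Windows 10 / Windows Server 2016 machine.
# Assumptions (hypothetical): Windows Defender is the antimalware product, AppLocker
# is the whitelisting mechanism, and the policy is staged under $PolicyDir. The
# variable names and the two-day signature threshold are this example's own choices.

$MaxSignatureAgeDays = 2
$PolicyDir  = 'C:\Policies'
$PolicyPath = Join-Path $PolicyDir 'AppLocker-AuditOnly.xml'

# ---- Step 1: antimalware installed, real-time protection on, signatures fresh ----
$mp     = Get-MpComputerStatus
$sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
if (-not $mp.RealTimeProtectionEnabled) { Write-Warning 'Real-time protection is OFF.' }
if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
    Write-Warning ('Signatures are {0:N1} days old; updating.' -f $sigAge.TotalDays)
    Update-MpSignature
}
# Signatures lag new families; turn on the behaviour-based and cloud-assisted
# detection that does not need a prior signature.
Set-MpPreference -DisableBehaviorMonitoring $false -DisableIOAVProtection $false `
                 -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples

# ---- Step 2: application whitelist (AppLocker), audit mode first ----
New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null

# Inventory the software that is legitimately installed so the rules match it.
$trusted = foreach ($dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
    if (Test-Path $dir) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
    }
}

# Publisher rules where the file is signed, hash rules otherwise; -Optimize collapses
# duplicates. The default-deny comes from AppLocker itself: once a rule collection is
# enforced, anything in it that matches no allow rule is blocked.
$xml = New-AppLockerPolicy -FileInformation $trusted -RuleType Publisher, Hash `
        -User Everyone -RuleNamePrefix Baseline -Optimize -Xml
$doc = [xml]$xml
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) {
    $rc.EnforcementMode = 'AuditOnly'   # log would-be blocks to the Microsoft-Windows-AppLocker event logs
}
$doc.Save($PolicyPath)

# Dry run: an unsigned script dropped in %TEMP% matches no rule and is denied,
# while a system binary is allowed by its publisher rule.
$probe = Join-Path $env:TEMP 'probe.ps1'
Set-Content -Path $probe -Value 'Write-Host "I would be ransomware"'
Test-AppLockerPolicy -XmlPolicy $PolicyPath -User Everyone -Path $probe, "$env:WINDIR\System32\notepad.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally. AppLocker depends on the Application Identity service; sc.exe is used
# because AppIDSvc is a protected service on recent builds and Set-Service cannot
# change its start type there.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# ---- Step 3: patch state ----
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
'Most recent hotfix: {0} installed {1:d}' -f $lastFix.HotFixID, $lastFix.InstalledOn
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
    if ($pending.Count -gt 0) {
        Write-Warning ('{0} software update(s) pending:' -f $pending.Count)
        $pending | ForEach-Object { '  ' + $_.Title }
    } else { 'No pending software updates.' }
} catch { Write-Warning "Could not query Windows Update: $_" }
```

Review the AppLocker audit events for a few weeks before changing EnforcementMode to Enabled. For a fleet, point Set-AppLockerPolicy at a GPO with its -Ldap parameter instead of applying the XML machine by machine.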
Lock down Windows Server
Administrators do not normally use web browsers or mail clients on network servers, which removes the most common ransomware entry points from the server itself. But if a network endpoint succumbs to malware, the server contents that endpoint can reach are at risk too.
In most respects, administrators should protect Windows Server systems against ransomware with the same techniques used to protect workstations: keep the Windows Server operating system up to date with patches, run antimalware software and enforce an application whitelist on the server. The server deployment type may limit the options. For example, it may not be possible to run these protection schemes on Nano Server, the minimal deployment option of Windows Server 2016.
Adjust user privileges
Windows Server is vulnerable to ransomware through file shares. If a user's device gets infected, the ransomware runs with that user's permissions: it encrypts the data on the device and then uses the same permissions to encrypt the contents of any file server drives mapped to that device. Mapped drives are the easy target, but ransomware that enumerates the network can reach any share the user has write access to, mapped or not.
Administrators can keep ransomware away from files on network servers by avoiding traditional file servers altogether. For example, files stored in a SharePoint document library are not exposed as a file system to malware on the endpoint, as long as the endpoint does not map the library as a drive or sync it to a local folder.
This strategy isn't always practical and does not guarantee protection. As a best practice, restrict users to only the data they need. Limiting user access compartmentalizes the damage from a ransomware infection: if the user cannot write to the data, then neither can the ransomware running as that user.
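The file-share exposure and least-privilege points above, turned into an audit script for a Windows file server, as an added example that is not code from the original article. Run on the server, it lists every non-administrative share whose share-level or NTFS permissions let a broad group (Everyone, Authenticated Users, Domain Users and the like) modify data, since those are exactly the rights an infected workstation inherits. The list of broad principals, the -Fix switch and the -ReplacementGroup parameter are this example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article. Audits the SMB shares on a
# Windows file server (run it on the server) for grants that let broad groups
# modify data, because ransomware on a workstation inherits exactly those rights.
# Assumptions (hypothetical): the principals in $BroadPrincipals, the -Fix switch
# and -ReplacementGroup are this example's own choices, not anything the article names.
param(
    [switch]$Fix,                 # demote the broad share-level grants that are found
    [string]$ReplacementGroup     # e.g. CONTOSO\Finance-RW; gets Change on the fixed shares
)

$BroadPrincipals = 'Everyone', 'Authenticated Users', 'Domain Users', 'Users', 'Domain Computers'

# 'NT AUTHORITY\Authenticated Users' -> 'Authenticated Users', 'BUILTIN\Users' -> 'Users'
function Get-Leaf([string]$Account) { ($Account -split '\\')[-1] }

$findings = foreach ($share in Get-SmbShare -Special $false) {

    # Share-level ACL: the ceiling on what any remote user can do through this share.
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.AccessRight -in 'Full', 'Change' -and
            (Get-Leaf $ace.AccountName) -in $BroadPrincipals) {
            [pscustomobject]@{ Share = $share.Name; Layer = 'Share'; Account = $ace.AccountName; Right = [string]$ace.AccessRight }
        }
    }

    # NTFS ACL on the shared folder: effective access is the more restrictive of the two
    # layers, so a tight share grant over a wide-open folder (or vice versa) still matters.
    if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
        foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                ($ace.FileSystemRights.ToString() -match 'FullControl|Modify|Write') -and
                (Get-Leaf $ace.IdentityReference.Value) -in $BroadPrincipals) {
                [pscustomobject]@{ Share = $share.Name; Layer = 'NTFS'; Account = $ace.IdentityReference.Value; Right = [string]$ace.FileSystemRights }
            }
        }
    }
}

if (-not $findings) { 'No broad write access found on non-administrative shares.'; return }
$findings | Sort-Object Share, Layer | Format-Table -AutoSize

if ($Fix) {
    if (-not $ReplacementGroup) { throw 'Use -ReplacementGroup <domain\group> together with -Fix.' }
    foreach ($f in $findings | Where-Object Layer -eq 'Share') {
        # Drop the broad group to Read at the share layer and give Change only to the named group.
        # NTFS findings are reported but left alone: each folder needs its own decision.
        Revoke-SmbShareAccess -Name $f.Share -AccountName $f.Account -Force
        Grant-SmbShareAccess  -Name $f.Share -AccountName $f.Account -AccessRight Read -Force
        Grant-SmbShareAccess  -Name $f.Share -AccountName $ReplacementGroup -AccessRight Change -Force
    }
}
```

Run it once without -Fix and review the table; a share where Everyone has Change and the folder grants Users Modify is one that any infected workstation can encrypt end to end. Then re-run with -Fix -ReplacementGroup 'CONTOSO\Finance-RW' (or whatever group actually needs to write there) and tighten the NTFS findings by hand.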
Implement continuous data protection
In case of a ransomware outbreak, the IT staff needs a way to recover the encrypted data without paying the ransom.
Continuous data protection products back up data at the block level on an ongoing basis, as the data is modified. If ransomware encrypts the contents of a file server, the continuous data protection system interprets the malicious encryption as ordinary file modification and writes the modified storage blocks to the backup. The same software, though, also makes it easy for an administrator to roll the data back to a point in time before the infection and undo the damage. Two caveats apply: the retention window must be long enough that the pre-infection blocks still exist when the encryption is noticed, and the backup target must not be writable with the credentials ransomware on an endpoint would hold, or it becomes one more share to encrypt.