Scenario

Customers are provided with a server-client solution to accomplish some business-related task. There is a central server installed on a respective machine. Clients are installed on individual machines of users of the software.

The server uses PostgreSQL and stores serialized data as well as media on the designated server-machine.

A related company has experienced a ransomware attack in the past 6 months and we are worried this scenario might also hit our customers. These customers supposedly implemented some security measures, such as a RAID setup, but we remain unconvinced based on prior communication. Even though this is a problem outside our scope of responsibility, adverse effects resulting from a possible attack are likely to affect us as well. This is why I am looking to at least increase security for their database wherever possible.

Question

Given that scenario, one small tweak to their server-system is to enable Windows protection for the folders related to their database.

This guide describes how to activate this function using Windows UI:

https://www.isumsoft.com/windows-10/how-to-protect-files-folders-against-ransomware-attacks.html

I would like to accomplish this without relying on the customer's sysadmins, using our NSIS-based installers only. Therefore my resulting question is - can additional protected folders be declared via registry manipulation? If not, is there a different way to achieve this?

Koenigsberg
  • Aren't you afraid of an attacker hijacking your NSIS installer? Are you, maybe, lowering the overall security by trying to improve it? – IInspectable Sep 02 '19 at 14:14
  • No, I am not. The installers are provided to customers directly via password protected links in an encrypted state and are immediately installed by their sysadmins. They are not distributed otherwise. If an attacker is able to hijack the installer on their machine, then the system is already compromised either way. – Koenigsberg Sep 02 '19 at 14:22

1 Answer

There is a PowerShell API, see "Customize controlled folder access":

Set-MpPreference -EnableControlledFolderAccess Enabled

Add-MpPreference -ControlledFolderAccessProtectedFolders "<the folder to be protected>"

Add-MpPreference -ControlledFolderAccessAllowedApplications "<the app that should be allowed, including the path>"
zett42
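
Added example, not part of the answer above: a PowerShell script that an installer could run from an elevated step to apply the same three cmdlets idempotently and read the result back. The folder and executable paths, the default of audit mode, and the exit codes are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: configure Controlled Folder Access (CFA) from an installer step.
# All paths are hypothetical placeholders; replace them with the real install layout.
param(
    [string[]]$ProtectedFolders = @('D:\ExampleApp\pgdata', 'D:\ExampleApp\media'),
    [string[]]$AllowedApps = @('C:\Program Files\PostgreSQL\bin\postgres.exe',
                               'C:\Program Files\ExampleApp\server.exe'),
    [ValidateSet('Enabled', 'AuditMode')] [string]$Mode = 'AuditMode'
)
$ErrorActionPreference = 'Stop'

# CFA is a Microsoft Defender Antivirus feature. Stop if the cmdlets are missing or
# real-time protection is off (for example, a third-party AV is the active product).
if (-not (Get-Command Add-MpPreference -ErrorAction SilentlyContinue)) {
    Write-Warning 'Defender cmdlets not available; CFA not configured.'; exit 2
}
$status = Get-MpComputerStatus
if (-not ($status.AntivirusEnabled -and $status.RealTimeProtectionEnabled)) {
    Write-Warning 'Defender real-time protection is off; CFA not configured.'; exit 3
}

$pref = Get-MpPreference
# Add only what is missing, so repeated installer runs do not pile up entries.
foreach ($folder in $ProtectedFolders) {
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        Write-Warning "Skipping missing folder: $folder"; continue
    }
    if ($pref.ControlledFolderAccessProtectedFolders -notcontains $folder) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    }
}

# Allow the database engine and the server before enforcing; an executable that
# Defender does not already trust would otherwise be blocked from writing its data.
foreach ($app in $AllowedApps) {
    if ($pref.ControlledFolderAccessAllowedApplications -notcontains $app) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    }
}

Set-MpPreference -EnableControlledFolderAccess $Mode

# Read the settings back so the installer log shows what is actually in effect.
$after = Get-MpPreference
[pscustomobject]@{
    Mode             = $after.EnableControlledFolderAccess  # 0 Disabled, 1 Enabled, 2 AuditMode
    ProtectedFolders = $after.ControlledFolderAccessProtectedFolders -join '; '
    AllowedApps      = $after.ControlledFolderAccessAllowedApplications -join '; '
} | Format-List
```

From NSIS, the script can be run with `nsExec::ExecToLog` calling `powershell.exe -NoProfile -ExecutionPolicy Bypass -File <script>` in an installer that requests administrator rights.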