This weekend New Orleans reported that it had suffered a cyber attack. In response, the city turned off all of its workstations and servers while it tried to contain the issue. I have no issue with what the city of New Orleans had to do to contain the outbreak; you do what you need to do to stop it spreading.
What I do have an issue with is that production servers were impacted by this at all. Things like ransomware are going to happen, but preparing for them ahead of time makes them much easier to deal with. When it comes to ransomware we aren’t really that concerned with the workstations; we mostly care about the servers, because that’s where the data we need to protect lives. Workstations will get infected. The goal is to make sure an infected workstation can’t take the servers down with it.
The first thing we want to do to protect our servers is to stop normal users from being able to RDP to them. We probably don’t even want the IT teams to be able to RDP to the servers directly. What we want to set up is a jump box, and that’s the only machine in the server environment that can be reached over RDP from the user network. From there we RDP from the jump box on to the other servers. RDP from one server to another should be locked down the same way, so that the jump box is the only source allowed to open an RDP session to any server.
The same applies to file share access. There should be no servers that users have network file share access to (or any other network access, for that matter). File servers are the exception, and they should be treated differently from the other servers: because users can write to them, the file servers that users have share access to should be treated just as if they were user workstations. That means file servers should have no RDP or file share access to the other servers in the environment.
Domain controllers should be treated similarly to file servers. Users and other servers need file share (and other) access to the domain controllers in order for authentication and group policy to work as expected. But users don’t need RDP access to the domain controllers.
On top of all of this, servers should not be able to connect to the Internet. The exception is the Windows Update server (WSUS), or whatever software is being used to patch the servers, which needs to reach its update source. Unless there is a specific, documented requirement for a piece of software to have Internet access, that access should not be opened up; other than those exceptions, access from the server network to the Internet should be completely closed down.
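As an added example (not from the original post) here is a PowerShell script that puts the rules above onto a single Windows member server’s host firewall: RDP only from the jump box, no inbound SMB unless the box is a file server, and outbound only to the domain controllers and the patch server. The jump box, domain controller and WSUS addresses are placeholders I’ve assumed; 8530/8531 are the WSUS default ports. You’d normally push the same rules out with Group Policy rather than run this by hand on each server, and on a domain controller the inbound side would additionally need the AD service ports allowed, which isn’t shown here.

```powershell
# Added example, not code from the original post. Host-firewall rules for one
# Windows member server implementing the jump-box / no-shares / no-Internet model.
# Assumed placeholder values: jump box, DC and WSUS addresses below.
#Requires -RunAsAdministrator

$JumpBox      = '10.10.0.10'                 # assumed: the only host allowed to RDP in
$DomainCtrls  = @('10.10.0.5', '10.10.0.6')  # assumed: domain controller addresses
$Wsus         = '10.10.0.20'                 # assumed: patch server
$WsusPorts    = @('8530', '8531')            # WSUS defaults (HTTP / HTTPS)
$IsFileServer = $false                       # $true only on file servers users must reach

# Deny everything in both directions on every profile; the rules below open only
# what this server actually needs. (Windows allows all outbound by default.)
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# Disable the built-in Remote Desktop allow rules so the jump-box rule is the only
# way in over RDP.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 1. RDP (TCP 3389) inbound only from the jump box. RDP falls back to TCP when
#    UDP 3389 is not reachable, so TCP alone is enough for sessions to work.
New-NetFirewallRule -DisplayName 'Srv-RDP-From-JumpBox' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $JumpBox -Action Allow

# 2. SMB (TCP 445) inbound: explicitly blocked on ordinary servers. Block rules win
#    over allow rules in Windows Firewall, so enabling 'File and Printer Sharing'
#    later cannot quietly reopen the share. File servers are the exception.
if ($IsFileServer) {
    New-NetFirewallRule -DisplayName 'Srv-SMB-In-Allow' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Allow
} else {
    New-NetFirewallRule -DisplayName 'Srv-SMB-In-Block' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block
}

# 3. Outbound: domain controllers (authentication, DNS, group policy, SYSVOL) and
#    the patch server only. Any other destination, Internet included, hits the
#    DefaultOutboundAction Block set above. A documented application requirement
#    gets its own narrow rule added here, nothing broader.
New-NetFirewallRule -DisplayName 'Srv-Out-DomainControllers' -Direction Outbound `
    -RemoteAddress $DomainCtrls -Action Allow
New-NetFirewallRule -DisplayName 'Srv-Out-WSUS' -Direction Outbound `
    -Protocol TCP -RemoteAddress $Wsus -RemotePort $WsusPorts -Action Allow

# Check: list every enabled inbound allow rule that opens 3389 and where it allows
# connections from. Anything other than the jump-box rule is a gap to close.
function Get-RdpExposure {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
        ForEach-Object {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
            }
        }
}

Get-RdpExposure | Format-Table -AutoSize
```

Two things worth noting about the design. First, the inbound default is block, so the explicit SMB block rule is technically redundant; it is there because Windows Firewall evaluates block rules before allow rules, which means a later administrator enabling a broad predefined allow group cannot undo it. Second, the `Get-RdpExposure` check is the part you actually want to run on every server on a schedule: the rules only help if nothing else has been added alongside them, and a second allow rule for 3389 with `RemoteAddress` of `Any` is exactly how the jump-box model silently stops being true.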
These steps aren’t going to give you 100% protection from things like ransomware, but they give you a lot more protection than the “normal” setup where everything is wide open.