Skip to content

antipaucity

fighting the lack of good ideas

can you disable encryption on a windows server?

Posted on 30 March 201629 March 2016 By antipaucity 2 Comments on can you disable encryption on a windows server?

This was asked recently on Server Fault.

I’m asking if there’s a way to prevent files from being encrypted. I’m referring to some extent to ransomware, but specifically I want the following scenario:

  • Windows File server w/ shares (on the E: drive)

I want a way to tell the above server “don’t allow files on the E: drive to ever be encrypted by anyone or any software/process.”

And, of course, the answer to this question is “no”, as I and others said:

No, you cannot prevent files from being encrypted. How is the OS supposed to know if a file is encrypted vs being of some format it doesn’t “know” about?

You can disable OS-level encryption, and perhaps some programs from running via GPO, but that cannot stop every program, nor users uploading already encrypted files.

What you want to do is ensure users are only putting files where they are supposed to – and no where else.

But more interesting is why you would even ask something like this: is it because you really only want “plaintext” files on the share? (Even when the “plaintext” is a binary format (like an EXE, PNG, etc?) I suppose there could be “value” is disallowing even the concept of encrypted files .. but since encrypted files look like files (albeit ones that are not readably openable).

And I think this really belies an exceptionally-poor understanding of what encryption is – and what it is not. Encryption is meant to protect (or hide) specific content (the “specific content” might be the entirety of your phone or hard drive, or an email, or a trade secret, etc) from eyes who shouldn’t be allowed to see what is happening. Yes, there is ransomware that will encrypt or obfuscate files or file systems and demand payment to be decrypted – but attempting to solve for that corner case by attempting to disallow even the concept of encrypted data is highly misguided: the way to prevent/mitigate ransomware is by a combination of good system management practices, solid IDS and IDP software/appliances, sane anti-virus policies, and general good user behavior. (And, maybe, by using OSes less targeted by ransomware authors.)

commentary, technical Tags:encryption, ransomware, security, windows

Post navigation

Previous Post: how to turn a google+ community into a quasi “mailing list”
Next Post: improve your entropy pool in linux

More Related Articles

turn on spf filtering with postfix and centos 7 technical
why do i use digital ocean? personal
do not commit to anyone – law 20 – #48laws by robert greene books
nasa searching for new challenges hmmm
new documentation should always augment the status quo commentary
centos 6 – first thoughts technical

Comments (2) on “can you disable encryption on a windows server?”

  1. George Morris says:
    23 February 2017 at 02:49

    I believe they were just trying to make it harder for Ransomware that uses Windows Bitlocker Drive Encryption to encrypt files. With all the Ransomware going around that uses the Bitlocker service against us, it is a good question. We found a way to disable Bitlocker using GPO’s. We do not require the Bitlocker service for any reason. So this was not a hard decision. As far as OS File System Encryption (EFS), I do not believe they were referring to that (I could be wrong). But thinking that a majority of people will suddenly develop an understanding of file encryption is kind of a silly thing to say. :-/ Perhaps the system admins will… But the end user… never gonna happen… Better to just protect them and train them the best we can on how to spot malicious attempts.

  2. Warren says:
    23 February 2017 at 03:32

    You should go read the full original question again. It starts off with: “I’m not talking about EFS or Bitlocker here.”

    And, to quote another of the answers (http://serverfault.com/a/762466/2321), “most ransom ware programs aren’t using an encryption program”

Comments are closed.

March 2016
S M T W T F S
 12345
6789101112
13141516171819
20212223242526
2728293031  
« Feb   Apr »
  • Patrick Henry 23 March 1775
  • Reincarnation by Wallace McCrae (adapted by Warren Myers)
  • Famed was Beowulf
  • Fuzzy Wuzzy (anonymous)
  • One bright morning in the middle of the night (various)

Books

  • Debugging and Supporting Software Systems
  • Storage Series

External

  • Backblaze
  • Cirkul
  • Digital Ocean
  • Fundrise
  • Great Big Purple Sign
  • Password Generator
  • PayPal
  • Tech News Channel on Telegram
  • Wish List

Other Blogs

  • Abiding in Hesed
  • Chris Agocs
  • Eric Hydrick
  • Jay Loden
  • Paragraph
  • skh:tec
  • Tech News Channel on Telegram
  • Veritas Equitas

Profiles

  • LinkedIn
  • Server Fault
  • Stack Overflow
  • Super User
  • Telegram
  • Twitter

Resume

  • LinkedIn
  • Resume (PDF)

Services

  • Datente
  • IP check
  • Password Generator
  • Tech News Channel on Telegram

Support

  • Backblaze
  • Built Bar
  • Cirkul
  • Digital Ocean
  • Donations
  • Fundrise
  • PayPal
  • Robinhood
  • Wish List

Copyright © 2023 antipaucity.

Powered by PressBook Green WordPress theme