Windows Server – any way to prevent file encryption

encryption windows-server-2012-r2

I'm not talking about EFS or BitLocker here.

I'm asking if there's a way to prevent files from being encrypted. I'm referring to some extent to ransomware, but specifically I want the following scenario:

  • Windows File server w/ shares (on the E: drive)

I want a way to tell the above server "don't allow files on the E: drive to ever be encrypted by anyone or any software/process."

I can't find any way to do this at the NTFS level, short of "read" access. Modify access allows files to be encrypted.

I've searched around online but get a bunch of EFS/BitLocker/ransomware links that have nothing to do with my question at hand.

So, fellow experts: any way to do the above in bold? I'm not asking about ways to prevent ransomware, etc. The bolded area is specifically what I'm after.

Best Answer

In short: no.

As you said, if you allow users to have write access, then they can encrypt data. I couldn't conceive of a way that an operating system or filesystem could possibly even start to detect and prevent the many types of encryption that are out there.

It's a hard problem, though, and I expect OS vendors are devoting significant efforts towards rendering Cryptolocker et al. less destructive than they currently are.

Until then, maintaining as many different types of backups as possible and ensuring that those backups can be restored reliably and quickly will be the best protection.
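
The answer's point that a file server cannot tell encryption apart from ordinary writes, shown as an added example that is not part of the original answer: a hypothetical entropy-based write filter flags a legitimate compressed file exactly as it flags ciphertext. The sample data, the key, the stand-in cipher and the `looks_encrypted` threshold are all constructed assumptions.

```python
import hashlib
import math
import zlib
from collections import Counter

KEY = b"constructed-demo-key"  # constructed value, for this example only


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0), from the byte histogram."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Hypothetical write filter: flag content whose entropy exceeds threshold."""
    return shannon_entropy(data) > threshold


def build_samples() -> dict:
    """Constructed stand-ins for three writes a user with Modify access could make."""
    plain = "\n".join(
        f"{i},{hashlib.sha256(str(i).encode()).hexdigest()[:32]},invoice line {i % 997}"
        for i in range(4000)
    ).encode()
    return {
        "plain": plain,                          # ordinary document
        "compressed": zlib.compress(plain, 9),   # legitimate archive or backup write
        "encrypted": keystream_xor(plain, KEY),  # the write the question wants blocked
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(f"{name:<10} entropy={shannon_entropy(data):.3f} flagged={looks_encrypted(data)}")
```

A filter like this would block zip archives, images and backup files along with ciphertext, which is why recoverable backups remain the practical control.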
