I'm looking for ways to reduce exposure of a server's shares if ransomware gets onto a client. Users need access to the server's shares, and normally that is read/write access. Write access is needed less often, though.
I thought about making the normal privileges on the share read-only, with write access "on demand".
Logging in and out of multiple server accounts with different privileges is not desirable - it is complex and time-consuming for the user, and seems to lead to 1219 errors in many cases. Users are likely to forget to log out of the read/write account anyway.
Is there any way to temporarily elevate a user's permission to read/write (on request by the user), have those permissions persist for a limited time, and then revert to read-only? (Ideally the permission could be set to remain for X minutes after the last write.)
I didn't find anything relevant when searching, but maybe I used the wrong terms.
This is a very small environment with a few users on Windows 7 and 10, and one Windows 2008r2 server (workgroup, not AD/Domain).
0 Answers