Because we generally want to know what goes on in our environment, I like to enable auditing wherever I can. SharePoint is an increasingly important place where we store our data. Auditing can be very useful if files disappear, auditors need specific information, or worse, cryptolockers rename all your files.
As setting audit logging through the interface is well documented, I wanted to share the PowerShell way of doing this, assuming you've already installed the SharePoint Client Components:
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client") | Out-Null
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime") | Out-Null
#connect to the site collection
$Context = New-Object Microsoft.SharePoint.Client.ClientContext("INSERT YOUR SITE URL HERE")
$secPassword = ConvertTo-SecureString "YOUR PASSWORD" -AsPlainText -Force
$Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials("YOUR LOGIN",$secPassword)
$Context.RequestTimeout = 16384000
$Context.Credentials = $Credentials
#set audit logging for the site collection to ALL
$Context.Site.Audit.AuditFlags = "All"
#queue the change and send it to the server; without these two calls nothing is saved
$Context.Site.Audit.Update()
$Context.ExecuteQuery()
Note: O365Undo is also free and can probably help you fix your cryptolocker problem more precisely, as it is the next version of O365AntiCryptoLocker.
At OGD we sometimes have to deal with users that got infected with cryptolockers, and we have both automated and controlled systems in place to prevent damage or restore data to any file shares. An infection on SharePoint Online or OneDrive has not yet happened, but eventually it of course will, and I like to fix things before they break.
As SharePoint Online and OneDrive for Business natively use versioning on files, you basically have no real risk of losing data to cryptolockers: your RPO (Recovery Point Objective) is 0. However, restoring the previous versions of files is quite a lot of work if done manually, so your RTO (Recovery Time Objective) could be weeks or more.
Unless, of course, you use PowerShell. I've written a script that will restore the most recent previous version of any file in a given Document Library.
Example usage for a OneDrive site:
.\O365AntiCryptoLocker.ps1 -siteURL "https://o365mig-my.sharepoint.com/personal/test1_o365mig_onmicrosoft_com" -login "mylogin" -password "mypassword" -libraryTitle "Documents"
Or for a SharePoint Online site:
.\O365AntiCryptoLocker.ps1 -siteURL "https://o365mig.sharepoint.com/site1" -login "mylogin" -password "mypassword" -libraryTitle "Documents"
You'll need the SharePoint Client Components installed, and you'll need sufficient permissions on the library and its files.
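The restore described above, written out with CSOM as an added example; this is not the O365AntiCryptoLocker script itself. It goes beyond the text by limiting the restore to files modified since a cutoff and by offering a dry run; the parameter names, -Since and -DryRun are assumptions made for this illustration.

```powershell
# Added example, not the O365AntiCryptoLocker script. Parameter names, -Since and
# -DryRun are assumptions made for this illustration.
param(
    [Parameter(Mandatory)][string]$SiteUrl,
    [Parameter(Mandatory)][string]$LibraryTitle,
    [Parameter(Mandatory)][datetime]$Since,  # skip files last modified before this time
    [switch]$DryRun                          # list what would be restored, change nothing
)
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client") | Out-Null
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime") | Out-Null

$cred = Get-Credential  # prompt, so the password is not typed on the command line
$ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteUrl)
$ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($cred.UserName, $cred.Password)

# Page through the library, subfolders included, 2000 items at a time.
$query = New-Object Microsoft.SharePoint.Client.CamlQuery
$query.ViewXml = "<View Scope='RecursiveAll'><RowLimit Paged='TRUE'>2000</RowLimit></View>"
$list = $ctx.Web.Lists.GetByTitle($LibraryTitle)
do {
    $items = $list.GetItems($query)
    $ctx.Load($items)
    $ctx.ExecuteQuery()
    foreach ($item in $items) {
        if ($item.FileSystemObjectType -ne [Microsoft.SharePoint.Client.FileSystemObjectType]::File) { continue }
        # CSOM returns date fields in UTC, so compare against the cutoff in UTC.
        if ($item["Modified"] -lt $Since.ToUniversalTime()) { continue }

        $versions = $item.File.Versions  # previous versions only, the current one is not included
        $ctx.Load($versions)
        $ctx.ExecuteQuery()
        $previous = $versions | Sort-Object Created | Select-Object -Last 1
        if (-not $previous) { Write-Warning "No previous version: $($item['FileRef'])"; continue }

        if ($DryRun) { Write-Output "Would restore $($item['FileRef']) to $($previous.VersionLabel)"; continue }
        $versions.RestoreByLabel($previous.VersionLabel)
        $ctx.ExecuteQuery()
        Write-Output "Restored $($item['FileRef']) to $($previous.VersionLabel)"
    }
    $query.ListItemCollectionPosition = $items.ListItemCollectionPosition
} while ($null -ne $query.ListItemCollectionPosition)
```

Run it with -DryRun first and only once per library without it: a restore adds a new current version, so a second pass would select the encrypted copy as the newest previous version.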
Version 0.9 of O365Migrator is now available as a free download.
What was changed?
- Differential transfer: upload only changed/new files. (does not process renames, moves and deletes yet!)
- Subfolder targeting: upload to a specific subfolder instead of the root if specified
- Better library name detection when admin and user have different language settings
You can find the new version here.
Version 0.8 of O365Migrator is now available as a free download.
A frequently requested feature has been added to O365Migrator: in addition to migrating all your users' home directories, O365Migrator can now also migrate entire file servers (shares) to SharePoint Online!
You can find the new version here.
Version 2.28 of OneDriveMapper has been released.
- Added support for Auto-Acceleration in SharePoint Online in combination with ADFS (or other SSO solutions).
- Added a fix that would prevent mapping of the drive if a user was already logged in without the ‘keep me logged in’ checkbox checked.
Get the new version here