Chapter 13

Files, Folders, and Basic Shares

One of the core functions of any server is to serve resources such as files and folders. In Windows Server 2012 R2, the File Services and Storage Services roles have been combined into one role called File and Storage Services. This role is installed by default; however, any additional role services under File and Storage Services must be added with the Add Roles and Features Wizard in Server Manager. The File Services portion includes role services such as File Server Resource Manager (FSRM), Server for Network File System (to support Unix clients), the Windows Search service, and BranchCache for remote offices. With Storage Services available alongside File Services, Windows Server 2012 R2 also brings new and improved features such as Data Deduplication, Storage Spaces, and storage pools that make this version of Windows Server the most capable file server yet.

When you plan on sharing files and folders, it’s important that you understand not only how to share the data but also how to protect it with permissions, including both New Technology File System (NTFS) and share permissions. Each set of permissions is evaluated independently, and over the network the user ends up with the more restrictive of the two results, which gives you two layers of control over the same data. You should be able to quickly determine what the ultimate permissions are for a user who accesses a share over the network. And, if you want to protect entire hard drives, you can still use BitLocker Drive Encryption to encrypt them just as you could in Windows Server 2008 R2. One of the most notable new BitLocker features in Windows Server 2012 R2 is the “Encrypt used disk space only” option: no more waiting for hours for an entire volume to finish encrypting when you are using only a small portion of the disk. Be aware that this option is meant for new or freshly formatted drives; on a drive that has already held data, the free space can still contain remnants of deleted files, so encrypt the whole volume in that case. We will take a deeper dive into BitLocker’s new features toward the end of the chapter.

The underlying protocol that handles file transfers is Server Message Block (SMB), which has been upgraded to version 3.0 in Server 2012. SMB 3.0 comes with many new features that have redefined file shares as a foundation for enterprise storage solutions for small and medium-size companies. This protocol stack provides some significant benefits for file transfers over the network, as long as you’re connecting to the right kinds of clients. SMB negotiates the highest dialect that both ends support, so SMB 1.0 and SMB 2.0, with all of their inherent challenges, will still be used when connecting to legacy machines, and SMB 3.0 features such as encryption are simply not available on those connections. Currently only Windows 8 and the Windows Server 2012 family can take full advantage of the new SMB 3.0 features that will be discussed in this chapter.

In this chapter, you will learn to:

Understanding the File and Storage Services Role

The File and Storage Services role combines multiple file and storage technologies that assist administrators with setting up file servers for their organization. The default installation would allow basic administration of storage functionality by using Server Manager or PowerShell, but to build a proper file server you would want to install the File Server role alongside other important roles like File Server Resource Manager and DFS Replication. Not that DFS is needed all the time—it can definitely be a great addition when you need replication for availability or geographically dispersed locations. The important thing is to have a plan and an end goal in place for your server roles. Try to get the most out of the wizard the first time around by planning accordingly. We will add roles in the next section.

The core component of any server is its ability to share files. In fact, the Server service in the entire Windows Server family (including Server 2012 R2) handles the server’s basic file- and print-sharing capabilities. But what exactly does that mean, and why is it so important? By default, just because you have a server running doesn’t mean it has anything available for your users. Before they can actually get to resources on the server, you must share your resources. Let’s say you have a folder on your local F drive named Apps with three subfolders, as shown in Figure 13.1.

Figure 13.1 Subfolders in the F:\Apps folder

image

When you share this folder on the network under the name Apps, you allow your clients to map a new drive letter on their machines to your F:\Apps folder. By mapping a drive, you are placing a virtual pointer directly on the remote drive. If you map your client’s M drive to the Apps share of the server, the M drive will look identical to the server’s F:\Apps folder, as shown in Figure 13.2.

Figure 13.2 The BF1\Apps share mapped to the M drive

image

Don’t worry; we’ll slow down and explain how to create this share and how to connect to it later in this chapter. That’s really all there is to it. Sharing resources means that you allow your users to access those resources from the network. No real processing goes into it as far as the server is concerned; it just hands out files and folders as they are.

Additional Role Services and Features

Server Manager is a single console that includes several sections that can be used to manage the different server roles including the File and Storage Services role. File and Storage Services in Windows Server 2012 R2 helps you do much more than just share folders. The File and Storage Services role includes several additional role services:

File Server This is the primary role service required to support the File and Storage Services role. This role provides you the ability to create and manage shares alongside allowing users to share and access files that are available on the network. One nice feature of File Server is that it is automatically added when a folder is shared. This role uses the new SMB 3.0 protocol, which is discussed in more depth toward the end of this chapter.
Distributed File System Distributed File System (DFS) includes both DFS Replication and DFS Namespaces and is covered in more depth in Chapter 14, “Creating and Managing Shared Folders.”
Data Deduplication Data Deduplication (Dedup) lets you save disk space by locating and removing duplication within data files. Instead of storing multiple copies of identical data, only a single copy takes up space and all duplicates reference it. Dedup works by segmenting files into small variable-size chunks, identifying the duplicate chunks, and keeping a single copy of each. Dedup on Server 2012 R2 is chunk-based and built into the operating system; many storage providers’ solutions instead use file-based Dedup at the storage level. Many people wonder how much disk savings they can expect for different file types. Table 13.1 shows some very impressive numbers from tests in a lab environment. Those tests may have been optimized for best results, so measure your own data before counting on them.

Table 13.1: Storage Savings Dedup Provided in a Test Environment

File Type            Savings (Deduplication enabled)
General files        50–60%
Documents            30–50%
Application library  70–80%
VHD library          80–95%
File Server Resource Manager File Server Resource Manager (FSRM) provides a rich set of additional tools that can be used to manage the storage of data on the server, including configuring quotas, defining file-screening policies, and generating storage reports. A full section on FSRM is included later in this chapter in the “File Server Resource Manager” section, including what’s new with FSRM in Windows Server 2012 R2.
Network File System This service lets you grant access to files from Unix client computers and any other machines that speak the Network File System (NFS) protocol. The NFS server has come a long way since Windows Server 2008: Windows Server 2012 introduced a clustered implementation with seamless failover for mixed-mode clients. Recognizing the growth of virtualization, Microsoft designed NFS Server for clustered virtual environments, where I/O continues regardless of the operation in progress at the time of failover. NFS version 4.1 is now supported, making this the most reliable and easiest-to-deploy NFS implementation in the Windows Server family so far.
Windows Server 2012 R2 also introduces a number of new PowerShell cmdlets for NFS. For a full list of all the cmdlets that are available use the Get-Command -Module NFS cmdlet. As you can see, there is a cmdlet for just about everything you would want to do with NFS. For syntax information or to learn more about a particular command, you can use any of the following cmdlets:
Storage Services Windows Server 2012 R2 adds some great features under Storage Services, which now includes both Storage Spaces and storage pools. Combined with Data Deduplication, Windows Server 2012 R2 can provide storage services that would previously have required a separate storage area network.
File Server VSS Agent Service Once enabled, this role service lets you take shadow copies of application data stored on your file server. New in Server 2012, the VSS for SMB File Shares feature allows backups to run while live data is being written to SMB file shares. Previous versions of VSS could only take shadow copies of local volumes.
iSCSI Target Server This role is the server component that provides block storage to other servers and applications on the network. It contains all the management tools needed for iSCSI targets. Target Server runs the iSCSI target over an Ethernet network without having to use any additional hardware. This role service supports heterogeneous storage, which allows a Windows Server to share storage in a mixed software environment by utilizing various types of iSCSI initiators. This role can be managed using the new integrated Server Manager GUI or by using the new Windows PowerShell cmdlets included with Windows Server 2012 R2.
BranchCache for Network Files BranchCache can be used in a multiple-site environment to allow computers in branch offices to cache commonly downloaded files. BranchCache needs to be enabled on the shared folder. You’ll see how to do this in the “Using Offline Files/Client-Side Caching” section later in this chapter.
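The Data Deduplication role service described above is enabled per volume, and the savings in Table 13.1 are only a guide, so the habit to build is: measure first, enable, optimize, then read back what was actually saved. The following is an added example and not the book’s own code; it assumes the Data Deduplication role service is installed and that E: is a non-system NTFS data volume (the drive letter and the excluded folder name are assumptions).

```powershell
# Added example (not from the book): estimate, enable and check Data Deduplication on one
# data volume. Assumes the Data Deduplication role service is installed and that E: is a
# non-system NTFS volume; the drive letter and the excluded folder are assumptions.
$Volume = 'E:'

# Estimate before committing: ddpeval.exe ships with the Dedup role service and scans a path
# read-only, printing an estimate of the savings for that data set.
& "$env:SystemRoot\System32\ddpeval.exe" "$Volume\"

# Enable dedup for general file-server data. MinimumFileAgeDays keeps files edited in the
# last 3 days out of scope, so active documents are not chunked and rehydrated repeatedly.
Enable-DedupVolume -Volume $Volume -UsageType Default
Set-DedupVolume -Volume $Volume -MinimumFileAgeDays 3 -ExcludeFolder "$Volume\Scratch"

# Run an optimization job now rather than waiting for the scheduled one, and block until done.
Start-DedupJob -Volume $Volume -Type Optimization -Wait

# Read back the real numbers and compare them with Table 13.1.
Get-DedupStatus -Volume $Volume |
    Select-Object Volume, InPolicyFilesCount, OptimizedFilesCount,
        @{ n = 'SavedGB';    e = { [math]::Round($_.SavedSpace / 1GB, 2) } },
        @{ n = 'SavingsPct'; e = { [math]::Round($_.SavingsRate, 1) } }
```

The -UsageType parameter is new in Windows Server 2012 R2; leave it at Default for a general file server and use HyperV only for VDI storage, where the optimization schedule is tuned for running VHDs.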

File Server Role Added When a Folder Is Shared
If you just use Windows Explorer to share a folder, the File Server role is added automatically. You don’t have to add the role using Server Manager. However, when you plan to utilize any additional roles, you will need to add those roles from the Add Roles and Features Wizard found in Server Manager.

How to Add Roles to the File and Storage Services Role

You can add File and Storage Services roles by following these steps:

1. Launch Server Manager by selecting the Server Manager icon pinned to the taskbar on your desktop or by selecting the Server Manager tile from the Start screen, as shown in Figure 13.3.

Figure 13.3 Selecting Server Manager from the taskbar or Start screen

image
2. From your Dashboard tab, select the link “Add roles and features,” shown in Figure 13.4.

Figure 13.4 Launching the Add Roles and Features Wizard

image
3. The Add Roles and Features Wizard will walk you through the rest of the process. Review the information on the Before You Begin page, and click Next.
4. The Installation Type page defaults to a role-based or feature-based installation. The second option has role services for VDI deployment. Keep the default, and click Next.
5. On the Server Selection page, choose the server you wish to add role services to, and click Next.
6. On the Server Roles page, select the following role services, as shown in Figure 13.5: File Server, File Server Resource Manager, and BranchCache for Network Files. Click Next.

Figure 13.5 Selecting File and Storage Services Role Services

image
Now that you have selected your roles, it is time to install any additional features that help support your role services. There are many useful features to choose from.

Roles vs. Features
A role is considered a major function of the server, whereas a feature is a smaller add-on package that usually provides additional support to a major role. Major roles would include Active Directory, DNS, and DHCP. Features like PowerShell, Windows Server Backup, and Remote Assistance provide additional functionality to help you better manage your server roles.

7. For the moment let’s install BitLocker Drive Encryption, BranchCache, and Enhanced Storage. You will notice that selecting BitLocker Drive Encryption automatically calls out the Enhanced Storage features to be installed as well, shown in Figure 13.6. Click Next.

Figure 13.6 Selecting additional features for role services

image
8. Review the information on the Confirmation page to make sure you haven’t missed anything.
The wizard nicely displays all selected roles, features, and tools that support them. There are a few additional options available on this page that can be useful: “Restart the destination server automatically if required,” “Export configuration settings,” and “Specify an alternate source path.”
9. Click Install.
The final page of this wizard is the Results page. An installation progress bar will be displayed. The task will run in the background if you wish to close the page and exit. You can always view task details in the command bar by clicking Notifications.
10. Upon successful installation, reboot the server manually, or if you selected the Restart Automatically option from the Confirmation page, the server will reboot when the install has finished.
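The wizard steps above map to a single Install-WindowsFeature call, which is what you want when you build more than one file server or script the build. This is an added example, not code from the book; the feature names are the real ones Get-WindowsFeature reports, and the remote server name in the last line is an assumption.

```powershell
# Added example (not from the book): install the same role services and features the wizard
# steps install, from an elevated PowerShell session on the target server.
$Roles    = 'FS-FileServer', 'FS-Resource-Manager', 'FS-BranchCache'
$Features = 'BitLocker', 'EnhancedStorage', 'BranchCache'

# Look before you install: shows which of these are already present.
Get-WindowsFeature -Name ($Roles + $Features) |
    Format-Table Name, DisplayName, InstallState -AutoSize

# -IncludeManagementTools pulls in the consoles (for example the FSRM MMC) that the wizard
# lists on its Confirmation page. Add -Restart only if an unattended reboot is acceptable.
$Result = Install-WindowsFeature -Name ($Roles + $Features) -IncludeManagementTools
$Result | Format-List Success, RestartNeeded, FeatureResult

if ($Result.RestartNeeded -ne 'No') {
    Write-Warning 'BitLocker and Enhanced Storage need a reboot before they are usable.'
}

# Remote variant: install on another server from your management box ('BF1' is assumed).
# Install-WindowsFeature -Name ($Roles + $Features) -ComputerName 'BF1' -IncludeManagementTools
```

RestartNeeded comes back as No, Yes or Maybe, so test for anything other than No rather than for Yes.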

At this point, Server Manager now includes all of the roles and features you installed from the exercise. If you open Server Manager and go to your dashboard, you’ll see that you can now view and use the installed roles and features by clicking tools and selecting the desired resource. The File Server Resource Manager features are shown in Figure 13.7.

Figure 13.7 File Server Resource Manager tools

image

Creating Shares

The process of creating shares has undergone some nice changes in this server edition. It feels as though everything has a wizard to guide us through our tasks and actions. There are many different ways to create shares that are discussed throughout this Mastering book. In this section we will focus on creating shares using Server Manager. No matter which method you use, you’ll need administrative rights on the computer where you’re creating the shares: membership in the local Administrators group, or Server Operators on a domain controller. The Power Users group still exists for backward compatibility, but since Windows Vista it carries no privileges beyond those of a standard user, so don’t count on it for creating shares.

Once a share is created, it can be published to Active Directory to make it easy for users to locate the share. You’ll learn how to create shares using Server Manager and publish the shares to Active Directory in this section.

Creating Shares with Server Manager

It’s relatively easy to add shares using Server Manager. The Shares tab, found in File and Storage Services, has a New Share Wizard to help you with this task:

1. If it’s not already started, launch Server Manager by selecting the Server Manager icon pinned to the taskbar on your desktop, or by selecting the Server Manager tile from the Start screen.
2. Select File and Storage Services, and then select Shares.
3. Right-click the Shared Folder Location page, and click New Share. You can also select New Share from the Tasks drop-down menu. Either action will launch the New Share Wizard, as shown in Figure 13.8.

Figure 13.8 Create a new share using Server Manager.

image
The first screen, Select Profile, gives you the choice of which profile to use when creating your share. There are two main choices, SMB or NFS, and a few subchoices:
SMB Share - Quick and NFS Share - Quick The basic profile for each protocol. Anything the quick profile skips can be added later using Server Manager.
SMB Share - Advanced and NFS Share - Advanced A few additional configuration options, including enabling quotas. If you decide to enable quotas, you will be required to build a new quota template first or pick an existing template.
SMB Share - Applications An SMB file share with additional settings used in a virtual environment.
4. For this exercise let’s use the SMB Share - Quick profile shown in Figure 13.9. Select the Quick profile and click Next.

Figure 13.9 Selecting a share profile

image

NFS for Unix Clients
The NFS option will not be usable if the Services for Network File System role is not added to the server. If you later decide you want to add support for Unix clients, you can always add the service. The NFS selection will then be available to use in the New Share Wizard once the feature is turned on.

5. On the Share Location page, choose which server will host the share, and also select which volume on the server will serve as the share location.
Please note that the list only offers servers that have the File Server role service installed. The Advanced profiles additionally require File Server Resource Manager on that server, because quotas and file screens are FSRM features.
6. Click Next.
The Share Name page allows you to define the name of the share and provide a share description, and it shows you both the local and remote network paths needed to reach the resource.
7. Take note of this information, because you will need to provide these network paths to your users for access. Figure 13.10 provides an example of naming your share. Click Next.

Figure 13.10 Naming a new share

image
The Other Settings page gives you four additional options to help make your share more robust:
Enable access-based enumeration Users see only the files and folders they have permission to read, so folder names alone don’t leak what a share contains.
Allow caching of share Lets clients keep offline copies of the files. You’ll see how this works in the “Using Offline Files/Client-Side Caching” section later in this chapter.
Enable BranchCache on the file share Available only when caching is allowed and the BranchCache for Network Files role service is installed.
Encrypt data access Turns on SMB 3.0 encryption for this share. Only Windows 8 and Windows Server 2012 clients can connect to an encrypted share; older SMB clients are refused.
If you have not yet turned on encryption for the whole server, go ahead and select Encrypt data access now. If it’s greyed out and already checked, encryption is already turned on server-wide.
8. Make your selections and click Next.
9. The Permissions page gives you an opportunity to change the NTFS permissions if desired. We’ll cover NTFS permissions later in the chapter, but for now click Next to accept the default NTFS permissions.
10. The Confirmation page gives you a summary of all the choices you have made for creating your new share. Review them for accuracy, make any desired changes, and then click Create. Figure 13.11 shows the Confirmation page.

Figure 13.11 The Confirmation page

image
The final page of this wizard is the Results page. Two progress bars will be displayed: one bar for the Create SMB Share task and one bar for the Set SMB Permissions task. Once the Status shows Completed, the share is built and ready for use.
11. Click Close to finish the wizard.
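The same share can be built from PowerShell with the Other Settings options and the share permissions stated explicitly, which is easier to review and repeat than clicking through the wizard. This is an added example, not the book’s code; the folder path, share name, domain and group names are assumptions.

```powershell
# Added example (not from the book): create the share the wizard builds above, from PowerShell,
# with the "Other Settings" options and the share permissions set explicitly.
# Path, share name, domain and group names are assumptions for illustration.
$Path  = 'F:\Apps'
$Share = 'Apps'

if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

# Share permissions are set at creation. If you omit all three *Access parameters you get the
# wizard's default of Everyone:Read; here nobody outside these groups is listed, so everyone
# else is implicitly denied at the share gate.
$ShareParams = @{
    Name                  = $Share
    Path                  = $Path
    Description           = 'Application installers'
    FullAccess            = 'BUILTIN\Administrators'
    ChangeAccess          = 'CONTOSO\G_AppAdmins'
    ReadAccess            = 'CONTOSO\Domain Users'
    FolderEnumerationMode = 'AccessBased'   # access-based enumeration
    CachingMode           = 'Manual'        # offline copies only when a user asks for them
    EncryptData           = $true           # SMB 3.0 encryption on this share only
}
New-SmbShare @ShareParams

# Optional: require encryption for every share on the server instead of per share. With
# RejectUnencryptedAccess on, SMB 1.0/2.x clients (pre-Windows 8) cannot connect at all.
# Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force

# Verify what was created: the wizard's Confirmation page settings, plus the share ACL.
Get-SmbShare -Name $Share |
    Format-List Name, Path, FolderEnumerationMode, CachingMode, EncryptData, ConcurrentUserLimit
Get-SmbShareAccess -Name $Share |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# The "User limit" setting in Computer Management is the same property (0 = unlimited):
# Set-SmbShare -Name $Share -ConcurrentUserLimit 100 -Force
```

Share permissions are only one of the two gates; the NTFS permissions on F:\Apps still decide what a connected user can actually do with the files, as the “Managing Permissions” section explains.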

Creating Shares on Remote Computers Using Server Manager

It’s also possible to perform the previous procedure to create shares on remote computers using Server Manager. Just like in previous server editions, Server Manager can perform management tasks on remote computers. Remote Management is installed and enabled by default with servers running Server 2012. In Figure 13.12 you can see the different options that Server Manager provides when another server has been added.

Figure 13.12 Management tasks on a remote server

image

Managing Windows Server 2008 from Server 2012 R2

In order to fully manage servers running Windows Server 2008 or Windows Server 2008 R2, a few updates are required. First install .NET Framework 4.0 and then install Windows Management Framework 3.0. You will then need to ensure the remote computer is configured correctly, which takes a handful of commands:

1. Enter the following command at the command prompt on the computer that you want to administer remotely. This command will enable the WinRM listener:
winrm qc
2. When prompted, type Y and press Enter.
3. Ensure the Virtual Disk Service is running on the remote computer. You can do this from the command line with the following command:
sc config vds start= auto
net start vds

image
Setting User Limits
You can configure how many users can connect to a share simultaneously by configuring the “User limit” option on the properties page of the share. To set the user limit, open Administrative Tools, double-click Computer Management, expand Shared Folders, select Shares, right-click the share you wish to set a user limit on, and then select Properties. Here is a screenshot of setting the user limit on a share.
image
As an example, if an application under your share is licensed for 100 concurrent users, you can configure your server share to maintain that limit, even though you may have 200 users on your network. Just select the “Allow this number of users” radio button, and fill in the appropriate number (it defaults to 1). As users connect to the share, they build up to the user limit. As users log off or disconnect from the share, the number drops. This type of licensing enforcement can be handy in reducing your licensing costs.
Be careful with your licensing, though. Not all applications have a concurrent license mode, although they might have a client license mode. With client license mode, the manufacturer doesn’t care how many users are accessing the application at any given time; they just care about how many people have installed the application altogether. This user limit option will not protect you in these cases.
Another thing to keep in mind is that this user connection concurrency limit is based on the entire share. It cannot be defined for each folder within a share. For example, you could have two applications in a single share. Application 1 has a concurrency limit of 100, and application 2 has no limits. You might inadvertently limit access to application 2 when the share limits the connections to 100. The easy solution is to use different shares if different limits are needed.
Finally, you need to consider how your users connect to the share to use these applications before you limit them based on concurrency. If your users all connect to the share upon logging in (such as with a mapped drive) but don’t disconnect until logging off, your concurrency limit may be used up based on who shows up for work first, and you’ll have 100 people using up your concurrency limit even if only a small percentage of them are actually using the application. If connections are made only when actually using the application, the user limit will work quite nicely.


Watch the Spaces with sc
The sc config command changes the configuration of a service. By default the Virtual Disk Service (VDS) is not started, so you use this command to set VDS to start automatically on the server; Server Manager’s remote storage management needs this service running. For the full list of sc config options, open a command prompt and run sc config with no arguments. The sc (service control) command is very particular about spaces: each option is written as name= value, with a space after the = and none before it. The following command has a space after the = symbol and will work:
sc config vds start= auto
On the other hand, this next command will fail since the space is missing:
sc config vds start=auto

4. Create a firewall exception for the Remote Volume Management group with the following command. Even though this spans two lines in the book, the entire command should be entered on a single line:
netsh advfirewall firewall set rule group="Remote Volume Management" new enable=yes
When the command is entered correctly, the output indicates that it has “Updated 3 rule(s).” Enable the same rule group on the computer you manage from as well; VDS uses RPC in both directions, and Microsoft’s guidance is to open the exception on both ends.
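Before adding the Server 2008 machine in Server Manager, it pays to confirm from the management side that each of the four steps actually took. The following is an added example, not the book’s code; it is run on the Windows Server 2012 R2 management box, and the computer name FS2008 is an assumption.

```powershell
# Added example (not from the book): run on the Server 2012 R2 management box after the
# steps above, to confirm the Server 2008 box is ready. 'FS2008' is an assumed name.
$Target = 'FS2008'

# 1. Does the WinRM listener answer? This fails with a clear error if "winrm qc" was
#    skipped or TCP 5985 is blocked between the two machines.
Test-WSMan -ComputerName $Target | Format-List wsmid, ProductVersion

# 2. Is the Virtual Disk Service set to Auto and actually running? Win32_Service is used
#    because Get-Service does not expose the start mode on PowerShell 3.0.
Invoke-Command -ComputerName $Target -ScriptBlock {
    Get-WmiObject Win32_Service -Filter "Name='vds'" | Select-Object Name, StartMode, State
}

# 3. Are the Remote Volume Management rules enabled? netsh is used because the
#    Get-NetFirewallRule cmdlet does not exist on Server 2008 even with WMF 3.0. Each match
#    prints the five lines above the Grouping line, which include Rule Name and Enabled.
Invoke-Command -ComputerName $Target -ScriptBlock {
    netsh advfirewall firewall show rule name=all |
        Select-String -Pattern '^Grouping:\s+Remote Volume Management' -Context 5,0
}
```

If step 1 fails but the listener is configured, check that the management box trusts the target (same domain, or the target is in the WinRM TrustedHosts list) before suspecting the firewall.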

Once the remote computer is configured, you can launch Server Manager on your local computer, select Manage, and then select Add Servers. There are three ways to find and add machines to your local Server Manager: the Active Directory tab lets you search the directory and pick a domain-joined computer; the DNS tab lets you type a computer name or IP address; and the Import tab lets you supply a text file listing the computers you want, or browse to one. Using one of these methods, find the machine you wish to manage and click OK. After a moment, Server Manager will be connected to the remote computer. You can now view and manage the remote computer on the All Servers tab in Server Manager. Simply right-click the newly connected remote computer, and a list of management functions will be displayed for you to use, as shown in Figure 13.13.

Figure 13.13 Managing a remote computer

image

Publishing Shares in Active Directory

One of the great things about Active Directory is that it can unify all resources in an enterprise into a single directory, whether it’s printers, groups, users, organizational units, or just about anything you can dream up—or more appropriately, serve up. This counts for shares too. The primary reason to publish a share to Active Directory is to allow users to easily find it.

To publish a share, you need to be in the Active Directory Users and Computers Management Console. Right-click the organizational unit of choice, and select New > Shared Folder. From there, you’ll be asked to provide a name for this publication of the share and, of course, the share name. That’s all there is to it—your share is now published in Active Directory.

Once the share is published, you can also add keywords to help users easily find the published share:

1. Right-click the shared folder object in Active Directory Users and Computers.
2. Select Properties, and click the Keywords button.
3. Add any keywords you like that users might use to help them find this share.

Figure 13.14 shows keywords being added to the Colorado Springs published share.

Figure 13.14 Adding keywords to a published share

image

Users can then use the Active Directory Search tool to search based on the keyword. Figure 13.15 shows the Active Directory Search tool with Shared Folders selected in the Find drop-down box. We added the keyword Colorado and clicked Find Now, and the share was located. At this point, we could just double-click the share to access it.

Figure 13.15 Using Active Directory Search to locate a published share

image
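Publishing and keyword searching can also be scripted, which is handy when you have many shares to publish. A published share is an Active Directory object of class volume: the UNC path is stored in its uNCName attribute and the Keywords button writes the multi-valued keywords attribute. The block below is an added example and not the book’s code; the OU path, server and share names are assumptions, and it needs the ActiveDirectory module from the RSAT tools.

```powershell
# Added example (not from the book): publish a share in Active Directory and find it by
# keyword. OU path, server and share names are assumptions.
Import-Module ActiveDirectory
$OU   = 'OU=Colorado Springs,DC=contoso,DC=com'
$Name = 'Apps'

# Same object the New > Shared Folder dialog creates: objectClass volume plus uNCName.
New-ADObject -Name $Name -Type volume -Path $OU -Description 'Application installers' `
    -OtherAttributes @{ uNCName = '\\BF1\Apps'; keywords = @('Colorado', 'Apps', 'Installers') }

# Add a keyword later without clobbering the existing ones.
Set-ADObject -Identity "CN=$Name,$OU" -Add @{ keywords = 'Springs' }

# The lookup Figure 13.15 performs in the GUI: shared folders whose keywords include Colorado.
Get-ADObject -LDAPFilter '(&(objectClass=volume)(keywords=Colorado))' -Properties uNCName, keywords |
    Select-Object Name, DistinguishedName, uNCName, keywords

# Caveat: publishing only advertises the path; it grants no access. Anyone who can read the
# directory can see the UNC, so the share and NTFS permissions still do all the protecting.
```

If the published object goes stale because the share was renamed or moved, users get an error when they double-click it in the search results; nothing keeps the volume object in sync with the actual share.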

Managing Permissions

One of the great strengths of both NTFS-formatted drives and shares is the ability to assign permissions and control who can access different files and folders. While Chapter 14 will cover the inner workings of these permissions in much greater detail, this chapter gives a basic introduction to both NTFS and share permissions. You’ll notice that not much has changed in regard to permissions with this server edition. Mostly there’s just a new way to navigate and use the same features and tools you are familiar with from Windows Server 2008 R2.

There are many similarities between NTFS and share permissions, which you’ll learn about in this section. These include how each permission can be assigned Allow or Deny, how permissions are cumulative, how Deny takes precedence, and how the principle of implicit deny is used.

When a user accesses a share that has both NTFS and share permissions applied, each set is evaluated on its own and the user ends up with the more restrictive of the two results. (Within a single set, permissions accumulate; between the two sets, the lower one wins.) Since you may be asked to resolve the problem of why a user can’t access a file or folder, you should know how to calculate the resulting permission, which you’ll learn in this section.

NTFS Permissions

NTFS permissions apply to any file or folder on a disk that has been formatted with NTFS.

Read When a user is assigned Read permission, the user is allowed to view the contents, permissions, and attributes associated with a file or folder.
Read & Execute The Read & Execute permission is used to grant permission for a user to execute files. Any executable files (such as .exe, .bat, and .com) are files that can be executed or launched. If a user has only Read permission, and not Read & Execute, a native executable can’t be launched. Don’t rely on this for script files, though: a .bat or .cmd file is simply read by cmd.exe, so Read alone is enough to run it.
List Folder Contents The List Folder Contents permission allows a user to view the contents of a folder. It will allow a user to see that files exist in a folder but will not apply Read permissions to those files.
Write If a user is assigned Write permission to a file or folder, the user can modify the file or folder. This includes adding new files or folders to a folder or making changes to existing files or folders. However, it does not include deleting files from a folder.
Modify Modify includes all of the permissions from Read, Read & Execute, List Folder Contents, and Write and adds the ability to delete files and folders.
Full Control Full Control is a combination of all the available permissions. It adds the ability to change permissions and take ownership of files or folders.

Share Permissions

Share permissions apply to shares only when they are accessed over the network. There are only three share permissions:

Read Users granted Read permission can read files and folders within the share.
Change Users granted Change permission can read, execute, modify, and delete files and folders within the share.
Full Control Users granted Full Control permission have all the permissions from Change and can also modify permissions on the share.

Share and NTFS Permission Similarities

Now that you have a basic understanding of the overall NTFS and share permissions, it’s easier to explore the similarities, and there are many. These include:

Assigning Allow or Deny

As you start working with permissions, you’ll notice that they have both Allow and Deny check boxes for each of the listed permissions. Here’s an overview of how they work:

If there aren’t any permissions assigned to a user, then the user does not have access to the object. This is referred to as an implicit deny. Both share permissions and NTFS permissions use the discretionary access control (DAC) model to control access. Each object has a discretionary access control list (DACL, pronounced “dackel”). The DACL is a list of access control entries (ACEs).

Each ACE identifies a user or a group with their associated security identifier (SID) and Allow or Deny permission. Any object can have multiple ACEs in the DACL; said another way, any object can have multiple permissions assigned.


Security Identifiers
Every user and every group is uniquely identified with a SID. When the user logs on, a token is created that includes the user’s SID and the SIDs of any groups where the user is a member. This token is used by the operating system to determine whether a user should have access. The SIDs in the token are compared to the SIDs in the access control entries of the DACL to determine access.

When a user accesses a file, folder, or share, the operating system compares the DACL with the user’s account and group memberships. If there’s a match, the user is granted the appropriate permission.

Cumulative Permissions

Objects can have multiple permissions assigned. As an example, imagine a share named ProjectData. Administrators could be granted Full Control, another group could be granted Change, and another group could be granted Read permission. When multiple permissions are assigned, permissions are cumulative. In other words, if multiple permissions apply to a user, the user has the combination of all the permissions.

Imagine that Sally is a member of both the G_Sales group and the G_SalesAdmins group, and these groups are granted the following permissions to the Sales share:

G_Sales Allow Change permission
G_SalesAdmins Allow Full Control permission

Since Sally is a member of both groups, she is granted both Change and Full Control; said another way, she is granted the combination of both the Change and Full Control permissions.

Deny Takes Precedence

If both Allow and Deny for any permission are assigned to a user, Deny takes precedence. As an example, imagine you have granted the G_Sales group Full Control to a share that includes proprietary information. For some reason, Billy-Joe-Bob (who is a member of the G_Sales group) has fallen out of grace with the company. You’re asked to leave him in the G_Sales group so he can access other shares but prevent him from accessing the proprietary share.

Figure 13.16 shows what you can do. The share permissions started with personnel in the G_Sales group having Full Control permissions on the share. To prevent Billy-Joe-Bob from accessing the data at all, his account was added and assigned Deny Full Control. Said another way, his account is explicitly denied.

Figure 13.16 Selecting custom share permissions


Notice the conflict. The user is granted access as a member of the G_Sales group and denied access for his specific account. The conflict is resolved in favor of the Deny permission. This makes sense if you think about it. When you take the extra steps needed to deny access, you don’t want anything overriding it. Deny takes precedence.

Implicit Deny

There’s also something known as implicit deny. If permissions aren’t explicitly granted, they are implicitly denied.

Imagine a share named ProjectData where the only group granted access to the share is the G_Sales group. Maria is in the G_HR group and is not a member of the G_Sales group, so she does not have any access to the share. She hasn’t been explicitly granted access, so she is implicitly denied access.

This is similar to your home. If you never give the keys to anyone for your house, they shouldn’t be able to get in. Of course, you still need to worry about bandits and hackers, but from the basic perspective, giving no permissions results in no access.

Modifying Share and NTFS Permissions

You can modify both the share and NTFS permissions using Server Manager, Computer Management, or Windows Explorer. The steps are a little different for each method, but ultimately you’ll get to the same permissions pages. For this discussion, we’re limiting the procedure to using Server Manager.

Imagine that you’ve created a share named Apps and granted the Everyone group Read permission. Now you want to change the permissions so that users in the G_Sales group have Change permission on the share (and can modify the files through NTFS), and no one other than administrators can view or use this set of folders and files. You can follow these steps to make the changes:

1. Launch Server Manager, and browse to File and Storage Services > Shares.
2. Right-click the Apps share, and select Properties.
3. Click the Permissions button, and then click Customize Permissions. Your display will look similar to Figure 13.17.

Figure 13.17 Viewing the share permissions

4. On the Share tab, click Add. Click “Select a principal,” enter the name of the group you want to grant access to the share (for example, G_Sales), and click OK. Select the Change permission, and click OK.
5. Since you don’t want everyone to have access, select the Everyone group, and click Remove. Click OK.
6. Click Apply, and then navigate off the Share tab to the Permissions tab.
Notice that the Permissions tab delegates NTFS permissions and the Share tab delegates Share permissions. We will go over mixing these permissions in the next section.
7. Now on the Permissions tab, click Add, and enter the name of a group you want to add (such as G_Sales). Click OK after you’ve added the group.
By default any user or group you add is automatically granted Read, Read & Execute, and List Folder Contents permissions.
8. Select the Allow Write permission for the group you’ve added to ensure they can also make changes to the files, and then click OK.
9. Remember to remove the Everyone group from this set of permissions as well: select the Everyone group, and click Remove. If the Everyone entry is grayed out, it is inherited from the parent folder; you would have to disable inheritance on this folder or remove the entry where it is defined.
Share permissions and NTFS permissions are managed separately but work together to provide proper permissions. Your display will look similar to Figure 13.18.

Figure 13.18 Viewing the NTFS permissions

10. Click Apply and OK on the Advanced Security page to finalize permissions.
11. Click Apply and OK on the Apps Properties Permissions page to finish the exercise.
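The same exercise can be scripted. The following is an added example, not code from the book, using the SmbShare cmdlets and the .NET ACL classes; it assumes the shared folder is C:\Apps and the domain is BIGFIRM. It also handles the one case the GUI steps gloss over: an Everyone entry that is inherited rather than explicit.

```powershell
# Added example (not the book's code): the Apps share exercise done with the
# SmbShare cmdlets and the .NET ACL classes instead of the Server Manager GUI.
# Assumptions: the shared folder is C:\Apps and the domain is BIGFIRM.
$sharePath = 'C:\Apps'
$shareName = 'Apps'
$group     = 'BIGFIRM\G_Sales'

if (-not (Test-Path -Path $sharePath)) {
    New-Item -Path $sharePath -ItemType Directory | Out-Null
}

# Starting point from the exercise: a share whose only entry is Everyone Read
# (that is what New-SmbShare creates when no access parameters are given).
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $shareName -Path $sharePath | Out-Null
}

# Share permissions: administrators keep Full Control, G_Sales gets Change,
# Everyone is removed. -Force suppresses the confirmation prompts.
Grant-SmbShareAccess  -Name $shareName -AccountName 'BUILTIN\Administrators' -AccessRight Full   -Force | Out-Null
Grant-SmbShareAccess  -Name $shareName -AccountName $group                  -AccessRight Change -Force | Out-Null
Revoke-SmbShareAccess -Name $shareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null

# NTFS permissions: Read & Execute plus Write for the group (what steps 7 and 8
# select in the GUI), inherited by subfolders and files.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $group, 'ReadAndExecute, Write', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)

# PurgeAccessRules only removes explicit entries. If Everyone is inherited from
# the parent, disable inheritance first; SetAccessRuleProtection($true, $true)
# converts the inherited entries into explicit ones so they can then be purged.
if ($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and $_.IsInherited }) {
    $acl.SetAccessRuleProtection($true, $true)
}
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]'Everyone')
Set-Acl -Path $sharePath -AclObject $acl

# Verify both layers. Any remaining Everyone entry on either list is a finding.
Get-SmbShareAccess -Name $shareName | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
(Get-Acl -Path $sharePath).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Run it from an elevated PowerShell session on the file server. The two Format-Table calls at the end are the equivalent of Figures 13.17 and 13.18: the share list should show only Administrators and G_Sales, and the NTFS list should show G_Sales with ReadAndExecute, Write and no Everyone entry.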

Combining Share and NTFS Permissions

People sometimes find it challenging to identify the permissions a user will have when they access a file or folder via a share. We like to keep it simple with these three steps:

1. Determine the cumulative NTFS permissions.
2. Determine the cumulative share permissions.
3. Determine which of the two provides the least access (commonly called the most restrictive permission).

Imagine that Sally is a member of the G_Sales and G_ITSalesAdmins groups. The assigned permissions for the SalesData folder (shared as the SalesData share) are shown in Table 13.2.

Table 13.2: Combining NTFS and Share Permissions

Group              NTFS Permissions                               Share Permissions
G_Sales            Read, Read & Execute, List Folder Contents     Read
G_ITSalesAdmins    Full Control                                   Change

In step 1, you need to determine the cumulative NTFS permissions. Sally has the Read, Read & Execute, and List Folder Contents permissions as a member of the G_Sales group. Additionally, she has Full Control permission as a member of the G_ITSalesAdmins group. Since Full Control includes all the other permissions, her cumulative NTFS permissions are Full Control.

In step 2, you need to determine the cumulative share permissions. Sally has the Read permission as a member of the G_Sales group. Additionally, she has the Change permission as a member of the G_ITSalesAdmins group. Since Change includes both Read and Write, her cumulative share permissions are Change.

The last step involves a simple question. Which permission provides the least access or is the most restrictive: Full Control or Change? The answer is Change. Change is the permission that Sally will have if accessing the share over the network.

How about a trick question? What is Sally’s permission when she accesses the SalesData folder locally?

The answer is Full Control. Remember that share permissions apply only when a user accesses the share over a network. If the folder is accessed locally, only NTFS permissions apply.
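As an added example that is not part of the book, here is the three-step method as a PowerShell function, with the token lookup from the Security Identifiers section alongside it. The access control entries are constructed to match Table 13.2; BIGFIRM and the account names are assumptions. The same functions accept the live objects from (Get-Acl <path>).Access and Get-SmbShareAccess -Name <share> through the two adapter functions.

```powershell
# Added example (not the book's code): the three-step method as a function, and the
# token lookup from the Security Identifiers section. The ACEs below are constructed
# to match Table 13.2; BIGFIRM and the account names are assumptions.

$Rank = @{ None = 0; Read = 1; Change = 2; Full = 3 }
$FSR  = [System.Security.AccessControl.FileSystemRights]

# Share levels are access masks too, so both layers reduce through one function.
$ShareMask = @{ Read = [int]$FSR::ReadAndExecute; Change = [int]$FSR::Modify; Full = [int]$FSR::FullControl }

function Get-AccessLevel([int]$Mask) {
    if (($Mask -band [int]$FSR::FullControl) -eq [int]$FSR::FullControl) { return 'Full' }
    if (($Mask -band ([int]$FSR::Write -bor [int]$FSR::Delete)) -ne 0)   { return 'Change' }
    if (($Mask -band [int]$FSR::ReadAndExecute) -ne 0)                    { return 'Read' }
    return 'None'
}

# Allowed bits minus denied bits for the caller's principals. Subtracting the
# Deny bits after collecting the Allow bits is what makes Deny take precedence.
function Get-EffectiveMask([string[]]$Principals, [object[]]$Aces) {
    $allow = 0; $deny = 0
    foreach ($ace in $Aces) {
        if ($Principals -notcontains $ace.Principal) { continue }
        if ($ace.Type -eq 'Deny') { $deny = $deny -bor $ace.Mask } else { $allow = $allow -bor $ace.Mask }
    }
    return $allow -band (-bnot $deny)
}

function Get-EffectiveLevel {
    param([string[]]$Principals, [object[]]$NtfsAces, [object[]]$ShareAces, [switch]$Local)
    $ntfs = Get-AccessLevel (Get-EffectiveMask $Principals $NtfsAces)        # step 1: cumulative NTFS
    if ($Local) { return $ntfs }                                                # share permissions never apply locally
    $share = Get-AccessLevel (Get-EffectiveMask $Principals $ShareAces)       # step 2: cumulative share
    if ($Rank[$ntfs] -le $Rank[$share]) { $ntfs } else { $share }              # step 3: most restrictive wins
}

# Adapters from the live objects: (Get-Acl $path).Access and Get-SmbShareAccess -Name <share>.
function ConvertFrom-NtfsAce($ace) {
    [pscustomobject]@{ Principal = $ace.IdentityReference.Value; Type = [string]$ace.AccessControlType; Mask = [int]$ace.FileSystemRights }
}
function ConvertFrom-ShareAce($ace) {
    [pscustomobject]@{ Principal = $ace.AccountName; Type = [string]$ace.AccessControlType; Mask = [int]$ShareMask[[string]$ace.AccessRight] }
}

# The principals in the caller's token: the account SID plus every group SID, which
# is exactly the list the operating system compares against the DACL.
function Get-TokenPrincipals {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    @($id.Name) + @($id.Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
    })
}

# Constructed sample matching Table 13.2.
$ntfs = @(
    (New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'BIGFIRM\G_Sales', 'ReadAndExecute', 'Allow'),
    (New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'BIGFIRM\G_ITSalesAdmins', 'FullControl', 'Allow')
) | ForEach-Object { ConvertFrom-NtfsAce $_ }
$share = @(
    [pscustomobject]@{ AccountName = 'BIGFIRM\G_Sales';         AccessControlType = 'Allow'; AccessRight = 'Read' },
    [pscustomobject]@{ AccountName = 'BIGFIRM\G_ITSalesAdmins'; AccessControlType = 'Allow'; AccessRight = 'Change' }
) | ForEach-Object { ConvertFrom-ShareAce $_ }

$sally = 'BIGFIRM\Sally', 'BIGFIRM\G_Sales', 'BIGFIRM\G_ITSalesAdmins'
Get-EffectiveLevel -Principals $sally -NtfsAces $ntfs -ShareAces $share          # over the network
Get-EffectiveLevel -Principals $sally -NtfsAces $ntfs -ShareAces $share -Local   # logged on at the server

# The Deny example: Billy-Joe-Bob gets whatever G_Sales has on the share, then an
# explicit Deny Full Control on the share removes every bit of it.
$billy  = 'BIGFIRM\BillyJoeBob', 'BIGFIRM\G_Sales'
$denied = @($share) + (ConvertFrom-ShareAce ([pscustomobject]@{ AccountName = 'BIGFIRM\BillyJoeBob'; AccessControlType = 'Deny'; AccessRight = 'Full' }))
Get-EffectiveLevel -Principals $billy -NtfsAces $ntfs -ShareAces $denied
```

For Sally the first call returns Change and the second Full, matching the answers above; Billy-Joe-Bob's explicit Deny Full Control on the share leaves him with None even though his NTFS rights through G_Sales are untouched. To evaluate a real user, replace the constructed lists with the adapter output for the folder and share, and replace $sally with the output of Get-TokenPrincipals run as that user.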

Connecting to Shares

Now that you have these shares, how do people use them? Assuming that you have a share called Apps on a server called BF1, how would someone attached to the network access that share?

Primarily, you connect to a share using the universal naming convention (UNC) path \\ServerName\ShareName. As a simple example, press the Windows key + R from the desktop to open the Run dialog box and enter \\ServerName (using the name of any server connected to your network) followed by a backslash, as shown in Figure 13.19. Another way to open the Run dialog box in Server 2012 is to go to the Start screen, type Run, and press Enter. In the figure, we’ve used \\BF2\ to connect to the server named BF2.

Figure 13.19 Searching for shares


Once the operating system connects, it retrieves a list of the shares that are available. On this server there are currently four shares, well, four shares that aren’t hidden. Chapter 14 will show you how additional hidden shares are available. You could type Apps at the end of \\BF1\ to complete the entry as \\BF1\Apps, or simply click the Apps share from the list shown in Figure 13.19 and click OK to connect to the Apps share.

Besides using the Run dialog box, you can connect to a share in the following ways:

Mapping a Drive You can map a drive letter to a share on your network. For example, users may need access to a share each time they boot. You can right-click either Computer or Network from the Windows Explorer menu and select Map Network Drive. Take a moment to enjoy the new feel of the Server 2012 R2 user interface. With the Windows Explorer page open, select Computer, and then select the Computer option from the top action bar. A new ribbon will be displayed similar to the ones that you are familiar with seeing in programs like Microsoft Word. Many new options are available from the ribbon, including Map a Network Drive. Figure 13.20 shows the Map Network Drive dialog box. With “Reconnect at sign-in” selected, the user will always have the Z drive mapped to the share when they boot.

Figure 13.20 Mapping a share to a drive letter

Searching Active Directory If the client is a member of a domain, the Search Active Directory command appears on the Network console. You can launch Network by selecting Start > Network on Windows Server 2012 R2.
Using net use You can use the net use command at the command line. The basic syntax is as follows:
net use driveletter \\servername\sharename
For example, to attach to the share Apps on the server named BF1 and then to be able to refer to that share as drive Z, you could use this command:
net use Z: \\BF1\apps
If you later want to remove the mapping, you can use this command:
net use Z: /delete

“A Set of Credentials Conflicts”

Sometimes when you’re trying to attach to a share, you’ll get an error message that says something like “A set of credentials conflicts with an existing set of credentials on that share.”

Here’s what’s happening. Windows allows a logon session to hold only one set of credentials per server. Your machine already has a connection to that server under some account, perhaps an implicit IPC$ connection made when you browsed to it or a mapping you made earlier with a different user name, and the new request used different credentials, so the redirector refuses to mix them (the underlying Win32 error is 1219). You need to disconnect the existing connections to that server so that you can start over with a single set of credentials. You can do that with the /d option (short for /delete).

Suppose you’ve already tried to access the \\BF1\Apps share and apparently failed. It might be that you are actually connected to the share but with no permissions, because the connection was made under an account that has no access to it. You can find out what shares you’re connected to by typing net use by itself. Chances are, you’ll see that \\BF1\Apps is on the list. You have to disconnect from the BF1 server so that you can start over. To do that, type this:

net use \\BF1\apps /d

Then do another net use to make sure that you have all of those connections cleaned up; you may find that you have multiple attachments to a particular server. Or . . . in a few cases, you may have to disconnect all of your file shares with this command:

net use * /d

With all the connections closed, you can try net use again, and it will work.

Using net use on a WAN

Now you are into one of the most difficult networking areas: connecting to your resources across long distances and great unknowns. If you’ve ever had to rely on long-distance remote computing, you know not to rely on it. But you have a new little function set in your net use arsenal that takes a lot of the “unknown” out of the picture.

Instead of relying on getting to the appropriate name resolution server, getting through to that server, and getting accurate, reliable resolution over an inaccurate and unreliable network link, you can map a drive straight to your server by its IP address. Granted, you now need to know that IP address, but it is a good fail-safe. In our case, we work from several different locations connected with frame-relay WAN links. The network isn’t always so good about converting server names into IP addresses, so net use \\BF1 usually tells us that our machine couldn’t find \\BF1. Even if it does work, name resolution (converting a name such as BF1 to a network address) takes time.

If you know the IP address of the server you’re trying to contact, then you can use the IP address in lieu of the server’s name. If you know that BF1’s IP address is 134.81.12.4, you can simply type this:

net use \\134.81.12.4\apps

And, because you’re probably connecting from a different network, you might have to add the /user: information. And it’s never a bad idea to add /persistent:no so that your system doesn’t spend five minutes trying to reconnect to it the next time that you start up. One thing to be aware of: when you connect by IP address instead of by name, the client has no server name from which to build a Kerberos service principal name, so the connection authenticates with NTLM rather than Kerberos. So, for example, if BF1 is a member of a domain named BigFirm.com and you have an account on BigFirm.com named boss, you could ensure that BF1 will know who you are and log you on like so:

net use \\134.81.12.4\apps /user:bigfirm.com\boss /persistent:no

Although there are many conventional methods of connecting to shares using different GUIs, don’t overlook the net use command. You’ll find it useful.
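The same connection tasks in PowerShell, as an added example that is not from the book. The SmbShare cmdlets expose the one thing net use hides, which credential each existing connection to a server is using, so the “credentials conflict” situation can be seen directly. BF1, 134.81.12.4 and bigfirm\boss are the book’s sample names; the password is prompted for rather than typed on the command line, where it would be saved in the console history.

```powershell
# Added example (not the book's code): connecting, diagnosing a credential
# conflict, and disconnecting with the SmbShare cmdlets. BF1, 134.81.12.4 and
# bigfirm\boss are the book's sample names.

# Every SMB connection this session holds and the account it authenticated as.
# Two connections to one server under different accounts is exactly the state
# that produces "A set of credentials conflicts..." (Win32 error 1219).
Get-SmbConnection | Format-Table ServerName, ShareName, UserName, Credential, Dialect -AutoSize

# The net use \\BF1\apps /d step: drop every mapping to BF1, with or without a drive letter.
Get-SmbMapping | Where-Object { $_.RemotePath -like '\\BF1\*' } | Remove-SmbMapping -Force

function Connect-Share {
    # Map a share by server name first and fall back to the IP address when name
    # resolution fails, which is the WAN case described in the text. Connecting by
    # IP means the client cannot form a Kerberos SPN for the server, so that path
    # authenticates with NTLM.
    param(
        [string]$Server, [string]$IpAddress, [string]$Share, [string]$Drive,
        [pscredential]$Credential
    )
    foreach ($target in @($Server, $IpAddress)) {
        try {
            return New-SmbMapping -LocalPath $Drive -RemotePath "\\$target\$Share" `
                -UserName $Credential.UserName `
                -Password $Credential.GetNetworkCredential().Password `
                -Persistent $false -ErrorAction Stop            # same effect as /persistent:no
        } catch {
            Write-Warning "\\$target\$Share failed: $($_.Exception.Message)"
        }
    }
}

$cred = Get-Credential -UserName 'bigfirm\boss' -Message 'Credentials for BF1'
Connect-Share -Server 'BF1' -IpAddress '134.81.12.4' -Share 'Apps' -Drive 'Z:' -Credential $cred
Get-SmbMapping -LocalPath 'Z:'

# The net use Z: /delete step.
Remove-SmbMapping -LocalPath 'Z:' -Force
```

Get-SmbConnection is the first thing to run when the conflict error appears: the Credential column shows which account each server connection was made under, and once the stray connection is removed the new mapping succeeds.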

Common Shares

In Windows Server, several common shares have already been created for you. Most of these shares are hidden. If you know of these shares, you can connect to any of them using the UNC path.

C$, D$, and So On Every hard drive volume is given a hidden share to the root of the drive. This share is what is called an administrative share. You cannot change the permissions or properties of these shares, other than to configure them for Offline Files (we’ll talk about Offline Files at the end of this chapter). Only members of the Administrators and Backup Operators groups can connect to administrative shares. You can remove one with net share C$ /delete, but the Server service re-creates it the next time it starts unless you set the AutoShareServer value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters to 0 (or stop the Server service, which stops all sharing). These shares come in handy for server administrators who do a lot of remote management, which is also why an attacker holding administrator credentials uses them: mapping a drive to the C$ share is the equivalent of being at C:\ on the server.
ADMIN$ The ADMIN$ share is another administrative share and it maps to the location of the operating system. If you installed the operating system at D:\Windows, the ADMIN$ share would map to D:\Windows.
PRINT$ Whenever you create a shared printer, the system places the drivers in this share. This allows the drivers to be easily downloaded when clients connect to the shared printer.
IPC$ The IPC$ share is probably one of the most widely used shares in interserver communications, though you will rarely interact with it directly. When you try to access shared resources on other computers (to read event logs, for example), the system uses named pipes. A named pipe is a piece of memory that handles a communication channel between two processes, whether local or remote, and the IPC$ is used by the named pipes.
NETLOGON The NETLOGON share is used in conjunction with processing logon requests from users. Once users successfully log in, they are given any profile and script information that they are required to run. This script is often a batch file. For example, we have a common batch file that we want all of our users to run every time they log in. This allows us to have all clients run a standard set of commands, like copying updated network information, mapping standard network drives, and so on. These batch files, scripts, and profiles go in the NETLOGON share, which is the Scripts folder inside SYSVOL. The NETLOGON share is required on all domain controllers.
SYSVOL The SYSVOL share houses the Group Policy templates and logon scripts that clients read from the network. It exists only on domain controllers, and its contents are replicated between all the domain controllers in the domain (by FRS or DFS Replication), not to member servers.
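Because hidden and administrative shares do not show up when you browse a server, it is worth enumerating them deliberately. The following is an added example, not the book’s code: it lists every share on the local server, flags share permissions that hand Change or Full Control to broad groups, and reads the registry value that controls whether the administrative drive shares come back when the Server service restarts.

```powershell
# Added example (not the book's code): list every share on this server, hidden and
# administrative ones included, flag share permissions that give broad groups write
# access, and read the registry value that controls whether the C$/ADMIN$ shares come
# back when the Server service restarts.

# Group names (without the domain or BUILTIN prefix) that amount to "everyone".
$BroadNames = 'Everyone', 'Authenticated Users', 'Users', 'Domain Users'

function Get-ShareAudit {
    foreach ($s in Get-SmbShare) {
        $access = Get-SmbShareAccess -Name $s.Name
        $broad  = $access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([string]$_.AccessRight) -in 'Change', 'Full' -and
            ($_.AccountName -split '\\')[-1] -in $BroadNames
        }
        [pscustomobject]@{
            Name       = $s.Name
            Path       = $s.Path
            Hidden     = $s.Name.EndsWith('$')    # a trailing $ hides it from browsing, nothing more
            Special    = $s.Special               # created by the Server service (C$, ADMIN$, IPC$ ...)
            BroadWrite = ($broad | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join '; '
        }
    }
}

Get-ShareAudit | Sort-Object Special, Name | Format-Table -AutoSize

# AutoShareServer: absent or 1 means the administrative drive shares are recreated at
# every Server service start; 0 disables them.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$auto = (Get-ItemProperty -Path $params -Name AutoShareServer -ErrorAction SilentlyContinue).AutoShareServer
if ($null -eq $auto) { 'AutoShareServer not set (administrative shares enabled)' } else { "AutoShareServer = $auto" }
```

A trailing $ only keeps a share out of the browse list; it is not a permission, so a hidden share with Everyone Change in the BroadWrite column is as exposed as a visible one. Anything listed there that is not a deliberate drop folder deserves a second look.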

File Server Resource Manager

File Server Resource Manager (FSRM) is an important addition that’s configurable with the File and Storage Services role. It includes several additional capabilities that make it easier to manage a file server:

Quota management Monitor and limit how much space a folder or volume may consume, with notifications and actions when thresholds are reached.
File screening Block, or simply monitor, the storage of specific file types on a volume or folder.
Storage reports Generate reports such as Large Files, Duplicate Files, and Quota Usage on demand, on a schedule, or in response to a quota or file screen notification.

These techniques are covered in the following sections.

Creating Quota Policies

NTFS has long included quota management capabilities, but they have been significantly improved with FSRM. In short, quotas allow you to monitor and limit the space users can consume on a volume or folder.


Storage Usage Monitoring vs. Quota Policies
Although storage usage monitoring uses the same technology as quota policies available with NTFS, it has a subtle difference from the quota policies. Storage monitoring monitors the entire volume and is configured by default to let you know when the drive reaches 85 percent of capacity. Quota policies can be configured on individual folders, which allows you to fine-tune what you monitor.

When creating quotas, you have the ability to set warning limits, set enforcement limits, provide notification of reached limits via email or event log entries, and even execute commands in response to any limit. Quotas can be set for any share on a server or any specific path.

Quotas can be very useful for monitoring storage on file servers. For example, you may have a file server with 2 TB of storage. You may think this is more than enough space, but if some users are creating and editing audio and video files, 2 TB of free space could disappear quickly. A quota policy can help you limit users to a specific amount. However, these audio and video files may be integral to your business, and you may not want to limit the storage space but instead just ensure you’re informed when the storage space reaches a certain threshold. Instead of actually limiting the storage, you can use the quota policy to just monitor the usage.

On the surface, quota policies can be very simple to understand and implement. However, you can get pretty sophisticated with them if you need to do so.

Quota Templates

Microsoft has included several quota templates in FSRM that can easily be applied as is, or you can modify them to fit your needs. You can even create your own templates. Figure 13.21 shows the Configure Quota screen with the default templates.

Figure 13.21 Viewing the available quota templates


Once you have an idea of how the quotas work, the information on this page gives you the basic information you need to understand what the quota will do. A significant piece of information is the quota type: hard or soft. A hard quota limit will enforce the limit and prevent users from exceeding the limit. A soft quota limit is just used for monitoring; it will provide notification but does not enforce the limit.

The 200 MB Limit with 50 MB Extension template provides an excellent example of responding to a quota limit being reached. You can view or edit the template properties of any template by right-clicking the template and selecting Edit Template Properties.

Figure 13.22 shows the template being edited. On the left you can see the basic template. Notice on the bottom that there are three notification thresholds that have been configured: 85 percent, 95 percent, and 100 percent. The 85 percent warning only sends an email, the 95 percent warning sends an email and logs an event, and the 100 percent warning also executes a command.

Figure 13.22 Viewing a quota template


The page on the right of the figure was reached by selecting the Warning (100%) notification threshold and clicking Add. It is using the dirquota.exe command-line tool to modify the quota itself: it raises the limit from 200 MB to 250 MB. The commands you put here are limited only by your imagination. If necessary, you can also set the security context the command runs under (Local Service, Network Service, or Local System) to match the permissions the command needs.

In addition to executing a command, the other threshold responses are sending an email, logging an event, and creating a report.

E-mail Message Tab

The E-mail Message tab allows you to configure an email response if the threshold is reached. If you want an email sent to an administrator, simply add the administrator’s email address (or an administrator’s distribution group) on this page in the format of account@domain, such as ITAdmins@bigfirm.com. You can also configure it to send an email to the user who exceeded the threshold simply by selecting a box. FSRM uses Active Directory to look up the user’s email address.

The templates include a preconfigured subject line and message body, and both can include variables. In Figure 13.23 the message body includes several variables: Source Io Owner, Quota Path, Server, and more. If you click within either the subject line or the message body, the variable drop-down box will be enabled. You can select any of these variables to see a short explanation of what it is. We know when we first saw [Source Io Owner], we couldn’t figure out what “Io” was, but after selecting it from the drop-down box, we saw it meant I/O, or input/output: the account whose write pushed usage over the threshold.

Figure 13.23 Viewing the E-mail Message tab


You can add to your email messages by clicking the Additional E-mail Headers button. On the right side of Figure 13.23, you can see the additional headers. It also includes variables that you can add by selecting the variable in the drop-down box and clicking Insert Variable.


SMTP Server Must Be Configured
For FSRM to send email messages, it must be configured with the server name or IP address of an SMTP server that will accept the email messages. This is done on the File Server Resource Manager Options page, covered later in this chapter.

Event Log Tab

You can configure the events to be logged in the Application log if desired. It’s as simple as selecting the Event Log tab and selecting the box to send the warning to the event log, as shown in Figure 13.24. Any events sent from here are logged into the Application log.

Figure 13.24 Viewing the Event Log tab


Just as you can add variables to email messages, you can also add variables to log entries. In Figure 13.24, we’ve selected the variable drop-down box to show some of the variables that can be added. A lot of variables can be selected, but not all of them are showing in the figure.

Report Tab

The fourth tab that can be manipulated for notification thresholds is the Report tab. You can configure reports to be generated in response to a threshold and automatically be sent via email to administrators and/or the user. Reports can also be created on demand, as you’ll see later in this chapter.

Creating a Quota

Once you understand the basics, it’s pretty simple to create and apply a quota. There are a few different ways in Windows Server 2012 R2 to configure quotas at different share and folder levels. If you already have both share and quota templates created, you can easily configure a quota by right-clicking the share on the Shares tab of the File and Storage Services role in Server Manager and selecting Configure Quota. Adjusting the properties and creating quota templates is done directly in FSRM, which you open from the Tools menu of Server Manager.

Imagine you want to monitor the amount of data that is being stored in a folder named Graphics on your system. Specifically, you want to know whether the amount of storage used is getting close to 500 MB. If the limit is reached, you want to send a report to the user letting her know which files are duplicates, which files are the largest, and which files haven’t been used recently.

You can use the following steps to create this quota:

1. Launch Server Manager, and browse to Tools image File Server Resource Manager.
2. Expand Quota Management, right-click Quotas, and select Create Quota.
3. Enter the path to the folder you want to monitor in the Quota Path text box.
For example, you could enter I:\Graphics. Alternately, you could click Browse and browse to the path. You are given the choice here to apply this new quota to only the selected folder, or to auto-apply the quota template to all existing and new subfolders within the Graphics directory.
The next choice on this page allows you to define the quota properties.
4. For this exercise select the 200 MB Limit Reports to User option. We will edit this property later on.
5. Review the summary of quota properties and click Create.
The new quota will now be displayed, allowing you to further modify your desired settings.
6. Right-click the new quota and select Edit Quota Properties.
On the Quota Properties page provide a description of your new quota.
7. Then manually adjust the Space limit to 500 MB and keep the default setting of “Hard quota.” Now you can edit your Notification thresholds, as shown on the left side of Figure 13.25.

Figure 13.25 Viewing the Report tab of a new quota

8. Select the Warning (100%) notification threshold, and click Edit.
9. Review the information on the E-mail Message, Event Log, and Command tabs.
If a warning appears indicating that an SMTP server is not configured, review the information, and click Yes to continue; you can configure the SMTP server later. Notice that you can modify the data on any of these tabs.
10. Click the Report tab. Your display will look similar to the right side of Figure 13.25.
Notice that the reports are already configured. The Generate Reports check box is checked, and three reports are configured to be generated: Duplicate Files, Large Files, and Least Recently Accessed Files. Additionally, the quota is configured to send the report to the user exceeding the threshold.
11. Click OK to close the 100% Threshold Properties page.
12. Click OK to close the Quota Properties page.
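The same quota can be created without the GUI. The following is an added example, not the book’s code, using the FileServerResourceManager cmdlets. It builds the 500 MB quota on the Graphics folder with the three thresholds the 200 MB Limit with 50 MB Extension template uses (85 percent email, 95 percent email plus event, 100 percent), and at 100 percent it generates the same three reports the exercise configures. I:\Graphics and the bigfirm.com addresses are assumptions.

```powershell
# Added example (not the book's code): the 500 MB quota on the Graphics folder from the
# exercise, built with the FileServerResourceManager cmdlets, using the three thresholds
# the 200 MB Limit with 50 MB Extension template uses (85%, 95%, 100%). At 100% it sends
# the same three reports the exercise configures. I:\Graphics and the bigfirm.com
# addresses are assumptions. Requires the FSRM role service:
#   Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools
Import-Module FileServerResourceManager

$path = 'I:\Graphics'

# 85%: email only. [Source Io Owner] is the account whose write crossed the threshold;
# [Admin Email] resolves to the address set on the FSRM options page.
$mail85 = New-FsrmAction -Type Email -MailTo '[Admin Email];[Source Io Owner Email]' `
    -Subject 'Quota warning: [Quota Path] is at [Quota Used Percent]%' `
    -Body 'User [Source Io Owner] has used [Quota Used] of the [Quota Limit] limit on [Quota Path] on server [Server].'

# 95%: email plus an Application log event.
$mail95  = New-FsrmAction -Type Email -MailTo '[Admin Email];[Source Io Owner Email]' `
    -Subject 'Quota at 95%: [Quota Path]' `
    -Body 'User [Source Io Owner] has used [Quota Used] of the [Quota Limit] limit on [Quota Path].'
$event95 = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] has reached 95% of the quota on [Quota Path] ([Quota Used] of [Quota Limit]).'

# 100%: the exercise's reports, mailed to the user who hit the limit, plus an event.
$report100 = New-FsrmAction -Type Report -ReportTypes DuplicateFiles, LargeFiles, LeastRecentlyAccessed `
    -MailTo '[Source Io Owner Email]'
$event100  = New-FsrmAction -Type Event -EventType Error `
    -Body 'User [Source Io Owner] has reached the [Quota Limit] limit on [Quota Path].'

$thresholds = @(
    (New-FsrmQuotaThreshold -Percentage 85  -Action $mail85),
    (New-FsrmQuotaThreshold -Percentage 95  -Action $mail95, $event95),
    (New-FsrmQuotaThreshold -Percentage 100 -Action $report100, $event100)
)

# Hard quota: a write that would push the folder past 500 MB is refused. Add -SoftLimit
# to monitor only, as the audio/video example in the text suggests.
New-FsrmQuota -Path $path -Description 'Graphics working area' -Size 500MB -Threshold $thresholds

# Read it back: Usage and PeakUsage are live figures, Threshold is the list just built.
Get-FsrmQuota -Path $path | Format-List Path, Size, SoftLimit, Usage, PeakUsage, Threshold
```

The email and report actions are stored immediately but only fire once an SMTP server has been configured on the File Server Resource Manager options page (Set-FsrmSetting -SmtpServer does the same from PowerShell). The event actions work regardless, so the Application log is the place to confirm the thresholds are firing before the mail relay is in place.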

Creating File Screen Policies

File screens are used to filter or screen files to ensure certain types of files aren’t stored on a server. Imagine that after implementing a quota policy and reviewing some of the reports, you realize that your F drive is almost full because one of the users has stored several gigabytes of backup MP3 files on the server.

Although it’s admirable that the user is backing up his files, you may not want him using your server to back up his MP3 files. Additionally, you may not want anyone storing MP3 files or any other type of audio or video files on your server.

You can create a file screen that will block users from saving specific types of files and generate notifications when anyone attempts to save these blocked files on the server. File screens can be created on entire volumes or specific folders, and just as quotas have templates, file screens also have templates. Figure 13.26 shows Server Manager open to the file screen templates.

Figure 13.26 Viewing the file screen templates


Notice that several well-known file group types are identified in the templates, such as audio and video files and image files. The specific extensions of these file types are identified in the File Groups node. For example, audio and video files include .mp1, .mp2, .mp3, .mp4, and .mpeg, and that’s not all of them.

When you create a file screen, you can simply select one of the file groups. This will meet your needs most of the time, but if you want to add file types or exclude specific file types from the screen, you can modify the contents to meet your needs.

Imagine that your company has recently learned that many users are storing Outlook .pst files on a server that are more than 1 GB in size and eating up the storage space. The company states that users cannot store email files on a file server. You can use the following steps to enforce the rule:

1. Launch Server Manager, and browse to Tools > File Server Resource Manager > File Screening Management > File Screen Templates.
2. Right-click the Block E-mail Files template, and select the Create File Screen from Template option.
3. Enter the volume name that you want to screen (such as F:\) in the File Screen Path text box.
Since we chose the Block E-mail Files Template, our screen properties are already preselected. We could also change to a different template’s screen properties or define our own custom properties if we wish. Keep the default option and review the summary at the bottom of the page.
4. Click Create.
5. Select the File Screens node (right above File Screen Templates) in the FSRM directory structure.
6. Right-click the new file screen you just created, and select Edit File Screen Properties. Your display will look similar to Figure 13.27.

Figure 13.27 Viewing the properties of a file screen

Notice that you can select either Active or Passive screening. Since you want to specifically block users from storing the files on the server, leave it as Active screening. Passive screening is used for monitoring.
7. Click through the E-mail Message, Event Log, Command, and Report tabs.
If a warning appears indicating that an SMTP server is not configured, review the information, and click Yes to continue. You’ll see that these are very similar to the tabs used with quotas. Only the notification content is changed.
8. Click OK once you’ve reviewed the tabs.

Generating Reports

Several different reports are available. You can generate reports as part of any quota policy or file screen policy. You can also configure reports to be generated on a schedule or generate them on demand.

Thankfully, the reports are well named, and it’s easy to determine the primary content just by the name. The different reports available are Duplicate Files, File Screening Audit, Files by File Group, Files by Owner, Files by Property, Large Files, Least Recently Accessed Files, Most Recently Accessed Files, and Quota Usage.

Additionally, you can save the reports in several different formats such as DHTML, HTML, XML, CSV, and text. You can access the reports with the following steps:

1. Launch Server Manager, and open File Server Resource Manager from the Tools menu. Right-click the Storage Reports Management node, and select Generate Reports Now.
On the Settings tab, you can select as many reports as you’d like to view, but if you select them all, be patient; they take some time to generate on large volumes. Some of the reports have additional parameters that you can modify. For example, if you select the Quota Usage report, you can click the Edit Parameters button and modify the minimum quota usage that will be included in the report.
2. Select the reports you want to generate and then check the boxes next to the report formats that you’d like to view. Your display will look similar to Figure 13.28.

Figure 13.28 Selecting report types and formats

3. Click the Scope tab.
On this page you get to select what type of data will be accumulated in your reports.
4. After making your file type selections, click Add.
This allows you to browse to and add the folders you want to run reports against.
5. Make your folder selection and click OK.
The last tab in Storage Reports Task Properties is the Delivery tab. You can have the reports emailed to an administrator.
6. Simply check the box and fill in the person’s email address that you wish to send the reports to.
This comes in handy with Scheduled reports. Have all your reports run on Sunday, and have them waiting in your email Monday morning for you to review.
7. In the Generate Storage Reports dialog box, select Generate Reports in the Background, and click OK.
This will create a report task that will be deleted after it completes. The dialog box defaults to “Wait for the reports to generate and then display them.” You can watch the task run, and once it has finished, the reports will be displayed to you. The default location that the reports are saved to locally on the server is %systemdrive%\StorageReports\Interactive. Depending on the amount of data in the reports, this could take several minutes to complete.
8. While the report task is running, right-click Storage Reports Management, and select Schedule a New Report Task.
9. On the Settings Tab, give your new scheduled report task a proper name, select which reports you want to generate, and then select which report formats to generate the reports in.
10. Select the Scope tab.
Here you will want to choose which type of data to report on and which folders to report against.
11. On the Delivery Tab, check the box, and input an email address to have the reports sent to every week.
A properly configured SMTP server will be required for any email notifications provided by the FSRM.
12. The schedule defaults to Weekly: Select Sunday at 5 a.m. Your display will look similar to Figure 13.29.

Figure 13.29 Scheduling reports

13. Click OK to accept the schedule.
The new schedule is now displayed in the FSRM Storage Reports Management window. If you have SMTP configured, right-click the task and run it once now to test your work.

Monitor Disk Consumption of Reports
If you create a report schedule that will create report files on your system, you’ll want to monitor the amount of space taken up by the reports. The worst-case scenario is that a report schedule is created and reports are regularly created, steadily consuming the disk space. One way to avoid this impacting the operation of the server is to change the default location of the reports by modifying the Report Locations tab of the File Server Resource Manager options.

The report task you created earlier should be done at this point.
14. Navigate to the reports located in the %systemdrive%\StorageReports\Interactive folder. Use Windows Explorer to browse to this folder.
15. Double-click some of the HTML files to view the available information. Double-click any of the text files to see how the information is displayed.

As you can see, FSRM provides rich reporting capabilities.

File Server Resource Manager Options

You can modify several FSRM options. One of them, Email Notifications, must be configured before you can use any of the email capabilities of the server. You can access the options page by right-clicking File Server Resource Manager within Server Manager and selecting Configure Options. A properties sheet appears with seven tabs:

Email Notifications If you want to use email notifications, you must enter the name or IP address of an SMTP server that will accept email from your server. You can also enter the default email address for administrator recipients and a default From address on this page. You can send a test email to make sure your settings are configured properly.
Notification Limits Once a threshold is reached (such as 85 percent usage on a disk), the threshold remains until action is taken. Instead of having the notifications harass the user every 30 seconds, you can set time limits in minutes for these notifications. The default is 60 minutes for each of the threshold responses: email notification, event log entry, command execution, and report generation.
Storage Reports Many of the reports have parameters that can be modified. Each parameter that can be modified starts with a default. You can use this page to modify the default parameters.
Report Locations Reports have default locations on the system drive (which is normally c:\). Three folders are created within the %systemdrive%\StorageReports folder. They are Incident (created from notifications), Scheduled (created from scheduled report tasks), and Interactive (created from on-demand reports). You can change the default locations for any of the reports from this page.
File Screen Audit This page has only one option: “Record file screening activity in an auditing database.” If selected, the screening activity will be recorded in a database, which can be reviewed by running a file screen auditing report.
Automatic Classification It’s possible to manage files based on classification properties and rules you create, instead of where files are located within a directory tree. If you use classification management (not many people do), you can use this tab to schedule the execution of classification rules and generate reports. If you’d like to learn more about file classification, check out this TechNet article: http://technet.microsoft.com/library/dd758765.aspx.
Access-Denied Assistance New with Windows Server 2012, the Access-Denied Assistance tab allows you to customize your own access-denied error message that is displayed to a user who does not have the proper permissions to access a certain folder or file. On top of that, you can enable users to request assistance directly from the error message by clicking the hyperlink. This is a very useful feature.

Although NTFS is a great file system and has included extras such as NTFS quotas, you can get a lot more capabilities by using File Server Resource Manager. If you’re managing a file server, these extras are worth digging into.
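The report schedule and the FSRM options tabs walked through above can be set without the GUI, using the FileServerResourceManager cmdlets that ship with the role. This is an added example, not from the book; the SMTP host, email addresses, report paths and the D:\Shares namespace are placeholders, and the report types chosen are an assumption.

```powershell
# Added example (not from the book). Assumes the FSRM role service is
# installed; hostnames, addresses and paths below are placeholders.
Import-Module FileServerResourceManager

# Email Notifications tab: an SMTP server that accepts mail from this host,
# plus the default admin recipient and From address. Then send a test mail.
Set-FsrmSetting -SmtpServer "smtp.example.com" `
                -AdminEmailAddress "fsadmins@example.com" `
                -FromEmailAddress "fsrm@example.com"
Send-FsrmTestEmail -ToEmailAddress "fsadmins@example.com"

# Notification Limits tab: minutes between repeated threshold responses
# (the GUI default is 60 for each of the four response types)
Set-FsrmSetting -EmailNotificationLimit 60 -EventNotificationLimit 60 `
                -CommandNotificationLimit 60 -ReportNotificationLimit 60

# Report Locations tab: move report output off the system drive so a busy
# schedule cannot fill C: (the "Monitor Disk Consumption" point above)
Set-FsrmSetting -ReportLocationIncident  "E:\StorageReports\Incident" `
                -ReportLocationScheduled "E:\StorageReports\Scheduled" `
                -ReportLocationOnDemand  "E:\StorageReports\Interactive"

# Scheduled report task: weekly, Sunday at 5 a.m., HTML and text formats,
# delivered by email. Report types are an assumption for the example.
$weekly = New-FsrmScheduledTask -Time "05:00" -Weekly Sunday
New-FsrmStorageReport -Name "Weekly share usage" `
    -Namespace "D:\Shares" `
    -ReportType LargeFiles, FilesByOwner, QuotaUsage `
    -ReportFormat Html, Text `
    -MailTo "fsadmins@example.com" `
    -Schedule $weekly

# Run the new task once now to test the SMTP path, then list all tasks
Start-FsrmStorageReport -Name "Weekly share usage"
Get-FsrmStorageReport | Select-Object Name, ReportType, ReportFormat, MailTo
```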

Understanding SMB 3.0

Server Message Block (SMB) is an application-layer network protocol that is used primarily to provide shared access to files, printers, ports, and communication between machines on a network. SMB is commonly referred to as Common Internet File System (CIFS). This protocol is used primarily for Windows operating systems and serves as the basis for Microsoft’s Distributed File System implementation.

SMB 3.0 has changed quite a bit in this server edition. Many new features have made this protocol a robust, high-performance alternative to Fibre Channel and iSCSI appliances. Let’s take a look at some of the new features:

SMB Transport Failover This feature allows administrators to perform maintenance on clustered computers without having to incur any downtime. In the event of a cluster failover, the SMB 3.0 clients will automatically reconnect to another clustered machine without losing any access to the file shares they were using. Clustered file server machines eliminate the single point of failure of having only one file server or a nonclustered environment.
SMB Scale Out SMB clients are no longer limited to the bandwidth of a single cluster node. When clustered, the machines load balance between themselves using their aggregate resources. Now every server in a file server cluster is an active node serving content to clients. SMB scale-out file shares are always configured with the Continuously Available property set.
SMB Multichannel This feature allows file servers to use multiple network connections simultaneously, which greatly increases throughput since you can transmit more data across multiple high-speed network adapters at the same time. This also means you have a new level of fault tolerance on the network. While using multiple connections at the same time, the clients will continue to work uninterrupted in the event of a single connection loss. Another nice benefit of SMB Multichannel is automatic discovery. It will discover the existence of available network paths and dynamically add connections as required.
SMB Direct SMB Direct is a new transport protocol for SMB 3.0 that allows direct data transfers between servers with minimal CPU utilization and low latency when RDMA-capable network adapters are present. This makes a network file server capable of housing local storage for applications like Microsoft SQL Server 2012 and Microsoft Hyper-V.
SMB Windows PowerShell Cmdlets and WMI Objects Another big win in Server 2012 is all the PowerShell management cmdlets that are now included with the operating system. The new SMB cmdlets allow administrators to manage and monitor file servers and file shares. You can also write scripts to automate common file server administrative tasks. With the new WMI objects, developers benefit from the ability to create automated solutions for file server configuration and monitoring.
SMB Encryption This new feature allows you to encrypt data in motion on a per-file or per-share server basis. It will protect the data being transferred against eavesdropping and tampering attacks without IPsec or any additional dedicated hardware in place. SMB Encryption is also very useful when remote users are trying to access data from unsecured networks. It will secure the data transmission from the corporate network resources to the user’s unsecure remote network. If you recall from earlier in the chapter, we enabled SMB encryption by selecting the check box on the Other Settings page of the New Share Wizard during the creating new shares exercise. This feature can also be directly enabled in Server Manager without the wizard.
SMB Directory Leasing This feature uses BranchCache to provide faster access to documents over high-latency WAN networks. Directory leasing reduces the communication round-trips from client to server over a WAN. The client caches directory and file metadata in a consistent manner for longer periods of time. The server notifies the client when information changes and initiates a sync that updates the client’s cache. This feature is designed to work with user home folders and published shares.

SMB 3.0 Protocol Specification
Although we’ve highlighted some of the important features of SMB 3.0, we certainly haven’t covered everything in depth. If you’d like to look at the full protocol specification, you can check it out at http://support.microsoft.com/kb/2709568.

Compatibility with SMB 2.0 and 1.0

To maintain backward compatibility, newer operating systems support both SMB 2.0 and SMB 1.0. To take full advantage of the features available in SMB 3.0, both the server and client must have and be able to use SMB 3.0. Table 13.3 shows which SMB version is used with which operating system. If you match the server operating system across the top row with the client operating system down the left-hand column, the table will show you which version of SMB will be used during communication. For example, if you were to choose Server 2008 R2 from the top row as the server operating system and match a Windows 7 client from the left-hand column, the table would show you that the highest supported version of SMB you could use is SMB 2.1.

Table 13.3: SMB Version in Relation to Operating System Version


SMB 3.0 is used whenever possible by the clients that support it. Since SMB 3.0 is not supported by other operating systems (such as Windows 7 or Windows Server 2008), newer clients can use older versions of the protocol to talk to legacy machines. The good news is that all of this is automatic. You don’t need to do any special configuration to take advantage of SMB 3.0 or to switch back to SMB 2.0 or SMB 1.0 for legacy clients. Here’s what automatically occurs with SMB:

You’ve probably heard some of Microsoft’s “Better Together” marketing campaigns. That’s not just marketing for marketing’s sake. SMB is one example where you’ll truly enjoy better performance when you match up new technologies with each other. A network running Windows Server 2012 R2 servers but still running Windows 7 desktops won’t be using SMB 3.0. If it’s a busy network, the difference will be noticeable.
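The SMB cmdlets mentioned above make it easy to see which dialect each client actually negotiated and to turn on the SMB 3.0 protections this section describes. This is an added example, not from the book; the share name is a placeholder, and the RejectUnencryptedAccess setting is the one that locks out the legacy SMB 1.0/2.0 clients the compatibility table covers, so check the dialect list first.

```powershell
# Added example (not from the book). Run on the Windows Server 2012 R2 file
# server; "Finance" is a placeholder share name.
Import-Module SmbShare

# Which SMB version each connected client negotiated. Anything below 3.x is a
# legacy client (Windows 7, Server 2008 R2, ...) that gets none of the SMB 3.0
# features and would be refused once unencrypted access is rejected.
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens |
    Sort-Object Dialect

# SMB Encryption per share: the same setting as the New Share Wizard check box
Set-SmbShare -Name "Finance" -EncryptData $true -Force

# Or server-wide: encrypt every share and refuse clients that cannot encrypt
Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force

# SMB signing (AES-CMAC on SMB 3.0 sessions, HMAC-SHA256 on SMB 2.x): require
# it from every client rather than merely offering it
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# SMB Multichannel: which client/server interface pairs a session is using,
# and whether the adapters are RSS- or RDMA-capable (SMB Direct)
Get-SmbMultichannelConnection |
    Select-Object ClientIpAddress, ServerIpAddress, ClientRSSCapable, ClientRdmaCapable

# Verify the resulting server and share configuration
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol, EncryptData,
                  RejectUnencryptedAccess, RequireSecuritySignature
Get-SmbShare | Select-Object Name, EncryptData, ContinuouslyAvailable
```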

SMB Security

This server edition has introduced a number of security improvements in SMB 3.0, among them a new algorithm for SMB signing, AES-CMAC. CMAC is based on a symmetric-key block cipher, the Advanced Encryption Standard (AES), whereas the HMAC used in SMB 2.0 is based on a hash function, the Secure Hash Algorithm (SHA). AES was the specification adopted by the U.S. government in 2002 and was approved by the National Security Agency for encryption of top secret information.

AES-CMAC provides stronger assurance of data integrity than a checksum or an error-detecting code. CMAC is designed to detect intentional, unauthorized modifications of the data, as well as accidental modifications. The verification of an error-detecting code or of a checksum detects only accidental modifications of the data.

HMAC SHA-256 used in SMB 2.0 provides data integrity—assurances that the data hasn’t been modified. Although SMB 1.0 also provides data integrity, the security is better with HMAC SHA-256 and best with AES-CMAC.

A hash is simply a number created by performing a hashing algorithm on a packet, message, or file. As long as the packet is the same (not modified), the hashing algorithm will always provide the same hash (the same number). Generically, a hash provides data integrity to packets, messages, or files by following these steps:

1. Create the packet.
2. Calculate the hash on the packet.
3. Send the packet and hash to their destination.
4. The destination calculates the hash on the received packet and compares it to the received hash:

However, if an attacker could modify the data in transit, why not modify the hash in transit too? To prevent this, the hash is encrypted with a session key known only to the client and the server. This is called digitally signing the packet in SMB 1.0 and 2.0. The process is as follows:

1. Create the packet.
2. Calculate the hash on the packet.
3. Encrypt the hash with a session key (or shared key).
4. Send the packet with the encrypted hash.
5. The receiver decrypts the encrypted hash.
6. The receiver calculates the hash on the received packet.
7. The receiver compares the two hashes to determine whether integrity is lost.

Enabling digital signing for SMB 1.0 packets could decrease performance by as much as 10 to 15 percent. Although you’ll still see a performance hit with SMB 2.0, it won’t be as great. One of the primary reasons is that SMB 2.0 is streamlined, resulting in fewer packets being sent and fewer packets needing to be signed.
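The seven signing steps above, worked through with HMAC-SHA256 from .NET, the keyed-hash construction SMB 2.0 uses. This is an added example, not from the book: the session key and packet bytes are constructed for the demonstration, and a real SMB session derives its signing key during session setup rather than from a fixed value.

```powershell
# Added example (not from the book). Session key and packet are constructed.
$enc = [System.Text.Encoding]::UTF8

function Get-PacketSignature {
    param([byte[]]$Packet, [byte[]]$SessionKey)
    # Steps 2-3: hash the packet under the shared session key. Because the key
    # is mixed into the hash, a party that lacks it cannot produce a valid value.
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$SessionKey)
    try     { return ,($hmac.ComputeHash($Packet)) }
    finally { $hmac.Dispose() }
}

function Test-PacketSignature {
    param([byte[]]$Packet, [byte[]]$Signature, [byte[]]$SessionKey)
    # Steps 5-7: the receiver recomputes the signature over what it received
    # and compares every byte, without stopping at the first mismatch.
    $expected = Get-PacketSignature -Packet $Packet -SessionKey $SessionKey
    if ($expected.Length -ne $Signature.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) {
        $diff = $diff -bor ($expected[$i] -bxor $Signature[$i])
    }
    return ($diff -eq 0)
}

# Constructed 16-byte session key, known only to client and server
$sessionKey = [byte[]](1..16)

# Step 1: build the packet; step 4: packet and signature travel together
$packet    = $enc.GetBytes("SMB2 WRITE \\FS01\Payroll\salaries.xlsx offset=0 len=4096")
$signature = Get-PacketSignature -Packet $packet -SessionKey $sessionKey
$packetOk  = Test-PacketSignature -Packet $packet -Signature $signature -SessionKey $sessionKey

# The same signature checked against a packet altered in transit. This is
# the case the text raises: the receiver detects the change, and whoever
# altered the packet could not recompute a matching signature without
# $sessionKey, which a plain unkeyed hash would have allowed.
$altered   = $enc.GetBytes("SMB2 WRITE \\FS01\Payroll\salaries.xlsx offset=0 len=8192")
$alteredOk = Test-PacketSignature -Packet $altered -Signature $signature -SessionKey $sessionKey

[pscustomobject]@{
    SignatureHex            = [System.BitConverter]::ToString($signature)
    UntouchedPacketVerifies = $packetOk
    AlteredPacketVerifies   = $alteredOk
}
```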

Implementing BitLocker

BitLocker Drive Encryption is a technology designed to provide protection for entire disk drives. BitLocker To Go is a newer technology that came out with Windows 7 and is designed to allow you to encrypt USB flash drives. Our focus here will simply be using BitLocker Drive Encryption to secure drives on Server 2012.

The primary vision of BitLocker is to encrypt data on hard drives so that if the hard drive is stolen or lost, the data can’t be accessed. This has significant application with laptops and servers located where physical security is weak. Laptops are easy to pilfer—people leave them in a conference room for lunch or forget them on a chair, and quickly they’re gone.

Similarly, servers located in remote office locations often have weak physical security, or at least weaker physical security than the main business location. You probably have very strong physical security in your primary server room, but your server in a remote office may be hidden behind a closet door that can be jimmied with a crowbar or even a credit card.


BitLocker Enhances Physical Security
BitLocker enhances physical security but can’t protect against all possible attacks. Malware such as rootkits can introduce weaknesses that might allow access to data if the computer is later stolen.

Additionally, if disk drives on a decommissioned server are not cleaned, they may include data you wouldn’t want shared. BitLocker will protect this data from being used inappropriately.

On the surface, it may look like the data on these drives is protected through permissions. However, an attacker could set up a domain and place his account in Enterprise Admins. If he had physical access to your server, he could then remove the drive from your server, place it into his server, and easily take ownership of all the files. At that point, he would own all your data. However, if the files are encrypted, it will be much more difficult to access the data—we hesitate to say impossible, but it will be difficult enough to deter the vast majority of attackers.

What’s New in BitLocker

Microsoft has added some new and exciting features to BitLocker with the release of Windows 8 and Windows Server 2012. BitLocker can now be provisioned before the installation, and then only used disk space will need to be encrypted. This saves you a lot of time on both sides of the install. One of the downfalls of the original BitLocker release was how long it took to encrypt a drive. I’m very glad to see the vast performance increases in this Server Edition of BitLocker. Following are some new features and functionality of the latest release:

BitLocker Provisioning Using the Windows Preinstallation Environment (WinPE), administrators can now enable BitLocker prior to operating system deployment.
Used Disk Space Only Encryption This feature allows for a much faster encryption experience by only encrypting the used disk space. There are two encryption methods: Full Volume Encryption and Used Disk Space Only.
Standard User PIN and Password Change Administrative privileges are still required to configure BitLocker, but now standard users are given the ability to change the PIN or password for the operating system volume or a fixed-data volume by default.
Network Unlock Network Unlock is a new BitLocker protector option for operating system volumes in Windows Server 2012 R2. Domain machines joined to a trusted wired network can have the system volume unlocked upon a system reboot. This is very useful when a PIN is lost.
Support for Encrypted Hard Drives for Windows Windows 8 and Windows Server 2012 now include BitLocker Support for Encrypted Hard Drives. BitLocker will support pre-encrypted Windows hard drives from the manufacturer.
Encryption for Clustered Shared Volumes BitLocker volume encryption is supported for failover clusters that are running Windows Server 2012 R2. In an Active Directory environment running at a Windows Server 2012 domain functional level, both traditional clustered disks and clustered shared volumes can use volume-level encryption provided by BitLocker. Each node performs decryption by using the computer account, called the cluster name object (CNO). Doing this enables physical security for deployments outside a secure data center and helps meet compliance requirements for volume-level encryption.

Hardware Requirements

To provide the best protection, your hardware should include Trusted Platform Module (TPM) version 1.2. TPM 1.2 is a hardware component built into the computer, typically on the motherboard.

If the system has TPM 1.2 and BitLocker has been enabled, the system will do an integrity check when it boots up. If it senses changes in the hardware that indicate the hard drive is in a different computer, the drive will lock. It will stay locked until it is manually unlocked using a recovery key.

However, many computers don’t have TPM 1.2. There are alternatives that can be used to encrypt drives with BitLocker:

Password BitLocker can encrypt the drive, and a password can be used to unlock it.
Smart Card BitLocker can encrypt the drive, and a smart card with a PIN can be used to unlock the drive.

You select TPM, a password, or a smart card when enabling BitLocker on a specific drive. In Figure 13.30, the system does not have a TPM, so only the password and smart card options are shown.

Figure 13.30 Unlocking a BitLocker-protected drive


It’s also possible to select the option to have the drive automatically unlock when accessed on the same computer. This requires that the drive hosting Windows be also protected by BitLocker. When used this way, the encryption will be apparent only when the drive is moved to another computer (or enough hardware is changed in the current computer to make BitLocker think the drive has been moved).

BitLocker can be implemented on partitions without encrypting the entire drive. For example, if your system has a single physical hard drive divided into two partitions (C and D), you can lock the D drive with BitLocker without locking the C drive.

Recovery Key

The BitLocker recovery key can be used if TPM detects that the drive has been moved onto a different computer. Once TPM detects that it has been moved (or the hardware has been changed), it will lock the drive until the recovery key is used to unlock it.

BitLocker includes a recovery mechanism in case the password is forgotten or the smart card is lost. Microsoft recommends that you save the recovery key to Active Directory Domain Services, save it to a file, print it, or store it in a safe place. The BitLocker wizard gives you three options:

This key should be protected at a level comparable to the data stored on the drive. In other words, if you have secret proprietary data on the drive, protect the key as if it were secret proprietary data.

Enabling BitLocker

BitLocker is not enabled by default. Before you can enable BitLocker, you must first add the BitLocker Drive Encryption feature. If you recall from our adding roles exercise in the beginning of the chapter, we have already enabled the BitLocker role. Please refer to that exercise if you need to refresh yourself on the process of adding the role to the server. The following steps assume that TPM 1.2 is not available on your system and the BitLocker role is already installed on the server.

1. Launch Control Panel, and click System and Security.
At this point, you’ll see the BitLocker Drive Encryption feature in the System and Security Center. If you looked here before adding the feature, it didn’t appear.

Searching Control Panel
Control Panel has a neat feature that is quite valuable but easily overlooked. In the upper-right corner is a search box. You can type in any search term (such as BitLocker or User), and it’ll list only the relevant applets. This is also available in Windows Vista, Windows 7, Windows 8, and Windows Server 2008. Now if they could only make this feature available for Group Policy.

2. Click BitLocker Drive Encryption. You’ll see a display similar to Figure 13.31.

Figure 13.31 Turning on BitLocker Drive Encryption

3. Click Turn on BitLocker.
The BitLocker Drive Encryption page will be displayed, allowing you to select how to unlock this drive. Without TPM installed, the two options present are Use a Password and Use a Smart Card.
4. Select Use a Password to Unlock the Drive, and enter your password twice.
Alternatively, if you have a smart card and the system supports smart card usage, you could choose to protect it with a smart card.
5. Click Next.
6. Select Save the Recovery Key to a File. Browse to a location on your computer, and click Save.
Ideally, you’d save this file on a separate drive (such as a USB flash drive). If you attempt to save the file on the same physical drive, you’ll be prompted to save it somewhere else, but you can click Yes to override the prompt.
7. Click Next.
The next page allows you to select how much of your drive to encrypt. Here you can use the new Encrypt Used Disk Space Only feature. If you choose Encrypt Entire Drive, it can take quite a while depending on the size of the drive. We’ve seen 1 GB take about 30 seconds, so if you have a 500 GB drive, this might be a good time for a break if you were to select that option.
8. Keep the default and click Next.
The next page has you verify that you wish to encrypt this drive.
9. When you are ready, click Start Encrypting. A progress bar is displayed.
10. Click Close once the process is completed.
If you reboot your system, the drive will be listed as encrypted and won’t be accessible.
11. You can unlock it by right-clicking the drive and selecting Unlock Drive, as shown in Figure 13.32. Enter your password and unlock the drive.

Figure 13.32 Unlocking an encrypted drive

Once the drive is unlocked, you can access the data normally.
12. Right-click the drive, and select Manage BitLocker.
This menu gives you the ability to change the password and manipulate other options for the drive.
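The same steps, from checking for a TPM through unlocking the drive after a reboot, done with the BitLocker module instead of Control Panel. This is an added example, not from the book; it assumes the BitLocker feature is already installed, that D: is the data volume being protected, and that E: is a separate drive for the recovery file. The AD DS backup line additionally assumes the domain has been prepared for BitLocker recovery information.

```powershell
# Added example (not from the book). D: and E: are placeholder drive letters.
Import-Module BitLocker

# Hardware Requirements: is a TPM 1.2 present and ready? Without one, the
# only unlock options are a password or a smart card, as in Figure 13.30.
Get-Tpm | Select-Object TpmPresent, TpmReady

# Steps 3-5 (password protector) and step 7 (used disk space only)
$password = Read-Host -Prompt "BitLocker password for D:" -AsSecureString
Enable-BitLocker -MountPoint "D:" -PasswordProtector -Password $password `
                 -UsedSpaceOnly -EncryptionMethod Aes256

# Step 6: add a recovery password and save it to a file on a different drive
$volume  = Add-BitLockerKeyProtector -MountPoint "D:" -RecoveryPasswordProtector
$recovery = $volume.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
New-Item -ItemType Directory -Path "E:\BitLockerRecovery" -Force | Out-Null
"Volume D: recovery password: $($recovery.RecoveryPassword)" |
    Out-File -FilePath "E:\BitLockerRecovery\D-recovery.txt"

# Microsoft's recommendation: also escrow the recovery password in AD DS
Backup-BitLockerKeyProtector -MountPoint "D:" -KeyProtectorId $recovery.KeyProtectorId

# Steps 9-10: watch encryption progress and protection status
Get-BitLockerVolume -MountPoint "D:" |
    Select-Object VolumeStatus, EncryptionPercentage, ProtectionStatus, KeyProtector

# Step 11: after a reboot the volume is locked; unlock it with the password
Unlock-BitLocker -MountPoint "D:" -Password $password
```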

BitLocker To Go
BitLocker To Go is a great capability that’s easy to use once you’ve added the feature to the server.
1. Access BitLocker Drive Encryption via Control Panel.
2. Insert your USB flash drive, and click Turn On BitLocker.
3. Enter a password, save your recovery key, and click Start Encrypting.
If the drive is placed into another computer, it won’t be readable.
However, you can insert the drive into another computer and enter the password when prompted, and you’ll have access to all your data. Although it works best on Windows 8 or Windows Server 2012 R2, you can also access your data on other systems such as Windows 7 by launching the BitLockerToGo.exe file to decrypt and copy the data.
Many organizations are taking extra steps to protect “data at rest,” and BitLocker To Go looks like it will meet those needs. We fully expect it to be widely used in the near future.

Using Offline Files/Client-Side Caching

If you have laptop users in your network environment, you’ll love the Offline Files or Client-Side Caching (Microsoft uses both names interchangeably) feature. In fact, it will appeal to almost anyone who uses a network. Offline Files provides three main advantages: it makes the network appear faster to its users, smoothes out network “hiccups,” and simplifies the task of keeping laptop files and server files in sync.

How Offline Files Works

Offline Files is enabled on shares hosted on a server. When enabled, it automatically caches accessed files, storing the cached copies in a folder on a local hard drive (a folder not surprisingly called Offline Files). It then uses those cached copies to speed up network access (or apparent network access), because subsequent accessing of a file can be handled out of the local hard disk’s cached copy rather than over the network.

This is great for users on the road. Offline Files can use the cached copies of the files to act as a stand-in for the network if it isn’t present (as it isn’t for mobile users) or even if the network has failed.

Offline Files uses a write-through caching mechanism; when you write a file out, it goes to the network location to save it, and it is also cached to your local hard disk. And when you want to access a file that Offline Files has cached, Offline Files would prefer to give you the cached (and faster) copy, but first Offline Files checks that the file hasn’t changed at the server by examining the file date, time, and size both on the server and in the cache. If they’re the same, then Offline Files can give you the file out of the cache without any worries; otherwise, Offline Files fetches the network copy so you have the most up-to-date copy.

Offline Files increases the chances that it has the most up-to-date copies of your cached files by doing background synchronizations in several user-definable ways. This synchronization is largely invisible to the user, who simply utilizes the share over the network.

You’ll like Offline Files for several reasons:

Always Offline Mode This new configurable feature in Windows 8 and Windows Server 2012 provides an improved user experience with faster access to files and lower bandwidth usage by always working offline. Unlike previous editions that switched from online to offline depending on network connectivity, Always Offline Mode stays offline even when connected through a high-speed network connection. Windows will automatically update files by synchronizing with the Offline Files cache. This new feature helps drive better performance. Always Offline Mode requires the machine to be domain joined and have Group Policy Management installed to be configured for use.
Faster Access Because these oft-used cached files will reside on the local hard disk in the Offline Files folder, you’ll immediately see what seems to be an increase in network response speed. Opening a file that appears to be on the network but that is really in a local disk folder will yield apparently stunning improvements in response time, because little or no actual network activity is required.
Reduced Network Traffic Since cached files don’t need to be retransmitted over the LAN, network traffic is reduced. Having frequently used files in a local cache folder also solves the problem of “What do I do when the network’s down and I need a file from a server?” If you try to access a file on a server that’s not responding (or if you’re not physically connected to the network), Offline Files shifts to “offline” mode. When in offline mode, Offline Files looks in your local Offline Files network cache and, if it finds a copy of that file in the cache, it delivers the file to you just as if the server were up, running, and attached to the user’s workstation.
Automatic Synchronization Anyone who’s ever had to get ready for a business trip knows two of the worst things about traveling with a laptop: the agony of getting on the plane only to realize that you’ve forgotten one or two essential files and the irritation of having to remember when you return to make sure that whatever files you changed while traveling get copied back to the network servers. Offline Files greatly reduces the chance of the first of those problems because, again, often-used files can be configured to automatically end up in the local network cache folder. It greatly reduces the work of the second task by automating the laptop-to-server file synchronization process.

BranchCache

BranchCache is designed to optimize the availability of data in branch offices that are connected with slower WAN links. When enabled, BranchCache allows data to be cached on computers in the remote office for use by other computers in the remote office.

Imagine your company headquarters is located in Colorado Springs and a branch office in Tampa is connected to it over a slower link. If users in Tampa needed to access data shared from a server in Colorado Springs, they’d have to connect over the WAN link, even if they had just accessed and closed the file a moment previously.

With BranchCache, files can be cached on a computer in the remote office after they are accessed the first time. Users who need to access the file later can access the locally cached copy. BranchCache still checks to ensure the file is the most recent version, but a quick round-trip check of the timestamp is much quicker than downloading the entire file again.

BranchCache supports two modes:

Hosted Cache Data is hosted on one or more servers in the remote office running either Windows Server 2008 R2 or a later Windows Server operating system like Windows Server 2012 R2.
Distributed Cache Data is hosted on PCs in the branch office. A server is not needed, but data can only be cached on Windows 7 and Windows 8 computers. Older client OS versions are not supported for hosting.

BranchCache is supported on Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 servers, as well as Windows Vista, Windows 7, and Windows 8 clients. You can’t enable BranchCache on server versions before Windows Server 2008 R2 or client versions older than Windows Vista. When using Distributed Cache mode, data will be cached only on Windows 7 and Windows 8 computers, but a computer running Windows Vista can still access data cached using BranchCache even though the Windows Vista machine cannot be a host. Before BranchCache can be enabled, it must be added as a role service under the File and Storage Services role.

Group Policy includes several settings that you can use to enable and manage BranchCache. These settings are located in the Computer Configuration\Policies\Administrative Templates\Network\BranchCache node of Group Policy.

Enabling Offline Files on the Server

Offline Files is relatively easy to enable on the server. There are two ways to enable caching of the share. You can enable this setting on the Other Settings page of the New Share Wizard when creating a new share, or if the share is already created you can modify the share properties.

1. Launch Server Manager and browse to the Shares tab of File and Storage Services, where you’ll see all the shares that are currently shared on the network.
2. Right-click any of the available shares and then select Properties.
3. Click the Settings button, and then select the Caching tab.

Your display will look similar to Figure 13.33. On this page you can enable both caching of the share and BranchCache if it is not already enabled.
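The Caching tab settings above map directly onto the CachingMode property of a share, which the SmbShare cmdlets expose. This is an added example, not from the book; the share names are placeholders, and the BranchCache step assumes the role service is not yet installed.

```powershell
# Added example (not from the book). "UserDocs" and "BranchData" are
# placeholder share names.
Import-Module SmbShare

# Audit what every share currently allows clients to cache.
# CachingMode values: None, Manual, Documents, Programs, BranchCache
Get-SmbShare | Select-Object Name, Path, CachingMode

# Offline Files on a user-data share: cache documents users open automatically
Set-SmbShare -Name "UserDocs" -CachingMode Documents -Force

# BranchCache first needs its role service under File and Storage Services,
# then the share is switched to the BranchCache caching mode
Install-WindowsFeature FS-BranchCache
Set-SmbShare -Name "BranchData" -CachingMode BranchCache -Force

# Shares that should never be cached on client disks (for example,
# sensitive data you only want read while connected) can be set to None
Set-SmbShare -Name "Finance" -CachingMode None -Force

Get-SmbShare -Name "UserDocs", "BranchData", "Finance" |
    Format-Table Name, CachingMode -AutoSize
```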

Figure 13.33 Viewing Offline Files settings


While this section explained Offline Files and showed you how to configure it on the server, it needs to be configured on the client side as well. Different client operating systems (Windows XP, Windows Vista, Windows 7, and Windows 8) approach this differently. You can check out these web links for different clients:

http://support.microsoft.com/kb/307853

http://windows.microsoft.com/en-US/windows-vista/Working-with-network-files-when-you-are-offline

http://www.windows7update.com/Windows7-Offline-Files.html

http://technet.microsoft.com/en-us/library/hh848267

The Bottom Line

Install additional File and Storage Services roles on a server. The File and Storage Services role includes services designed to optimize serving files from the server. A significant addition is the File Server Resource Manager role, which can be used to manage quotas, to add file screens, and to produce comprehensive reports.
Master It How do you add FSRM to the server?
Combine share and NTFS permissions. When a folder is shared from an NTFS drive, it includes both share permissions and NTFS permissions. It’s important to understand how these permissions interact so that users can be granted appropriate permission.
Master It Maria is in the G_HR and G_HRManagers groups. A folder named Policies is shared as Policies on a server with the following permissions:
NTFS: G_HR Read, G_HR_Managers Full Control
Share: G_HR Read, G_HR Change
What is Maria’s permission when accessing the share? What is her permission when accessing the folder directly on the server?
Implement BitLocker Drive Encryption. BitLocker Drive Encryption allows you to encrypt an entire drive. If someone obtains the drive that shouldn’t have access to the data, the encryption will prevent them from accessing the data.
Master It What are the hardware requirements for BitLocker Drive Encryption, and what needs to be done to the operating system to use BitLocker?