Managing access to file shares and data can be relatively simple if the administrator understands each of the options available in Windows Server 2003, which provides several tools and services for securing data access. The security options for files and folders on a volume depend directly on the file system format of that volume and on the method by which the data is accessed. For example, a FAT- or FAT32-formatted volume cannot secure data at the file and folder level, but an NTFS volume can. On a FAT volume, administrators have few options for managing data access from the network: the only configurable option is the set of permissions on the file share itself. An end user's access is granted or denied using only the file share permissions, which apply to every file and folder within the share. NTFS volumes provide share permissions just as FAT volumes do, but also file- and folder-level security; and to manage data usage, user-based quotas can be configured on a volume. The user quota determines how much data a single end user can store on the volume. NTFS volumes can also be managed by Remote Storage, which automatically archives data to remote media when it has not been accessed for an extended period of time or when a drive reaches a capacity threshold that triggers file migration or archiving.

Managing File Shares

File shares can be created on FAT, FAT32, and NTFS volumes. When a file share is created, the share options can be configured, including the share name, description, share permissions, a limit on the number of simultaneous connections, and the default offline file settings. There are many ways to create a share, but in the following example, you will use the Share a Folder Wizard. To create and configure a file share, follow these steps:
As a best practice, always define share permissions for every share regardless of the volume format type. When a share is first created, the default permission grants the Everyone group Read access. This may meet the requirements of a general software repository, but it is not acceptable for user home directories, public or shared data folders, or shares that contain service logs updated by remote systems. The permissions set at the share level must grant enough access for users to reach their data and to modify it or add more when appropriate.

Tip

As a general guideline, when shares are created on domain servers and anonymous or guest access is not required, replace the Everyone group with the Domain Users group and set the share permissions accordingly.

Client-Side Caching

To improve the reliability and availability of shared folders, NTFS partitions allow users to create local offline copies of files and folders contained within a file share. The feature is called client-side caching (CSC), but the common name for such files is offline files. Offline files are stored on the local user's machine and are used when the server copy is not available. They synchronize with the server at logon, at logoff, and when a file is opened or saved. Offline files can be configured on a per-share basis using the shared folder's share property page. To configure client-side caching or offline file options, perform the following steps:
Caution

If roaming user profiles are used on a network, do not enable client-side caching on the file share because doing so may corrupt the end user's profile. By default, roaming user profiles are already copied down to the local server or workstation when the user logs on. Forcing the folder to synchronize with the server may cause user settings to be lost. User profile management can be configured using Group Policy. The settings are located in Computer Configuration\Administrative Templates\System\User Profiles.
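To check the share-permission guidance above (the Tip about replacing the Everyone group with Domain Users) against a running server, the following is an added audit script, not code from the book. It assumes Windows PowerShell is available on the server or on an administrative workstation that can reach it over WMI, and uses only WMI classes present on Windows Server 2003 (Win32_Share, Win32_LogicalShareSecuritySetting); the $ComputerName parameter is an assumption of this example.

```powershell
# Added audit script (not from the book): lists every non-administrative disk share and
# flags share-level ACEs that grant access to Everyone (well-known SID S-1-1-0).
# Run with local administrator rights on the target server.
param(
    [string]$ComputerName = '.'   # '.' = local machine (assumed parameter, not from the book)
)

# Share access masks as they appear in a share DACL: Read, Change, Full Control
$ShareRights = @{ 1179817 = 'Read'; 1245631 = 'Change'; 2032127 = 'Full Control' }

# Type 0 = ordinary disk share; administrative shares (C$, ADMIN$, IPC$) use other types
# and their permissions cannot be changed, so they are skipped.
$shares = Get-WmiObject -Class Win32_Share -ComputerName $ComputerName |
    Where-Object { $_.Type -eq 0 -and $_.Name -notmatch '\$$' }

foreach ($share in $shares) {
    $setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
        -ComputerName $ComputerName -Filter "Name='$($share.Name)'"
    if (-not $setting) { continue }

    $result = $setting.GetSecurityDescriptor()
    if ($result.ReturnValue -ne 0) {
        Write-Warning "$($share.Name): could not read share DACL (WMI return code $($result.ReturnValue))"
        continue
    }

    # An empty DACL simply produces no output lines for this share
    foreach ($ace in $result.Descriptor.DACL) {
        $trustee = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } `
                   else { $ace.Trustee.Name }
        $right = $ShareRights[[int]$ace.AccessMask]
        if (-not $right) { $right = ('0x{0:X}' -f $ace.AccessMask) }   # unusual mask: show raw value
        $kind = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }    # AceType 0 = allowed, 1 = denied

        $flag = ''
        if ($ace.Trustee.SIDString -eq 'S-1-1-0' -and $ace.AceType -eq 0) {
            # Matches the book's guideline: on domain servers that do not need guest or
            # anonymous access, Everyone should be replaced with Domain Users.
            $flag = '  <-- Everyone has share access; review and replace with Domain Users'
        }
        '{0,-20} {1,-5} {2,-14} {3}{4}' -f $share.Name, $kind, $right, $trustee, $flag
    }
}
```

Shares that still show the default Everyone/Read entry are the ones the Tip says to revisit; the script only reports and changes nothing.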