Managing File Share Access and Volume Usage


Managing access to file shares and data can be relatively simple if the administrator understands each of the options available in Windows Server 2003. Windows Server 2003 provides several tools and services that can make securing data access simple. The security options for files and folders on a volume are directly related to the file system format of that volume and the method by which the data is accessed. For example, a FAT- or FAT32-formatted volume cannot secure data at the file and folder level, but an NTFS volume can.

Using a FAT volume, administrators do not have many options when it comes to managing data access from the network. The only option that can be configured is setting permissions on the file share. The end user's access is granted or denied using only the file share permissions that apply to every file and folder within.

NTFS volumes provide several data access options: share permissions, as on FAT volumes, plus file- and folder-level security. To manage data usage, user-based quotas can also be configured on a volume. The user quota determines how much data a single end user can store on a volume. NTFS volumes can also be managed by Remote Storage to automatically archive data to remote media when it hasn't been accessed for an extended period of time or when a drive reaches a capacity threshold that triggers file migration or archiving.

Managing File Shares

File shares can be created on FAT, FAT32, and NTFS volumes. When a file share is created, share options (including the share name, description, share permissions limiting the number of simultaneous connections, and the default offline file settings) can be configured. There are many ways to create a share, but in the following example, you will use the Share a Folder Wizard.

To create and configure a file share, follow these steps:

1. Log on to the desired server using an account with Local Administrator access.

2. Click Start, All Programs, Administrative Tools, Computer Management.

3. In the left pane, if it is not already expanded, double-click Computer Management (local).

4. Click the plus sign next to System Tools and then click the plus sign next to Shared Folders.

5. Right-click the Shares icon and choose New Share.

6. After the Share a Folder Wizard opens, click Next on the Welcome screen.

7. Enter the path of the folder you want to share and click Next to continue.

8. If you don't know the folder path or it does not exist, click the Browse button to locate the correct drive letter and select or create the folder. Then click OK to create the path and click Next on the Folder Path page to continue.

9. On the Name, Description, and Settings page, enter the share name, description, and offline settings, as displayed in Figure 30.2.

Figure 30.2. Entering the file share configurations.

10. The default offline settings allow the end users to designate whether to synchronize share data locally. Accept the default settings or change the offline settings option by clicking the Change button, selecting the appropriate radio button, and clicking OK. Click Next to continue.

11. On the Permissions page, specify which permissions configuration option suits the needs of the share. The default is to allow read-only access to everyone. Select the correct radio button and click Finish. If custom share permissions are required, click the Customize button, create the permissions, and click Finish on the Permissions page when you're done.

12. If sharing was successful, the next page displays the summary. Click the Close button.

13. Back in Computer Management, right-click the new share in the right pane and select Properties.

14. On the General tab, configure the user limit.

15. If the server is a member of an Active Directory domain, you can select the Publish page and publish the share in Active Directory. To do so, use a description and keywords to locate the share by querying Active Directory.

16. If the shared folder resides on an NTFS volume, a Security page is displayed. Set the permissions appropriately for the shared directory.

17. After all the pages are configured, click OK on the Share Properties page to save changes.

18. Close Computer Management and log off the server.

As a best practice, always define share permissions for every share regardless of the volume format type. When a share is first created, the default permission is set to grant the Everyone group read permissions. This may meet some share requirements for general software repositories, but it is not acceptable for user home directories, public or shared data folders, or shares that contain service logs that will be updated by remote systems.

The level of permission set at the share level must grant enough access to enable users to access their data and modify or add more data when appropriate.

Tip

As a general guideline, when shares are created on domain servers and anonymous or guest access is not required, replace the Everyone group with the Domain Users group and set the share permissions accordingly.


Client-Side Caching

To improve the reliability and availability of shared folders, NTFS partitions allow users to create local offline copies of files and folders contained within a file share. The feature is called client-side caching (CSC), but the common name for such files is offline files. Offline files are stored on a local user's machine and are used when the server copy is not available. The offline files synchronize with the server at logon, logoff, and when a file is opened or saved.

Offline files can be configured on a per-share basis using the shared folder's share property page. To configure client-side caching or offline file options, perform the following steps:

1. Log on to the desired file server with Local Administrator access.

2. Click Start, My Computer.

3. Double-click the drive containing the shared folder.

4. Locate the shared folder, right-click it, and select Sharing and Security.

5. Click the Offline Settings button at the bottom of the page.

6. Select the appropriate offline settings, as displayed in Figure 30.3, and click OK to close the Offline Settings window.

Figure 30.3. Granting users the right to define offline file and folder settings.

7. Click OK in the Folder window to apply the changes, close the window, and log off the server.

Caution

If roaming user profiles are used on a network, do not enable client-side caching on the file share because doing so may corrupt the end user's profile. By default, roaming user profiles are already copied down to the local server or workstation when the user logs on. Forcing the folder to synchronize with the server may cause user settings to be lost. User profile management can be configured using Group Policy. The settings are located in Computer Configuration\Administrative Templates\System\User Profiles.
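The following Python script is an added example, not code from the book. It audits share definitions for the two conditions this section warns about: the default Everyone grant left on a share that is not a general software repository, and client-side caching left enabled on a share that holds roaming profiles. It assumes text in the layout of `net share <name>` output; the sample data, the COMPANYABC domain, and the `software_repos` and `profile_shares` parameters are constructed for illustration.

```python
import re

# Constructed sample in the layout assumed for `net share <name>` output.
SAMPLE = r"""
Share name        Software
Caching           Manual caching of documents
Permission        Everyone, READ

Share name        Home
Caching           Manual caching of documents
Permission        Everyone, READ
                  COMPANYABC\Domain Admins, FULL

Share name        Profiles$
Caching           Automatic caching of documents
Permission        COMPANYABC\Domain Users, FULL
"""

def parse_shares(text):
    """Return one dict per share: name, caching mode, [(principal, level)]."""
    shares = []
    for block in re.split(r"\n\s*\n", text.strip()):
        share = {"name": "", "caching": "", "perms": []}
        for line in block.splitlines():
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
            # Indented lines continue the Permission list of the same share.
            if line[:1].isspace() or parts[0] == "Permission":
                principal, _, level = parts[-1].rpartition(",")
                share["perms"].append((principal.strip(), level.strip().upper()))
            elif parts[0] == "Share name":
                share["name"] = parts[1]
            elif parts[0] == "Caching":
                share["caching"] = parts[1]
        shares.append(share)
    return shares

def audit(shares, software_repos=(), profile_shares=()):
    """Flag the two conditions the section warns about."""
    findings = []
    for s in shares:
        everyone = [lvl for who, lvl in s["perms"] if who.lower() == "everyone"]
        # Everyone/READ is tolerated only on shares listed as software repositories.
        if everyone and not (s["name"] in software_repos and everyone == ["READ"]):
            findings.append((s["name"], "Everyone granted " + "/".join(everyone)))
        if s["name"] in profile_shares and "disabled" not in s["caching"].lower():
            findings.append((s["name"], "client-side caching enabled on profile share"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(parse_shares(SAMPLE), {"Software"}, {"Profiles$"}):
        print(f"{name}: {issue}")
```
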





Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
EAN: 2147483647
Year: 2006
Pages: 499
