In this post, configure server roles and features (MCSA) I will cover some of the fundamental services that most Windows servers perform. In the business world, file and printer sharing were the reasons computers were networked in the first place, and with Windows Server 2012 R2, remote management has become a critical element of server administration.
Configure File And Share Access
One of the critical daily functions of server administrators is deciding where users should store their files and who should be permitted to access them.
Creating Folder Sharing
Creating folder sharing makes folder accessible to network users. After you have configured the disks on a file server, you must create folder sharing to enable network users to access them. Also you should have a folder sharing strategy in place by the time you are ready to create your folder sharing.
This strategy should consist of the following information:
- What folders you will share
- What names you will assign to the shares
- What permissions you will grant users to the shares
- What Offline Files settings you will use for the shares
If you have the necessary permissions for a folder, you can share it on a Windows Server 2012 R2 computer by right-clicking the folder in any File Explorer window, selecting Share With, Specific People from the shortcut menu, and following the instructions in the File Sharing dialog box, as shown in Figure 1.
This method of creating folder sharing provides a simplified interface that contains only limited control over elements such as share permissions. You can specify only that the share users receive Read permissions or Read/Write permissions to the share. If you are not the Creator Owner of the folder, you can access the Sharing tab of the folder’s Properties sheet instead. Clicking the Share button launches the same File Sharing dialog box. Clicking the Advanced Sharing button displays the Advanced Sharing dialog box, shown in Figure 2, which provides greater control over share permissions.
To take control of the shares on all your disks on all your servers and exercise granular control over their properties, you can use the File and Storage Services home page in Server Manager.
Windows Server 2012 R2 supports two types of folder shares:
- Server Message Blocks (SMB) SMB is the standard file sharing protocol used by all versions of Windows
- Network File System (NFS) NFS is the standard file sharing protocol used by most UNIX and Linux distributions
When you install Windows Server 2012 R2, the setup program installs the Storage Services role service in the File and Storage Services role by default. However, before you can create and manage SMB shares by using Server Manager, you must install the File Server role service; to create NFS shares, you must install the Server for NFS role service.
To create a folder sharing by using Server Manager, use the following procedure.
- In Server Manager, click the File and Storage Services icon and, in the sub-menu that appears, click Shares. The Shares home page appears.
- From the Tasks menu, select New Share. The New Share Wizard starts, displaying the Select The Profile For This Share page, as shown in Figure 3.
- From the File Share Profile list, select one of the following options:
- SMB Share–Quick Provides basic SMB sharing with full share and NTFS permissions
- SMB Share–Advanced Provides SMB sharing with full share and NTFS permissions and access to services provided by File Server Resource Manager
- SMB Share–Applications Provides SMB sharing with settings suitable for Hyper-V and other applications
- NFS Share–Quick Provides basic NFS sharing with authentication and permissions
- NFS Share–Advanced Provides NFS sharing with authentication and permissions and access to services provided by File Server Resource Manager
- Click Next. Then Select The Server And Path For This Share page appears.
- Select the server on which you want to create the share and either select a volume on the server or specify a path to the folder you want to share. Click Next. The Specify Share Name page appears.
- In the Share Name text box, specify the name you want to assign to the share and click Next. The Configure Share Settings page appears, as shown in Figure 4.
Select any or all of the following options:
- Enable Access-Based Enumeration Prevents users from seeing files and folders they do not have permission to access
- Allow Caching Of Share Enables offline users to access the contents of this share
- Enable Branch Cache On The File Share Enables Branch Cache servers to cache files accessed from this share
- Encrypt Data Access Causes the server to encrypt remote file access to this share
- Click Next to move to the Specify Permissions To Control Access page.
- Modify the default share and NTFS permissions as needed and click Next. The Confirm Selections page appears.
- Click Create. The View Results page appears as the wizard creates the share.
- Close the New Share Wizard.
After you create a folder sharing by using the wizard, the new share appears in the Shares tile on the Shares home page in Server Manager. You can now use the tile to manage a share by right-clicking it and opening its Properties sheet or by clicking Stop Sharing.
Using Windows Server 2012 R2, you can control access to a file server to provide network users the access they need while protecting other files against possible intrusion and damage, whether deliberate or not. To implement this access control, Windows Server 2012 R2 uses permissions.
Permissions are privileges granted to specific system entities, such as users, groups, or computers, enabling them to perform a task or access a resource. For example, you can grant a specific user permission to read a file while denying that same user the permissions needed to modify or delete the file.
Windows Server 2012 R2 has several sets of permissions, which operate independently of each other. For the purpose of file sharing, you should be familiar with the operation of the following permission systems:
- Share permissions Control access to folders over a network. To access a file over a network, a user must have appropriate share permissions (and appropriate NTFS permissions if the shared folder is on an NTFS volume).
- NTFS permissions Control access to the files and folders stored on disk volumes formatted with the NTFS file system. To access a file, either on the local system or over a network, a user must have the appropriate NTFS permissions.
All these permission systems operate independently of each other and sometimes combine to provide increased protection to a specific resource. For network users to be able to access a shared folder on an NTFS drive, you must grant them both share permissions and NTFS permissions. As you saw earlier, you can grant these permissions as part of the share creation process, but you can also modify the permissions at any time afterward.
Understanding The Windows Permission Architecture
To store permissions, Windows elements have an access control list (ACL). An ACL is a collection of individual permissions in the form of access control entries (ACEs). Each ACE consists of a security principal (that is, the name of the user, group, or computer granted the permissions) and the specific permissions assigned to that security principal.
When you manage permissions in any of the Windows Server 2012 R2 permission systems, you are actually creating
and modifying the ACEs in an ACL.
To manage permissions in Windows Server 2012 R2, you can use a tab in the protected element’s Properties sheet, like the one shown in Figure 5, with the security principals listed at the top and the permissions associated with them at the bottom. Share permissions are typically found on a Share Permissions tab and NTFS permissions are located on a Security tab.
All the Windows permission systems use the same basic interface, although the permissions themselves differ. Server Manager also provides access to NTFS and share permissions by using a slightly different interface.
Understanding Basic And Advanced Permissions
The permissions protecting a particular system element are not like the keys to a lock, which provide either full access or no access at all. Permissions are designed to be granular, enabling you to grant specific degrees of access to security principals.
To provide this granularity, each Windows permission system has an assortment of permissions you can assign to a security principal in any combination.
Depending on the permission system with which you are working, you might have dozens of different permissions available for a single system element.
Windows provides pre-configured permission combinations suitable for most common access control tasks. When you open the Properties sheet for a system element and look at its Security tab, the NTFS permissions you see are called basic permissions. Basic permissions are actually combinations of advanced permissions, which provide the most granular control over the element.
For example, the NTFS permission system has 14 advanced permissions you can assign to a folder or file. However, there are also six basic permissions, which are various combinations of the 14 advanced permissions. You can also assign both types of permissions in a single ACE, combining a basic permission with one or more advanced permissions, to create a customized
combination. In most cases, however, administrators work only with basic permissions. Many administrators rarely, if ever, have reason to work directly with advanced permissions.
If you find it necessary to work directly with advanced permissions, Windows makes it possible. When you click the Advanced button on the Security tab of any Properties sheet, an Advanced Security Settings dialog box appears, as shown in Figure 6, which enables you to access directly the ACEs for the selected system element. System Manager provides access to the same dialog box through a share’s Properties sheet.
Allowing and denying permissions
When you assign permissions to a system element, you are, in effect, creating a new ACE in the element’s ACL. There are two basic types of ACE: Allow and Deny.
This makes it possible to approach permission management tasks from two directions:
- Additive Start with no permissions and then grant Allow permissions to individual security principals to give them the access they need.
- Subtractive Start by granting all possible Allow permissions to individual security principals, giving them full control over the system element, and then grant them Deny permissions for the access you don’t want them to have.
Most administrators prefer the additive approach, because Windows, by default, attempts to limit access to important system elements. In a properly designed permission hierarchy, the use of Deny permissions is often unnecessary. Many administrators frown on their use, because combining Allow and Deny permissions in a hierarchy can make it difficult to determine the effective permissions for a specific system element.
The most important principle in permission management is that permissions tend to run downward through a hierarchy. This is called permission inheritance. Permission inheritance means that parent elements pass their permissions down to their subordinate elements.
For example, when you grant Alice Allow permissions to access the root of the D drive, all the folders and subfolders on the D drive inherit those permissions, which means Alice can access them.
The principle of inheritance greatly simplifies the permission assignment process. Without it, you would have to grant individual Allow permissions to security principals for every file, folder, share, object, and key they need to access. With inheritance, you can grant access to an entire file system by creating one set of Allow permissions.
In most cases, whether consciously or not, system administrators take inheritance into account when they design their file systems and their Active Directory Domain Services OU structures. The location of a system element in a hierarchy is often based on how the administrators plan to assign and delegate permissions.
In some situations, an administrator might want to prevent subordinate elements from inheriting permissions from their parents. There are two ways to do this:
- Turn off inheritance When you assign advanced permissions, you can configure an ACE not to pass its permissions down to its subordinate elements. This effectively blocks the inheritance process.
- Deny permissions When you assign a Deny permission to a system element, it overrides any Allow permissions that the element might have inherited from its parent objects.
Understanding Effective Access
A security principal can receive permissions in many ways, and it is important for an administrator to understand how these permissions combine. The combination of Allow permissions and Deny permissions a security principal receives for a given system element—whether explicitly assigned, inherited, or received through a group membership—is called the effective
access for that element. Because a security principal can receive permissions from so many sources, it is not unusual for those permissions to overlap.
The following rules define how the permissions combine to form the effective access.
- Allow permissions are cumulative. When a security principal receives Allow permissions from more than one source, the permissions are combined to form the effective access permissions.
- Deny permissions override Allow permissions. When a security principal receives Allow permissions—whether explicitly, by inheritance, or from a group—you can override those permissions by granting the principal Deny permissions of the same type.
- Explicit permissions take precedence over inherited permissions. When a security principal receives permissions by inheriting them from a parent or from group memberships, you can override those permissions by explicitly assigning contradicting permissions to the security principal itself.
Of course, instead of examining and evaluating all the possible permission sources, you can just open the Advanced Security Settings dialog box and click the Effective Access tab. On this tab, you can select a user, group, or device and view its effective access, without accounting for group membership or while accounting for group membership.
Setting Share Permissions
In Windows Server 2012 R2, shared folders have their own permission system, which is independent from the other Windows permission systems. For network users to access shares on a file server, you must grant them the appropriate share permissions.
By default, the Everyone special identity receives the Allow Read Full Control share permission to any new shares you create using File Explorer. In shares you create using Server Manager, the Everyone special identity receives the Allow Full Control share permission.
To modify the share permissions for an existing share by using File Explorer, you open the Properties sheet for the shared folder, select the Sharing tab, click Advanced Sharing, and then click Permissions to open the Share Permissions tab, as shown in Figure 7.
By using this interface, you can add security principals and allow or deny them the three share permissions. To set share permissions by using Server Manager, either while creating a share or modifying an existing one, use the following procedure.
- In Server Manager, click the File and Storage Services icon and, in the submenu that appears, click Shares to open the Shares home page.
- In the Shares tile, right-click a share and, from the shortcut menu, select Properties. The Properties sheet for the share opens.
- Click Permissions. The Permissions page opens.
- Click Customize Permissions. The Advanced Security Settings dialog box for the share opens.
- Click the Share tab to display the interface shown in Figure 8.
- Click Add to open a Permission Entry dialog box for the share.
- Click the Select A Principal link to display the Select User, Computer, Service Account, Or Group dialog box.
- Type the name of or search for the security principal to whom you want to assign share permissions and click OK. The security principal you specified appears in the Permission Entry dialog box.
- Select the type of permissions you want to assign (Allow or Deny).
- Select the check boxes for the permissions you want to assign and click OK.
- The new ACE you just created appears in the Advanced Security Settings dialog box.
- Click OK to close the Advanced Security Settings dialog box.
- Click OK to close the share’s Properties sheet.
- Close the Server Manager window.
Understanding NTFS Authorization
The majority of Windows installations today use the NTFS file systems as opposed to FAT32. One of the main advantages of NTFS is that they support permissions, which FAT32 does not. As described earlier in this chapter, every file and folder on an NTFS drive has an ACL that consists of ACEs, each of which contains a security principal and the permissions assigned to
In the NTFS permission system, the security principals involved are users and groups, which Windows refers to by using security identifiers (SIDs). When a user attempts to access an NTFS file or folder, the system reads the user’s security access token, which contains the SIDs for the user’s account and all the groups to which the user belongs. The system then compares these SIDs to those stored in the file or folder’s ACEs to determine what access the user should have. This process is called authorization.
Assigning Basic NTFS Permissions
Most file server administrators work almost exclusively with basic NTFS permissions because there is no need to work directly with advanced permissions for most common access control tasks.
To assign basic NTFS permissions to a shared folder, the options are essentially the same as with share permissions. You can open the folder’s Properties sheet in File Explorer and select the Security tab or you can open a share’s Properties sheet in Server Manager, as described in the following procedure.
- In Server Manager, open the Shares home page.
- Open the Properties sheet for a share and click Permissions to open the Permissions page.
- Click Customize Permissions to open the Advanced Security Settings dialog box for the share, displaying the Permissions tab, as shown in Figure 9. This dialog box is as close as the Windows graphical interface can come to displaying the contents of an ACL.
- Click Add. This opens the Permission Entry dialog box for the share.
- Click the Select A Principal link to display the Select User, Computer, Service Account, or Group dialog box.
- Type the name of or search for the security principal to whom you want to assign NTFS permissions and click OK. The security principal you specified appears in the Permission Entry dialog box.
- In the Type drop-down list, select the type of permissions you want to assign (Allow or Deny).
- In the Applies To drop-down list, specify which subfolders and files should inherit the permissions you are assigning.
- Select the check boxes for the basic permissions you want to assign and click OK. The new ACE you just created appears in the Advanced Security Settings dialog box.
- Click OK twice to close the Advanced Security Settings dialog box and the Properties sheet.
- Close the Server Manager window.
Assigning advanced NTFS permissions
In Windows Server 2012 R2, the ability to manage advanced permissions is integrated into the interface you use to manage basic permissions.
In the Permission Entry dialog box, clicking the Show Advanced Permissions link changes the list of basic permissions to a list of advanced permissions. You can then assign advanced permissions in any combination, just as you would basic permissions.
Combining share permissions with NTFS permissions
It is important for file server administrators to understand that the NTFS permission system is completely separate from the share permission system and that for network users to access files on a shared NTFS drive, the users must have the correct NTFS share permissions and the correct share permissions.
The share and NTFS permissions assigned to a file or folder can conflict. For example, if a user has the NTFS Write and Modify permissions for a folder but lacks the Change share permission, that user will not be able to modify a file in that folder.
The share permission system is the simplest of the Windows permission systems and it provides only basic protection for shared network resources. Share permissions provide only three levels of access, in contrast to the far more complex system of NTFS permissions. Generally, network administrators prefer to use either NTFS or share permissions, not both. Share permissions provide limited protection, but this might be sufficient on some small networks. Share permissions might also be the only option on a computer with FAT32 drives because the FAT file system does not have its own permission system.
On networks already possessing a well-planned system of NTFS permissions, share permissions are not really necessary. In this case, you can safely grant the Full Control share permission to Everyone and allow the NTFS permissions to provide security. Adding share permissions would complicate the administration process without providing any additional protection.
Configuring Volume Shadow Copies
Volume Shadow Copies is a Windows Server 2012 R2 feature that enables you to maintain previous versions of files on a server, so if users accidentally delete or overwrite files, they can access a previous copy of those files. You can implement Volume Shadow Copies only for an entire volume; you cannot select specific shares, folders, or files.
To configure a Windows Server 2012 R2 volume to create Shadow Copies, use the following procedure.
1. Open File Explorer. The File Explorer window appears.
2. In the Folders list, expand the Computer container, right-click a volume and, from the shortcut menu, select Configure Shadow Copies. The Shadow Copies dialog box appears, as shown in Figure 10.
3. In the Select A Volume box, choose the volume for which you want to enable Shadow Copies. By default, when you enable Shadow Copies for a volume, the system uses the following settings:
■ The system stores the shadow copies on the selected volume.
■ The system reserves a minimum of 300 MB of disk space for the shadow copies.
■ The system creates shadow copies at 7:00 A.M. and 12:00 P.M. every weekday.
4. To modify the default parameters, click Settings to open the Settings dialog box.
5. In the Storage Area box, specify the volume where you want to store the shadow copies.
6. Specify the Maximum Size for the storage area or choose the No Limit option. If the storage area becomes filled, the system begins deleting the oldest shadow copies. However, no matter how much space you allocate to the storage area, Windows Server 2012 R2 supports a maximum of 64 shadow copies for each volume.
7. Click Schedule to open the Schedule dialog box. By using the controls provided, you can modify the existing Shadow Copies tasks, delete them, or create new ones, based on the needs of your users.
8. Click OK twice to close the Schedule and Settings dialog boxes.
9. Click Enable. The system enables the Shadow Copies feature for the selected volume and creates the first copy in the designated storage area.
10. Close File Explorer.
After you complete this procedure, users can restore previous versions of files on the selected volumes from the Previous Versions tab on any file or folder’s Properties sheet.
Configuring NTFS quotas
Managing disk space is a constant concern for server administrators, and one way to prevent users from monopolizing storage is to implement quotas. Windows Server 2012 R2 supports two types of storage quotas. The more elaborate of the two is implemented as part of File Server Resource Manager. The second, simpler option is NTFS quotas.
NTFS quotas enable administrators to set a storage limit for users of a particular volume. Depending on how you configure the quota, users exceeding the limit can either be denied disk space or just receive a warning. The space consumed by individual users is measured by the size of the files they own or create.
NTFS quotas are relatively limited in that you can only set limits at the volume level. The feature is also limited in the actions it can take in response to a user exceeding the limit. The quotas in File Server Resource Manager, by contrast, are much more flexible in the limits you can set and the responses of the program (which can send email notifications, execute
commands, generate reports, or create log events.
To configure NTFS quotas for a volume, use the following procedure.
1. Open File Explorer. The File Explorer window appears.
2. In the Folders list, expand the Computer container, right-click a volume and, from the shortcut menu, select Properties. The Properties sheet for the volume appears.
3. Click the Quota tab to display the interface shown in Figure 11.
4. Select the Enable Quota Management check box to activate the rest of the controls.
5. If you want to prevent users from consuming more than their quota of disk space, select the Deny Disk Space To Users Exceeding Quota Limit check box.
6. Select the Limit Disk Space To option and specify amounts for the quota limit and the warning level.
7. Select the Log Event check boxes to control whether users exceeding the specified limits should trigger log entries.
8. Click OK to create the quota and close the Properties sheet.
9. Close File Explorer.
Configuring Work Folders
Work Folders is a Windows Server 2012 R2 feature that enables administrators to provide their users with synchronized access to their files on multiple workstations and devices while storing them on a network file server. The principle is roughly the same as Microsoft’s SkyDrive service, except that the files are stored on a private Windows server instead of a cloud server
on the Internet. This enables administrators to maintain control over the files, backing them up, classifying them, and/or encrypting them as needed.
To set up the Work Folders environment, you install the Work Folders role service in the File and Storage Services role on a server running Windows Server 2012 R2 and create a new type of share called a sync share. This installs the IIS Hostable Web Core feature, which makes it possible for the server to respond to incoming HTTP requests from Work Folders clients on
On the client side, you configure Work Folders in the Windows 8.1 Control Panel, specifying the email address of the user and the location of the Work Folders on the local disk. The system also creates a system folder called Work Folders, which appears in File Explorer and in file management dialogs. When the user saves files to the Work Folders on the client system,
they are automatically synchronized with the user’s folder on the Work Folders server.
Users can create as many Work Folders clients as they need on different computers or other devices. After saving files to their Work Folders on their office workstations, for example, users can go home and find those files already synchronized to their home computers. In the same way, Work Folders can synchronize a user’s files to a portable device at the office
and the user can work on them while offline during the commute home. Arriving home and connecting to the Internet, the device synchronizes the files back to the server, so that the user finds the latest versions on the office computer the next day.
Work Folders is not designed to be a collaborative tool; it is just a means synchronizing folders between multiple devices while enabling administrators to retain control over them. It is possible to specify that Work Folders files remain encrypted during synchronization and administrators can impose security policies that force the use of lock screens and mandatory data wipes for lost machines.
This was all about “Configuring server roles and features (Configure file and share access)” do let me know if you have any doubts.