Chapter 18. Managing file sharing

File-sharing essentials

Creating and publishing shared folders

Managing share permissions

Configuring synced sharing

Sharing files means that you allow users to access files from across the network. The most basic way to share files is to create a shared folder and make it accessible to users through a mapped network drive. In most cases, you don’t want everyone with access to the network to be able to read, modify, or delete the shared files. Therefore, when you share files, the permissions on the shared folder and the local access permissions are very important in granting appropriate access and restricting access to files when necessary. File sharing and file security go hand in hand. You don’t want to share files indiscriminately, and to help safeguard important data, you can configure auditing. Auditing enables you to track who accessed files and what they did.

Typically, you use file sharing with Volume Shadow Copy Service (VSS). This service offers two important features:

  • Shadow copying of files in shared folders. You use this feature to configure volumes so that shadow copies of files in shared folders are created automatically at specific intervals during the day. This enables you to go back and look at earlier versions of files stored in shared folders. You can use these earlier versions to recover deleted, incorrectly modified, or overwritten files. You can also compare versions of files to see what changes were made over time.

  • Shadow copying of open or locked files for backups. With this feature, you can use backup programs, such as Windows Backup, to back up files that are open or locked. This means you can perform a backup when applications are using the files and do not have to worry about backups failing because files are in use. Backup programs must implement the VSS application programming interface (API).

These features are independent of each other. You do not need to enable shadow copying of a volume to be able to back up open or locked files on a volume. Although Resilient File System (ReFS) provides a highly reliable file system, only NTFS volumes support shadow copies. Therefore, if you create shares on ReFS volumes, users won’t be able to go back to previous versions of files and folders stored in shares.

File-sharing essentials

File sharing is one of the most fundamental features of a file server, and file servers running Microsoft Windows Server 2012 R2 have many file-sharing features. The basic component that makes file sharing possible is the Server service, which is responsible for sharing file and printer resources over the network.

Understanding file-sharing models

Windows Server 2012 R2 supports two file-sharing models: standard file sharing and public folder sharing. Standard file sharing allows remote users to access network resources, such as files, folders, and drives. When you share a folder or a drive, you make all its files and subfolders available to a specified set of users. Standard file sharing also is referred to as in-place file sharing because you don’t need to move files from their current location.

You can enable standard file sharing on disks formatted with extended FAT (exFAT), FAT, FAT32, NTFS, or ReFS. One set of permissions applies to disks formatted with exFAT, FAT, or FAT32. These permissions are called share permissions. Two sets of permissions apply to disks formatted with NTFS or ReFS: NTFS permissions (also referred to as access permissions) and share permissions. Having two sets of permissions enables you to determine precisely who has access to shared files and the level of access assigned. With either access permissions or share permissions, you do not need to move the files you are sharing.

With public folder sharing, you share files just by copying or moving files to a computer’s folder. Public files are available to anyone who logs on to a computer locally regardless of whether that person has a standard user account or an administrator user account on the computer. You can also grant network access to the Public folder. If you do this, however, there are no access restrictions. The Public folder and its contents are open to everyone who can access the computer over the local network.

When you copy or move files to the Public folder, access permissions are changed to match those of the Public folder. Some permissions are added as well. When a computer is part of a workgroup, you can add password protection to the Public folder. Separate password protection isn’t needed in a domain. In a domain, only domain users can access Public folder data.

Windows Server 2012 R2 can use either or both sharing models at any time. However, standard file sharing offers more security and better protection than public folder sharing, and increasing security is essential to protecting your organization’s data.

Compound identities, claims-based access controls, and central access policies provide additional layers of security. Windows Server 2012 R2 enables administrators to assign claims-based access controls to file and folder resources on NTFS and ReFS volumes. Users are granted access to files and folder resources, either directly with access permissions and share permissions or indirectly with claims-based access controls and central access policies.

Enabling file sharing

You can configure the basic file-sharing settings for a server by using Advanced Sharing Settings. Separate options are provided for public folder sharing on the All Networks panel, and the status of public folder sharing is listed as On or Off, as shown in Figure 18-1.

A screen shot of the Network And Sharing Center, showing file-sharing options for the current network.

Figure 18-1. Configure basic file-sharing options.

To open the Advanced Sharing Settings page in Control Panel, tap or click View Network Status And Tasks under the Network And Internet heading and then tap or click Change Advanced Sharing Settings. Public folder sharing options control access to a computer’s Public folder. To configure public folder sharing, expand the All Networks panel by tapping or clicking the related Expand button. Choose one of the following options and then tap or click Save Changes:

  • Turn On Sharing So Anyone With Network Access Can Read And Write Files. Enables public folder sharing by granting access to the Public folder and all public data to anyone who can access the computer over the network. Keep in mind, however, that Windows Firewall settings might prevent external access.

  • Turn Off Public Folder Sharing. Disables public folder sharing, preventing network access to the Public folder. Anyone who logs on locally to your computer can still access the Public folder and its files.

In a workgroup setting, you can manage password-protected sharing on the All Networks panel. You use password-protected sharing to restrict access so that only people with a user account and password on your computer can access shared resources. Select either Turn On Password Protected Sharing to enable password-protected sharing or Turn Off Password Protected Sharing to disable password-protected sharing and then tap or click Save Changes.

Using and finding shares

You share file resources over the network by creating a shared folder to which users can map as a network drive. For example, if the D:\Data directory on a computer is used to store user data, you might want to share this folder as UserData. This would enable users to map to it using a drive letter on their machines, such as X. After the drive is mapped, users can access it in File Explorer or by using other tools just as they would a local drive on their computer.

All shared folders have a share name and a folder path. The share name is the name of the shared folder. The folder path is the complete path to the folder on the server. In the previous example, the share name is UserData and the associated folder path is D:\Data. After you share a folder, it is available to users automatically. All they have to know to map to the shared folder is the name of the server on which the folder is located and the share name.

Whether you are working with Windows 8.1 or Windows Server 2012 R2, you can map network drives in the same way. When you open File Explorer, the This PC node should be opened by default. If you have an open Explorer window and This PC is not the selected node, tap or click the leftmost option button in the address list and then tap or click This PC. Next, tap or click the Map Network Drive button on the Computer panel and then tap or click Map Network Drive. This opens the Map Network Drive dialog box shown in Figure 18-2.

A screen shot of the Map Network Drive dialog box, showing the drive letter and the folder used for the share.

Figure 18-2. Open the Map Network Drive dialog box.

You use the Drive field to select a free drive letter to use and the Folder field to enter the path to the network share. You use the Universal Naming Convention (UNC) path to the share. For example, to access a server called CORPSVR02 and a shared folder called CorpData, you type \\CorpSvr02\CorpData. If you don’t know the name of the share, you can tap or click the Browse button to the right of the Folder field. In the Browse For Folder dialog box, computers with shared folders are listed by name. When you expand the name of a computer in a workgroup or a domain, as shown in Figure 18-3, you see a list of shared folders. Select the shared folder you want to work with and then tap or click OK.

A screen shot of the Browse For Folder dialog box, showing computers with shared folders

Figure 18-3. The Browse For Folder dialog box shows computers with shared folders.

By default, Windows automatically reconnects mapped network drives at logon. Clear the Reconnect At Sign-In check box if you only want to map the network drive for the current user session. Tap or click Finish. If the currently logged-on user doesn’t have appropriate access permissions for the share, select Connect Using Different Credentials and then tap or click Finish. After you tap or click Finish, you can enter the user name and password of the account with which you want to connect to the shared folder.

As shown in Figure 18-4, enter the user name. To specify the domain, you can enter the name in Domain\Username format, such as Cpandl\Williams. Before tapping or clicking OK, select Remember My Credentials if you want the credentials to be saved. Otherwise, you need to provide credentials in the future.

Domain users can browse the network by using Network Explorer to find shares that have been made available, as shown in Figure 18-5. You can open Network Explorer from File Explorer. In File Explorer, tap or click the location path selection button and then tap or click Network. You now see a list of computers on the network for which Network Discovery is enabled. When you double-tap or double-click a computer entry, any publicly shared resources on that computer are listed, and you can connect to them just by double-tapping or double-clicking the associated folder.

A screen shot of the Windows Security dialog box, which you use to enter credentials for connecting to the shared folder.

Figure 18-4. Open the Windows Security dialog box.

A screen shot of Network Explorer showing shares available on the network.

Figure 18-5. Network Explorer shows shares available on the network.

To make it easier for users to find shared folders, you can also publish information about shares in Active Directory.

When you publish shared resources, users can use Network Explorer to find them, and administrators can find them by using Active Directory Users And Computers. The procedures are similar regardless of which tool you are using. An example of how you can find shared folders follows.

  1. In Network Explorer, tap or click Search Active Directory on the Network panel or, in Active Directory Users And Computers, press and hold or right-click the domain name in the left pane and tap or click Find.

  2. As shown in Figure 18-6, in the Find list, choose Shared Folders.

    A screen shot of the Find Shared Folders dialog box, showing search options to find shared resources.

    Figure 18-6. Use the Find Shared Folders dialog box to find shared resources such as folders and printers.

  3. In the Name field, type the name of the folder you want to find and then tap or click Find Now. If you know part of the folder name, you can use the asterisk (*) to match partial names. For example, if you know that the folder name ends with the word “data,” you could type *data to search for all folder names that end with the word “data.”

  4. In the Search Results area, you see a list of shared folders that match your search criteria, as shown in Figure 18-7. Press and hold or right-click any of the shared folders to display a shortcut menu. You can then open the shared folder, map a network drive to the folder, and access the share’s properties.

    A screen shot of the Find Shared Folders dialog box, showing search results.

    Figure 18-7. Review the list of shared folders in the Find Shared Folders dialog box.

As an administrator, you can use Computer Management and Server Manager to work with shares. You also can view current shares on a computer by typing net share at a command prompt or by typing get-smbshare at a Windows PowerShell prompt. Computer Management, net share, and get-smbshare display information about Server Message Block (SMB)–based shares, including standard SMB folder shares, hidden SMB folder shares (those ending with the $ suffix), and SMB folders shared using distributed file system (DFS). Server Manager displays information about standard SMB folder shares, SMB folders shared using DFS, and folders shared using network file system (NFS). Server Manager does not display information about hidden SMB folder shares.

Navigating SMB versions

SMB is the primary file sharing protocol that Windows operating systems use. As Windows itself has changed over the years, so has SMB. To allow for version and feature changes, SMB was designed to enable clients and servers to negotiate and then use the highest version supported by both the client attempting to connect to an SMB share and the server hosting the share.

The current version of SMB is version 3.02, which Windows 8.1 and Windows Server 2012 R2 support. Thus, when a computer running Windows 8.1 connects to an SMB share hosted on a server running Windows Server 2012 R2, SMB 3.02 is the version used for the SMB session.

The earliest implementation of SMB was called Common Internet File System (CIFS), which was introduced with Windows NT 4.0, followed by SMB 1.0, which all versions of Windows from Windows 2000 to Windows Server 2003 R2 use. Beginning with Windows 8.1 and Windows Server 2012 R2, support for CIFS and SMB 1.0 is an optional feature that must be enabled. Because CIFS and SMB 1.0 are outdated, perform poorly, and are less secure than their successors, SMB 1.0/CIFS File Sharing Support should not be enabled unless required. That said, if a computer running Windows 8.1 needs to connect to a server running an early Windows operating system, the computer must have the SMB 1.0/CIFS File Sharing Support feature enabled. In addition, if a computer running an early Windows operating system needs to connect to a server running Windows Server 2012 R2, the SMB 1.0/CIFS File Sharing Support feature must be enabled on the server.

Table 18-1 provides a summary of the current versions of SMB, the associated versions of Windows, and the major features introduced. You can enter Get-SmbConnection at an elevated, administrator Windows PowerShell prompt to determine the version of SMB a client has negotiated with a file server. In the command output, the version is listed in the Dialect column, as shown in the following sample output:

ServerName  ShareName    UserName         Credential       Dialect  NumOpens
----------  ---------    --------         ----------       -------  --------
Server36    IPC$         CPANDL\williams  CPANDL\williams  3.02     0
Server36    PrimaryData  CPANDL\williams  CPANDL\williams  3.02     14
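The text recommends leaving SMB 1.0/CIFS disabled unless something still needs it, and points at the Dialect column as the way to see which version a session negotiated. The following Windows PowerShell script is an added example, not from the book: it combines the client-side view (Get-SmbConnection, as above) with the server-side view (Get-SmbSession) so that any session still negotiating SMB 1.x can be traced to its client computer before the feature is turned off. The feature name FS-SMB1 is the Windows Server 2012 R2 name for SMB 1.0/CIFS File Sharing Support; run the script from an elevated prompt on the file server.

```powershell
# Added example (not from the book): report negotiated SMB dialects and the
# state of SMB 1.0/CIFS support on this Windows Server 2012 R2 file server.

function Get-SmbDialectReport {
    # Client side: connections this computer has open to other file servers.
    # Dialect is the negotiated SMB version described in the text.
    $clientConnections = Get-SmbConnection |
        Select-Object ServerName, ShareName, UserName, Dialect, NumOpens

    # Server side: sessions other computers currently hold against this server.
    $serverSessions = Get-SmbSession |
        Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens

    # Anything that negotiated a 1.x dialect is an SMB 1.0/CIFS client.
    # These are the clients to fix or retire before removing the feature.
    $legacySessions = @($serverSessions | Where-Object { $_.Dialect -like '1.*' })

    $serverConfig = Get-SmbServerConfiguration
    $smb1Feature  = Get-WindowsFeature -Name FS-SMB1   # SMB 1.0/CIFS File Sharing Support

    [pscustomobject]@{
        SMB1FeatureInstalled = $smb1Feature.Installed
        SMB1ProtocolEnabled  = $serverConfig.EnableSMB1Protocol
        ClientConnections    = $clientConnections
        ServerSessions       = $serverSessions
        LegacySmb1Sessions   = $legacySessions
        LegacySmb1Count      = $legacySessions.Count
    }
}

$report = Get-SmbDialectReport
$report | Select-Object SMB1FeatureInstalled, SMB1ProtocolEnabled, LegacySmb1Count
$report.ServerSessions | Format-Table -AutoSize

# Only once LegacySmb1Count has stayed at zero for a representative period
# should the protocol be switched off and the feature removed:
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
#   Uninstall-WindowsFeature -Name FS-SMB1
```

Get-SmbSession shows the Dialect per client session only while the session is open, so run the report several times across a business day (or schedule it) before concluding that no SMB 1.0 clients remain.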

Table 18-1. Overview of current SMB versions

SMB Version  Windows Version                         Features
-----------  --------------------------------------  ---------------------------------------------------------------------------------------------------------------------
SMB 2.0      Windows Vista SP1, Windows Server 2008  Increased scalability and security, asynchronous operations, larger reads/writes, request compounding
SMB 2.1      Windows 7, Windows Server 2008 R2       Large maximum transmission unit (MTU) support, BranchCache support
SMB 3.0      Windows 8, Windows Server 2012          Enhancements for server clusters, BranchCache v2 support, SMB over Remote Direct Memory Access (RDMA), improved security
SMB 3.02     Windows 8.1, Windows Server 2012 R2     Improved performance for SMB over RDMA, additional scale-out options, Hyper-V live migration support

Important

SMB 3.0 and SMB 3.02 brought many enhancements for performance, especially when you use clustered file servers. A key enhancement that doesn’t rely on a special configuration is end-to-end encryption of SMB data, which eliminates the need to use Internet Protocol security (IPsec), specialized hardware, or wide area network (WAN) accelerators to protect data from eavesdropping. SMB encryption can be enabled on a per-share basis.
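The per-share encryption the note describes is set with the EncryptData share property. The following Windows PowerShell script is an added example, not from the book: it turns encryption on for one share, reports which shares on the server remain unencrypted, and shows the server-wide RejectUnencryptedAccess setting that decides what happens to clients that cannot encrypt. The share name PrimaryData is taken from the Get-SmbConnection sample output earlier in this section; everything else is assumed. Run it from an elevated prompt on the file server.

```powershell
# Added example (not from the book): enable SMB encryption on a share and
# review which shares still allow cleartext access.

function Enable-ShareEncryption {
    param([Parameter(Mandatory)][string[]]$ShareName)

    foreach ($name in $ShareName) {
        # Per-share SMB encryption, as described in the text. -Force suppresses
        # the confirmation prompt.
        Set-SmbShare -Name $name -EncryptData $true -Force
    }
}

function Get-UnencryptedShares {
    # Special (administrative) shares such as C$ and ADMIN$ are reported too,
    # because they carry the same data as the underlying volume.
    Get-SmbShare | Where-Object { -not $_.EncryptData } |
        Select-Object Name, Path, Special, EncryptData
}

Enable-ShareEncryption -ShareName 'PrimaryData'   # share name from the sample output above

# Shares that can still be read over the network without encryption.
Get-UnencryptedShares | Format-Table -AutoSize

# Server-wide behaviour. EncryptData = $true encrypts every share; with
# RejectUnencryptedAccess = $true (the default) a client that cannot encrypt
# (any SMB 2.x client) is refused instead of silently falling back to cleartext.
Get-SmbServerConfiguration | Select-Object EncryptData, RejectUnencryptedAccess
```

Because only SMB 3.0 and later clients can encrypt, enabling EncryptData on a share that Windows 7 or Windows Server 2008 R2 clients still use cuts them off while RejectUnencryptedAccess is $true; use the dialect report from the previous section to find such clients first, rather than lowering RejectUnencryptedAccess, which would re-expose the data to eavesdropping.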

Hiding and controlling share access

Because there are times when you don’t want everyone to see or know about a share, Windows Server also enables you to create hidden shares. Hidden shares are made available to users but are not listed in the normal file share lists or published in Active Directory. You can create hidden shares by adding the dollar sign ($) to the end of the share name. For example, if you want to share E:\Data\Dumps but don’t want it to be displayed in the normal file share lists, you could name it Backup$ rather than Backup.

Hiding a share doesn’t control access to the share, however. Access to shares is controlled using permissions. Two permission sets apply to shared folders: share permissions and local access permissions. Share permissions set the maximum allowable actions available within a shared folder. Access permissions assigned to the share’s contents further constrain the actions users can perform. For example, share permissions can allow a user to access a folder, but access permissions might not allow that user to view or modify files.

Keep in mind that by default, when you create a share, everyone with access to the network has Read access to the share’s contents.

Note

You also can hide shares by using access-based enumeration. This feature displays only the files and folders that a user has permissions to access. For more information, see “Creating shared folders in Server Manager” later in this chapter.
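Hiding a share with a $ suffix does nothing to restrict access, and the default share permission grants Everyone Read, so a review of a file server should look at every share (hidden ones included) and at who the share permissions actually admit. The following Windows PowerShell script is an added example, not from the book: it inventories all SMB shares on the local server, flags share permissions granted to broad principals, and turns on access-based enumeration for the non-special shares. The list of principals treated as "broad" is an assumption you can extend. Run it from an elevated prompt on the file server.

```powershell
# Added example (not from the book): inventory SMB shares, including hidden
# ($) shares, and report broad share permissions and access-based enumeration.

# Principals that amount to "everyone on the network". Assumed list; extend as needed.
$broadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

function Get-ShareExposureReport {
    foreach ($share in Get-SmbShare) {
        # Share permissions are the outer gate; NTFS permissions further
        # restrict what these principals can do inside the folder.
        $access = Get-SmbShareAccess -Name $share.Name -ErrorAction SilentlyContinue
        $broad  = $access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.AccountName -in $broadPrincipals
        }

        [pscustomobject]@{
            Name                   = $share.Name
            Path                   = $share.Path
            Hidden                 = $share.Name.EndsWith('$')
            Special                = $share.Special      # C$, ADMIN$, IPC$, ...
            AccessBasedEnumeration = ($share.FolderEnumerationMode -eq 'AccessBased')
            BroadGrants            = ($broad | ForEach-Object {
                                        "$($_.AccountName):$($_.AccessRight)" }) -join ', '
        }
    }
}

Get-ShareExposureReport | Sort-Object Special, Hidden, Name | Format-Table -AutoSize

# Access-based enumeration (the Note above): users see only the files and
# folders their NTFS permissions allow. Applied to every non-special share.
Get-SmbShare | Where-Object { -not $_.Special } |
    Set-SmbShare -FolderEnumerationMode AccessBased -Force
```

Rows with a non-empty BroadGrants column are the shares where the NTFS permissions are the only thing standing between "anyone on the network" and the data; those are the ones to check first with Get-Acl on the folder path.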

Special and administrative shares

In Windows Server 2012 R2, you’ll find that several shares are created automatically. These shares are referred to as special shares or default shares. Most special shares are hidden because they are created for administrative purposes. Thus, they are also referred to as administrative shares.

The special shares that are available on a system depend on its configuration. This means a domain controller might have more special shares than a member server or that a server that handles network faxing might have shares that other systems don’t.

C$, D$, E$, and other drive shares

All drives, except USB drives and CD/DVD-ROM drives, have special shares with access to the root of the drive. These shares are known as C$, D$, E$, and so on, and they are created to enable administrators to connect to a drive’s root folder and perform administrative tasks. For example, if you map to C$, you are connecting to C: and have full access to this drive.

On workstations and servers, members of the Administrators or Backup Operators group can access drive shares. On domain controllers, members of the Server Operators group can also access drive shares.

Note

Windows allows you to delete drive shares. However, the next time you restart the computer or the Server service, the drive shares will be re-created.

ADMIN$

The ADMIN$ share is an administrative share for accessing the %SystemRoot% folder in which the operating system files reside. It is meant to be used for remote administration. For administrators working remotely with systems, it is a handy shortcut for directly accessing the operating system folder. Thus, rather than having to connect to C$ or D$ and then look for the operating system folder, which could be named Windows or just about anything else, you can connect directly to the right folder every time.

On workstations and servers, members of the Administrators or Backup Operators groups can access the ADMIN$ share. On domain controllers, members of the Server Operators group can also access the ADMIN$ share.

FAX$

The FAX$ share supports network faxes. By default, the special Everyone group has Read permissions on these shared folders. This means that anyone with access to the network can access this folder.

IPC$

The IPC$ share is an administrative share that supports named pipes, which are used for interprocess (or process-to-process) communications. Because named pipes can be redirected over the network to connect local and remote systems, they also enable remote administration and are what enable you to manage resources remotely.

NETLOGON

The NETLOGON share is used by domain controllers. It supports the Netlogon service, and this service uses it during the processing of logon requests. After users log on, Windows accesses their user profiles and, if applicable, any related logon scripts. Logon scripts contain actions that should be run automatically when users log on to help set up the work environment, perform housekeeping tasks, or complete any other task that must be routinely performed every time users log on.

PRINT$

The PRINT$ share supports printer sharing by providing access to printer drivers. Whenever you share a printer, the system puts the printer drivers in this share so that other computers can access them as needed.

SYSVOL

The SYSVOL share supports Active Directory. Domain controllers have this share and use it to store Active Directory data, including policies and scripts.

Accessing shares for administration

As Figure 18-8 shows, administrators can view information about existing shares on a computer, including the special shares, by using Computer Management. In Computer Management, expand System Tools, expand Shared Folders, and then select Shares.

A screen shot of Computer Management, showing access to shared folders.

Figure 18-8. Use Computer Management to access shared folders.

If you want to work with shares on a remote computer, press and hold or right-click the Computer Management node in the left pane and select Connect To Another Computer. This opens the Select Computer dialog box. Select Another Computer and then type the computer name or Internet Protocol (IP) address of the computer you want to use. If you don’t know the computer name or IP address, tap or click Browse to search for the computer you want to work with.

Creating and publishing shared folders

To create shares on a server running Windows Server 2012 R2, you must be a member of the Administrators or Server Operators group. You can create shares by using File Explorer, Computer Management, Server Manager, New-SmbShare, or Net Share from the command line. When deciding which option to use, keep the following in mind:

  • File Explorer works well when you want to share folders on computers to which you are logged on. Because users who are not administrators typically share folders by using File Explorer, it’s important to understand the quirks that come with this approach (and this also might help you more easily resolve related access issues).

  • By using Computer Management, you can share the folders on the local computer and on any computer to which you can connect. You can configure share permissions and offline settings as well.

  • Server Manager enables you to manage shared folders on any server added for management. You can provision all aspects of sharing, including access permissions, share permissions, encrypted data access, and offline settings for caching.

  • With New-SmbShare, you can create shares by using Windows PowerShell. Type get-help new-smbshare at the Windows PowerShell prompt for details about using this cmdlet.

  • By using Net Share, you can create shares from the command line or in scripts. Type net share /? at the command prompt for details about using this command.
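Both New-SmbShare and Net Share accept the permission grants at creation time, which avoids the default of Everyone having Read and lets a script set the share permissions and the NTFS permissions together. The following Windows PowerShell script is an added example, not from the book: it creates the UserData share on D:\Data used as the example earlier in this chapter with explicit share permissions, replaces the folder's inherited NTFS permissions with an explicit set, and then verifies both. The groups CPANDL\Data-Readers and CPANDL\Data-Editors are assumed names. Run it from an elevated prompt on the file server.

```powershell
# Added example (not from the book): create a share with explicit share and
# NTFS permissions instead of the default Everyone:Read share permission.

$path      = 'D:\Data'      # folder and share name from the chapter's example
$shareName = 'UserData'
$readers   = 'CPANDL\Data-Readers'   # assumed domain groups
$editors   = 'CPANDL\Data-Editors'
$admins    = 'BUILTIN\Administrators'

if (-not (Test-Path -Path $path)) {
    New-Item -ItemType Directory -Path $path | Out-Null
}

# Share permissions: the outer gate. No Everyone entry is created because
# explicit -ReadAccess/-ChangeAccess/-FullAccess grants replace the default.
New-SmbShare -Name $shareName -Path $path -Description 'User data' `
    -ReadAccess $readers -ChangeAccess $editors -FullAccess $admins | Out-Null

# NTFS permissions: the inner gate. Stop inheriting from the drive root and
# discard the inherited entries, then add an explicit set that applies to
# the folder, its subfolders and its files.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)
foreach ($grant in @(
        @($admins,  'FullControl'),
        @($readers, 'ReadAndExecute'),
        @($editors, 'Modify'))) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $grant[0], $grant[1], 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# Verify both gates. A user's effective access is the more restrictive of the two.
Get-SmbShareAccess -Name $shareName | Format-Table -AutoSize
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
net share $shareName
```

Giving the editors group Change at the share level and Modify at the NTFS level, rather than Full Control at either, keeps them from changing permissions or taking ownership of files they did not create; Administrators keep Full Control on both so the share stays manageable.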

After you create a share, you might want to publish it in Active Directory so that it is easier to find.

Creating shares by using File Explorer

By using File Explorer, you can share folders on the computer to which you are logged on. In File Explorer, press and hold or right-click the folder you want to share and then select Properties. In the folder’s Properties dialog box, tap or click the Sharing tab to view the current sharing configuration (if any), as shown in Figure 18-9.

A screen shot of a folder’s Properties dialog box, showing the current sharing configuration.

Figure 18-9. View the current sharing configuration.

Tap or click Share to open the File Sharing dialog box, as shown in Figure 18-10. Tap or click the selection arrow to the right of the text-entry field provided and then select Find People.

A screen shot of the File Sharing dialog box, showing the user to share with.

Figure 18-10. Configure sharing access and permissions.

In the Select Users Or Groups dialog box, shown in Figure 18-11, check the value of the From This Location field. In workgroups, computers always show only local accounts and groups. In domains, this field is changeable and set initially to the default (logon) domain of the currently logged-on user. If this isn’t the location you want to use for selecting user and group accounts to work with, tap or click Locations to see a list of locations you can search, including the current domain, trusted domains, and other resources that you can access.

Important

Another way to open the File Sharing dialog box is to press and hold or right-click a folder in File Explorer, tap or click Share With, and then tap or click Specific People. Contrary to what you might think, when you set permissions by using the File Sharing dialog box, you are configuring the underlying access permissions rather than share permissions. When you assign a user or group the Read permission level, the user or group is granted Read & Execute permissions on the folder. When you assign a user or group the Read/Write permission level, the user or group is granted Full Control permissions on the folder. The share permissions on the folder are set so that the Everyone and Administrators groups have Full Control.

A screen shot of the Select Users Or Groups dialog box, showing a field you use to enter users to share the folder with.

Figure 18-11. Choose users with whom to share the folder.

In the Enter The Object Names To Select field, type the name of a user or a group account previously defined in the selected or default domain. Be sure to reference the user account name rather than a user’s full name. When entering multiple names, separate them with semicolons.

Tap or click Check Names. If a single match is found for each of your entries, the dialog box is automatically updated as appropriate and the entry is underlined. Otherwise, you see an additional dialog box. When no matches are found, you’ve either entered an incorrect name part or you’re working with an incorrect location. Modify the name in the Name Not Found dialog box and try again or tap or click Locations to select a new location. When multiple matches are found, select the name or names you want to use in the Multiple Names Found dialog box and then tap or click OK.

When you tap or click OK, the users and groups are added to the Name list. You can then configure permissions for each user and group added by tapping or clicking an account name to display the Permission Level options and then choosing the appropriate permission level. The options for permission levels are as follows:

  • Read. Grants the user or group Read & Execute permissions. These are access permissions.

  • Read/Write. Grants the user or group Full Control permissions. These are access permissions.

Finally, tap or click Share to create the share. The top-level share permissions are set so that the Everyone and Administrators groups have Full Control. After Windows creates the share and makes it available for use, note the share name. This is the name by which the shared resource can be accessed. If you want to email a link to the shared resource to someone, tap or click E-mail. If an email application is not installed on the system from which you are sharing a folder, a dialog box will appear reporting this. If you want to copy a link to the shared resource to the Clipboard, tap or click Copy. Tap or click Done when you are finished. The share is immediately available for use.

If you tap or click the Share button on the Sharing tab when sharing is already configured, you can change share permissions. Grant access to additional users and groups as discussed previously. To change the permission level for a user or group, select the user or group in the Name list and then select the new permission level. To remove access for a user or group, select the user or group in the Name list and then select Remove. When you are finished making changes, tap or click Share to reconfigure the sharing options and then tap or click Done.

If you tap or click the Advanced Sharing button on the Sharing tab, you see the Advanced Sharing dialog box, as shown in Figure 18-12. Use this dialog box to configure top-level share permissions and offline caching.

A screen shot of the Advanced Sharing dialog box, showing options to configure different shares of the same folder.

Figure 18-12. You can configure different shares of the same folder with different names and permissions.

Use the options in the Advanced Sharing dialog box as follows:

  • Tap or click Add to share the folder again, using a different name and a different set of access permissions. When you create multiple shares for the same folder, the Share Name box of the Sharing tab becomes a selection list that you use to select a share to work with and configure. After you select a share to work with, the options on the Sharing tab apply to that share only. You also have a Remove option, which you can use to remove the additional share.

  • Tap or click Permissions to view and set the share permissions as discussed in “Managing share permissions” later in this chapter. Share permissions provide the top-level access controls to the share. By default, only users you specify have access to the share. This important security feature is designed to help ensure that permissions aren’t given to users unless you grant them.

Creating shares by using Computer Management

By using Computer Management, you can share the folders of any computer to which you can connect on the network. This is handy for when you are sitting at your desk and don’t want to have to log on locally to share a server’s folders. After you start Computer Management, you can connect to the computer you want to work with by pressing and holding or right-clicking Computer Management in the console tree and then selecting Connect To Another Computer. Use the Select Computer dialog box to choose the computer you want to work with. When you are finished, expand System Tools and Shared Folders and then select Shares to display the current shares on the system you are working with.

You can then create a shared folder by pressing and holding or right-clicking Shares and then selecting New Share. This starts the Create A Shared Folder Wizard. Tap or click Next to display the Folder Path page, as shown in Figure 18-13. In the Folder Path field, type the full path to the folder you want to share. If you don’t know the full path or you want to share a new folder, tap or click Browse. You can now do the following:

  • Use the Browse For Folder dialog box to locate and select the folder you want to share

  • Select where you want to create a new folder, tap or click Make New Folder, type a name for the folder, and then press Enter

Note

You can start the Create A Shared Folder Wizard by typing shrpubw in the App Search box and pressing Enter.

A screen shot of the Create A Shared Folder Wizard, showing the folder path for the folder to be shared.

Figure 18-13. Specify the folder path or tap or click Browse to search for a folder to use.

Tap or click Next when you are ready to continue. In the Share Name field, type a name for the share, as shown in Figure 18-14. This is the name of the folder to which users will connect, and it must be unique on the computer you are working with. Share names can be up to 80 characters in length and can contain spaces. If you want to provide support for early Windows operating system clients, you should limit the share name to eight characters with a three-letter extension. If you want to hide the share from users (which means that they won’t be able to see the shared resource when they try to browse to it in File Explorer or at the command line), type $ as the last character of the share name. Keep in mind that you can hide shares only from normal users. If users have Administrator privileges, they can get a list of the shares.

Optionally, type a description of the share in the Description field. The description is displayed as comments when you view shares in Network Explorer and other Windows dialog boxes. Next, configure offline settings as appropriate.

By default, the share is configured so that only files and programs that users specify are available for offline use. Normally, this is the option you want to use because this option also enables users to take advantage of the new Always Offline feature. However, if you use this setting, you might also want to enable BranchCache. To do this, tap or click Change, select Enable BranchCache (as shown in Figure 18-15), and then tap or click OK. When the BranchCache For Network Files role service is installed on the file server, enabling BranchCache enables computers in a branch office to cache files that are downloaded from the shared folder and then securely share the files with other computers in the branch office.

A screen shot of the Create A Shared Folder Wizard dialog box, where you can set Share Name, Share Path, Description, and Offline Setting for the shared folder.

Figure 18-14. Set the share name and description.

A screen shot of the Offline Settings dialog box, where you can choose to make all files and programs in a shared folder available offline or whether offline files are user specified.

Figure 18-15. Configure the offline settings.

Alternatively, tap or click Change and then select All Files And Programs That Users Open From The Shared Folder Are Automatically Available Offline. With this setting, client computers automatically cache all files and programs that users open from the share. You can then also select Optimize For Performance to run cached program files from the local cache instead of from the shared folder on the server.

When you are ready to continue, tap or click Next to display the Shared Folder Permissions page, shown in Figure 18-16. The available options are as follows:

  • All Users Have Read-Only Access. Grants the Read share permission to the Everyone group. Because of this, all users have access to the share. The underlying access permissions determine permitted actions.

    Note

    Granting Read access instead of Full Control by default is designed to help ensure that permissions aren’t given to users unless you specifically grant them. Although it is a step toward better controls, it isn’t perfect because this permission is assigned to the special Everyone group, which means anyone with access to the network—even Guests—has Read access to the share.

  • Administrators Have Full Access; Other Users Have Read-Only Access. Grants the Full Control share permission to Administrators and the Read share permission to Everyone. This option gives administrators full access to the share and allows administrators to create, modify, and delete files and folders. On NTFS and ReFS volumes, it also gives administrators the right to change permissions and to take ownership of files and folders. Other users can only view files and read data. They can’t create, modify, or delete files and folders.

  • Administrators Have Full Access; Other Users Have No Access. Grants the Full Control share permission to Administrators. This option gives administrators full access to the share. Because no others are granted access, it prevents other users from accessing the share.

  • Customize Permissions. This option enables you to configure access for specific users and groups, which is usually the best technique to use. Setting share permissions is discussed fully in “Managing share permissions” later in this chapter.

After you set up permissions on the share, tap or click Finish. The wizard displays a status report, which should state, “Sharing was successful.” If you want to create another share, select the related check box before you tap or click Finish. This runs the Create A Shared Folder Wizard again.

A screen shot of the Create A Shared Folder Wizard, showing options to set share permissions.

Figure 18-16. Set the share permissions.

Creating shared folders in Server Manager

In Server Manager, the Shares subnode of the File And Storage Services node shows existing shares for file servers that have been added for management. I recommend getting to know the options here and using Server Manager for creating and managing shares whenever possible.

As shown in Figure 18-17, the shares are listed in alphabetical order for each server. If you select a share, the Volume panel provides information about the underlying volume and the Quota panel displays information about File Server Resource Manager (FSRM) quotas.

A screen shot of the Shares node in Server Manager, showing the currently available shares.

Figure 18-17. View currently configured shares.

On the Shares panel, tap or click Tasks and then tap or click New Share to start the New Share Wizard. The New Share Wizard has several file share profiles:

  • SMB Share - Quick. A basic profile for creating SMB file shares that you can use to configure their settings and permissions.

  • SMB Share - Advanced. An advanced profile for creating SMB file shares that you can use to configure their settings, permissions, management properties, and FSRM quota profile (if applicable).

  • SMB Share - Applications. A custom profile for creating SMB file shares with settings appropriate for Hyper-V, certain databases, and other server applications. It’s essentially the same as the quick profile, but it doesn’t allow you to enable access-based enumeration or offline caching. If the share will be used for Hyper-V, you also might need to enable constrained delegation for remote management of the Hyper-V host.

  • NFS Share - Quick. A basic profile for creating NFS file shares that you can use to configure their authentication settings, manage permissions for hosts, and manage permissions for users.

  • NFS Share - Advanced. An advanced profile for creating NFS file shares that you can use to configure their authentication settings, manage permissions for hosts and users, add management properties, and assign an FSRM quota profile (if applicable).

Note

The differences between the file share profiles are fundamental. Whether you are working with SMB or NFS, the Advanced profiles enable you to add management properties and assign FSRM quota profiles; the Quick profiles don’t. The Applications profile is the same as the Quick profile except that it disables access-based enumeration and offline caching in the wizard UI because you don’t want to use these settings with server applications and certain databases. If you later edit the properties of a share created with the Applications profile, these properties are configurable.

Important

SMB 3.02 includes enhancements that improve performance for small random reads and writes, which are common with server-based applications such as Microsoft SQL Server online transaction processing (OLTP). Packets use large maximum transmission units (MTUs) as well to enhance performance for large, sequential data transfers, such as those used for deploying and copying virtual hard disks (VHDs) over the network, database backup and restore over the network, and SQL Server data-warehouse transactions over the network.

Choose one of the available SMB share profiles and then tap or click Next. On the Select The Server And Path For This Share page, shown in Figure 18-18, select the server and volume on which you want the share to be created. Only file servers you’ve added for management are available.

Note

Server Manager creates the file share as a new folder in the Shares directory on the selected volume by default. To change this, choose Type A Custom Path and then either type the desired share path, such as D:\Data, or click Browse to use the Select Folder dialog box to select the share path. If the folder path doesn’t exist, the wizard will create folders as necessary.

A screen shot of the Select The Server And Path For This Share page in the New Share Wizard, showing options for selecting the server and location for the share.

Figure 18-18. Set the location of the share.

Tap or click Next when you are ready to continue. On the Specify Share Name page, type a name for the share, as shown in Figure 18-19. This is the name of the folder to which users will connect. Note the local and remote paths to the share. These paths are set based on the share location and share name you specified. Keep in mind that share names must be unique for each system and that the wizard creates folders as necessary. For example, if the path is D:\Shares\EngData and neither the Shares folder nor the EngData subfolder has been created, the wizard will create both folders to ensure that the share path is valid.

Optionally, type a description of the share in the Share Description text box. When you view shares on a particular computer, the description is displayed in Computer Management. When you are ready to continue, tap or click Next.

A screen shot of the Specify Share Name page in the New Share Wizard, showing options for setting the share name and description.

Figure 18-19. Set the name and description for the share.

On the Configure Share Settings page, use the following options to configure the way the share is used:

  • Enable Access-Based Enumeration. With this setting, the wizard configures permissions so that when users browse the folder, only files and folders to which a user has been granted at least Read access are displayed. If a user doesn’t have at least Read (or equivalent) permission for a file or folder within the shared folder, that file or folder is hidden from view. (This option is dimmed if you are creating an SMB share optimized for applications.)

  • Allow Caching Of Share. With this setting, the wizard configures the share to cache only the files and programs that users specify for offline use. Although you can later edit the share properties and change the offline files’ availability settings, you normally want to select this option because it enables users to take advantage of the new Always Offline feature. Optionally, if the BranchCache For Network Files role service is installed on the file server, select Enable BranchCache to enable computers in a branch office to cache files that are downloaded from the shared folder and then securely share the files to other computers in the branch office. (This option is dimmed if you are creating an SMB share optimized for applications.)

  • Encrypt Data Access. With this setting, the wizard configures the share to use SMB encryption, which protects file data from eavesdropping while it is being transferred over the network. This option is useful on untrusted networks.

Tap or click Next. On the Specify Permissions To Control Access page, shown in Figure 18-20, the default access permissions assigned to the share are listed. By default, the special Everyone group is granted the Full Control share permission and the underlying access permissions are as listed. To change the share permissions, the access permissions, or both, tap or click Customize Permissions and then use the Advanced Security Settings dialog box to configure the desired permissions. See “Configuring share permissions” later in the chapter for more information on setting permissions.

A screen shot of the Specify Permissions To Control Access page in the New Share Wizard, showing the default permissions and options for setting other permissions.

Figure 18-20. Review the default permissions and set other permissions as appropriate.

If you are using the advanced profile, do the following:

  • Optionally, set the folder management properties and then tap or click Next. These properties specify the purpose of the folder and the type of data stored in it so that data-management policies, such as classification rules, can then use these properties.

  • Optionally, apply a quota based on a template to the folder and then tap or click Next. You can select only quota templates that have already been created. For more information, see “Managing file-screen templates” in Chapter 20.

On the Confirm Selections page, review your selections. When you tap or click Create, the wizard creates the share, configures it, and sets permissions. The status should state, “The share was successfully created.” If an error appears instead, note the error and take corrective action as appropriate before repeating this procedure to create the share. Tap or click Close.
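The settings the Create A Shared Folder Wizard and the New Share Wizard walk through above map directly onto the SmbShare cmdlets. The following is an added example, not code from the book; the paths and the CPANDL\... account names are constructed placeholders, and it assumes the SmbShare module that ships with Windows Server 2012 R2.

```powershell
# Added example, not code from the book. Creates two shares with the settings the
# wizards expose, using the SmbShare module on Windows Server 2012 R2.
# Paths and CPANDL\... account names are constructed placeholders.

$engPath = 'D:\Shares\EngData'
$vmPath  = 'D:\Shares\VMStore'

# Both wizards create missing folders; do the same so each share path is valid.
foreach ($p in $engPath, $vmPath) {
    if (-not (Test-Path -LiteralPath $p)) {
        New-Item -ItemType Directory -Path $p | Out-Null
    }
}

# Equivalent of "SMB Share - Quick" with the settings worth choosing on a
# general-purpose share:
#   FolderEnumerationMode AccessBased   Enable Access-Based Enumeration
#   CachingMode Manual                  only files users specify are cached offline
#   EncryptData $true                   Encrypt Data Access (SMB 3 encryption)
#   explicit Full/Change entries        replaces the wizard default of
#                                       Everyone: Full Control
New-SmbShare -Name 'EngData' -Path $engPath `
    -Description 'Engineering working data' `
    -FolderEnumerationMode AccessBased `
    -CachingMode Manual `
    -EncryptData $true `
    -FullAccess 'CPANDL\Domain Admins' `
    -ChangeAccess 'CPANDL\Eng Users' | Out-Null

# Equivalent of "SMB Share - Applications": no access-based enumeration and no
# offline caching, which is what the wizard enforces for Hyper-V and database use.
New-SmbShare -Name 'VMStore' -Path $vmPath `
    -Description 'Hyper-V virtual disks' `
    -FolderEnumerationMode Unrestricted `
    -CachingMode None `
    -FullAccess 'CPANDL\Domain Admins', 'CPANDL\HyperV Hosts' | Out-Null

# Review what was actually configured rather than trusting the wizard summary.
Get-SmbShare -Name 'EngData', 'VMStore' |
    Format-Table Name, Path, FolderEnumerationMode, CachingMode, EncryptData -AutoSize
Get-SmbShareAccess -Name 'EngData' |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
```

To enable BranchCache on a share as the wizard does, use -CachingMode BranchCache instead of Manual; it requires the BranchCache For Network Files role service on the server.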

Changing shared folder settings

When you create a share, you can configure many basic and advanced settings, including those for access-based enumeration, encrypted data access, offline settings for caching, and management properties. In Server Manager, the Shares subnode of the File And Storage Services node shows existing shares for file servers that have been added for management. You can modify share settings by pressing and holding or right-clicking the share you want to work with and then tapping or clicking Properties.

In the Properties dialog box, shown in Figure 18-21, you have several option panels that can be accessed by using controls in the left pane. Although you can expand the panels one by one, tap or click Show All instead to expand all the panels at the same time and then just scroll through the properties to review the settings. The available options are the same whether you used the basic, advanced, or applications profile to create the shared folder.

A screen shot of the Properties dialog box for a share, showing the default settings and options.

Figure 18-21. Review and modify the share settings.

Publishing shares in Active Directory

Sometimes, you also want to publish shares in Active Directory to make them easier to find. The quickest way to do this is to use Computer Management. After you start Computer Management and connect to the computer you want to work with, expand System Tools and Shared Folders and then select Shares to display the current shares on the system you are working with.

You can then publish a shared folder by pressing and holding or right-clicking the share in the details pane and then selecting Properties. In the share’s Properties dialog box, tap or click the Publish tab, as shown in Figure 18-22. Finally, select the Publish This Share In Active Directory check box and then tap or click OK.

Note

As discussed earlier in the chapter, in “Using and finding shares,” search keywords can help users find shares. To add search keywords, tap or click Edit. In the Edit Keywords dialog box, enter a keyword and then tap or click Add. Repeat as necessary to add more keywords.

A screen shot of the Publish tab in a shared folder’s Properties dialog box, showing options to publish a share in Active Directory.

Figure 18-22. Publish the share in Active Directory.

Managing share permissions

As discussed previously, Windows Server 2012 R2 has two levels of permissions for shared folders: share permissions and access permissions. Share permissions are applied any time you access a file or folder over the network. These top-level permissions set the maximum allowable actions available within a shared folder. Although share permissions can get you in the door when you work remotely, the access permissions can further constrain access and the allowable actions.

When accessing files locally, only the access permissions are applied. However, when accessing files remotely, first the share permissions are applied and then the access permissions. In the case of file allocation table (FAT) volumes, the share permissions are the only permissions, and if a user has local access to the folder, she can perform any action.

Understanding share permissions

With shared folders, you use share permissions to set the maximum allowed access level. Share permissions are applied only when you access a folder remotely, and they can be used to grant access directly to users or implicitly through the groups to which users belong.

The available share permissions are as follows:

  • Full Control. By granting this permission, users have Read and Change permissions and additional capabilities to change access permissions and take ownership of files and folders.

  • Change. By granting this permission, users have Read permissions and the additional capability to create files and subfolders, modify files, change attributes on files and subfolders, and delete files and subfolders.

  • Read. By granting this permission, you allow users to view file and subfolder names, access the subfolders of the share, read file data and attributes, and run program files.

If you have Read permissions on a share, the most you can do is perform read operations. If you have Change permissions on a share, the most you can do is perform read operations and change operations. If you have Full Control, you have full access. However, in any case, access permissions can further constrain access.

Permissions assigned to groups work like this: If a user is a member of a group that is granted share permissions, that user also has those permissions. If a user is a member of multiple groups, the permissions are cumulative. This means that if one group of which the user is a member has Read access and another has additional access, the user has the additional access as well.

To override this behavior, you must specifically deny an access permission. Denying a permission is the trump card—it takes precedence and overrides permissions that have been granted. When you want to single out a user or group and deny it a permission, configure the share permissions to deny that permission specifically to the user or group. For example, if a user is a member of a group that has been granted Full Control over a share, but he should have only Read permissions, configure the share to deny Change permissions to that user.

Configuring share permissions

The easiest way to configure share permissions is to use Computer Management. After you start Computer Management, connect to the computer you want to work with by pressing and holding or right-clicking Computer Management in the console tree and then selecting Connect To Another Computer. Then use the Select Computer dialog box to choose the computer you want to work with. When you are finished, expand System Tools and Shared Folders and then select Shares to display the current shares on the system you are working with.

To view or manage the permissions of a share, press and hold or right-click the share and then select Properties. In the share Properties dialog box, tap or click the Share Permissions tab, as shown in Figure 18-23. You can now view the users and groups that have access to the share and the type of access they have.

In this example, members of the Domain Admins group have Full Control over the share and members of the Domain Users group have Change access. The Everyone group was removed to enhance security as discussed in the Inside Out “Changes might be needed to enhance security” sidebar earlier in the chapter.

A screen shot of a share’s Properties dialog box, showing the Share Permissions tab.

Figure 18-23. View or set share permissions.

You can grant or deny permission to access a share by following these steps:

  1. In Computer Management, press and hold or right-click the share and then select Properties. In the share Properties dialog box, tap or click the Share Permissions tab.

  2. On the Share Permissions tab, tap or click Add. This opens the Select Users, Computers, Service Accounts, Or Groups dialog box.

  3. The Locations button enables you to access account names from other domains. Tap or click Locations to see a list of the current domains, trusted domains, and other resources that you can access. Because of transitive trusts, you can usually access all the domains in the domain tree or forest.

  4. Type the name of a user or group account in the selected or default domain and then tap or click Check Names. The options available depend on the number of matches found, as follows:

    • When a single match is found, the dialog box is automatically updated as appropriate and the entry is underlined.

    • When no matches are found, you’ve either entered an incorrect name part or you’re working with an incorrect location. Modify the name and try again or tap or click Locations to select a new location.

    • If multiple matches are found, select the name or names you want to use and then tap or click OK.

  5. To add additional users or groups, type a semicolon (;) and then repeat this process.

  6. When you tap or click OK, the users and groups are added to the Name list for the share.

  7. Configure access permissions for each user and group added by selecting an account name and then allowing or denying access permissions. If a user or group should be granted access permissions, select the check box for the permission in the Allow column. If a user or group should be denied access permissions, select the check box for the permission in the Deny column.

  8. When you’re finished, tap or click OK.

Note

You can select the opposite permission to override an inherited permission. In addition, Deny normally overrides Allow. For example, you can explicitly deny permission to a user or group for a child folder or file. This permission is then denied to that user or group of users.

In Server Manager, the Shares subnode of the File And Storage Services node shows existing shares for file servers that have been added for management. Press and hold or right-click the share you want to work with and then tap or click Properties. In the Properties dialog box, tap or click Permissions in the left pane. You can now view the users and groups that have access to the share and the type of access they have.

To change the share permissions, the folder permissions, or both, tap or click Customize Permissions and then select the Share tab in the Advanced Security Settings dialog box, as shown in Figure 18-24. Users or groups that already have access to the share are listed in the Permission Entries list. You can remove permissions for these users and groups by selecting the user or group you want to remove and then tapping or clicking Remove.

A screen shot of the Advanced Security Settings dialog box, showing the Share tab.

Figure 18-24. Use the Advanced Security Settings dialog box to manage share permissions.

You can change permissions for these users and groups by doing the following:

  1. Select the user or group you want to change and then select Edit.

  2. Allow or deny access permissions in the Permissions list box and then tap or click OK.

To add permissions for another user or group, follow these steps:

  1. Tap or click Add to open the Permission Entry dialog box, shown in Figure 18-25. Next, tap or click Select A Principal to open the Select User, Computer, Service Account Or Group dialog box. Type the name of a user or a group account and then tap or click Check Names. Only one name can be entered at a time. Be sure to reference the user account name rather than the user’s full name.

    A screen shot of the Permission Entry dialog box, showing the permissions that can be allowed or denied for a security principal.

    Figure 18-25. Add permissions entries to allow or deny access.

  2. If a single match is found for each entry, the dialog box is automatically updated and the entry is underlined. Otherwise, you see an additional dialog box. If no matches are found, either you entered the name incorrectly or you’re working with an incorrect location. Modify the name in the Name Not Found dialog box and try again or tap or click Locations to select a new location. When multiple matches are found, in the Multiple Names Found dialog box, select the name you want to use and then tap or click OK.

  3. When you tap or click OK, the user or group is added as the Principal, and the Permission Entry dialog box is updated to show this.

  4. Use the Type list to specify whether you are configuring allowed or denied permissions and then select the permissions you want to allow or deny.

  5. Tap or click OK to return to the Advanced Security Settings dialog box. To assign additional security permissions for controlling access, see “Managing access permissions” in Chapter 19.
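The share permissions shown in Figure 18-23 (Domain Admins with Full Control, Domain Users with Change, Everyone removed) and the deny-a-single-user case from the previous section can be applied and audited from PowerShell as well. This is an added example, not the book's own code; the share name and CPANDL\... accounts are constructed placeholders.

```powershell
# Added example, not code from the book. Reproduces the Figure 18-23 share
# permissions with the SmbShare cmdlets and then audits all shares on the server.
# Share name and CPANDL\... account names are constructed placeholders.

$share = 'EngData'

# 1. Drop the default "Everyone: Full Control" entry a new share is given.
Revoke-SmbShareAccess -Name $share -AccountName 'Everyone' -Force | Out-Null

# 2. Grant the groups that should have access. Share permissions are cumulative,
#    so a member of both groups below ends up with Full Control.
Grant-SmbShareAccess -Name $share -AccountName 'CPANDL\Domain Admins' `
    -AccessRight Full -Force | Out-Null
Grant-SmbShareAccess -Name $share -AccountName 'CPANDL\Domain Users' `
    -AccessRight Change -Force | Out-Null

# 3. Single out one account. Block-SmbShareAccess adds a Deny entry for Full
#    Control, which overrides whatever that user's groups grant. To deny only
#    Change while leaving Read, use the Share Permissions tab as in the steps
#    above; the cmdlet has no per-right deny.
Block-SmbShareAccess -Name $share -AccountName 'CPANDL\contractor01' -Force | Out-Null

# 4. Audit: list every non-administrative share that still grants Everyone or
#    Authenticated Users the Full Control share permission.
function Get-OverlyOpenShare {
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $s = $_
        Get-SmbShareAccess -Name $s.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -eq 'Full' -and
            $_.AccountName -in @('Everyone', 'NT AUTHORITY\Authenticated Users')
        } | Select-Object @{ n = 'Share'; e = { $s.Name } }, AccountName, AccessRight
    }
}

Get-SmbShareAccess -Name $share |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
Get-OverlyOpenShare | Format-Table -AutoSize
```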

Configuring synced sharing

Although standard file sharing requires a computer that is joined and connected to the enterprise domain, synced sharing does not. With sync shares, users can use an Internet or corporate network connection to sync data to their devices from folders located on enterprise servers. You implement synced sharing by using Work Folders, a feature that you can add to servers running Windows Server 2012 R2 or later.

Understanding Work Folders and sync shares

Work Folders use a client-server architecture. A Work Folders client is natively integrated into Windows 8.1, and clients for Windows 7, Apple iPad, and other devices are (or will become) available. You deploy Work Folders in the enterprise by performing these procedures:

  1. Identify servers that you want to host sync shares and add the Work Folders role to these servers.

  2. In Group Policy, enable discovery of Work Folders for the appropriate domains and organizational units.

  3. Create sync shares on the servers you’ve selected.

  4. Optionally, enable SMB access to sync shares.

  5. Configure clients to access Work Folders.

Work Folders use a remote web gateway configured as part of the Internet Information Services (IIS) hostable web core. When users access a sync share through a URL provided by an administrator and configured in Group Policy, a user folder is created as a subfolder of the sync share and this subfolder is where the user’s data is stored. The folder-naming format for the user-specific folder is set when you create a sync share. The folder can be named by using only the user alias portion of the user’s logon name or the full logon name in alias@domain format. The format you choose primarily depends on the level of compatibility required. Using the full logon name eliminates potential conflicts when users from different domains have identical user aliases, but this format is not compatible with redirected folders.

To maintain compatibility with redirected folders, you should configure sync folders to use aliases. However, in enterprises with multiple domains, the drawback to this approach is that there could be conflicts between identical user aliases in different domains. Although the automatically configured permissions for a user folder would prevent davidw from the cpandl.com domain from accessing a user folder created for davidw from the adatum.com domain, the conflict would cause problems. If there were an existing folder for davidw from the cpandl.com domain, the server would not be able to create a user folder for davidw from the adatum.com domain.

With Work Folders, you have several important configuration options. You can do the following:

  • Encrypt files in Work Folders on client devices

  • Require screens to lock automatically and require a password

  • Enable SMB access to sync shares

Encryption is implemented using the Encrypting File System (EFS). EFS encrypts files with an enterprise encryption key rather than an encryption key generated by the client device. The enterprise encryption key is specific to the enterprise ID of the user (which by default is the primary SMTP address of the user). Having an enterprise encryption key that is separate from a client’s standard encryption key is important to ensure that encrypted personal files and encrypted work files are managed separately.

When files are encrypted, administrators can use a selective wipe to remove enterprise files from a client device. The selective wipe simply removes the enterprise encryption key and thus renders the work files unreadable (without affecting any encrypted personal files). Because the work files remain encrypted, there’s no need to delete the work files from the client device. That said, you could run Disk Optimizer on the drive where the work files were stored. During optimization, Disk Optimizer should then overwrite the sectors where the work files were stored. Selective wipe only works when you’ve enabled the encryption option on Work Folders.

Encryption is only one way to protect enterprise data. Another way to protect enterprise data is to configure client devices to lock screens and require a password for access, which ensures the following:

  • A minimum password length of six characters

  • A maximum password retry of 10

  • A screen that automatically locks in 15 minutes or less

Note

If you enforce the use of automatic lock screens and passwords, any device that doesn’t support these requirements is prevented from connecting to the Work Folder.

By default, sync shares are not available in the same way as standard file shares, and users can only access sync shares by using the Work Folders client. If you want to make sync shares available to users as standard file shares, you must enable SMB access. After you enable SMB access, users can access files stored in Work Folders by using syncing and by mapping network drives.

When a user makes changes to files in Work Folders, the changes might not be immediately apparent to others using the same Work Folders. For example, if a user deletes a file from a Work Folder using SMB, other users accessing the Work Folder might still see the file as available. This inconsistency can occur because, by default, clients only poll the sync server every 10 minutes for SMB changes. In addition, to minimize support issues related to Work Folders, you want to advise users that changes might not be immediately apparent; therefore, they need to be patient when waiting for changes to propagate.

Sync servers also use the Work Folders client to check periodically for changes users have made using SMB. The default polling interval is 5 minutes. When the server identifies changes, the server relays the changes the next time a client syncs. Taken together, these two intervals mean that it could take up to 15 minutes for a change made using SMB to propagate fully.

You can control how frequently the server checks for changes made locally on the server or through SMB by using the -MinimumChangeDetectionMins parameter of the Set-SyncServerSetting cmdlet. However, because the server must check the change information for each file stored in the sync share, you need to be careful that you don’t configure a server to try to detect changes too frequently. A server that checks for changes too frequently can become overloaded. Remember, change detection uses more resources as the number of files stored in the sync share increases.
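The deployment steps and configuration options described in this section (user folder naming, encryption, lock-screen enforcement, optional SMB access, and the change-detection interval) can be scripted with the SyncShare cmdlets. The block below is an added example, not the book's own code; the paths and CPANDL\Eng Users group are constructed placeholders, and it assumes the parameter names of the SyncShare module on Windows Server 2012 R2.

```powershell
# Added example, not code from the book. Creates and hardens a Work Folders sync
# share with the SyncShare cmdlets on Windows Server 2012 R2. Paths and the
# CPANDL\Eng Users group are constructed placeholders.

$syncPath = 'D:\SyncShares\EngWork'

# Step 1 of the deployment list: add the Work Folders role service.
Install-WindowsFeature -Name FS-SyncShareService | Out-Null

if (-not (Test-Path -LiteralPath $syncPath)) {
    New-Item -ItemType Directory -Path $syncPath | Out-Null
}

# Step 3: create the sync share.
#   -UserFolderName '%username%'        alias only; compatible with redirected folders
#   -UserFolderName '%username@domain%' full logon name; avoids the davidw clash
#                                       between cpandl.com and adatum.com
#   -RequireEncryption                  EFS with the enterprise key, so a selective
#                                       wipe can later render the work files unreadable
#   -RequirePasswordAutoLock            six-character minimum, 10 retries, 15-minute lock
New-SyncShare -Name 'EngWork' -Path $syncPath `
    -User 'CPANDL\Eng Users' `
    -UserFolderName '%username%' `
    -RequireEncryption $true `
    -RequirePasswordAutoLock $true `
    -Description 'Engineering Work Folders' | Out-Null

# Step 4 (optional): expose the same folder as a standard SMB share so users can
# also map a drive to it. SMB encryption protects the same data in transit.
New-SmbShare -Name 'EngWork' -Path $syncPath `
    -FolderEnumerationMode AccessBased `
    -EncryptData $true `
    -ChangeAccess 'CPANDL\Eng Users' | Out-Null

# How often the server scans for local/SMB changes. 5 minutes is the default;
# a larger value lowers load on shares with many files at the cost of slower
# propagation (clients themselves poll every 10 minutes by default).
Set-SyncServerSetting -MinimumChangeDetectionMins 10

# Verify the hardening options actually took effect.
Get-SyncShare -Name 'EngWork' |
    Format-List Name, Path, UserFolderName, RequireEncryption, RequirePasswordAutoLock
Get-SyncServerSetting | Format-List MinimumChangeDetectionMins
```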

Deploying sync shares through Group Policy

To deploy Work Folders, you add the File And Storage Services\Work Folders role to a file server and then configure Work Folders by using Server Manager. Afterward, you can use policy settings to control related options such as the server to which users can connect remotely and access Work Folders.

Clients use secure encrypted communications to connect to Work Folders as long as the file servers hosting Work Folders have valid Secure Sockets Layer (SSL) certificates. When a device initiates an SSL connection, the server sends the certificate to the client. The client evaluates the certificate and continues only if the certificate is valid and can be trusted. If you configure a connection to an exact URL, the client connects directly to the specified server and synchronizes data in Work Folders. The server’s certificate must have a Common Name (CN) or a Subject Alternative Name (SAN) that matches the host header in the request. For example, if the client makes a request to https://server25.cpandl.com, the CN or SAN must be server25.cpandl.com.

In Group Policy, you specify the URL used within your organization for Work Folders discovery by using the Specify Work Folders Settings policy found under Administrative Templates policies for User Configuration\Windows Components\Work Folders. You control the connection to servers in one of two ways: by specifying the exact URL of the server that hosts the user’s Work Folders, as described above, or by specifying a discovery URL:

Any server configured with Work Folders acts as a discovery server by default. If you configure a discovery URL, a client connects to one of several servers and the email address of the user is used to discover which specific server hosts the Work Folders for the client. The client is then connected to this server. Each discovery server needs to have a certificate with multiple Subject Alternative Names (SANs), including the server name and the discovery name. For example, if a client makes a request to https://workfolders.cpandl.com and connects to FileServer83.cpandl.com, the server’s certificate must have a CN or SAN of fileserver83.cpandl.com and a SAN of workfolders.cpandl.com.

If you want to configure Work Folders in Group Policy, use the following technique:

  1. Access Group Policy for the system, site, domain, or OU you want to work with. Access the Work Folders node by using the Administrative Templates policies for User Configuration under Windows Components\Work Folders.

  2. Double-tap or double-click Specify Work Folders Settings and then select Enabled (see Figure 18-26).

  3. In the Work Folders URL text box, enter the URL of the file server that hosts the Work Folders for the user or the URL used within your organization for Work Folders discovery.

  4. If you want to prevent users from changing settings when setting up Work Folders, select Force Automatic Setup. When you enforce setup, users cannot opt out of using Work Folders and are prevented from manually specifying the local folder in which Work Folders stores files.

  5. Tap or click OK.

    A screen shot of the Specify Work Folders Settings dialog box, showing that the related policy setting has been enabled, and the URL is set as .

    Figure 18-26. Enable Work Folders and then specify the URL to use for discovery.
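The same policy can be set from PowerShell with the GroupPolicy module. The block below is an added example, not the chapter’s own procedure. The GPO name and the OU in the link are placeholders; the registry key Software\Policies\Microsoft\Windows\WorkFolders with the SyncUrl and AutoProvision values is what the Specify Work Folders Settings policy writes according to the Work Folders ADMX as I understand it, so treat those names as an assumption and confirm them against your ADMX before relying on them. The URL reuses the chapter’s workfolders.cpandl.com discovery example.

```powershell
# Added example, not from the chapter: configure Specify Work Folders Settings with the GroupPolicy module.
# Registry key and value names are assumed from the Work Folders ADMX; GPO name and OU are placeholders.
Import-Module GroupPolicy

$gpoName   = 'Work Folders Clients'                              # placeholder
$targetOU  = 'OU=Workstations,DC=cpandl,DC=com'                  # placeholder
$policyKey = 'HKCU\Software\Policies\Microsoft\Windows\WorkFolders'   # assumed from ADMX
$syncUrl   = 'https://workfolders.cpandl.com'                    # discovery URL from the chapter

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
    New-GPLink -Name $gpoName -Target $targetOU | Out-Null
}

# Work Folders URL: must be HTTPS, and the name must match the server certificate's CN or SAN
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'SyncUrl' -Type String -Value $syncUrl | Out-Null

# Force Automatic Setup: users cannot opt out of Work Folders or pick their own local folder
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'AutoProvision' -Type DWord -Value 1 | Out-Null

# Read back what the GPO now carries and check the URL is not plain HTTP
$configured = Get-GPRegistryValue -Name $gpoName -Key $policyKey
$configured | Format-Table ValueName, Type, Value -AutoSize

$url = ($configured | Where-Object ValueName -eq 'SyncUrl').Value
if ($url -notmatch '^https://') {
    Write-Warning "Work Folders URL '$url' is not HTTPS; clients will not establish a protected connection."
}
```

Because the key is under HKCU, the values land in the User Configuration side of the GPO, matching where the chapter locates the policy.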

To enable detailed logging of Work Folders, you can enable and configure the Audit Object Access policy setting for a Group Policy Object (GPO) processed by the server. You find this setting in Administrative Templates For Computer Configuration under Windows Settings\Security Settings\Local Policies\Audit Policies. After you enable Audit Object Access, add an audit entry for the specific folders you want to audit. In File Explorer, press and hold or right-click a folder you want to audit and then select Properties. In the Properties dialog box, on the Security tab, select Advanced. In the Advanced Security Settings dialog box, use the options on the Auditing tab to configure auditing.
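The two halves of that procedure, turning on the Object Access category and adding an audit entry (a SACL entry) to the folder, can also be scripted. This is an added example and not the chapter’s own text; the sync share path is a placeholder, the audited rights are my choice of the operations most worth recording (writes, deletes, permission and ownership changes), and the script must run elevated because writing a SACL requires the Manage auditing and security log privilege.

```powershell
# Added example, not from the chapter: enable Object Access auditing and add an audit entry to a sync share root.
# Run elevated on the sync server. $syncShareRoot is a placeholder.
$syncShareRoot = 'D:\SyncShares\Users'   # placeholder

# Audit Object Access, success and failure. In a domain, set this in the GPO the server processes;
# a local auditpol change is overridden when policy is reapplied.
auditpol /set /category:"Object Access" /success:enable /failure:enable | Out-Null

# Audit rule: everyone's writes, deletes, permission and ownership changes, inherited by subfolders and files
$rights      = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$auditFlags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inheritance, $propagation, $auditFlags)

# Get-Acl -Audit reads the SACL; Set-Acl writes it back (needs SeSecurityPrivilege)
$acl = Get-Acl -Path $syncShareRoot -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $syncShareRoot -AclObject $acl

# Confirm the entry is present
(Get-Acl -Path $syncShareRoot -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# Matching events are logged to the Security log as event ID 4663 (an attempt was made to access an object)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Auditing every read on a busy sync share generates a large event volume, which is why the rule above records modifying operations only; widen it to ReadData if you need a full access trail and have the log capacity for it.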

Creating sync shares and enabling SMB access

You create a sync share to identify a local folder on a sync server that will be synchronized and accessible to domain users through the Work Folders client. Because sync shares are mapped to local paths on sync servers, I recommend creating any folders that you want to use before creating sync shares. This will make it easier to select the exact folders you want to work with.

To create a sync share, complete the following steps:

  1. In Server Manager, select File And Storage Services and then select Work Folders. On the Work Folders panel, select Tasks and then select New Sync Share. This opens the New Sync Share Wizard. If the Before You Begin page is displayed, select Next.

  2. On the Select The Server And Path page, shown in Figure 18-27, select the server you want to work with. Keep in mind that only servers that have the Work Folders role installed are available for selection.

    A screen shot of the Select The Server And Path page in the New Sync Share Wizard, showing options for selecting a server to work with and specifying the path of the sync share.

    Figure 18-27. Specify the server and folder to use.

  3. When configuring sync shares, you have several options. You can do the following:

    • Add syncing to an existing file share by choosing Select By File Share and then selecting the file share that should also be synced

    • Add syncing to an existing local folder by choosing Enter A Local Path, selecting Browse, and then using the Select Folder dialog box to locate and choose the folder to sync

    • Add syncing to a new local folder by choosing Enter A Local Path and then entering the path to use

  4. When you are ready to continue, tap or click Next. If you specified a new folder location, you are prompted to confirm whether you want to create this folder. Select OK to create the folder and continue.

  5. On the Specify The Structure For User Folders page, shown in Figure 18-28, choose a folder-naming format for the subfolders where user data is stored. To use only the user alias portion of the user’s logon name for naming user folders, choose User Alias. To use the full logon name for naming user folders, choose User alias@domain.

    A screen shot of the Specify The Structure For User Folders page in the New Sync Share Wizard, showing options for selecting a folder-naming format.

    Figure 18-28. Select a folder-naming format and an optional folder to sync.

  6. By default, all folders and files stored under the user folder are synced automatically. If you’d prefer only a specific folder to be synced, select the Sync Only The Following Subfolder check box and then enter the name of the folder, such as Documents. Note that if the specified subfolder does not exist, it will be created for every user to whom this policy is applied. Select Next to continue.

  7. On the Enter The Sync Share Name page, enter a share name and description before selecting Next to continue.

  8. On the Grant Sync Access To Groups page, shown in Figure 18-29, use the options provided to specify the users and groups that should be able to access the sync share. To add a user or group, select Add and then use the Select User Or Group dialog box to specify the user or group that should have access to the sync share.

    Note

    Any users and groups you specify are granted permissions on the base folder that allow them to create folders and access files in their own folders. Specifically, Creator/Owner is granted Full Control on subfolders and files only. The users and groups are granted List Folder/Read Data, Create Folders/Append Data, Traverse Folder/Execute File, and Read/Write attributes on the base folder. Local System is granted Full Control of the base folder, subfolders, and files. Administrator is granted Read permissions on the base folder.

    A screen shot of the Grant Sync Access To Groups page in the New Sync Share Wizard, showing options for selecting users and groups that should have access to the sync share.

    Figure 18-29. Specify the users and groups that should have access to the sync share.

    By default, inherited permissions are disabled and users have exclusive access to their user folders. Because of this, only the user who stores a file has access to this file on the share.

  9. If the base folder for the share has permissions that you want to be applied to user folders, such as those that would grant administrators access to user folders, clear the Disable Inherited Permissions check box. When you are ready to continue, tap or click Next.

  10. On the Specify Device Policies page, you have two options. You can select Encrypt Work Folders to encrypt files in Work Folders on client devices. You can select Automatically Lock Screen And Require A Password to ensure that the screens on client devices lock automatically and require a password for access.

  11. Tap or click Next to continue and then confirm your selections. Select Create to create the sync share. If the wizard is unable to create the sync share, you see an error; note the error and take appropriate corrective action. A common error occurs when the server hosts both Work Folders (which use the hostable web core) and the full Web Server (IIS) role. Before you can create sync shares, you need to either modify the ports used so they do not conflict or install Work Folders on a server that doesn’t have the full Web Server (IIS) role.

If you did not select an existing file share during setup and want to enable the sync share for SMB access, open File Explorer. In File Explorer, press and hold or right-click the folder, select Share With, and then select Specific People. Finally, configure file sharing as discussed earlier in the chapter.
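The whole procedure from the New Sync Share Wizard through SMB access can be done with the SyncShare and SmbShare modules. The block below is an added example, not the chapter’s own steps: the share name, folder path and domain group are constructed placeholders. After creating the share it reads the base-folder ACL and flags any entry that gives the user group more than the list/create/traverse/attribute rights described in the Note above, and it publishes the folder over SMB with Change rather than Full Control at the share level, SMB encryption, and access-based enumeration.

```powershell
# Added example, not from the chapter: create a sync share with the wizard's device policies,
# check the base-folder ACL against the documented model, then publish the folder over SMB.
# Share name, path and group are placeholders; run elevated on the sync server.
Import-Module SyncShare

$shareName = 'WorkFolders-Sales'        # placeholder
$basePath  = 'D:\SyncShares\Sales'      # placeholder; create the folder first, as the chapter advises
$userGroup = 'CPANDL\Sales Users'       # placeholder domain group

if (-not (Test-Path -Path $basePath)) {
    New-Item -ItemType Directory -Path $basePath | Out-Null
}

# Wizard equivalents: full logon name for per-user folders, Encrypt Work Folders, and
# Automatically Lock Screen And Require A Password. Inherited permissions stay disabled
# (the default), so each user folder is private to its owner.
$syncShare = @{
    Name                    = $shareName
    Path                    = $basePath
    User                    = $userGroup
    UserFolderName          = 'user@domain'
    RequireEncryption       = $true
    RequirePasswordAutoLock = $true
}
if (-not (Get-SyncShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SyncShare @syncShare | Out-Null
}

# Per the Note, the group should hold only list/create/traverse/attribute rights on the base folder;
# Creator Owner's Full Control applies to subfolders and files only. Show the ACL and flag anything broader.
$acl = Get-Acl -Path $basePath
$acl.Access | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, AccessControlType -AutoSize

$deleteBit = [System.Security.AccessControl.FileSystemRights]::Delete
$tooBroad  = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $userGroup -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $deleteBit) -eq $deleteBit)   # Delete is also part of Modify and FullControl
}
if ($tooBroad) {
    Write-Warning "$userGroup can delete on $basePath itself; users should only be able to list and create there."
}

# SMB access, the command-line counterpart of Share With > Specific People. Share permissions stay at
# Change (NTFS still isolates user folders), data is encrypted in transit, and access-based enumeration
# hides folders a user cannot open.
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    $smb = @{
        Name                  = $shareName
        Path                  = $basePath
        ChangeAccess          = $userGroup
        EncryptData           = $true
        FolderEnumerationMode = 'AccessBased'
    }
    New-SmbShare @smb | Out-Null
}
Get-SmbShare -Name $shareName | Format-List Name, Path, EncryptData, FolderEnumerationMode
Get-SmbShareAccess -Name $shareName | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
```

Because the share and NTFS permissions combine to the more restrictive of the two, Change at the share level changes nothing for users inside their own folders while preventing a mistaken Full Control grant from ever reaching the base folder over SMB.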

Accessing Work Folders on clients

Users with a domain user account can access Work Folders from a client device over the Internet or over the corporate network. You configure Work Folders access for a user by completing the following steps:

  1. In Control Panel, select System And Security and then select Work Folders. On the Manage Work Folders page, select Set Up Work Folders.

  2. On the Enter Your Work Email Address page, enter the user email address, such as , and then tap or click Next. If the client device is joined to the domain, you will not be prompted for the user’s credentials. Otherwise, you are prompted for the user’s credentials. After the user enters her credentials, you can select Remember My Credentials to store the user’s credentials for future use and then tap or click OK to continue.

  3. On the Introducing Work Folders page, note where the work files for the user will be stored. By default, work files are stored in a user profile subfolder called Work Folders. For example, the work files for JohnG would be stored under %SystemDrive%\Users\JohnG\Work Folders. To store work files in another location, select Change and then use the options provided to specify a new save location for work files. When you are ready to continue, select Next.

  4. On the Security Policies page, review the security policies that will be applied and then have the user select the I Accept These Policies On My PC check box. You cannot continue if you do not select this check box.

  5. Select Set Up Work Folders to create Work Folders on the client device.

After you configure Work Folders for initial use on a client device, the user can access Work Folders in File Explorer. When a user opens File Explorer, the This PC node should be opened by default. If so, the user simply needs to double-tap or double-click Work Folders to view work files. If a user has an open File Explorer window and This PC is not the selected node, he simply needs to tap or click the leftmost option button in the address list and then tap or click This PC.

As the user works with files, the changes he makes trigger sync actions with the server. If the user doesn’t change any files locally for an extended period of time, the client connects to the server every 10 minutes to determine whether there are changes to sync.
