File Screening
Quotas are a great feature, but they have one major flaw: They work on the assumption that the administrator's intention for the disk space matches the end user's intention for the disk space. Conflict can quickly escalate when administrators fail to appreciate that users' most important data is their MP3 collection, which must be highly available and recoverable at all times. A quota does not govern how users fill their 500MB folder with their Britney Spears collection. It is vital that administrators understand how the users do their job.
Although storage reports tell you how data is used and quotas define how much data can be stored, file screens define what data can be stored. Like quotas, this is performed in real time. Any attempt to write an illegal file type results in an "Access is denied" error message on the client. Everything discussed for quotas applies to file screening. File screen templates define which file groups should be blocked, such as audio, video, or image files.
Microsoft provides several file groups that contain all the popular file extensions for the group type. The content of these file groups can be modified and new file groups defined as needed. To view the file groups, select the File Groups leaf of the File Screening Management component.
Templates are used for file screening the same way as for quotas, and any combination of the four actions (e-mail, event log, command execution, or storage report) can be configured. File screens have no configurable thresholds. You can't have 95% of an MP3 file being written, so instead, simply select which file groups to block. If you want a custom file type, click Create.
Like quotas, file screening has an active or passive mode. Active mode stops an illegal file type from being written to the volume or folder. Passive mode allows the file to be created and runs the defined set of actions, such as paging the large security guard to escort the user off the company premises. After the templates are created, you can apply a screen. Let's say you have a media folder and no media types should be written to the root of the folder. Apply a screen at the root using these steps:
- Select the File Screens node of File Screening Management.
- Select Create File Screen from the actions pane.
- Select the path for the file screen by clicking the Browse button. Select the template to use.
- Click Create.
Now you can go back and edit a screen. Let's say you selected Audio and Video originally, but now you want to add images. To do this, right-click the file screen and select its properties. Now select other file groups to block, such as image files. When you now view the file screen instance, the column showing whether it matches the template reads "No" because you've changed the groups.
At this point, attempting to copy or create a file type that matches the audio, video, or image file groups results in an access denied message. Any files that are already in the location of the blocked type can still be accessed and read/executed. They cannot be edited or renamed because the file screen looks for write and modify operations. Because you get a basic access denied message, sending e-mail notification to the user explaining why he was denied access is crucial. Otherwise, he simply raises help desk tickets, saying something is wrong in the environment.
Additionally, exceptions can be defined to allow certain file groups. Let's go back to the folder where you blocked all audio, video, and image files. You can create an Images subfolder on which you create an exception to explicitly allow image files. This would stop users from writing image files anywhere in the folder structure except in the Images subfolder. This lends itself to an organized file storage environment.
Exceptions are created the same way as normal file screens, except you select Create File Screen Exception in the actions pane. You select the file groups to be excluded. With this exception in place, images can be written to the Images subfolder but not to the parent media folder.
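The screen, the later edit, and the exception described above can also be scripted. The following is an added example, not part of the original tutorial: it uses the FSRM PowerShell cmdlets that ship with Windows Server 2012 and later rather than the console, and the path D:\Media and the message text are assumed values.

```powershell
# Added example (not from the original tutorial). Requires the
# FileServerResourceManager module, Windows Server 2012 or later.
Import-Module FileServerResourceManager

$root   = 'D:\Media'                  # hypothetical folder to screen
$images = Join-Path $root 'Images'    # subfolder that may hold images
New-Item -ItemType Directory -Path $images -Force | Out-Null

# E-mail action: tells the user why the write failed, since the client
# only shows "Access is denied". Bracketed names are FSRM variables.
# Assumes an SMTP server is already set with Set-FsrmSetting -SmtpServer.
$mail = New-FsrmAction -Type Email `
    -MailTo  '[Source Io Owner Email]' `
    -Subject 'File blocked on [Server]' `
    -Body    ('[Source File Path] was not saved to [File Screen Path]: ' +
              'it is in the [Violated File Group] file group.')

# 1. Create the screen from the built-in audio/video template.
New-FsrmFileScreen -Path $root -Template 'Block Audio and Video Files'

# 2. Edit the screen: also block images, keep it active, attach the e-mail.
Set-FsrmFileScreen -Path $root -Active `
    -IncludeGroup 'Audio and Video Files', 'Image Files' `
    -Notification $mail

# 3. Exception: image files are allowed in the Images subfolder only.
New-FsrmFileScreenException -Path $images -IncludeGroup 'Image Files'

# Review the result. MatchesTemplate shows whether the screen still
# equals the template it was created from.
Get-FsrmFileScreen -Path $root |
    Select-Object Path, Active, IncludeGroup, MatchesTemplate
Get-FsrmFileScreenException -Path $images |
    Select-Object Path, IncludeGroup
```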
When combined with a comprehensive communications policy to ensure that users are aware of the company rules, file screening and e-mail notification are great features. The notifications should be just that: a reminder. They should not be the first time users are told not to store this type of media on company resources.
Finally, file screening works on file extensions. It is not designed to stop the determined user from renaming all his MP3 files to another extension. The screening is designed to prevent unintentional file placement. Future versions of file screening might use content/signature screening instead of the file extension.
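Because the screen looks only at extensions, a periodic content check is a useful compensating control. The following added example (not from the original tutorial) reads the first bytes of each file and reports files whose header looks like audio, video, or image data but whose extension is not screened; the signature table, the extension list, and the function names are illustrative assumptions, and the sample files are constructed header bytes only.

```powershell
# Added example. Signature table and extension list are a small subset.
# The two-byte MPEG frame pattern is weak and can produce false positives.
$Signatures = [ordered]@{
    '^49-44-33'                        = 'audio (MP3 with ID3 tag)'
    '^FF-(FB|F3|F2)'                   = 'audio (MPEG frame)'
    '^52-49-46-46-(..-){4}57-41-56-45' = 'audio (WAV)'
    '^52-49-46-46-(..-){4}41-56-49-20' = 'video (AVI)'
    '^FF-D8-FF'                        = 'image (JPEG)'
    '^89-50-4E-47'                     = 'image (PNG)'
    '^47-49-46-38'                     = 'image (GIF)'
}
$ScreenedExt = '.mp3', '.wav', '.avi', '.jpg', '.jpeg', '.png', '.gif'

function Get-ContentType {
    param([Parameter(Mandatory)][string]$Path)
    # Read at most 12 bytes and render them as "49-44-33-..." for matching.
    $buf = New-Object byte[] 12
    $fs  = [System.IO.File]::OpenRead($Path)
    try { $n = $fs.Read($buf, 0, $buf.Length) } finally { $fs.Dispose() }
    $hex = [System.BitConverter]::ToString($buf, 0, $n)
    foreach ($pattern in $Signatures.Keys) {
        if ($hex -match $pattern) { return $Signatures[$pattern] }
    }
    return $null
}

function Find-ExtensionMismatch {
    param([Parameter(Mandatory)][string]$Root)
    # Report media content stored under an extension the screen ignores.
    Get-ChildItem -LiteralPath $Root -File -Recurse | ForEach-Object {
        $type = Get-ContentType -Path $_.FullName
        if ($type -and $ScreenedExt -notcontains $_.Extension.ToLower()) {
            [pscustomobject]@{ Path = $_.FullName; Content = $type }
        }
    }
}

# Constructed sample data: header bytes only, not real media files.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'fsrm-audit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
[System.IO.File]::WriteAllBytes((Join-Path $demo 'budget.xls'),
    [byte[]](0x49, 0x44, 0x33, 0x03, 0x00, 0x00))
[System.IO.File]::WriteAllBytes((Join-Path $demo 'notes.txt'),
    [System.Text.Encoding]::ASCII.GetBytes('meeting notes'))
[System.IO.File]::WriteAllBytes((Join-Path $demo 'logo.png'),
    [byte[]](0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A))
Find-ExtensionMismatch -Root $demo
```

In a real deployment the extension list would come from the file groups the screen actually blocks, and the scan would run as a scheduled task against the screened path.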