Providing access to data stored on a Windows Server
2008 R2 server can be very simple to configure using Windows shares.
Existing folders and entire drives can be shared with a few clicks, but
understanding who can access that data is critical to security and, in
some cases, licensing. Server shares are accessed using the UNC or
Universal Naming Convention of \\server\sharename. Administrators can
configure a few different settings when creating or updating shares.
Share options or features include the following:
Determining whether the share will be visible or hidden, based on the share name
Setting the description of the share
Configuring the type of share; if Server for NFS is installed, there will be two options
Configuring the number of simultaneous connections allowed through the share
Configuring the cache or offline sync settings of the share
Enabling or disabling BranchCache
Configuring access-based enumeration to control folder and file visibility based on NTFS permissions
Configuring NTFS permissions on the folder or volume hosting the file share
Configuring share permissions to manage whether users can read, change, or have full control over a share
Because sharing can be
performed for CD drives, DVD drives, and FAT and NTFS volumes, the
configurable share permissions are limited to Full Control, Change, and
Read. Full Control allows users to manage all data and to
reset permissions, Change allows users to manage all data, and Read
allows users only to read the data. Because share permissions are not very
granular, folder shares should be created only on NTFS volumes, when
possible, to increase the security of data.
When shares are created on
NTFS volumes, both the Share and NTFS folder and file permissions are
applied to the user. Windows Server 2008 R2 will combine the
permissions, and the most restrictive permissions will apply. For
example, if a folder located at c:\users is shared and testuser1 is
granted Read permission at the share and Change or Modify permissions on
the NTFS folder, testuser1 will only have Read permission when
accessing the data across the network through the share. If testuser1
logs on to the system console and accesses the c:\users folder directly,
testuser1 will have Change or Modify permissions.
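The combination rule in the testuser1 scenario above, as an added illustration that is not from the book: a small Python model in which each ACL is resolved for the user (Allow entries for the user's groups accumulate and a matching Deny entry overrides) and the share and NTFS results are intersected for network access. The `Ace` class, the right names and the sample ACLs are constructed for the illustration.

```python
from dataclasses import dataclass

# Rights granted by each named permission level (simplified model).
SHARE_LEVELS = {
    "Read": {"read"},
    "Change": {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete", "change_permissions"},
}
NTFS_LEVELS = {
    "Read": {"read"},
    "Modify": {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete", "change_permissions"},
}


@dataclass(frozen=True)
class Ace:
    principal: str      # user or group name the entry applies to
    level: str          # key into SHARE_LEVELS or NTFS_LEVELS
    allow: bool = True  # False models an explicit Deny entry


def resolve(acl, levels, principals):
    """Rights one ACL yields for a user holding the given principals
    (user name plus group names): Allow entries accumulate, any matching
    Deny entry removes those rights."""
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal in principals:
            (allowed if ace.allow else denied).update(levels[ace.level])
    return allowed - denied


def effective_rights(share_acl, ntfs_acl, principals, via_share=True):
    """Rights the user actually gets. Over the network both ACLs apply and
    the result is their intersection (the more restrictive wins); at the
    console only the NTFS ACL is consulted."""
    ntfs = resolve(ntfs_acl, NTFS_LEVELS, principals)
    if not via_share:
        return ntfs
    return resolve(share_acl, SHARE_LEVELS, principals) & ntfs


# Constructed ACLs matching the testuser1 scenario above.
SHARE_ACL = [Ace("testuser1", "Read"), Ace("Domain Admins", "Full Control")]
NTFS_ACL = [Ace("testuser1", "Modify"), Ace("Domain Admins", "Full Control")]

if __name__ == "__main__":
    print(effective_rights(SHARE_ACL, NTFS_ACL, {"testuser1"}))  # {'read'}
    print(effective_rights(SHARE_ACL, NTFS_ACL, {"testuser1"}, via_share=False))
```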
Access-Based Enumeration
A new sharing feature
included with Windows Server 2008 and Windows Server 2008 R2 is called
access-based enumeration. Access-based enumeration, when enabled on a
share, hides the folders or files within the share from view for users
who do not have access to the
data. Access-based enumeration, however, does not hide the share
itself. This feature can simplify data access for end users as they will
only see what they can access, but, on the flip side, users who are
collaborating and trying to instruct their co-workers on where to locate
the data might be confused when the folders cannot be located.
Client-Side Caching and Offline Files
To provide flexibility for
mobile users and to provide centralized storage for end-user data,
Windows Server 2008 R2 shares can be configured to allow, enforce, or
disable client-side caching of shared server data. Client-side caching
(CSC) is a feature that enables data shared on a server to be
synchronized between the server and end-user workstations. This enables
end users to access data when the server is unavailable or when the
workstation is not connected to the company network. This feature also
can be used to ensure that any data stored in a synchronized end-user
workstation folder is copied to the server for centralized storage and
backup and recoverability.
For CSC to function properly,
both the workstation and the server must be configured to support it.
CSC from the workstation and server side is more commonly referred to as
Offline Files. Depending on the workstation operating system version,
different synchronization options are available. A common usage of
offline files is to couple offline files with a Group Policy setting
called Folder Redirection.
Folder Redirection can be used
to redirect the end user’s My Documents or Documents folder to a server
share. When an end user’s My Documents or Documents folder is
redirected to a server share with offline files enabled (whether enforced
or not), the folder is automatically configured to synchronize with the
server. This functionality ensures that any file an end user saves to
their default documents folder will be copied up to the server during
synchronization. The default offline file
synchronization settings for Windows 7 and Windows Server 2008 R2
synchronize with the server at logon, at logoff, and when a file is opened
or saved. Additionally, synchronization can be configured to run when a
computer has been idle or when a user locks or unlocks a workstation.
Offline files can be
configured on a per-share basis using the shared folder’s share property
page. By default, all shares allow end users to configure offline file
synchronization as they desire. Certain folders—for example, the My
Documents or Documents folders—when redirected to a Windows Server 2003,
Windows Server 2008, or Windows Server 2008 R2 system, will
automatically enable and configure the folder to be synchronized. To
synchronize additional shares, perform the following steps on the server
and the workstation:
1. Log on to the Windows Server 2008 R2 system with an account with administrator privileges.
2. Click Start, click All Programs, click Administrative Tools, and select Server Manager.
3. Double-click on Roles, and then double-click on File Services.
4. Select Share and Storage Management.
5. In the tasks pane, right-click the share that needs to be available offline, and select Properties.
6. On the Sharing tab, click the Advanced button.
7. Select the Caching tab, and verify that one of the following option buttons is selected:
8. Close the Share Properties dialog box and the Share and Storage Management console.
9. Log on to the Windows 7 workstation with an account with administrator privileges.
10. Click the Windows flag, or Start button, and select Control Panel.
11. Near the upper-right corner of the Control Panel window, pull down the View By menu and choose to view the window by Small Icons instead of Categories.
12. Scroll down in the window as necessary to locate Sync Center and click on the link.
13. When the Sync Center window opens, click on the Manage Offline Files link in the left pane of the window.
14. When the Offline Files window opens, verify that the top button on the General tab is labeled Disable Offline Files, which means that offline file functionality is enabled. If the button is labeled Enable Offline Files, click the button and click OK to save the settings and reboot the workstation.
BranchCache
BranchCache is a new
feature for Windows Server 2008 R2 and Windows 7. BranchCache allows
workstations in a branch office that has no local server to locate
and store local copies of files and folders hosted on remote Windows
Server 2008 R2 BranchCache file servers. When BranchCache is installed
on a Windows Server 2008 R2 file server and enabled on a
particular file share, a Windows 7 workstation in a remote branch office
that requests a file from that share first broadcasts the
request on the local network. If no local copy exists, it pulls a copy from
the file server to the local machine. Updates to that file are sent across the
network as changes are made. When the next Windows 7 workstation
attempts to access this same file from across the network, the broadcast
for that file is sent on the local network, and in this particular
example the file is served from the original workstation that
copied it during the initial request, thus improving access
performance to the file and reducing network traffic.
To enable BranchCache on a Windows Server 2008 R2 system, perform the
steps in the following sections.
Install the BranchCache Service
Before BranchCache can be
utilized, the service must be installed on a Windows Server 2008 R2
system. To install the BranchCache service, perform the following steps:
1. Log on to the Windows Server 2008 R2 system with the File Services Role installed with an account with administrator privileges.
2. Click Start, click All Programs, click Administrative Tools, and select Server Manager.
3. Double-click on Roles in the tree pane to expand the role services. In the tasks pane on the right, scroll down to Role Services until you reach the File Services Role section. Under the File Services Role section, check to see whether the BranchCache for network files service is installed.
4. If the service is not installed, click on Add Role Services and follow the steps to check and install the BranchCache for network files service.
Enable BranchCache on a File Share
Once the BranchCache for
network files service is installed on the Windows Server 2008 R2 system,
the service can be enabled on a share-by-share basis. To enable
BranchCache functionality on a particular server share, perform the
following steps:
1. Log on to the Windows Server 2008 R2 system with an account with administrator privileges.
2. Click Start, click All Programs, click Administrative Tools, and select Server Manager.
3. Double-click on Roles, and then double-click on File Services.
4. Select Share and Storage Management.
5. In the tasks pane, right-click the share that needs to have BranchCache functionality enabled and select Properties.
6. On the Sharing tab, click the Advanced button.
7. Select the Caching tab, and verify that the Only the Files and Programs That Users Specify Are Available Offline option button is selected. Check the Enable BranchCache check box, and click OK to close the Advanced window.
8. Click OK again to save the settings to the share and close the Server Manager window.
Before
BranchCache functionality is enabled, network administrators need to
understand the service in greater detail, especially because it is
currently only supported on Windows 7 workstations and Windows Server
2008 R2; any earlier client will not be able to make use of this
feature. In cases where Windows Vista or older clients still exist on
remote or branch office networks, administrators should continue to
deploy remote file servers with replicated DFS file shares when access
to large or numerous files is required.