Monday, May 20, 2013

2. Configure server roles and features
2.1 Configure file and share access

2.1.1 Create and configure shares
Add the File Server (FS-FileServer) role
For advanced features, install FSRM
For NFS shares, install Server for NFS

In Explorer
Right click the folder and choose Share with. To manage an existing share, right click, Properties, Sharing. Use Advanced Sharing for caching options, or to set up a second share name for the same folder

In Server Manager
Share "Template" profiles
SMB Share - Quick = standard share
SMB Share - Advanced (requires FSRM installed) = advanced settings
SMB Share - Applications = SMB share with application permissions for server apps.
NFS share - Quick (requires Server for NFS feature) = Basic NFS share for Unix compatibility. Can set advanced options later
NFS share - Advanced (requires Server for NFS feature and FSRM)= 

SMB Share - Quick: Point to the share location, then give it a name. Setup settings include:
Access-based Enumeration, Caching (and BranchCache), Encrypt data access

SMB Share - Advanced (FSRM) adds settings:
Management properties - folder usage value
Quota - setup FSRM quota from template

NFS options add
Specify Authentication Methods
Specify share permissions

Create:
Right click Volumes/Volumes tile or Shares/Shares tile and select New Share.

Manage:
From Volumes tab, right click share tile and properties on a share.
From Shares tab, right click share and properties.


PowerShell commands:
get-smbshare, new-smbshare, set-smbshare, remove-smbshare

There are similar commands for NFS shares.

2.1.2 Configure share permissions
Share permissions (Full Control, Change, Read): Allow or Deny.
Configure through Explorer, or in Server Manager on the share's property sheet
Share permissions combined with NTFS permissions: the most restrictive is applied.

PowerShell:
get-smbshareaccess, grant-smbshareaccess, revoke-smbshareaccess, block-smbshareaccess, unblock-smbshareaccess.

2.1.3 Configure offline files
Enable "Allow caching of share"
Enable BranchCache if needed

PowerShell:
get-smbshare -name sharename | format-table name, path, cachingmode

set-smbshare -name sharename -cachingmode <mode>
where <mode> is one of: None, Manual, Documents, Programs, BranchCache, Unknown

2.1.4 Configure NTFS permissions
Change NTFS permissions on the Security tab of the folder/file/drive properties
In Server Manager, you can only edit NTFS permissions on a shared folder

Allow permissions from different sources combine
Deny permissions override Allow permissions, regardless of source
Explicit permissions that are set will override inherited permissions.
To view the effective access for a user, group, or device, click Advanced on the NTFS permissions Security tab, then Effective Access
Disable inheritance under Advanced on the Security tab.

Six basic permissions that are made up of various advanced permissions:
Full Control: all advanced permissions
Modify: all permissions except "Delete subfolders and files", "Change permissions", "Take ownership"
Read & Execute: "Traverse folder/Execute file", "List folder/Read data", "Read attributes", "Read extended attributes", "Read permissions", "Synchronize"
List Folder Contents (only seen on folder permissions): same as Read & Execute but applies to folders only
Read: Read & Execute permission without the "Traverse folder/Execute file" permissions
Write: "Create files/Write data", "Create folders/Append data", "Write attributes", "Write extended attributes", "Read permissions", "Synchronize"

Fourteen advanced permissions:
Traverse Folder/Execute File: Traverse folder lets you directly access files in a folder even if you don't have explicit permission to view its data. Execute file runs an executable file.
List Folder/Read Data: list folder contents, read contents of file.
Read Attributes: view basic attributes of file or folder: Read-Only, Hidden, System, Archive
Read Extended Attributes: view extended attributes/named data streams.
Create Files/Write Data: create new files in a folder. Write allows overwriting data in a file.
Create Folders/Append Data: allows creating subfolders. Append data lets you add data to the end of a file.
Write Attributes: change Read-Only, Hidden, System, Archive attributes
Write Extended Attributes: change extended attributes/named data streams
Delete Subfolders and Files (folder permissions): lets you delete the contents of a folder. Overrides specific "Delete" permissions in that folder
Delete: delete a file or subfolder
Read Permissions: read basic and special permissions assigned to file or folder
Change Permissions: change the permissions on file or folder
Take Ownership: you can change yourself to owner of a file or folder if you have this permission. Administrators can always take ownership regardless of permissions.

PowerShell:
get-acl, set-acl
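
An added example (not from the original notes) of the get-acl/set-acl workflow described in 2.1.4: disable inheritance, set explicit basic permissions, then check for entries that carry the Change Permissions or Take Ownership advanced rights. The folder path is a hypothetical placeholder and built-in groups are assumed.

```powershell
# Added example. C:\Shares\Finance is a hypothetical folder; run elevated.
$path = 'C:\Shares\Finance'
New-Item -Path $path -ItemType Directory -Force | Out-Null

$acl = Get-Acl -Path $path

# First argument $true  = protect the ACL (disable inheritance).
# Second argument $false = do not copy the inherited ACEs as explicit ones.
$acl.SetAccessRuleProtection($true, $false)

# Apply to this folder, subfolders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$entries = @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Users';          Rights = 'ReadAndExecute' }
)
foreach ($e in $entries) {
    $rights = [System.Security.AccessControl.FileSystemRights]$e.Rights
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $e.Id, $rights, $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# Review the result: every entry should now be explicit (IsInherited = False).
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# Flag Allow entries outside Administrators/SYSTEM that can rewrite the ACL
# or take ownership (both are part of Full Control but not of Modify).
$risky = [int][System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'
(Get-Acl -Path $path).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ([int]$_.FileSystemRights -band $risky) -and
    $_.IdentityReference.Value -notmatch 'Administrators|SYSTEM'
}
```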

2.1.5 Configure access-based enumeration (ABE)
Configured in Server Manager

PowerShell:
get-smbshare -name sharename | format-table name, path, folderenumerationmode
set-smbshare -name sharename -folderenumerationmode AccessBased
(use Unrestricted instead of AccessBased to turn ABE off)
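
An added example (not from the original notes) that ties together the share cmdlets from 2.1.1, 2.1.2, 2.1.3 and 2.1.5: it creates a share with named groups, ABE on, caching off and encryption on, then reviews every share on the server for broad write access or disabled ABE. The path, share name and the function name Get-SmbShareReview are hypothetical.

```powershell
# Added example. Hypothetical names: C:\Shares\Finance, share "Finance".
# Built-in groups are used so it runs on a standalone server; run elevated.
$path  = 'C:\Shares\Finance'
$share = 'Finance'
New-Item -Path $path -ItemType Directory -Force | Out-Null

# Named groups instead of Everyone, ABE on, offline caching off,
# SMB encryption required for this share.
New-SmbShare -Name $share -Path $path `
    -FullAccess 'BUILTIN\Administrators' `
    -ReadAccess 'BUILTIN\Users' `
    -FolderEnumerationMode AccessBased `
    -CachingMode None `
    -EncryptData $true | Out-Null

function Get-SmbShareReview {
    # One row per non-administrative share, with the settings covered above
    # and any broad principal that holds Change or Full Control.
    $broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
    foreach ($s in Get-SmbShare -Special $false) {
        $wide = @(Get-SmbShareAccess -Name $s.Name | Where-Object {
            "$($_.AccessControlType)" -eq 'Allow' -and
            "$($_.AccessRight)" -in 'Full', 'Change' -and
            $_.AccountName -in $broad
        })
        [pscustomobject]@{
            Share        = $s.Name
            Path         = $s.Path
            ABE          = "$($s.FolderEnumerationMode)"
            Caching      = "$($s.CachingMode)"
            Encrypted    = $s.EncryptData
            BroadWriters = ($wide | ForEach-Object AccountName) -join ', '
        }
    }
}

# Shares that deserve a second look: broad write access or ABE disabled.
Get-SmbShareReview |
    Where-Object { $_.BroadWriters -or $_.ABE -ne 'AccessBased' } |
    Format-Table -AutoSize
```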

2.1.6 Configure Volume Shadow Copy Service (VSS)
VSS is a feature specific to NTFS that keeps "shadow" copies of files and is configured per volume. Files are copied to a "shadow store" during a specific time set by a schedule. Used with shared folders to restore files.

Two independent features of VSS:
1. Allows you to enable VSS on a volume so that users can revert to earlier versions of files.
2. Allows backup programs to back up open or locked files. You do not have to enable VSS on a volume for this 2nd feature to be in effect, as long as the backup programs support the VSS API.

Right click a volume, and select properties and Shadow copies. Enable a volume here. In settings, you can set the shadow store for this volume on another volume, and configure size.

2.1.7 Configure NTFS quotas
Set storage limits for users on a volume. For more specific quotas, you should use the File Server Resource Manager (FSRM) tool. However, this objective only refers to NTFS quotas, which are a feature of the NTFS file system itself. Administrators are unaffected by quotas, but you can still set up warnings for them.

In File Explorer, right click a volume and select Properties. Select the "Quota" tab.
Enable Quota Management: allows for NTFS quotas
Deny disk space: will stop users from exceeding their set levels (if unchecked, you can still set up warnings)
Limit disk space/Set warning level
Log event when exceeding quota limit
Log event when exceeding warning threshold
Quota entries (also accessible in Disk Management): show individual users that have data on the volume, or you can add new entries for a user
