Enforcing NTFS Permissions on A File Share

One of the most important functions in Microsoft Windows Server is access control over files and folders. That function is provided by the file and folder security permissions framework.

NTFS (New Technology File System) permissions apply to drives formatted with NTFS. They affect local users as well as network users, and they are based on the permissions granted to each user at logon, no matter where the user is connecting from.

NTFS Structure

The NTFS file system is a hierarchical structure, with the disk volume at the top and folders as branches. Each folder can contain numerous files or folders as the leaves of that node. Folders are referred to as containers, that is, objects that contain other objects.

In that hierarchy there is, of course, a need to define access rights per user or group. Permissions are used for that.

Managing Permissions

Each permission that exists can be assigned in two ways: explicitly or by inheritance.

Permissions set by default when the object is created, or set by user action, are called explicit permissions. Permissions that an object receives because it is a child of a parent object are called inherited permissions.

Permissions are best managed on containers of objects. Objects within a container inherit all the access permissions set on that container. The first thing to specify when establishing a permission is whether it grants access to the resource (Allow) or withholds it (Deny).

After permissions are set up, access to the resource is controlled by the Local Security Authority (LSASS), which checks the security context of the user who tries to access it. If the SID (security identifier) is valid, LSASS allows use of the object and of all objects that inherit from it in the structure.

Permission Rules

With many different permission settings per user in a larger structure, conflicting permission settings are possible. The following rules resolve such conflicts:

  • Deny permissions take precedence over allow permissions.
  • Permissions applied directly to an object (explicit permissions) take precedence over permissions inherited from a parent (for example, from the parent folder).
  • Permissions inherited from near relatives take precedence over permissions inherited from distant predecessors. So, permissions inherited from the object’s parent folder take precedence over permissions inherited from the object’s “grandparent” folder, and so on.
  • Permissions from different user groups at the same level are cumulative. So, if a user is a member of two groups – one of which has an “allow” permission of “Read” and the other an “allow” permission of “Write” – the user will have both read and write permission, subject to the other rules above.

Permission Hierarchy

File permissions take precedence over folder permissions unless the Full Control permission has been granted on the folder.

Although deny permissions generally take precedence over allow permissions, this is not always the case. An explicit “allow” permission takes precedence over an inherited “deny” permission. The order of precedence for the permissions is as follows, from highest to lowest:

  1. Explicit Deny
  2. Explicit Allow
  3. Inherited Deny
  4. Inherited Allow

NTFS Permissions and Shared Folder Permissions

When NTFS permissions are used alongside share permissions, the two configurations can conflict. In those cases the more restrictive of the two is applied.

Both permission sets can be combined to control access to resources on an NTFS volume. First, share the folders with the default shared folder permissions, then assign NTFS permissions to the shared folder and secure the files that way.

The effect is that NTFS permissions control access to the shared folders, which is more secure and flexible than using shared folder permissions alone. In addition, NTFS permissions are enforced regardless of whether the resource is accessed locally or via the network.

NTFS permissions can be applied to files and subfolders in a shared folder, and different permissions can be applied to each file and subfolder inside the shared folder. In effect, NTFS functionality is added to the shared folder.

Now consider the situation of moving or copying files or folders that carry NTFS permissions into a shared folder. Is it possible to force files and folders to inherit permissions from the parent, regardless of how they got into the shared folder (copied or moved)?

The short answer is yes.

When files are copied or moved, all permissions are inherited from the destination. This makes things much easier to administer and gives users less chance to accidentally create file/folder structures with incorrect permissions without knowing.
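As an added example that is not part of the original article, here is a small PowerShell model of the precedence rules from the Permission Rules and Permission Hierarchy sections, followed by the "most restrictive wins" combination with share permissions described in this section. The user, groups, ACEs and share grants are constructed sample data, and the right names are simplified labels rather than the real NTFS access mask.

```powershell
# Constructed sample data: Alice is a member of two groups.
$user   = 'alice'
$groups = @('Sales', 'Everyone')

# Constructed ACL for D:\Shares\Sales\Reports\q1.xlsx. Depth says how far up the
# tree an inherited ACE comes from: 1 = parent folder, 2 = grandparent folder.
$acl = @(
    @{ Principal = 'Sales';    Type = 'Allow'; Rights = @('Read');   IsInherited = $true;  Depth = 2 },
    @{ Principal = 'Everyone'; Type = 'Deny';  Rights = @('Write');  IsInherited = $true;  Depth = 2 },
    @{ Principal = 'Sales';    Type = 'Allow'; Rights = @('Write');  IsInherited = $true;  Depth = 1 },
    @{ Principal = 'Sales';    Type = 'Allow'; Rights = @('Delete'); IsInherited = $true;  Depth = 1 },
    @{ Principal = 'alice';    Type = 'Deny';  Rights = @('Delete'); IsInherited = $false; Depth = 0 }
)

# Constructed share permissions on \\FS01\Sales: Everyone gets Read only.
$shareRights = @('Read')

# Rank an ACE so that a smaller number wins, following the article's order:
# explicit Deny, explicit Allow, then inherited ACEs with nearer ancestors first
# and Deny before Allow at the same distance.
function Get-AceRank {
    param([hashtable]$Ace)
    $denyOffset = if ($Ace.Type -eq 'Deny') { 1 } else { 2 }
    if (-not $Ace.IsInherited) { return $denyOffset }     # explicit: 1 (Deny) or 2 (Allow)
    return (2 * $Ace.Depth) + $denyOffset                 # parent: 3/4, grandparent: 5/6, ...
}

# Effective NTFS rights: each right is decided by the best-ranked ACE that names it,
# over every ACE whose principal is the user or one of the user's groups. Allows from
# different groups at the same level therefore accumulate.
function Get-EffectiveNtfsRights {
    param([string]$User, [string[]]$Groups, [hashtable[]]$Acl)
    $principals = @($User) + $Groups
    $decision = @{}   # right name -> @{ Rank; Type }
    foreach ($ace in $Acl) {
        if ($principals -notcontains $ace.Principal) { continue }
        $rank = Get-AceRank -Ace $ace
        foreach ($right in $ace.Rights) {
            if (-not $decision.ContainsKey($right) -or $rank -lt $decision[$right].Rank) {
                $decision[$right] = @{ Rank = $rank; Type = $ace.Type }
            }
        }
    }
    return @($decision.Keys | Where-Object { $decision[$_].Type -eq 'Allow' } | Sort-Object)
}

# Over the network the share permissions cap the result: the most restrictive wins.
function Get-EffectiveNetworkRights {
    param([string[]]$NtfsRights, [string[]]$ShareRights)
    return @($NtfsRights | Where-Object { $ShareRights -contains $_ } | Sort-Object)
}

$local   = Get-EffectiveNtfsRights -User $user -Groups $groups -Acl $acl
$network = Get-EffectiveNetworkRights -NtfsRights $local -ShareRights $shareRights
"Local access for $user   : $($local -join ', ')"
"Network access for $user : $($network -join ', ')"
```

With this sample data the parent folder's allow on Write beats the grandparent's deny, Alice's explicit deny on Delete beats the group allow from the parent, and the Read-only share reduces her network access to Read even though she has Read and Write locally.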

File Server Resource Manager (FSRM) Overview

File Server Resource Manager (FSRM) is a Microsoft Windows Server role created for managing and classifying data stored on file servers. It includes some interesting features which can be configured by using the File Server Resource Manager snap-in or by using Windows PowerShell.

Here’s an overview of the features included in the FSRM.

File Classification Infrastructure

This offers an automatic classification process based on custom properties, with the purpose of an easier and more effective way of managing files.

It classifies files and applies policies based on that classification. As an example, take a public or private file classification. Once files have their class set, a management task can be created to perform some action on them (RMS encryption, for example).

It can be instructed to perform encryption on files classified as private but exclude files classified as public.

File Management Task

Enables applying a conditional policy or action to files based on their classification. The policy conditions can include file location, classification properties, file creation date, file modification date, or the date of last access to the file.

The available tasks are expiring files, encrypting files, or running a custom command.

Quota Management

This allows a limitation of allowed space for a volume or folder. Quotas are automatically applied to new folders that are created on a volume. It is possible to define quota templates which can be applied to new volumes or folders.

File Screening Management

This provides control over the types of files that can be stored on a server. For example, the user can create a file screen which does not allow storing JPEG files in the personal shared folder on a file server.

Storage Reports

Storage reports are used to help identify trends in disk usage and classification of user data. It can monitor selected groups of users and restrict attempts to save unauthorized files.

An important thing to note is that File Server Resource Manager supports only the NTFS file system and does not support the Resilient File System (ReFS).

Practical Applications

Some practical applications for File Server Resource Manager include:

  • If File Classification Infrastructure is used together with Dynamic Access Control, a policy can be created that grants access to files and folders based on the way the files are classified on the file server.
  • A file classification rule can be created which tags any file that contains at least 10 Social Security numbers as a file containing personal information.
  • Any file that has not been modified in the last 10 years can be set as expired.
  • Quotas (e.g. 200 MB) can be created per user. A notification to the admin user can also be set when the quota reaches 80% (i.e. 160 MB of 200).
  • A report can be scheduled to run weekly at a specific time, generating a list of the files most recently accessed during a previously selected period. This can help the admin determine weekend storage activity and plan server downtime accordingly.

Storage on Windows Server 2016: An Overview

Windows Server 2016 Datacenter brought interesting new and improved features in the field of software-defined data centers (SDDC).

SDDC stands for Software-Defined Data Center, defined as a data center with a virtualized infrastructure delivered as a service. Microsoft positions SDDC as a more flexible, cost-effective data center platform based on Hyper-V. It offers the possibility of moving entire operating models away from a physical data center.

Software-Defined Storage

For virtualized workloads, the storage technology in Windows Server 2016 consists of four new and improved features:

  • Storage Spaces Direct – A new Windows Server 2016 feature that extends the existing Windows Server SDS (Software-Defined Storage). It enables building highly available (HA) storage systems from local storage. Such HA storage systems are highly scalable and much cheaper than traditional SAN or NAS arrays; Storage Spaces Direct simplifies procurement and deployment and offers higher efficiency and performance.
  • Storage Replica – Provides block-level replication between servers or clusters and is intended primarily for disaster prevention, such as restoring service at an alternate data center with minimal downtime or data loss, or even shifting services to an alternate site. It supports two types of replication: synchronous (used primarily for high-end transactional applications that need instant failover if the primary node fails) and asynchronous (commits the data to be replicated to memory or a disk-based journal, which then copies the data in real time or at scheduled intervals to the replication targets).
  • Storage Quality of Service (QoS) – Provides central monitoring and management of storage performance for virtual machines using Hyper-V and the Scale-Out File Server role. In Windows Server 2016, QoS can be used to prevent a single VM from consuming all storage resources. It also monitors the performance details of all running virtual machines and the configuration of the Scale-Out File Server cluster from one place, and it defines performance minimums and maximums for virtual machines and ensures that they are met.
  • Data Deduplication – A feature that helps reduce the impact of redundant data on storage costs. Data Deduplication optimizes free space on a volume by examining the data on the volume for duplication. Once identified, duplicated portions of the volume’s dataset are stored once and (optionally) compressed for additional savings.

General Purpose File Servers

  • Work Folders, first introduced in Windows Server 2012 R2, allow users to synchronize folders across multiple devices. It can be compared to existing solutions such as Dropbox, with the difference that your own file server is the repository and it does not rely on a service provider. This kind of synchronization is convenient for companies, because their own infrastructure serves as the server, and for users, who can work on their files without being limited to a corporate PC or to being online.
  • Offline Files and Folder Redirection are features that, when used together, redirect the path of local folders (such as the Documents folder) to a network location while caching the contents locally for increased speed and availability.
  • Taken separately, Folder Redirection enables users and admins to redirect a local folder to another (network) location, which makes the files available from any computer on the network. Offline Files allows access to those files even when offline or on a slow network: when working offline, files are retrieved from the Offline Files folder at local access speeds.
  • Roaming User Profiles redirect user profiles to a file share so that users receive the same operating system and application settings on multiple computers.
  • DFS Namespaces lets users access shared folders grouped from different servers through one logically structured namespace. It makes handling shared folders in multiple locations easier from one place.
  • File Server Resource Manager (FSRM) is a feature set in the File and Storage Services server role which helps classify and manage data stored on file servers. Its features provide insight into your data by automating classification processes, apply a conditional policy or action to files based on their classification, limit the space allowed for a volume or folder, control the types of files that users can store on a file server, and provide reports on disk usage.
  • iSCSI Target Server is a role service that automates management tasks. It is useful for network or diskless boot because it provides block storage to heterogeneous clients. It is also useful for testing applications before deployment in a storage area network.

File Systems and Protocols

  • NTFS and ReFS – ReFS is a new and more resilient file system, which maximizes data availability, scaling, and integrity of large data sets across different workloads.
  • SMB (Server Message Block) – Provides access to files or other resources on a remote server. This allows applications to read, create, and update files on the remote server. It can also communicate with any server program that is set up to receive an SMB client request.
  • Storage Class Memory – Provides performance similar to computer memory, but with the data persistence of normal storage drives. 
  • BitLocker – Protects data and the system against offline attacks by storing data on volumes in an encrypted format. Even if the computer is tampered with or when the operating system is not running, the data stays protected.
  • NFS (Network File System) – Provides a file sharing solution for enterprises that have heterogeneous environments that consist of both Windows and non-Windows computers. 

SDDC differs from traditional data centers, where the infrastructure is defined by hardware and devices. Its components are based on network, storage, and server virtualization.

ReFS vs NTFS

When discussing backup solutions for data on Windows file servers, most of the discussion revolves around meeting the 3-2-1 backup rule or all-in-one backup appliance solutions.

Much less attention is given to the local storage formatting and the file systems used in the process, in case you prefer local storage over a file-based share.

An interesting post was shared recently by Novosco’s Technical Architect Craig Rodgers, under the title “ReFs vs. NTFS, Calm Seas vs. Stormy Waters”, on exactly this point.

As part of his role at Novosco (technical validation of projects and solutions), Mr. Rodgers tested the capabilities and differences of ReFS and NTFS over an 8-week period, with a daily copy of 8 virtual servers to 8 different repositories.

The test goal was a direct comparison between the various block sizes, file systems, compression and deduplication settings which are often used in backup copy jobs.

His team created 2TB LUNs from a SAN (Storage Area Network) and presented them to the server as drives.

The data flow from host to repositories used a BaaS node: VM data of varied roles and change rates was copied to another location via backup copy jobs, then copied from the BaaS node to the test repositories outside of the normal backup window.

Testing was done with the Veeam backup platform configured to create backup copy jobs that targeted the servers, with 7 incremental and 8 weekly backup copies configured via a GFS retention policy, on 8 different types of server:

  • Application
  • Web Application
  • Database
  • Domain Controller
  • Exchange Hybrid
  • Web Server
  • Light Application
  • Network Services

The results of the 8-week test were very interesting. According to Mr. Rodgers, 64K ReFS formatted drives have an additional file system overhead once formatted when compared to 4K.

Veeam produced solid results on data reduction, especially on the DB server, whose structured data achieved the best reduction in space. Raw uncompressed data achieved the best levels of deduplication, with ReFS repository data included for comparison; there was no post-process operation on the ReFS repositories.

Initially, the capacity savings of processed data in the NTFS uncompressed repositories are impossible to ignore; however, the additional space required to ingest the data cannot be ignored either. If a long-term retention repository is the goal, then within the constraints of NTFS deduplication (1TB officially; 4TB seen restored without issue in testing), uncompressed offers huge gains in data reduction, 20:1, with Windows.

The big flaw of ReFS is its lack of RAID support, which Microsoft is working on, so keep in mind using a hardware or virtualized RAID alternative if you want to use ReFS in a future deployment.

ReFS, for the most part, is working well now and is probably the best bet for a primary or indeed secondary backup repository. With regard to a second copy, ReFS is great for fast transforms; however, you may be happy trading performance for retention, in which case backup copies can target an NTFS volume.

In conclusion, although ReFS has some major advantages over the NTFS file system, such as automatic integrity checking, data scrubbing techniques, better protection against data degradation, built-in drive recovery, and redundancy, it still has flaws by comparison to NTFS: it cannot be used with Cluster Shared Volumes, there is no conversion between NTFS and ReFS, no file-based deduplication, and no disk quotas. Given those flaws, and Microsoft’s announcement that it will move ReFS to the Windows Workstation edition only, it does not look like ReFS, in its current state, can threaten NTFS’ position as the main file system.

Prevent Unauthorized Access to Sensitive Windows Folders!

Get your free edition of the easiest and fastest NTFS Permission Reporter now!

Quota Management in Windows Server 2016

Quota management is a valuable feature that enables you to restrict the storage capacity of shared resources in Windows Server 2016. If you create quotas, you will limit the space allocated for a volume or a folder—allowing you to practice capacity management conveniently.

To set quotas in the Windows Server, you’ll need to use a tool called File Server Resource Manager (FSRM). This tool assists in managing and organising data kept on file servers.

The File Server Resource Manager tool consists of the following five features.

  • File classification infrastructure—this feature allows you to organise files and implement policies.
  • File management tasks—it enables you to implement conditional policies or tasks.
  • Quota management—it assists you to restrict the space available on shared folders.
  • File screening management—it allows you to limit the type of files that users can keep. For example, you can set a file screen to prevent users from creating MP3 files on the files server.
  • Storage reports—with this feature, you can generate reports to understand trends in disk utilisation and how data is organised, which enables you to spot unauthorised activities.

In this article, we are going to talk about the quota management feature in FSRM.

Setting up File Server Resource Manager

We need to install the File Server Resource Manager tool before using it for quota management.

A quick way to complete its setup is through the GUI server manager. Here are the steps for installing the tool.

1. Start by logging into the Windows Server 2016. Then, on the Server Manager’s dashboard, click on “Manage” and select “Add Roles and Features”.

2. On the “Before you begin” screen click “Next”.

3. Select “Role-based or feature-based installation” and click “Next”.

4. Select your destination server and click “Next”.

5. On the “Select Server roles” dashboard, expand “File and Storage Services” and “File and iSCSI Services”. Then, select “File Server Resource Manager”.

6. On the window that pops up, click the “Add Features” button to incorporate the required features. Click “Next”.

7. If you do not need to add any extra features, just leave the default settings and click “Next”.

8. Confirm the installation selections and click “Install” to start the process.

9. After the installation process is complete, click the “Close” button.

10. You can now access the File Server Resource Manager from the administrative interface and use it to create quotas.

Creating Quotas Using FSRM

As earlier mentioned, quota management enables you to set restrictions and define the extent of space available for users in the server. For example, you can limit all users to a maximum of 5GB on a shared folder. As such, the users cannot add data to the folder that exceeds 5GB.

You can also configure the File Server Resource Manager tool to send notifications whenever a specified usage limit is reached. For example, you can specify that an email is to be sent once 85% of the space has been consumed.

Creating quotas using the FSRM tool is a two-step process:

  • Create a template
  • Create a quota

a) Create a template

Before setting quotas, you need to either create a quota template or choose a default template already available on the File Server Resource Manager tool.

It is recommended that you create quotas solely from templates. This way, you can easily manage your quotas by making changes to the templates rather than the individual quotas. The one central location for managing quotas eases the enactment of storage policy rules.

Here are the steps for creating a quota template.

1. Under the “Quota Management” Section, right-click the “Quota Templates” button and go for “Create Quota Template”.

2. On the window that pops up, enter the Template name and the space limit. If you choose the “Hard quota” option, users will be unable to surpass the specified limit. A hard quota is good for controlling the amount of data allowed on a folder or a disk.

On the other hand, if you select the “Soft quota” option, users will be able to exceed the allocated limit. A soft quota is mostly used for monitoring space usage and producing notifications.

3. Lastly, to set notification thresholds, press the “Add” button. On the window that pops up, input your notification specifications.

You can specify that an email is to be sent, an entry is to be made in the event log, a command is to be run, or a report is to be generated. For example, you can state that whenever usage reaches 85%, an email message is sent to the administrator.

Thereafter, click “OK” to complete creating the quota template.

b) Create a quota

After setting up the quota template or using a default quota template, you need to create the quota.

Here are the steps for creating a quota.

1. On the File Server Resource Manager’s dashboard, right-click on “Quotas” and go for “Create Quota”.

2. On the “Create Quota” window, in the “Quota path” section, browse to the volume or folder to which the storage capacity restriction will be applied.

Then, choose either the “Create quota on path” or the “Auto apply template and create quota…” option.

If you select the first option, the quota is applied only to the selected folder. For example, if you limit the parent folder to 5GB, all of its subfolders share the space specified for the main folder.

On the other hand, if you choose the second option, then the quota will also be applied to the subfolders. For example, if you restrict the main folder to 5GB, then the subfolders will also have individual quotas of 5GB each.

Subsequently, on the “Derive properties from this quota template” option, choose the template you created previously.

If satisfied with the quota properties, click “Create”.

After you’ve created the quota, you can see it on the File Server Resource Manager’s dashboard. Thereafter, you’ll be able to limit the amount of space allowed on your shared resources.
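The same install, template and quota procedure can be scripted with the FileServerResourceManager PowerShell module. This is an added example and not part of the original article; the share root, template name, SMTP settings and e-mail addresses are assumed values, and it must run in an elevated session on the file server.

```powershell
# Install the FSRM role service and its management tools (GUI steps 1-9 above).
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

# Assumed mail settings so that e-mail notification actions can be delivered.
Set-FsrmSetting -SmtpServer 'smtp.example.com' -FromEmailAddress 'fsrm@example.com' `
                -AdminEmailAddress 'admin@example.com'

# Template, part 1: the 85% notification threshold. [Admin Email], [Quota Path]
# and the other bracketed names are FSRM's own variables, expanded when the
# action runs. An event-log entry is added so the threshold is visible even if
# mail delivery fails.
$mail  = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
            -Subject 'Quota threshold reached on [Quota Path]' `
            -Body '[Quota Used Percent]% of the [Quota Limit MB] MB quota on [Quota Path] is in use.'
$event = New-FsrmAction -Type Event -EventType Warning `
            -Body 'Quota on [Quota Path] has reached [Quota Used Percent]%.'
$warnAt85 = New-FsrmQuotaThreshold -Percentage 85 -Action $mail, $event

# Template, part 2: a hard 5 GB limit (add -SoftLimit for a monitoring-only soft quota).
New-FsrmQuotaTemplate -Name 'Users 5GB Hard' -Size 5GB -Threshold $warnAt85 `
    -Description 'Assumed per-user home folder limit; warn at 85%'

# Quota: New-FsrmQuota is the "Create quota on path" option (one quota shared by
# the whole tree); New-FsrmAutoQuota is "Auto apply template and create quota",
# giving every existing and future subfolder its own 5 GB quota.
$usersRoot = 'D:\Shares\Users'      # assumed share root
New-FsrmAutoQuota -Path $usersRoot -Template 'Users 5GB Hard'

# Verify what is now enforced under the share root.
Get-FsrmQuota -Path "$usersRoot\*" | Select-Object Path, Size, SoftLimit, Usage
```

Because the quotas derive from the template, a later Set-FsrmQuotaTemplate on 'Users 5GB Hard' can be pushed to all of them at once, which is the central-management benefit described above.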

I hope these clear things up.

Want to learn about NTFS permissions, share permissions, and how to use them? Get your free course HERE!


Optimizing File Server Performance in Windows Server 2016

If you have a file server system in your company, you may want to tune some parameters and settings to enhance its performance. For example, you may want the highest possible throughput on your server to meet the growing workload needs.

This article gives a set of guidelines that you can implement to optimize the file server settings in Windows Server 2016 and benefit from optimized performance.

How to Optimize File Server Performance?

1. Choose Proper Hardware

First of all, choose good hardware that will adequately support your performance improvement efforts. If the hardware cannot meet the expected file server load, software adjustments will not yield significant results.

Here are some important factors you should size the hardware for.

  • Response times
  • Growth expectations
  • Loading factors—such as average load and peak load
  • Capacity level

2. Optimise SMB Parameters

The Server Message Block (SMB) protocol is included in Windows Server to enable the sharing of files and other resources across the network. The latest version available on Windows Server 2016 is 3.1.1, and it comes with several helpful features you can tune to get the most out of it.

Here are some tips on how to optimise the various SMB parameters.

a) Practice “least privilege” principle

You can practice the principle of least privilege by limiting access to some services or features. If a file server or a file client does not need a feature, just disable it. Period.

Some of the features you can disable include:

  • SMB signing
  • SMB encryption
  • NTFS encryption
  • File system filters
  • Client-side caching
  • Scheduled tasks
  • IPSEC

Btw, check out our FolderSecurityViewer to analyze and report NTFS permissions. Download the Free Edition now!

b) Configure power management mode

A constantly high workload will reduce the speed and performance of your server. Therefore, for a comfortable working experience, make sure that the BIOS and operating system power management configuration is done correctly.

For example, this may mean selecting the High Performance power plan or modifying the C-States. To avoid bottlenecks, also install the most up-to-date, robust, and fastest storage and networking device drivers.

c) Follow file copying best practices

Users usually copy files from one location to another on file servers. There are some best practices you can follow to speed up file transfers.

Windows has several utilities you can run from the command prompt to transfer files conveniently. The recommended ones are Robocopy and Xcopy.

If using Robocopy, include the /mt option to copy many small files quickly. Also use the /log option to reduce console output by redirecting it to the NUL device or to a file.

If using Xcopy, you can significantly increase performance by adding the /q option (which lowers CPU overhead) and the /k option (which lowers network traffic) to your existing parameters.

d) Practice SMB performance tuning

It is important to note that the performance of a file server depends largely on the parameters set for the SMB protocol. If the parameters are well tuned, file server performance can improve greatly.

Here is a table of some of the registry settings that influence the operation of SMB file servers, together with some recommended practices.

Parameter: Smb2CreditsMin and Smb2CreditsMax
Registry settings:
HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\Smb2CreditsMin
HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\Smb2CreditsMax
Recommendation: The defaults are 512 and 8192 respectively. Check the “SMB Client Shares\Credit Stalls/Sec” performance counter to observe any problems with credits.

Parameter: AdditionalCriticalWorkerThreads
Registry setting: HKLM\System\CurrentControlSet\Control\Session Manager\Executive\AdditionalCriticalWorkerThreads
Recommendation: The default is 0. You could raise the value if cache manager dirty data is consuming a larger percentage of memory.

Parameter: MaxThreadsPerQueue
Registry setting: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\MaxThreadsPerQueue
Recommendation: The default is 20. If the SMB2 work queues are growing significantly, raise the value.

Parameter: AsynchronousCredits
Registry setting: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AsynchronousCredits
Recommendation: The default is 512. If a large number of concurrent asynchronous SMB commands is needed, raise the value.

Here is an example of how the settings can be applied to achieve optimum file server performance on Windows Server 2016. Note that the settings are not suited to all computing situations, and you should assess the effect of each individual setting before using it.

Parameter                        Value   Default
AdditionalCriticalWorkerThreads  64      0
MaxThreadsPerQueue               64      20

3. Optimise NFS Parameters

The Network File System (NFS) server available in Windows Server 2016 is important for enabling client-server communication in mixed Windows and UNIX environments.

Here is a table of some of the registry settings that influence the operation of NFS file servers, together with some recommended practices.

Parameter: OptimalReads
Registry setting: HKLM\System\CurrentControlSet\Services\NfsServer\Parameters\OptimalReads
Recommendation: The default is 0. Before changing the setting, evaluate its effect on system file cache growth.

Parameter: RdWrNfsHandleLifeTime
Registry setting: HKLM\System\CurrentControlSet\Services\NfsServer\Parameters\RdWrNfsHandleLifeTime
Recommendation: The default is 5. Set it appropriately to control the lifetime of the NFS cache.

Parameter: CacheAddFromCreateAndMkDir
Registry setting: HKLM\System\CurrentControlSet\Services\NfsServer\Parameters\CacheAddFromCreateAndMkDir
Recommendation: The default is 1. Set the value to 0 to stop adding entries to the cache on CREATE and MKDIR operations.

Parameter: MaxConcurrentConnectionsPerIp
Registry setting: HKLM\System\CurrentControlSet\Services\Rpcxdr\Parameters\MaxConcurrentConnectionsPerIp
Recommendation: The default is 16. Raise it, up to the maximum of 8192, to increase the number of connections allowed per IP address.

4. Uninstall Unused and Redundant Features

Windows Server 2016 has dozens of logging, monitoring, and debugging tools, most of which you may not find useful.

The amount of space available on the server is critical, and allowing unused and redundant tools to just sit there does your server no favours.

On a regular basis, visit the Service Control Manager and remove services and features that do not add value to your file server.

Uninstall any utility or application that you find not useful, and your file server performance will improve.

For example, you should deactivate DOS 8.3 short file names. For backward compatibility, your Windows Server 2016 may still generate 8.3 file names, especially if you upgraded the server from an older version of Windows.

These days, 8.3 short file names are unnecessary and add no value to the operation of a file server, so disabling this feature will give your Windows Server 2016 some additional speed.
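Here is an added PowerShell example, not from the original article, that applies the SMB and NFS registry settings from the tables above and the 8.3 short-name change in a repeatable way, recording each previous value before it is changed. The two SMB values are the sample ones from the article (64 and 64); the NFS values are the adjustments suggested in the NFS table; the D: drive, the backup file path and the helper function name are assumptions.

```powershell
# Set one DWORD registry value, recording what was there before so it can be reverted.
function Set-TunedRegistryValue {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Value,
        [switch]$DryRun
    )
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $before  = if ($null -eq $current) { '(not set, built-in default)' } else { $current }
    if ($DryRun) {
        Write-Host "Would set $Path\$Name = $Value (currently $before)"
        return
    }
    # Assumed backup location: append a row per change so the tuning is reversible.
    [pscustomobject]@{ Path = $Path; Name = $Name; Before = $before; After = $Value } |
        Export-Csv -Path "$env:TEMP\fileserver-tuning-backup.csv" -Append -NoTypeInformation
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$exec   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Executive'
$nfs    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NfsServer\Parameters'
$rpcxdr = 'HKLM:\SYSTEM\CurrentControlSet\Services\Rpcxdr\Parameters'

# SMB: the article's example values (defaults are 0 and 20).
Set-TunedRegistryValue -Path $exec   -Name AdditionalCriticalWorkerThreads -Value 64
Set-TunedRegistryValue -Path $lanman -Name MaxThreadsPerQueue              -Value 64

# Before touching the credit settings, sample the counter the SMB table points to.
Get-Counter -Counter '\SMB Client Shares(*)\Credit Stalls/Sec' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty CounterSamples | Format-Table Path, CookedValue

# NFS: the adjustments from the NFS table (defaults are 1 and 16).
Set-TunedRegistryValue -Path $nfs    -Name CacheAddFromCreateAndMkDir   -Value 0
Set-TunedRegistryValue -Path $rpcxdr -Name MaxConcurrentConnectionsPerIp -Value 8192

# 8.3 short names: show the current state, then disable creation on the data volume
# (assumed to be D:). The argument 1 means "disable 8dot3 name creation".
fsutil 8dot3name query D:
fsutil 8dot3name set D: 1

# The LanmanServer service must be restarted for the SMB values to take effect.
Restart-Service -Name LanmanServer -Force
```

Run the two SMB calls with -DryRun first to see the current values without changing anything; existing files keep any short names they already have, since the fsutil setting only stops new ones from being created.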
