Implementing File Screening in Windows Server 2003 R2
Administrators can use file screening to easily prevent users from saving audio and video files to their network folders to avoid having their folders fill up and exceed their quota and to deter employees from storing illegally copied media files on company servers. You can even configure file servers to send email notifications to administrators when users try to save files that are blocked by file screens, and you can create templates that can be used to simplify deployment and management of file screens across multiple shared volumes and folders. In short, file screening clearly is an administrator’s best friend! Let’s look at how to configure it in a simple networking scenario.
Before you can configure file screening on users’ folders, you first need to install File Server Resource Manager (FSRM) on your file server. The steps for performing this were outlined in my previous article on WindowsNetworking.com called Configuring Volume and Folder Quotas so I won’t repeat these steps here.
Creating File Groups
The first step in implementing file screens is to create file groups. A file group defines a set of file types that should or should not be blocked. For example, let’s say you want to block all video files from being saved on a share or volume. To do this you would start by creating a file group, for example called Video Files, and add file extensions like .wmv, .mpg, and others to the group. To do this, open FSRM and expand the File Screening Management node and then under it the File Groups node. Then right-click on File Groups and select Create File Group. In the dialog box that appears, specify a name for your file group and the file types you want to include (see Figure 1):
Figure 1: Creating a file group for video file types
Your new file group will now show up in the Results pane when the File Groups node is selected (Figure 2):
Figure 2: New file group named Video Files
Creating File Screens
Now let’s create a file screen that blocks the type of files specified by our file group. The scenario we’ll work with is this: all users in the Vancouver OU of the R2.local domain should have their My Documents folders redirected as a subfolder within the \Home share on a server named MTIT-14JCI2H1Y5 and we want to prevent these users from saving video files in their My Documents folders. To redirect My Documents for these users, we’ll create a Group Policy Object that has the policy setting shown in Figure 3 configured:
Figure 3: Folder redirection is configured for users in Vancouver using the Group Policy setting shown
When Vancouver user Mary Jones logs on to her Windows XP desktop computer for the first time (actually the second time if Windows XP logon optimization is enabled), the contents of My Documents on her local machine are copied to \\MTIT-14JCI2H1Y5\Home\mjones\My Documents. This can be verified by using Windows Explorer on the file server as shown in Figure 4 (administrators are denied access to users’ My Documents folders by default):
Figure 4: My Documents for user Mary Jones is redirected to the Home share on the file server
To prevent Mary Jones from saving video files in her My Documents folder, we create a file screen as follows. Right-click on the File Screens node under File Screening Management and select Create File Screen. On the dialog box that opens, select the mjones folder as the target folder (all subfolders such as My Documents will also automatically be screened). Now select the option to define a custom screen (Figure 5):
Figure 5: Creating a custom file screen for files saved by Mary Jones
Click the Custom Properties button and on the Settings tab specify the Video Files file group as the type of files to block (Figure 6):
Figure 6: Blocking files defined by the Video Files file group
Let’s pause and note several things at this point:
- By configuring the remaining tabs of Figure 6 above, you can specify what happens when a user tries to perform an action blocked by the file screen. These actions can include sending an email message to an administrator (or to the user trying to save the file), logging a Warning event in the Application event log, generating a report for auditing purposes (and optionally emailing it to an administrator), or running a command or program you specify. For example, you could write a script that sends a popup message to the user that says “Warning! Saving video files on company servers is a violation of company policy!” or whatever you like and have the script executed when the user tries to save a video file in My Documents.
- By selecting Passive Screening, the notifications you specified above still happen but the user is not blocked from saving the file.
- By clicking the Create or Edit buttons you can create new file groups on the fly or edit existing ones as needed.
- Finally, by clicking Copy you can use an existing file screen template to create your new file screen (we’ll talk about file screen templates in a moment).
Once you’ve defined the custom properties of your file screen, click OK to return to Figure 5 and then click Create to create the new screen. When prompted whether to save the file screen as a template, choose the second option “Create the custom file screen without creating a template” and click OK. The new screen should now be displayed in the Results pane with further details shown below it in the Description area (Figure 7):
Figure 7: The new file screen is displayed in the Results pane
Now when Mary tries to download a video from the Internet and save it in her My Documents folder, she gets an error message (Figure 8):
Figure 8: Video files are being blocked
When Mary tries to save other types of files to My Documents however, her actions are successful.
Using File Screens with Roaming Profiles
Be careful configuring file screens when you have roaming profiles enabled on your network as you can get yourself into a bind. For example, say user Bob Smith has a roaming profile that is saved in a folder named %username% (that is, bsmith) in a share named Profiles on file server MTIT-14JCI2H1Y5. In other words, the network path to Bob’s profile is \\MTIT-14JCI2H1Y5\Profiles\bsmith. And let’s say you’ve configured a file screen on the Profiles folder to block roaming users from saving video files. Now let’s say Bob downloads dancing pigs.mpg from the Internet and saves the file to his desktop. Unfortunately, when Bob tries to log off his computer, he gets the error message displayed in Figure 9:
Figure 9: Don’t configure file screens on roaming profile folders
What’s happening here is that Bob’s computer can’t save dancing pigs.mpg since his roaming profile is a subfolder of the Profiles share on the file server. Because of this, the whole operation of updating Bob’s roaming profile to the Profiles share also fails, so any changes Bob has made to his desktop during his user session are lost.
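The two scenarios above (the screen on Mary Jones’s home folder, and Bob Smith’s roaming profile failing to upload) can be modelled in a few lines. The following Python script is an added example written for this article, not FSRM’s own code: it treats a file group as a set of wildcard patterns, applies a screen to its folder and every subfolder, lets a passive screen record a notification without refusing the write, and models the logoff sync of a roaming profile as all-or-nothing. The server and folder names come from the article; the `Video Files` group membership and the sample file names are constructed.

```python
"""Added model (not FSRM code) of how a file screen evaluates a save and why
a screen on the Profiles share makes a roaming-profile logoff sync fail."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from pathlib import PureWindowsPath

SERVER = r"\\MTIT-14JCI2H1Y5"   # file server named in the article


@dataclass
class FileGroup:
    name: str
    members: list                                   # patterns to block, e.g. "*.mpg"
    nonmembers: list = field(default_factory=list)  # exceptions take precedence

    def matches(self, filename):
        name = filename.lower()
        if any(fnmatch(name, p.lower()) for p in self.nonmembers):
            return False
        return any(fnmatch(name, p.lower()) for p in self.members)


@dataclass
class FileScreen:
    path: str              # screened volume or folder; subfolders inherit it
    groups: list           # file groups whose members are blocked
    passive: bool = False  # passive screening: notify, but let the save succeed


class FileServer:
    def __init__(self):
        self.screens = []
        self.files = set()
        self.events = []   # stand-in for the Application log / e-mail notifications

    def add_screen(self, screen):
        self.screens.append(screen)

    def _screens_for(self, path):
        p = PureWindowsPath(path)   # Windows path comparison is case-insensitive
        return [s for s in self.screens if PureWindowsPath(s.path) in (p, *p.parents)]

    def save(self, path):
        """Return True if the write is accepted, False if an active screen blocks it."""
        name = PureWindowsPath(path).name
        for screen in self._screens_for(path):
            for group in screen.groups:
                if group.matches(name):
                    verdict = "warned" if screen.passive else "blocked"
                    self.events.append(f"{verdict}: {path} ({group.name})")
                    if not screen.passive:
                        return False
        self.files.add(path)
        return True

    def upload_profile(self, profile_root, relative_files):
        """Logoff sync of a roaming profile: if any file is refused, the whole
        update is abandoned and the session's changes are lost."""
        written = []
        for rel in relative_files:
            target = str(PureWindowsPath(profile_root) / rel)
            if not self.save(target):
                for t in written:          # roll back the partial upload
                    self.files.discard(t)
                return False
            written.append(target)
        return True


VIDEO = FileGroup("Video Files", ["*.wmv", "*.mpg", "*.avi"])   # constructed group


def screened_home_share():
    """Mary Jones: a video is blocked in My Documents, other files are accepted."""
    srv = FileServer()
    srv.add_screen(FileScreen(SERVER + r"\Home\mjones", [VIDEO]))
    docs = SERVER + r"\Home\mjones\My Documents"
    return (srv.save(docs + r"\report.doc"), srv.save(docs + r"\holiday.mpg"))


def roaming_profile_sync(passive):
    """Bob Smith: a screen on the Profiles share and a video on his desktop."""
    srv = FileServer()
    srv.add_screen(FileScreen(SERVER + r"\Profiles", [VIDEO], passive=passive))
    ok = srv.upload_profile(SERVER + r"\Profiles\bsmith",
                            [r"Desktop\dancing pigs.mpg", r"Desktop\memo.txt", "NTUSER.DAT"])
    return ok, len(srv.files), len(srv.events)


if __name__ == "__main__":
    print(screened_home_share())        # (True, False)
    print(roaming_profile_sync(False))  # (False, 0, 1): the whole profile update is lost
    print(roaming_profile_sync(True))   # (True, 3, 1): notified, but the sync completes
```

The last two calls show the trade-off the article points at: an active screen on the Profiles share turns one blocked file into a lost session, whereas a passive screen still produces the notification without breaking the profile upload.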
Using File Screen Templates
Just as creating quota templates can greatly simplify the process of deploying volume and folder quotas on your network, creating file screen templates can do the same for easily implementing file screens on multiple volumes and shares. In fact, you may not even have to create your own custom file screen templates since R2 comes with a number of useful templates predefined (Figure 10):
Figure 10: Predefined file screen templates
Creating a new file screen template is easy—just right-click on the File Screen Templates node and select Create File Screen Template; a dialog box similar to Figure 6 above appears. Specify the settings for your template the way you would for a file screen, and click OK to create your new template. You can then apply your new template (or a predefined template) to any volume or folder on your file server as follows: right-click on the File Screens node and select Create File Screen, specify the path to the volume or folder you want to screen, select the “Derive properties from this file screen template (recommended)” option, and choose a template to base your new file screen on from the drop-down list (Figure 11):
Figure 11: Creating a new file screen from a predefined template
File screens are powerful tools, but they’re not all-powerful. Because a file screen matches on the file name rather than on the file’s contents, it wouldn’t prevent an advanced user, for example, from downloading video files from the Internet, renaming them with a .txt extension, and saving them in his My Documents folder on your file server. Your first line of defense against undesirable actions like this is your corporate security policy, and you must be sure to communicate this policy clearly to users and enforce it fairly but rigorously. Technology doesn’t solve everything—users are too smart for that to work! But a good security policy can act as a deterrent to undesirable actions and provide your company with legal recourse should an employee utilize network resources in a way that violates policy.
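Since a file screen only looks at names, an administrator who wants to know whether renamed media is accumulating on a share has to look at file contents. The following Python script is an added example, not part of the article or of FSRM: it walks a folder tree, reads the first 16 bytes of each file, and reports files whose bytes carry a well-known video container signature (the ASF header GUID used by WMV, the MPEG program-stream and video start codes, and the RIFF/AVI header) but whose extension is not a media extension. The extension list and the sample files it builds in a temporary folder are constructed for the demonstration.

```python
"""Added example (not FSRM code): find media files saved under a non-media
extension by checking container signatures instead of trusting the name."""
import os
import tempfile
from pathlib import Path

# Well-known container signatures (constructed list, not exhaustive).
SIGNATURES = {
    "ASF/WMV/WMA": bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c"),  # ASF header GUID
    "MPEG program stream": bytes.fromhex("000001ba"),                  # pack start code
    "MPEG video": bytes.fromhex("000001b3"),                           # sequence header
}
MEDIA_EXTENSIONS = {".wmv", ".wma", ".asf", ".mpg", ".mpeg", ".avi"}   # constructed


def sniff(header):
    """Return the media type name if the first bytes match a known signature."""
    if header[:4] == b"RIFF" and header[8:12] == b"AVI ":
        return "RIFF/AVI"
    for name, magic in SIGNATURES.items():
        if header.startswith(magic):
            return name
    return None


def find_disguised_media(root):
    """Walk root and return (relative path, media type) for every file whose
    contents look like media but whose extension is not a media extension."""
    root = Path(root)
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            with open(p, "rb") as fh:
                header = fh.read(16)
            kind = sniff(header)
            if kind and p.suffix.lower() not in MEDIA_EXTENSIONS:
                findings.append((p.relative_to(root).as_posix(), kind))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree: a renamed WMV, a renamed MPEG, a genuine text
    file and a genuine .avi (the last two must not be reported)."""
    root = Path(tempfile.mkdtemp())
    docs = root / "mjones" / "My Documents"
    docs.mkdir(parents=True)
    (docs / "notes.txt").write_bytes(b"Quarterly notes\r\n")
    (docs / "holiday.txt").write_bytes(SIGNATURES["ASF/WMV/WMA"] + b"\0" * 32)
    (docs / "clip.doc").write_bytes(b"\x00\x00\x01\xba" + b"\0" * 32)
    (docs / "real.avi").write_bytes(b"RIFF\x00\x00\x00\x00AVI LIST")
    return root


if __name__ == "__main__":
    for rel, kind in find_disguised_media(build_sample_tree()):
        print(f"{rel}: looks like {kind}")
```

Pointed at the real share, for example `find_disguised_media(r"D:\Home")`, the script gives you an audit list to act on under your policy; it does not change anything on disk. Signature checks are cheap but not complete (a file stored inside an archive, or a container not on the list, passes unnoticed), so treat the output as leads for review rather than proof.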