One of the least mentioned areas of security, but one of the most important, is configuring a file server correctly. In many cases that I’ve seen, people just set up shares with default permissions and assume that that’s all there is to file server security. Then later they find out that things didn’t work out the way they expected, and files are lost, stolen, copied and deleted by people that shouldn’t even have access to those files.
There’s a lot of planning that goes into putting together a secure and robust file server solution. Things to consider when planning a secure file server include:
- Ensuring the physical security of each file server
- Plan for baseline security on the server operating system and system services
- Plan virus and malware protection for the file servers
- Plan access to shared files and folders, including shares permissions
- Plan for using the Encrypting File System (EFS)
- Plan for Distributed File System (DFS) and File Replication Service (FRS) security
- Plan for cluster security
- Plan for file system auditing
Physical security is something that is often ignored at the branch office. Make sure that your file servers aren’t sitting under the secretary’s desk.
Baseline security can be implemented using the Security Configuration Wizard together with the Windows Server 2003 and Windows Server 2008 security guides at http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&DisplayLang=en and http://www.microsoft.com/downloads/details.aspx?FamilyID=fb8b981f-227c-4af6-a44b-b115696a80ac&DisplayLang=en
Malware protection can be implemented using standalone product, or better, an enterprise ready anti-malware solution such as Microsoft Forefront Client Security (http://www.microsoft.com/forefront/clientsecurity/default.mspx)
Share and NTFS permissions are the most important configuration tasks on a file server. They are probably the most complex. Most organizations will set the top level share permissions for full control, and use NTFS permissions for granular control of file and folder access. If you’re not well versed in NTFS permissions, it’s easy to make a mistake. Take some time to learn about them.
Auditing is critical on file servers. You want to know who accessed what document at what time, and you want to know what they did with the document when they accessed it. Auditing can provide you this information.
EFS encrypts files while on disk, so that users who don’t own the document, or who haven’t been given permissions to use the document, can’t access it.
DFS and FRS security is important so that documents can’t be intercepted and altered when being replicated between servers.
For more information on planning and implementing file server security, check out?
HTH,
Tom
Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: [email protected]
MVP – Microsoft Firewalls (ISA)