A share is a file server entry point, like \\winserverhelp\advertising, that allows users to access a specific directory on a file server. Older file systems like HPFS, FAT, and FAT32 didn't include file-level security, so security was instead set at the share level. Although share-level security can still be set on shared folders, NTFS-level security is preferable, since share-level security cannot easily secure the contents of subdirectories.
Auditing File Access
Best practice for file-level security is to set up auditing on a particular server, directory, or file. Auditing on NTFS volumes enables admins to be notified of the users who are accessing, or trying to access, a particular directory. As an example, it may be prudent to audit access to critical network shares, such as a finance folder with sensitive information, to determine whether anyone is trying to access restricted information.
Note that audit entries are an example of security settings that can be set automatically using the Windows Server 2008 R2 security templates. Security templates should be considered as a way to control audit settings effectively.
The steps below show how to set up simple auditing for a file or folder in Windows Server 2008 R2:
- Right-click the file or folder to which the auditing will be applied, and select Properties.
- Click the Security tab.
- Click Advanced.
- Click the Auditing tab.
- Click Edit.
- Click Add and enter all the users and groups to be audited. To audit all users, enter the Everyone group.
- On the Auditing page, select the types of access to be audited. To audit all success and failure attempts, select all the options.
- Click OK.
- Click OK twice more to save the settings and complete the process.
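The same audit entry can be applied from PowerShell, which is useful when many folders need identical settings. This is an added example, not from the original text; the folder path D:\Shares\Finance is assumed. It also enables the "File System" object-access audit subcategory, without which a SACL produces no Security log events.

```powershell
# Added example: scripted equivalent of the GUI steps above.
$Path      = 'D:\Shares\Finance'   # assumed folder to audit
$Principal = 'Everyone'            # audit all users, as in the Add step

# Prerequisite: the object-access subcategory must be enabled on the server,
# otherwise SACL entries exist but no events (ID 4663) are written.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Read the current security descriptor including its audit (SACL) entries.
# Requires an elevated session (SeSecurityPrivilege).
$acl = Get-Acl -Path $Path -Audit

# Audit every access right, success and failure, inherited by subfolders and files.
# String arguments are converted to the matching .NET enum values.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
    $Principal, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Success, Failure'

$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Check: list the audit entries now present on the folder.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# Check: show the most recent file-system access events generated by the SACL.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 5 |
    Format-List TimeCreated, Message
```

Auditing FullControl on a busy share generates a large volume of events; narrow the rights (for example ReadData, WriteData, Delete) on folders where only specific operations matter.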
A useful method for detecting "snoops" is to create important-looking shares on a network, such as Financial Projections, Customer Info, etc., and then audit the access to those folders.
Encrypting Files with the Encrypting File System
Windows Server 2008 R2 continues to support EFS (Encrypting File System), which is a method of scrambling the data of files to render them unintelligible to unauthorized users. EFS has proven to be valuable for enterprises to secure proprietary data, especially data stored on laptops. BitLocker Drive Encryption is a comprehensive approach to client encryption that encrypts all the files on an entire hard drive, with the exception of a few files required for the system to boot.