Windows Server File Level Security

A share is a file server entry point, like \\winserverhelp\advertising, that allows users to  access  a specific directory on a file server. Older file systems like HPFS, FAT, and FAT32 didn’t include file-level security, therefore the security was instead set on the share level. Although share-level security can still be set on files,  NTFS-level security is preferable since share-level security cannot secure the contents of subdirectories easily.

Auditing File Access

Best practice for file-level security is to setup auditing on a particular server, directory, or file. Auditing on NTFS volumes enables admins to be notified of the users who are accessing, or trying to access, a particular directory. As an example, it may be prudent to audit access to critical network shares, such as a finance folder with sensitive information, to determine whether anyone is trying to access restricted information.
Note that audit entries are an example of security settings which can be automatically set using  the Windows Server 2008 R2 security templates. Security templates should be considered for effectively control audit settings.

The below steps show how to setup simple auditing for a file or folder in Windows Server 2008 R2:

  1. Right-click the file or  folder to which the auditing will be applied, and select Properties.
  2. Click the  Security tab .
  3. Click Advanced.
  4. Click the Auditing tab.
  5. Click Edit.
  6. Click  Add and enter all the users and groups to be audited. To audit all users, enter the Everyone group.
  7. On the Auditing page, select the types of access to be audited. To audit all success and failure attempts, select all the options.
  8. Click OK.
  9. Click OK twice more to save the settings and complete the process.

A useful method for detecting “snoops”  is to create important looking shares on a network, such as Financial Projections, Customer Info, etc and then audit the access to those folders.

Encrypting Files with the Encrypting File System

Windows Server 2008 R2 continues to support for  EFS (Encrypting File System), which is a method of scrambling the data of files to render them unintelligible to unauthorized users. EFS has proven to be valuable for enterprises   to secure proprietary data, especially data stored on laptops. BitLocker Drive Encryption is  comprehensive approach to client encryption that encrypts all the files on an entire hard drive, with the exception of a few files required for the system boot.

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>