130 likes | 466 Views
File Server Organization and Best Practices. IT Partners June, 02, 2010. File Server Organization and Best Practices. Security Recommendations Resource Management and Administration DFS virtual paths Group Data Organizational Methods Sharing beyond the group Quotas
E N D
File Server Organization and Best Practices IT Partners June, 02, 2010
File Server Organization and Best Practices • Security Recommendations • Resource Management and Administration • DFS virtual paths • Group Data Organizational Methods • Sharing beyond the group • Quotas • Looking Forward and Additional Technologies • Questions and Panel Discussion
Security Recommendations:Common Security policies to implement for server Group Policy Logon restrictions: Computer Configuration/Windows Settings/Security Settings/User Rights Assignment Allow logon through Terminal Services Generally restricted to the local Administrators group (Allow) Logon Locally Generally restricted to the local Administrators group but sometimes a service account may require this right depending on the application Deny Logon through Terminal services It is recommended to deny the local Administrator account logon over Terminal Services. This way, the local Administrator account can only be used when physically in front of the machine. We already deny this account access to the machine over the network, this setting is a logical extension of the same precaution. Do not use groups or known security principles without understanding their scope Authenticated Users, which includes both local and domain users, but not anonymous Local Users, which by default includes the Domain Users group Always implement the Windows Firewall and only open necessary ports to relevant subnets If possible, implement Microsoft IPSec
Resource Management and Administration Assigning File Permissions Use NTFS ACL’s, not Share permissions for more granular security Use one or two top level shares and set NTFS ACL’s on the sub-folders instead of creating many shares Avoid disabling of inheritance, as it will tend to yield unexpected results if not well documented Avoid granting Full Control (which allows users to change permissions) over resources, use the Modify right. Use local Domain level or Local Security groups on NTFS ACL’s Do not assign NTFS permissions or rights to users directly, use the group membership When a user leaves the department rights can be easily removed by removing their group membership
DFS virtual paths • WIN.MIT.EDU Departmental root: \\win.mit.edu\dfs\Departmental • If you map multiple servers to one department name use subdirectories: • Server1\share1 (example doc files): \\win.mit.edu\dfs\Departmental\MyDepartment\doc • Server1\share2 (example pdf files): \\win.mit.edu\dfs\Departmental\MyDepartment\pdf • Server2\share1 (example xls files): \\win.mit.edu\dfs\Departmental\MyDepartment\xls • The paths do not need to correspond to the actual server and share path. • When moving to a new server users drives don’t need to be remapped, we can update the virtual path to point to the new server and users can restart and get the new path. • DFS can also support writable replicas but is recommended for data which is not constantly changed
Group Data Organizational Methods • Team Structure • Divide department subfolders by teams • This folder level should still only be created by server administrators • Subfolders can be managed by the respective teams • The users should be defined by a security group • This space should be for the teams internal document storage rather than public posting of data • Identify an owner of the team space • User education is important so that expectations and responsibilities are clear • The purpose of this space is understood by both the team and the server administrator • Owners are tasked with maintaining relevant data and purging non relevant data • Workflow Structure • Divide department subfolders by major functions • This folder level should still only be created by server administrators • Subfolders can be managed by the respective groups • This space should be for those users involved in processing a particular work function, i.e. for internal document storage rather than public posting of data • The users should be defined by a security group • Identify an owner of the workspace • User education is important so that expectations and responsibilities are clear • The purpose of this space is understood by both the team and the server administrator • Owners are tasked with maintaining relevant data and purging non relevant data
Sharing beyond the group: Avoid the bit bucket • “Public” Read only posting of documents or forms • Again, Divide department subfolders by teams or by workflow • This folder level should still only be created by server administrators • Subfolders can be managed by the respective teams or groups • The users should be defined by a security group • This should be a separate space, not part of the internal team or group storage • Owners are tasked with maintaining relevant data and purging non relevant data • Writable “file drop” shares for teams or groups to receive data • Don’t create general purpose sludge directories for random use • Congratulations, you’ve just re-invented the bit bucket! • This will make such a directory the most popular destination for their data • Divide department subfolders by teams or by workflow • This folder level should still only be created by server administrators • Subfolders can be managed by the respective teams or groups • This space should be for those users involved in processing a particular work function, i.e. for internal document storage rather than public posting of data • The users should be defined by a security group • Identify an owner of the workspace • User education is important so that expectations and responsibilities are clear • The purpose of this space is understood by both the team and the server administrator • Owners are tasked with maintaining relevant data and purging non relevant data
Quotas • Folder Quotas • Windows Server 2003 R2 and above has the ability to implement folder quotas • Team or group folder can have hard quotas or soft quotas which can be used for monitoring size • The users should be defined by a security group • This space should be for the teams internal document storage rather than public posting of data • Windows Server 2003 R2 and above has the ability to implement file screening and management • Reports can be generated based on file type • Reports can be scheduled • Custom file type groups can be created • Manage file types, for example: • Block file types • Run a custom script • Write a custom message to the event log • Send the administrator an email alert • User Quotas • User quotas are applied per VOLUME • Users can have hard quotas or soft quotas which can be used for monitoring • Events can be logged to the system event log
Looking Forward and Additional Technologies • SharePoint • Web Authentication • Secure data transfer • Multiple authorization methods • Content Management • Workflow management • Version control • Retention policies • Search • Enforce compliance • Content development tools • Database integration • Collaboration • Group / Team websites • Wiki’s • Publish to external partners • Third party tools • Other solutions for document management, workflow and compliance are available.