Configuring Files, NTFS, and Backups
Sample Company does not have any network security guidelines. (For information about Sample Company see the Critical Thinking assignment for Week 3.) Your job is to create new network security guidelines that are secure but will not hinder workers from doing their jobs. It is important to be mindful of remote users and the various kinds of users in the workplace. Size of the organization should not matter, but you want your guidelines to be enforceable.
Use the Internet to find the security policies and standards of an organization, company, or entity. (State and federal sites are good sources should you have trouble finding this information.) Include in your paper a comparison of these policies and standards to the guidelines you’ve created. If you prefer, you can use the security policies and standards from your current employer for this comparison.
Sample Company Info:
I. Network Access
A network location profile categorizes the class of connection type by assigning a classification. This feature is supported in Windows Server 2008. Once a connection type is determined, you can automatically assign the required services and set firewall and security restrictions. Windows controls the assignment of profile types, but you can manually override these settings (not always recommended) and customize the connection profile you want to use in Group Policy. If you do overrule the Windows default settings, make certain your security options are configured to match the environment you are connected to.
There are three types of network location profiles used by Windows Server to assign connection types.
They include the following:
- Domain – When a client connects using Active Directory authentication and a domain is detected, the domain settings are automatically applied. Group Policy is then enforced to manage security and other settings.
- Public – If a client connects to a public network, that network is not trusted by default, so your network discovery is disabled. You will need to enable it if you wish to share files or have others know you are on the network. Your computer should always be up to date and running the latest antivirus software available. You should ensure that your firewall is also enabled and that the settings match the desired level of protection you wish to have while connected to public networks. An example of a public network is the coffee shop that offers free Internet access or the airport while you are waiting for your flight.
- Private – A private network is the opposite of a public network in that it is trusted. You are familiar with the network as either your own home network or your place of employment. You can share files with others and view network resources freely. Your antivirus software should still be running and up to date even on a trusted network.
Wireless LAN Connections
A wireless local area network (LAN) connection enables users to connect to your network without having to plug into a wired LAN connection. This can be useful for traveling users who have laptops or for any scenario where the client needs mobility while staying connected to the LAN. There are two ways to configure a wireless LAN connection.
The first way is to set up wireless access points in an existing network infrastructure. Wireless access points are small devices that function the same as a hub and can be placed anywhere in a building. The only requirement is that they must be located within reach of a wired wall connection back to the LAN. These devices are plugged in and logged on to the network. They have security settings that will need to be customized and then enabled to suit your environment. Once configuration is complete, they offer a wireless connection to your network. For some network administrators this may sound a bit scary. It can be if security is not configured correctly, which is why the security settings on the wireless access point must be configured with the latest wireless security protocols enabled.
LabSim offers a few things to consider when choosing a wireless access point for your infrastructure:
- The network uses a physical star topology
- You can easily add hosts without increasing administrative efforts (scalable)
- The AP can be easily connected to a wired network, allowing clients to access both wired and wireless hosts
- The placement and configuration of APs require planning to implement effectively
- You should implement an infrastructure network for all but the smallest of wireless networks
The second way to employ a wireless LAN is through an Ad Hoc network. An Ad Hoc network does not use wireless access points. It works using a peer-to-peer mode of communication where the network interface cards in all networked machines talk directly to each other.
LabSim suggests several things you will want to consider before implementing an Ad Hoc network:
- Uses a physical mesh topology
- Is cheap and easy to set up
- Cannot handle more than four hosts
- Requires special modifications to reach wired networks
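The two wireless modes above map directly onto a client-side control: Windows can be told which kinds of wireless network a laptop may join. The following is an added example (not from the text or from LabSim) using the built-in netsh wlan context, which is available on Windows Vista/7 clients and on Windows Server 2008 with the Wireless LAN Service feature installed. "SampleCorp" is a constructed SSID placeholder; run the commands from an elevated PowerShell prompt.

```powershell
# Added example: restricting which wireless networks a Sample Company laptop may join.
# netsh wlan filters are enforced by the WLAN AutoConfig service; run elevated.
# "SampleCorp" is a constructed placeholder for the corporate SSID.

# Refuse every ad hoc (peer-to-peer) network. Ad hoc networks bypass the access
# points whose security settings the guidelines control, so clients should not
# be able to join or create them.
netsh wlan add filter permission=denyall networktype=adhoc

# Optional allow-list for infrastructure networks: deny all, then permit only the
# corporate SSID. Skip these two lines for remote users who must use public
# hotspots; those users rely on the Public network location profile instead.
netsh wlan add filter permission=denyall networktype=infrastructure
netsh wlan add filter permission=allow ssid=SampleCorp networktype=infrastructure

# Review the filters now in force and the saved wireless profiles on the machine.
netsh wlan show filters
netsh wlan show profiles

# To undo the infrastructure allow-list later:
#   netsh wlan delete filter permission=denyall networktype=infrastructure
```

The ad hoc filter is the one worth enforcing everywhere; the infrastructure allow-list is a trade-off between control and the mobility the text says traveling users need.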
II. Data Security
A firewall is actually what it sounds like: a wall of protection surrounding your network. That wall of protection will only work as well as it is configured to. Many people choose to turn their firewall off or dumb it down a bit. You will have to choose the settings that work best for you and your environment. There are two types of firewalls: the basic firewall and the Windows Firewall with Advanced features. The following descriptions from LabSim provide you with more information.
The Basic Firewall:
- Block all incoming traffic, while allowing responses to outgoing traffic
- Add exceptions to allow inbound traffic from specific protocols, applications, or ports
- Filter traffic by scope (this allows you to restrict exceptions to specific IP addresses)
- Create custom application exceptions by specifying the program executables that can traverse the firewall
Windows Advanced Firewall:
- The advanced firewall provides all the features of the basic firewall
- Manage the firewall from a GUI interface inside an MMC snap-in
- Filter both outbound and inbound traffic
- Configure advanced firewall rules (exceptions) for Active Directory user and computer accounts, source and destination IP addresses, protocols, ports, ICMP packets, and IPv6 traffic (among other components for which you can configure exceptions)
- Use a single interface to configure firewall rules and IPsec encryption configurations
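The network location profiles from section I and the basic/advanced firewall features above can all be set from the command line. This is an added example, not code from the text or from LabSim, using netsh advfirewall on Windows Server 2008 (also Vista and later). The LAN range 10.0.0.0/24, the rule names beginning SC-, and the path C:\Apps\LOB\lobsvc.exe are constructed placeholders for Sample Company's network and a line-of-business executable; run from an elevated PowerShell prompt.

```powershell
# Added example: baseline Windows Firewall with Advanced Security configuration
# via netsh advfirewall. 10.0.0.0/24 and C:\Apps\LOB\lobsvc.exe are constructed
# placeholders. Arguments containing commas are quoted so PowerShell passes them
# to netsh as a single token.

# Which network location profile (Domain, Private or Public) is active right now?
netsh advfirewall show currentprofile

# Basic firewall behaviour on all three profiles: block unsolicited inbound
# traffic, allow outbound traffic and the responses to it.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound"

# Exception filtered by scope: SMB file sharing (TCP 445) is accepted only from the
# LAN range, and only while on the Domain or Private profile, never on Public.
netsh advfirewall firewall add rule name=SC-Allow-SMB-LAN dir=in action=allow protocol=TCP localport=445 remoteip=10.0.0.0/24 "profile=domain,private"

# Application exception: one specific executable may accept inbound connections,
# and only on the Domain profile.
netsh advfirewall firewall add rule name=SC-Allow-LOB-Service dir=in action=allow program=C:\Apps\LOB\lobsvc.exe profile=domain

# Log dropped packets so blocked traffic can be investigated after the fact.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename C:\Windows\System32\LogFiles\Firewall\pfirewall.log

# Verify the result.
netsh advfirewall firewall show rule name=SC-Allow-SMB-LAN
netsh advfirewall show allprofiles
```

Scoping the SMB exception to both an address range and a profile is what keeps the rule from opening the port when the same laptop later connects at a coffee shop and Windows switches it to the Public profile.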
I. File Services
With Windows Server 2008 you can add the File Services role to your server, which enables you to better administer file sharing over the network. The File Services role allows you to choose the following role services:
- File Server – Create folders that are accessed by users over your network, allow synchronization of files and folders offline, and create disk partitions and volumes
- Distributed File System – This option allows you to save multiple copies of shared folders on different servers
- File Server Resource Manager – This is an assortment of tools that enable you to better control your files and folders on the network
- Windows Search Services – This enables quicker searching for files on the server
There are many more role services that you can add under the File Services role. These are covered in greater detail in LabSim lesson 8.1.
You can share a folder across the network, allowing users to access the contents of the folder. By sharing a folder they can also easily map a drive to that folder. Only an administrator or power user can share a folder and assign permissions. If you share a folder on a client machine, be aware that only ten users will be able to access the folder at once. If more than this number is required, then you will want to share the folder out on a server. You must be using the NTFS file system in order to share folders. This is loaded by default in Windows Server 2008.
There are several levels of permissions you may assign a shared folder. The LabSim table below describes them.
Note: The Owner is typically the author or user most responsible for the document or folder resources. This is not the same as the NTFS file owner.
II. NTFS and Backing Up Data
New Technology File System (NTFS) offers your network much greater control over file access and data protection than the older FAT file system ever could. NTFS is now up to version 3.1, which comes with Windows Server 2008.
Some of the features NTFS offers over the FAT file system include:
- File Level Encryption – Files can now be encrypted, something that was not possible with FAT
- Disk Usage Quotas – You can now place a size limit on how much disk space can be used per user
- Sparse File Support – Large files that are mostly empty consume disk space only for the data they actually contain
- USN Journal – This feature logs changes made to any file on the network
Remember when working with NTFS, it is easier to create groups and assign NTFS permissions to the group rather than individuals. You can then add users to the group you created that has the permission levels you want those users to have.
Windows Server 2008 allows you to work on a file while you are offline and not connected to the network. When you choose a file with which to work offline, a copy of that file is placed on your hard drive so that you may access it even when you are not connected. When you are able to connect again, the file is synchronized with the same file stored on the network. In order to use shared files, you will need to have at least the change permission on that file.
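The file-server guidance above (install the role services, share a folder, assign NTFS permissions to groups rather than individuals, allow offline files) comes together in the following added example. It is not from the text or from LabSim: SAMPLE is a constructed domain name, D:\Shares\Data a constructed path, and the groups SAMPLE\Data-Editors and SAMPLE\Data-Readers are assumed to already exist in Active Directory. The role identifiers are those reported by "servermanagercmd -query" on Windows Server 2008; confirm them on your build before use.

```powershell
# Added example: a department share with group-based permissions on a Windows
# Server 2008 file server. Run from an elevated PowerShell prompt.
# SAMPLE, D:\Shares\Data and the two groups are constructed placeholders.

# 1. Install the File Services role services discussed in the text
#    (identifiers as listed by "servermanagercmd -query").
servermanagercmd -install FS-FileServer FS-Resource-Manager FS-DFS FS-Search-Service

# 2. Create the folder and replace inherited NTFS permissions with explicit,
#    group-based ones. No per-user entries and no Everyone/Users entries remain.
#    (OI)(CI) = apply to files and subfolders; F = Full, M = Modify, RX = Read & Execute.
New-Item -Path D:\Shares\Data -ItemType Directory -Force | Out-Null
icacls D:\Shares\Data /inheritance:r
icacls D:\Shares\Data /grant "BUILTIN\Administrators:(OI)(CI)F"
icacls D:\Shares\Data /grant "SAMPLE\Data-Editors:(OI)(CI)M"
icacls D:\Shares\Data /grant "SAMPLE\Data-Readers:(OI)(CI)RX"

# 3. Share the folder. Share permissions mirror the NTFS groups; a user's effective
#    permission is the more restrictive of the two. /CACHE:Manual lets users pick
#    files to take offline (they still need Change to edit them). Comma-bearing
#    arguments are quoted so PowerShell hands them to net.exe as one token.
net share Data=D:\Shares\Data "/GRANT:SAMPLE\Data-Editors,CHANGE" "/GRANT:SAMPLE\Data-Readers,READ" /CACHE:Manual

# 4. Verify, and keep a copy of the ACL tree for audit and for restoring after a mistake.
icacls D:\Shares\Data
net share Data
New-Item -Path C:\Admin -ItemType Directory -Force | Out-Null
icacls D:\Shares\Data /save C:\Admin\Data-acl.txt /t
```

Granting access only through the two groups means that adding or removing a user is an Active Directory group change, not an ACL edit on the folder, which is the point the text makes about creating groups first.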
Working with Quotas
File Server Resource Manager (FSRM) is a new feature that comes loaded with Windows Server 2008. In order to use FSRM, you must load the File Server role on your Windows Server 2008 server. FSRM permits you to impose quotas on your disk volumes and specific folders. There are two different quotas you can set:
- Hard Quota – With a hard quota, you can set a limit either on a folder or a volume. Once the limit has been reached, no more files can be saved to either the folder or the volume. You can set notifications that warn users when a volume or folder is approaching its limit.
- Soft Quota – A soft quota monitors disk usage so you can see if the folder or volume goes over the limit, but it does not stop files from being saved, even after the limit has been reached. As with hard quotas, you can also send messages warning users of the violation.
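Both quota types can be created without the FSRM console using dirquota.exe, the command-line tool installed with the File Server Resource Manager role service. The following is an added example, not from the text or from LabSim; the template names beginning SC and the paths D:\Shares\Users and D:\Shares\Data are constructed placeholders. Run from an elevated PowerShell prompt and check "dirquota /?" on your build for the exact parameter set.

```powershell
# Added example: hard and soft quotas with dirquota.exe on Windows Server 2008.
# Template names and paths are constructed placeholders.

# Hard quota template for user home folders: 500 MB, writes refused at the limit,
# with a warning threshold at 85% so users are told before they hit it.
dirquota template add /Template:"SC Home 500MB Hard" /Limit:500MB /Type:Hard /Add-Threshold:85

# Soft quota template for the department share: 20 GB is monitored and reported
# when exceeded (threshold at 100%), but saves are never blocked.
dirquota template add /Template:"SC Dept 20GB Soft" /Limit:20GB /Type:Soft /Add-Threshold:100

# Auto-apply the hard template to every existing and future subfolder of the
# home-folder root, giving each user their own quota.
dirquota autoquota add /Path:D:\Shares\Users /SourceTemplate:"SC Home 500MB Hard"

# Apply the soft template to the department share as a single quota.
dirquota quota add /Path:D:\Shares\Data /SourceTemplate:"SC Dept 20GB Soft"

# Review configured quotas and current usage against their limits.
dirquota quota list
dirquota template list
```

Using templates rather than per-folder limits keeps the guideline enforceable: raising the home-folder limit later is one template edit that FSRM can propagate to every quota derived from it.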
Data Availability on your Network
Windows Server 2008 comes with a new utility to replace NTBackup called Windows Server Backup. Having your data backed up and available for quick restore is the cornerstone of any good administrator’s disaster plan. Windows Server helps you manage these tasks with its new backup program using VSS (also known as Volume Shadow Copy Service or Volume Snapshot Service). A full backup of your data will take a lot less time now than it did in previous versions of Windows Server. You can no longer back up individual files or folders using Windows Server Backup. Windows now gives you the option to select one of the following to complete your backup jobs:
- Full Server – Backs up the full server. This is the default option to choose because it allows you to recover the complete server in case of failure, including the operating system and system state.
- Critical Volumes – Backs up the operating system only. From this type of backup, you can restore either the operating system or the system state.
- Non-Critical Volumes – This backup does not copy the operating system or system state, but it does copy applications and data.
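The three backup selections above correspond to different wbadmin.exe command lines, the command-line front end to Windows Server Backup. This is an added example, not from the text or from LabSim; it assumes the Windows Server Backup feature and its command-line tools are installed on Windows Server 2008, and E: and \\backupsrv\Backups are constructed placeholders for a dedicated backup disk and a network share. Run from an elevated PowerShell prompt; arguments containing commas or braces are quoted so PowerShell passes them through unchanged.

```powershell
# Added example: the three Windows Server Backup selections with wbadmin.exe on
# Windows Server 2008. E: and \\backupsrv\Backups are constructed placeholders.

# Full Server: every volume plus the system state, so the whole server can be
# rebuilt. -vssFull marks the job as a full backup in VSS (application logs may
# be truncated); without it wbadmin makes a copy backup.
wbadmin start backup -backupTarget:E: "-include:C:,D:" -allCritical -vssFull -quiet

# Critical Volumes only: operating system and system state, here to a network share
# (one-time jobs may target a share; scheduled jobs need a dedicated disk).
wbadmin start backup -backupTarget:\\backupsrv\Backups -allCritical -quiet

# Non-Critical Volumes: the application/data volume without the operating system.
wbadmin start backup -backupTarget:E: -include:D: -quiet

# Schedule a nightly Full Server backup. The target disk is identified by the GUID
# shown by "wbadmin get disks"; the value below is a placeholder to replace.
wbadmin get disks
wbadmin enable backup "-addtarget:{DISK-GUID-FROM-GET-DISKS}" -schedule:22:00 "-include:C:,D:" -allCritical -quiet

# Verify what exists in the catalog and how the current job is doing.
wbadmin get versions -backupTarget:E:
wbadmin get status
```

A scheduled Full Server job to a disk that Windows Server Backup dedicates and hides from Explorer is the configuration that matches the text's default recommendation, because it is the one from which the complete server, operating system included, can be recovered.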