Managing Data Storage

18_648913x.qxd 10/24/06 1:14 PM Page 547

CHAPTER13 THIRTEEN Managing Data Storage

Objectives This chapter covers the following Microsoft-specified objectives for the “Monitor File and Print Servers” section of the Managing and Maintaining a Microsoft Windows Server 2003 Environment exam: Monitor file and print servers. Tools might include Task Manager, Event Viewer, and System Monitor. . Monitor disk quotas. . The purpose of this objective is to teach you how to implement and monitor disk quotas, using the various tools available in Windows Server 2003, with an emphasis on the new tools available in the R2 release. 18_648913x.qxd 10/24/06 1:14 PM Page 548

Outline

File Compression in Windows Server Generating Storage Reports with FSRM 584 2003 550 Configuring NTFS File and Folder Encrypting File System (EFS) 589 Compression 550 Sharing Encrypted Files 592 Copying or Moving Compressed EFS Recovery Agents 594 Files or Folders 555 Creating a Domain DRA 594 Identifying Compressed Objects 556 Recovering an Encrypted File Managing Compression from the or Folder 596 Command Line 557 Encryption Using the Cipher Compressed (Zipped) Folders 557 Command 597 Best Practices for Compressed Files and Folders 559 Chapter Summary 598

File Server Resource Manager 559 Key Terms 598

Apply Your Knowledge 599 Implementing and Monitoring Disk Quotas 564 NTFS Quotas 564 Implementing NTFS Disk Quotas 565 Managing NTFS Disk Quotas 567 File Server Resource Manager Quotas 568

File Screening with the FSRM 576 File Groups 576 File Screen Templates 578 File Screen Exceptions 581 18_648913x.qxd 10/24/06 1:14 PM Page 549

Study Strategies . Although there currently are not any listings on the exam guidelines that mention file compression or file encryption, they will make an appearance on the exam nonetheless. You will need to know how to implement file and folder compression, what the advan- tages and limitations are, and when it cannot be used. Make sure that you set up and configure the compression scenarios in this chapter and observe the operation closely. . With the current emphasis on security, it is essential to become familiar with the Windows Server 2003 version of file and folder encryption, especially the features added with the R2 release. . One of the centerpieces in the R2 release of Windows Server 2003 is the File Server Resource Manager. Make sure you are familiar with its operation, what differences it provides in quotas versus using straight New Technology File System (NTFS) quotas, and how to run the reports. In addition, get some hands-on experience setting up templates and using file screening. . The disk quota questions will probably be related to how quotas are applied to users and what happens when a file is moved or copied. Make sure you understand the limitations of the Microsoft version of disk quotas and how to monitor and configure them. . Test your encryption skills using the provided exercises, make sure that you are comfort- able with creating keys, recovering keys, and know what happens when an encrypted file is moved to another volume, or the owner’s user account is deleted. . To get the full benefit of the exercises in this chapter, create folders on your test servers, add files to them, and assign the files to different owners. This will allow you to experience the compression, file quotas, encryption, and reports sections in a more realistic manner. 18_648913x.qxd 10/24/06 1:14 PM Page 550

550 Chapter 13: Managing Data Storage File Compression in Windows Server 2003 Windows Server 2003 includes two types of file and folder compression: NTFS-based file system compression and the compressed folders feature, which is equivalent to the various Zip file utilities that have been available from sources other than Microsoft. Compression allows you to store more files on a volume because a compressed file takes up less space. Typically, files such as text files, documents, spreadsheets, and bitmaps will gain the most benefit from compression, because they generally contain a lot of blank space and redun- dant data. Other files such as compressed graphics files (JPEG, PNG), video files, or Zip files provide the least benefit because they already use their own form of compression. Using either method to compress files and folders gives you the same result: decreasing the amount of space that a file, folder, or program uses on your hard drive or removable media. Configuring NTFS File and Folder Compression NTFS compression allows you to compress a single file or even the entire volume. Because compression is built in to the file system, working with compressed files and folders is invisi- ble to the end user. When you open a file, Windows Server 2003 automatically decompresses the file, and when you close the file, it is recompressed. Because NTFS compression is a property of a file, folder, or volume, you can have uncompressed files on a compressed volume or a compressed file in an uncompressed folder. Native file and folder compression is one of the many benefits of using NTFS; native compression is not available on the File Allocation Table (FAT) file system. Unfortunately, this capability comes at a price—NTFS compression and Encrypted File System (EFS) encryption are mutually exclusive. That is, you cannot both compress and encrypt a file or folder at the same time.

You can manage compression from the command line by running the compact command or from the Windows GUI in the applicable folder or file Properties dialog box. Step by Step 13.1 outlines how to enable NTFS compression on a folder.

STEP BY STEP 13.1 Compressing a folder on an NTFS volume 1. Open either My Computer or Windows Explorer. Right-click the folder that you want to compress and select Properties from the pop-up menu. 2. From the folder’s Properties page, click the Advanced button, as shown in Figure 13.1. 18_648913x.qxd 10/24/06 1:14 PM Page 551

551 File Compression in Windows Server 2003

FIGURE 13.1 Compression is an attribute of a folder.

3. In the Advanced Attributes dialog box, shown in Figure 13.2, select the Compress Contents to Save Disk Space check box. Click OK to save.

FIGURE 13.2 To compress a folder, select the Compress Contents to Save Disk Space check box. Notice that you can check either Compress Contents or Encrypt Contents, but not both.

4. Click OK on the folder’s Properties page. 5. If the Confirm Attribute Changes dialog box appears, as shown in Figure 13.3, choose whether you want to apply the changes to only the selected folder or to the folder and all its subfolders and files. Click OK. 18_648913x.qxd 10/24/06 1:14 PM Page 552

552 Chapter 13: Managing Data Storage

FIGURE 13.3 Select what you want compressed.

As mentioned earlier, you can choose to compress a single file, or a group of files, without compressing the folder or the volume that the file resides in. To compress a single file or group of files, consult Step by Step 13.2.

STEP BY STEP 13.2 Compressing a file on an NTFS volume 1. Open either My Computer or Windows Explorer. Right-click the file that you want to compress and select Properties from the pop-up menu. 2. From the file’s Properties page, click the Advanced button. 3. In the Advanced Attributes dialog box, select the Compress Contents to Save Disk Space check box. Click OK to save.

4. Click OK on the file’s Properties page.

If you need to conserve a lot of space, you can choose to compress an entire NTFS volume. However, remember that it takes a certain amount of system overhead to work with compressed files, so you probably won’t want to compress a volume that contains files that are frequently accessed, such as your boot drive. Also, there will always be certain files in use that cannot be compressed, such as ntoskrnl and pagefile.sys. To compress an NTFS volume, follow the procedure outlined in Step by Step 13.3. 18_648913x.qxd 10/24/06 1:14 PM Page 553

553 File Compression in Windows Server 2003

STEP BY STEP 13.3 Compressing an NTFS volume 1. Open either My Computer or Windows Explorer. Right-click the drive that you want to compress and select Properties from the pop-up menu. 2. From the local disk’s Properties page shown in Figure 13.4, click the Compress Drive to Save Disk Space check box.

FIGURE 13.4 Compressing a volume.

3. From the Confirm Attribute Changes dialog box, choose whether you want to turn compression on for the volume or compress all its subfolders and files. Click OK.

4. Click OK on the local disk’s Properties page.

By looking at the Properties page for the file or folder, you can determine how much physical space was saved by comparing the entries for Size and Size on Disk, as shown in Figure 13.5. 18_648913x.qxd 10/24/06 1:14 PM Page 554

554 Chapter 13: Managing Data Storage

FIGURE 13.5 Comparing compressed and uncompressed sizes.

It’s important to note that if you compress a volume or folder, you can choose to not compress the files and subfolders. However, any new files or folders created on a compressed volume or in a compressed folder will be compressed. New objects automatically inherit the compression attribute of the container in which they are created.

Challenge You are the administrator of a network for a manufacturing company that includes multiple Windows Server 2003 servers used for file and print services. Your company is currently having financial problems, so the hardware budget for this fiscal year is limited. The legal department is required to have all its documents available for at least 10 years because of a pending wrongful-death lawsuit. Unfortunately, you are running out of drive space and the voluminous amount of data consumed by these documents isn’t going away anytime soon. You must find a way to provide more free space for your users while keeping the documents for the legal department readily available—all without funding for new hardware! What is the best way to solve this issue in Windows Server 2003? On your own, try to develop a solution that would involve the least amount of downtime and expense. If you would like to see a possible solution, follow the procedure outlined here. This is a fairly straightforward decision, mainly because without a budget, you can’t use features such as remote storage and offline backups, which require additional hardware. Your only option is to compress

(continues) 18_648913x.qxd 10/24/06 1:14 PM Page 555

555 File Compression in Windows Server 2003

(continued) the old documents using the file and folder compression feature in Windows Server 2003. Fortunately, document files usually have a high compression ratio, so you should be able to gain a large amount of free space. Here are the steps to follow: 1. Using either Windows Explorer or My Computer, navigate to the folder on the volume you want to compress. 2. Right-click the folder and select Properties. From the Properties dialog box, write down the Size and the Size on Disk entries. 3. Click the Advanced box. From the Advanced Attributes dialog box, select Compress Contents to Save Space, and then click OK. 4. Click OK again to close the dialog box. 5. When you are presented with the dialog box asking whether you want to apply the changes to the selected folder or to the folder, subfolder, and all files, select the check box to apply the changes to the folder, subfolder, and all files. Click OK to save. 6. After the compression completes, right-click the folder, select Properties, and compare the Size on Disk entry with the numbers you recorded earlier.

The nice thing about the Windows Server 2003 implementation of compression is that it allows you to apply compression at the volume, folder, or file level. This allows you to selec- tively compress older files that are not frequently used, yet you do not disrupt the files that are always in use.

Copying or Moving Compressed Files or Folders Several rules apply when you move or copy compressed files and folders. The possible out- comes of moving or copying NTFS compressed files or folders are as follows: . Moving an uncompressed file or folder to another folder on the same NTFS volume results in the file or folder remaining uncompressed, regardless of the compression state of the target folder. . Moving an uncompressed file or folder to another folder on a different NTFS volume results in the file or folder inheriting the compression state of the target folder. . Moving a compressed file or folder to another folder on the same NTFS volume results in the file or folder remaining compressed after the move, regardless of the compression state of the target folder. . Moving a compressed file or folder to another folder on a different NTFS volume results in the file or folder inheriting the compression state of the target folder. 18_648913x.qxd 10/24/06 1:14 PM Page 556

556 Chapter 13: Managing Data Storage

. Copying a file to a folder causes the file to take on the compression state of the target folder, whether on the same or a different volume. . Overwriting a file of the same name causes the copied file to take on the compression state of the target file, regardless of the compression state of the target folder. . Copying a file from a FAT folder to an NTFS folder results in the file taking on the compression state of the target folder. . Copying a file from an NTFS folder to a FAT folder results in all NTFS permissions being lost.

Identifying Compressed Objects So that you can easily identify files and folders that have been compressed, you can turn on a view property in Windows Explorer or My Computer. When this property is turned on, files and folders that are compressed are displayed in blue text. To enable this option, use the instructions in Step by Step 13.4.

STEP BY STEP 13.4 Changing the view property to identify compressed objects 1. Open either My Computer or Windows Explorer. From the system menu, click Tools, Folder Options. 2. In the Folder Options dialog box, click the View tab. 3. In the Advanced Settings window of the Folder Options dialog box, shown in Figure 13.6, select the Show Encrypted or Compressed NTFS Files in Color check box. Click OK to save.

FIGURE 13.6 Turn on the view property for compressed objects. 18_648913x.qxd 10/24/06 1:14 PM Page 557

557 File Compression in Windows Server 2003

Managing Compression from the Command Line In addition to the GUI method of compressing files, Windows Server 2003 also has a command-line utility, COMPACT.EXE. The command-line utility is handy for use with scripting, or it can be used in those situations where you want to compress only certain types of files. For example, if you wanted to compress only the document files on your volume, you could use wildcards to specify that only those types of files should be compressed.

The compact command has the following syntax: compact [{/c|/u}] [/s[:dir]] [/a] [/i] [/f] [/q] [FileName[...]]

Table 13.1 presents the available options for use with the compact command.

TABLE 13.1 The Options for the compact Command Switch Description /c Specifies that the directory or file is to be compressed. /u Specifies that the directory or file is to be decompressed. /s Specifies that the compression action is to be performed on all subdirectories of the specified directory. /a Specifies the display of hidden or system files. /I Specifies that errors are to be ignored during the compression process. /f Specifies that the compression operation is to be forced on the specified directory or file. This is useful in cases in which a directory is only partly compressed. /q Specifies that only the most essential information is to be reported. FileName Specifies the file or directory. You can use multiple filenames and wildcard characters (* and ?).

EXAM ALERT Expect a compact Question Expect at least one exam question that deals with compressing files and folders from the command line.

Compressed (Zipped) Folders The second form of compression available in Windows Server 2003 is compressed folders. As stated earlier, the compressed folders feature uses the industry-standard Zip format to compress files into a folder. Unlike NTFS compression, compressed folders can be copied or moved to other computers, and they retain their compressed format. 18_648913x.qxd 10/24/06 1:14 PM Page 558

558 Chapter 13: Managing Data Storage

Compressed folders can be created in My Computer or Windows Explorer using the procedure outlined in Step by Step 13.5.

STEP BY STEP 13.5 Creating a compressed folder 1. Open either My Computer or Windows Explorer. Highlight the drive or folder that you want to create the compressed folder in. Then, from the system menu, select File, New, Compressed (Zipped) Folder, as shown in Figure 13.7.

FIGURE 13.7 Creating a compressed folder.

2. Key in a name for the new folder, and then press Enter to save.

After you have created the compressed folder, shown in Figure 13.8, you can add and remove files and folders to and from it by dragging and dropping, just like any other folder in Windows Server 2003. In addition, you can run most programs and open and edit files in the compressed folder. For extra security, you can password protect the compressed folders. Because compressed folders are essentially just common Zip files, they can also be manipulat- ed by most third-party Zip utilities. 18_648913x.qxd 10/24/06 1:14 PM Page 559

559 File Server Resource Manager

FIGURE 13.8 Compressed folders are identified by the zipper icon.

Best Practices for Compressed Files and Folders File compression isn’t a panacea for file storage problems—it’s just another tool that should be used in association with the other tools in this chapter. However, used properly, it can help you to manage your storage efficiently. There are certain points to remember: . Compress only file types that will benefit from compression—This includes text files, documents, spreadsheets, and bitmaps. . Don’t use compression for compressed files—This includes files such as compressed graphics files (JPEG, PNG), video files, or other files that already use some form of compression. . Don’t compress live data—This includes databases that host a lot of write activity and other files that are constantly changing.

File Server Resource Manager No matter how much storage you have on your file servers, users always manage to fill it up. Even if you restrict Internet access so that they can’t download their favorite games and pic- tures, they still pack your servers with various documents and other assorted business-related and “other” files that they just can’t live without. Is it really necessary to retain WordPerfect 5.0–formatted documents from 1993? 18_648913x.qxd 10/24/06 1:14 PM Page 560

560 Chapter 13: Managing Data Storage

In most environments, the administrator must have a mechanism to monitor and control the amount of space that users are allocated. Although there have always been third-party utilities available to control disk usage, Microsoft finally included the Disk Quota feature in its operating systems starting with Windows 2000. Previous to the R2 release of Windows Server 2003, the Disk Quota feature in Windows Server 2003 was largely unchanged since the initial version. The File Server Resource Manager (FSRM) is a new MMC snap-in available in Windows Server 2003, starting with the R2 release. FSRM provides a variety of tools that can be used to monitor and control the amount of space used and control what files are stored on your servers. In addition, it also provides storage reports, so that you have a record of who’s storing what and where.

EXAM ALERT R2 Only Although the domain can still be Windows 2000 or Windows Server 2003 without R2, the server the FSRM is installed on and all the servers that will be managed via the FSRM must be at R2 or later.

To install the File Server Resource Manager on a Windows Server 2003 R2 server, follow the procedure in Step by Step 13.6.

STEP BY STEP 13.6 Installing the File Server Resource Manager 1. From the Start menu, click Start, Control Panel, Add or Remove Programs. 2. In the Add or Remove Programs window, as shown in Figure 13.9, click Add/Remove windows. 3. This starts the Windows Components Wizard. From the Windows Components dialog box, select the check box for Management and Monitoring tools, and then click the Details button. 4. In the Management and Monitoring Tools dialog box, select the File Server Resource Manager subcomponent, as shown in Figure 13.10. Click OK to return to the wizard. 18_648913x.qxd 10/24/06 1:14 PM Page 561

561 File Server Resource Manager

FIGURE 13.9 Installing Windows components.

FIGURE 13.10 Select the File Server Resource Manager subcomponent.

5. On the Windows Components dialog box, click the Next button to continue. 6. When prompted, insert the requested Windows Server 2003 R2 CDs. (You might need both CD1 and CD2.) 7. The necessary files are loaded. When completed, click the Finish button.

8. When prompted, restart the server.

After the FSRM is installed, it can be opened by selecting the File Server Resource Manager icon in the Administrative Tools folder. 18_648913x.qxd 10/24/06 1:14 PM Page 562

562 Chapter 13: Managing Data Storage

The FSRM MMC, as shown in Figure 13.11, takes advantage of the new functionality in MMC version 3.0 by displaying the additional Actions pane on the far right.

FIGURE 13.11 The File Server Resource Manager MMC.

As you can see in Figure 13.11, there are three major nodes in the FSRM MMC: . Quota Management—Used to create and manage quotas on volumes and folders. . File Screening Management—Used to create file screens that prevent users from saving blocked file types in managed volumes and folders. . Storage Reports Management—Used to create and schedule storage reports.

Before we can use the FSRM MMC, we need to set up a few configuration options. To access the configuration, right-click the File Resource Manager entry in the left pane, and select Configure Options from the pop-up menu. This opens up the options dialog box, shown in Figure 13.12. On the Email Notifications tab, enter the SMTP server, the email address of the administrators that you want notifications sent to, and the From e-mail address. Click the Test E-mail button to test your configuration. On the File Screen Audit tab, shown in Figure 13.13, you have the option to record all file screening activity in an auditing database. This database is used to create the File Screen Audit Report. 18_648913x.qxd 10/24/06 1:14 PM Page 563

563 File Server Resource Manager

FIGURE 13.12 You can set the FSRM notification configuration from the Email Notifications tab.

FIGURE 13.13 File Screen auditing is enabled by selecting the check box. 18_648913x.qxd 10/24/06 1:14 PM Page 564

564 Chapter 13: Managing Data Storage

NOTE Performance Hit Enabling file screen auditing adds a certain amount of overhead to the file screening process. Make sure that you actually need this functionality before turning it on.

Now that we have the initial configuration of the File Server Resource Manager completed, let’s take an in-depth look at what we can accomplish with it. Implementing and Monitoring Disk Quotas

Objective: Monitor file and print servers. Tools might include Task Manager, Event Viewer, and System Monitor. . Monitor disk quotas. Disk quotas are a method of controlling the amount of space a user has access to on a file server. You can also use the Disk Quota feature to monitor the space in use by your users. As we mentioned earlier, both the Windows 2000 and Windows Server 2003 operating systems sup- port disk quotas, which are used to track and control disk usage per user on NTFS volumes. Quotas can be configured in one of two ways: as a monitoring tool so that the administrator can track disk usage by user or as a tool to prevent the user from saving files to the disk when a specified limit is reached. There are two types of disk quotas in Windows Server 2003 starting with the release of version R2: . NTFS Quotas—These are the old-style quotas that have been used since Windows 2000. . FSRM Quotas—These are the new-style quotas that were introduced in R2.

NTFS Quotas NTFS quotas are set on a per-volume basis and are assigned to each user, but unfortunately they cannot be assigned by folder or by group. Similar to encryption and compression, quotas can be used only on NTFS-formatted partitions and volumes. When you enable disk quotas for a volume, volume usage is automatically tracked for all users from that point on. NTFS quotas have the following features and limitations: . Disk quotas do not apply to members of the local Administrators account. 18_648913x.qxd 10/24/06 1:14 PM Page 565

565 Implementing and Monitoring Disk Quotas

. The files contained on a volume converted from FAT to NTFS do not count against user quotas, because they are initially owned by the local administrator. Files created or moved to the volume after the conversion has been completed are owned by the user. . Disk quotas cannot be applied on a per-folder basis. They can only be applied per volume. . If a physical disk has multiple volumes, a quota can be applied separately to each volume. . Even if a volume consists of multiple physical disks, the quota for the volume applies to the entire volume. . Disk usage is based on all files that the user creates, copies, or takes ownership of. . File compression cannot be used to prevent users from exceeding their quota. Disk quotas are based on the actual file size, not the compressed file size. . Disk quotas affect the free size that an installed application sees during the installation process. . Disk quotas can be enabled on local or network volumes and removable drives formatted with NTFS. . Disk quotas are not available on any volume or partition formatted using a version of Windows prior to Windows 2000. Disk quotas are available only on NTFS volumes or partitions formatted by Windows 2000 or later. . When quotas are exceeded, notification is via an entry in the event logs.

Implementing NTFS Disk Quotas

EXAM ALERT Which Disk Quotas? We are presenting material on the older NTFS Quotas because questions per- taining to them might appear on the exam, and your environment might include pre-R2 versions of Windows Server 2003. However, if you are using a Windows Server 2003 R2 server, you should use the new style quotas implemented via the FSRM.

NTFS Quotas are applied at the volume level from the Volume Properties dialog box of the NTFS volume. In addition to turning quotas on or off, the following options are available on the Quota Properties tab: . Deny Disk Space to Users Exceeding Quota Limit—This option causes users who have exceeded their limit to receive an “insufficient disk space” message when they try to save a file. They will be unable to add any more data to the volume until they free up space by moving or deleting some existing files. 18_648913x.qxd 10/24/06 1:14 PM Page 566

566 Chapter 13: Managing Data Storage

. Limit Disk Space To—This setting is used to configure the amount of space to which new users are limited. . Log Event When a User Exceeds Their Quota Limit—When a user exceeds his or her quota, an event is written to the System log. These events are queued and written hourly. . Log Event When a User Exceeds Their Warning Level—When a user exceeds his or her warning level, an event is written to the System log. These events are queued and written hourly.

The default in Windows Server 2003 is for quotas to be turned off. To set NTFS quota limits on a volume, perform the procedure outlined in Step by Step 13.7.

STEP BY STEP 13.7 Setting NTFS Quota Limits on a volume 1. From My Computer or Windows Explorer, right-click the volume you want to enable quotas on and select Properties from the pop-up menu. 2. On the Disk Properties dialog box, select the Quota tab. 3. On the Quota tab, select the Enable Quota Management check box, as shown in Figure 13.14.

FIGURE 13.14 You can configure quotas from the Quota tab. 18_648913x.qxd 10/24/06 1:14 PM Page 567

567 Implementing and Monitoring Disk Quotas

4. In the Disk Properties dialog box shown in Figure 13.14, select the Limit Disk Space To option button and add limit and warning levels. 5. Click OK. 6. When you receive the warning dialog box shown in Figure 13.15, read it, and then click OK.

FIGURE 13.15 This warning dialog box tells you that the drive will be scanned so that the file ownership can be inventoried and the disk usage can be credited to each user.

After you turn on disk quotas, the volume is scanned and the file space is calculated, depend- ing on the Creator Owner of each file. Although all users are assigned, by default, the quota limit you just configured (see Figure 13.16), you can change the quota configuration of an existing user.

FIGURE 13.16 The Quota Entries window from a drive that just had quotas enabled. Note that there is no limit on the administrators account.

Managing NTFS Disk Quotas After disk quotas have been implemented on your server, most of the work required in managing them involves monitoring the disk space that the users have allocated and making adjust- ments when a user has a good reason to receive more disk space. 18_648913x.qxd 10/24/06 1:14 PM Page 568

568 Chapter 13: Managing Data Storage

A lot of this monitoring can be performed from Event Viewer if you selected the option to write an entry in the event logs when a user crosses the warning threshold or exceeds the hard limit. The applicable entries in the event logs can be found by performing a search or filtering for the event IDs 36 (for warning threshold) and 37 (for over the limit), with a source entry of NTFS. Quotas can be configured so that when users reach a preset warning level, an event is recorded in the event log. The users can continue to save files to the volume until they reach their quota limit. At that time, they will be unable to save any more files to the volume, and they will receive an “insufficient disk space” message. This will also record an event in the event log. The second major task associated with disk quotas involves monitoring the space each user has available. This can be accomplished by opening the Quota Entries window and sorting the space entries to find out which users have exceeded their limits and which users are near their limits, as shown previously in Figure 13.16. This is made easier by referring to the icons to the left of the entries. The following icons are used so that you can see the status at a glance: . Green—This means the user is below the warning threshold. . Yellow triangle with exclamation point—This means the user is over the warning threshold but under the limit. . Red circle with exclamation point—The user has exceeded the limit.

File Server Resource Manager Quotas Although NTFS Quotas are still available in Windows Server 2003 R2, it’s much better to implement your quotas using the File Server Resource Manager (FSRM). The differences are as follows: . Quotas can be set at both the folder and volume level. . Quotas are calculated using the actual disk space used, so compressed files are now calculated using the actual size on disk, not the uncompressed size. . Quotas can be implemented on multiple servers by copying a template between servers. . Quotas can be automatically created for subfolders as they are added. . Notifications have been enhanced to include not only Event Logging, but also the capability to send an email, run a file or script, or generate a storage report. 18_648913x.qxd 10/24/06 1:14 PM Page 569

569 Implementing and Monitoring Disk Quotas

To implement a quota using the File Server Resource Manager, follow the procedure in Step by Step 13.8.

STEP BY STEP 13.8 Implementing a quota using the File Server Resource Manager 1. From the Start menu, click Start, Control Panel, Administrative Tools, File Server Resource Manager. 2. In the File Server Resource Manager MMC, right-click Create Quota in the Actions pane. 3. This opens the Create Quota dialog box, as shown in Figure 13.17. Either enter the desired path in the Quota Path field, or click the Browse button to locate it.

FIGURE 13.17 You can either accept the defaults or create custom properties.

4. Click the Custom Properties button. 5. This opens the Quota Properties dialog box, as shown in Figure 13.18. Enter the desired Space Limits, and then click the OK button. 18_648913x.qxd 10/24/06 1:14 PM Page 570

570 Chapter 13: Managing Data Storage

FIGURE 13.18 The properties dialog box allows you to configure space limits and notifications.

6. On the Create Quota dialog box, click the Create button to save your quota. 7. When the Save Custom Properties as a Template dialog box appears, as shown in Figure 13.19, select the Save the Custom Quota Without Creating a Template option button, and then click the OK button.

FIGURE 13.19 You have the option of saving your settings as a template that can be reused and copied to other servers. 18_648913x.qxd 10/24/06 1:14 PM Page 571

571 Implementing and Monitoring Disk Quotas

8. The quota is displayed in the FSRM MMC, as shown in Figure 13.20.

FIGURE 13.20 The completed quota will apply to all users who save files in the folder.

That was a quick example of how to set up a simple quota. However, if you have an environment with tens, hundreds, or even thousands of volumes and folders to set quotas on, that process would become tedious very quickly. Fortunately, Microsoft has included the Quota Templates feature with the FSRM. A quota template can contain the following information: . Space—The allowed disk space can be defined in any increment from kilobytes to terabytes. Quotas can be applied to either new or existing volumes or folders. . Limits—Quotas can be set to either Hard or Soft. A hard quota will prevent the user from saving any more files. Unlike some third-party software, there is no grace period; when the limit is reached, the user is effectively blocked from using any more space. A soft quota will warn users, but will let them continue to save files. The soft quotas are typically used for space monitoring purposes. . Notifications—You can configure notifications to let the user and/or administrator know when the users’ space nears or reaches their quota limit. These notifications can be saved to the event log, emailed, or can cause a program or script to be run. 18_648913x.qxd 10/24/06 1:14 PM Page 572

572 Chapter 13: Managing Data Storage

You can either use the quota templates as is, or you can use them as a basis for your own custom template. In Step by Step 13.9, we will copy an existing template and configure it for our needs.

STEP BY STEP 13.9 Implementing a quota using a quota template 1. From the Start menu, click Start, Control Panel, Administrative Tools, File Server Resource Manager. 2. In the File Server Resource Manager MMC, click the Quota Templates entry in the left pane. 3. This displays a list of the predefined Quota templates, as shown in Figure 13.21. Right-click the 200 MB Limit Reports to User template and select Create Quota from Template from the pop-up menu.

FIGURE 13.21 The FSRM comes supplied with a selection of predefined templates that you can use as the basis for your own custom templates.

4. This opens the Create Quota dialog box. Enter the desired path into the Quota Path field or click the Browse button to locate it. Notice in the bottom part of the dialog box that the predefined quota properties are shown (see Figure 13.22). 18_648913x.qxd 10/24/06 1:14 PM Page 573

573 Implementing and Monitoring Disk Quotas

FIGURE 13.22 The predefined properties are listed for the selected quota template.

5. Select the Define Custom Quota Properties option button, and then click the Custom Properties button. This opens the Quota Properties dialog box, as shown in Figure 13.23. In the Copy Properties field, select the 200MB Limit template from the drop-down list, and then click the Copy button. This copies the settings from the existing template. Enter a label as shown.

FIGURE 13.23 You can copy the existing settings to your custom template. 18_648913x.qxd 10/24/06 1:14 PM Page 574

574 Chapter 13: Managing Data Storage

6. Change the Space Limit to 300MB, and then click the Add button to add another warning email notification at 90%. 7. Click the OK button. When you return to the Create Quota dialog box, notice that the quota properties reflect your changes. 8. Click the Create button to save your quota. 9. When the Save Custom Properties as a Template dialog box appears, enter a suitable name, and then click the OK button. 10. The quota is displayed in the FSRM MMC, as shown in Figure 13.24.

FIGURE 13.24 The completed quota will apply to all users who save files in the folder.

Templates are handy for a couple of reasons. First, you can reuse them for other volumes or folders, without having to go to the trouble of defining a new configuration. Second, if you have a change that needs to be made to all templates, you can specify to automatically make the change to all templates that were derived from the original templates. For example, suppose we want to add an email notification at 65% to the users that we just assigned the previous template to. Follow the procedure in Step by Step 13.10 to update all the quotas derived from the original 200MB limit quota. 18_648913x.qxd 10/24/06 1:14 PM Page 575

575 Implementing and Monitoring Disk Quotas

STEP BY STEP 13.10 Updating a quota derived from a quota template 1. From the Start menu, click Start, Control Panel, Administrative Tools, File Server Resource Manager. 2. In the File Server Resource Manager MMC, click the Quota Templates entry in the left pane. 3. This displays a list of the predefined quota templates. Double-click the 200 MB Limit Reports to User template. 4. This opens the Quota Template Properties dialog box. Click the Add button and add the 65% Threshold. Click OK to save. 5. The Update Quotas Derived from Template dialog box opens, as shown in Figure 13.25. Select the Apply Template to All Derived Quotas option, and then click the OK button.

FIGURE 13.25 You can apply your changes to all the templates derived from this one.

6. Double-click the template that we created in the previous Step by Step and observe that the new notification has been added.

Referring to Figure 13.25, the three settings are . Apply Template Only to Derived Quotas That Match the Original Template—This option will push your changes to any derived quotas, but only if you haven’t manually cus- tomized them since they were derived. . Apply Template to All Derived Quotas—This option pushes your changes to your derived templates, whether or not they have been manually edited since they were derived. . Do Not Apply Template to Derived Quotas—This option does exactly what it says. It saves the changes you made to the template, and then exits. 18_648913x.qxd 10/24/06 1:14 PM Page 576

576 Chapter 13: Managing Data Storage

EXAM ALERT Expect a Question Related to Copying/Moving Files and Disk Quotas Expect at least one exam question that deals with how quotas are affected when a file is copied or moved between folders or volumes. Remember that moving files on the same volume retains ownership, whereas copying does not.

File Screening with the FSRM The second major feature that the File Server Resource Manager brings to the table is file screening. As we discussed earlier, file screening allows you to prevent users from saving blocked file types to your servers. Just like with quotas, file screens can be built from scratch, or you can use and modify the supplied templates. You have the ability to apply file screens to a volume or folder while configuring exceptions so that certain users can save some of the blocked file types. Similar to quotas, you can configure file screening to block users from saving certain types of files, let them save them and notify you that they were saved, or both. File Groups File screens are configured through the use of File Groups. A File Group defines the files that should or should not be blocked. In addition, a File Group can be configured for specific exceptions that will override the blocking rule. Windows Server 2003 includes the following prebuilt file groups: . Audio and Video Files . Backup Files . Compressed Files . E-Mail Files . Executable Files . Image Files . Office Files . System Files . Temporary Files . Text Files . Web Page Files 18_648913x.qxd 10/24/06 1:14 PM Page 577

577 File Screening with the FSRM

Let’s create a File Group specifically for those nonbusiness files that users like to store on servers, such as .mpg, .wma, and .mp3. Follow the procedure in Step by Step 13.11 to accomplish this.

STEP BY STEP 13.11 Creating a File Group 1. From the Start menu, click Start, Control Panel, Administrative Tools, File Server Resource Manager. 2. In the File Server Resource Manager MMC, click to expand File Screening Management, and then click the File Groups entry. 3. Click Create File Groups in the Actions pane as shown in Figure 13.26.

FIGURE 13.26 The FSRM showing the preconfigured file groups and the included file extensions.

4. This displays the Create File Group Properties dialog box shown in Figure 13.27. 18_648913x.qxd 10/24/06 1:14 PM Page 578

578 Chapter 13: Managing Data Storage

FIGURE 13.27 Enter the extensions of the files to block.

5. Enter a name for the File group, and then enter the extensions of the files to block, using the format *.mp3. Click the Add button to add the file to the list. 6. When you’re finished, click OK to save. The new file group will be displayed in the FSRM MMC with the preconfigured file groups.

File Screen Templates The File Groups are used as the basis for the following default file screen templates that are included with Windows Server 2003 R2: . Block Audio and Video Files . Block E-Mail Files . Block Executable Files . Block Image Files . Monitor Executable and System Files

You probably noticed that all the templates were titled “Block,” except for the last one. Similar to the functionality of quotas, we have the ability to just monitor file save activity and notify the administrator when a specified file type is saved to the volume or folder. 18_648913x.qxd 10/24/06 1:14 PM Page 579

579 File Screening with the FSRM

Although we have the ability to create a simple file screen to apply to a single folder or volume, the best method is either to use one of the supplied templates, or use these templates as the basis for a custom template. Follow the procedure in Step by Step 13.12 to create a custom file screen template.

STEP BY STEP 13.12 Creating a file screen template 1. From the Start menu, click Start, Control Panel, Administrative Tools, File Server Resource Manager. 2. In the File Server Resource Manager MMC, click to expand File Screening Management, and then click the File Screen Template entry. 3. Click the Create File Screen Template entry in the Actions pane. This displays the Create File Screen Template dialog box shown in Figure 13.28.

FIGURE 13.28 Select the file group to use, or click the Create button to make a new one.

4. Enter the name of the template, and then select the file group we created in Step by Step 13.11. Make sure that the Active Screening option button is selected. 18_648913x.qxd 10/24/06 1:14 PM Page 580

580 Chapter 13: Managing Data Storage

5. Click the E-Mail Message tab. Select the options to send an email to both the administrators and the user, as shown in Figure 13.29.

FIGURE 13.29 Select the options to send a notification message.

6. When you’re finished, click the OK button to save the template.

The template we just created will block the saving of the files that we specified in the file group and will send the user and the administrator an e-mail when the user attempts to save one of the file types. Now that we have created a template, we need to apply it to a volume or folder. In Step by Step 13.13, we will set up a file screen on the root of the user’s home folders to block the saving of any unauthorized files in their home folders.

STEP BY STEP 13.13 Applying a file screen

1. From the Start menu, click Start, Control Panel, Administrative Tools, File Server Resource Manager.

2. In the File Server Resource Manager MMC, click to expand File Screening Management, and then click the File Screen entry. 18_648913x.qxd 10/24/06 1:14 PM Page 581

581 File Screening with the FSRM

3. Click the Create File Screen entry in the Actions pane; this displays the Create File Screen template dialog box shown in Figure 13.30.

Figure 13.30 Select the file screen path, and then select the template to use.

4. Enter the file path, and then select the file screen template we created in the previous step by step. Click OK to save.

5. When you’re finished, click the Create button to save.

File Screen Exceptions Like everything else, the one-size-fits-all analogy doesn’t always work for file screening. For example, what if the marketing department has a specific need to store video files, possibly out- takes for a commercial they are producing? Because you’ve already blocked *.mpg files, how are they going to be able to store their files on the servers? When there is a need to allow files that other file screens are blocking, you need to create a file screen exception. A file screen exception is a file screen that is used to override the screening for a folder and its subfolders. This is done by attaching a file group to the screen, just as we have done with regular file screens.

NOTE No Exceptions You cannot apply a file screen exception on a folder that you have already applied a file screen to. The exception must either be assigned to a subfolder or the original file screen must be changed. 18_648913x.qxd 10/24/06 1:14 PM Page 582

582 Chapter 13: Managing Data Storage

In Step by Step 13.14, we will set up a file screen exception on the root of the user’s home folders to allow the saving of *.mpg files in the Marketing folder.

STEP BY STEP 13.14 Creating a file screen exception 1. From the Start menu, click Start, Control Panel, Administrative Tools, File Server Resource Manager. 2. In the File Server Resource Manager MMC, click to expand File Screening Management. Then, right- click the File Screen entry and select Create File Screen Exception from the pop-up menu. 3. This displays the Create File Screen Exception dialog box shown in Figure 13.31. Enter the exception path as shown.

FIGURE 13.31 Enter the exception path, and then click the Create button.

4. Because there is not a predefined file group that contains only the *.mpg file type, click the Create button to open the Create File Group Properties dialog box, as shown in Figure 13.32. 18_648913x.qxd 10/24/06 1:14 PM Page 583

583 File Screening with the FSRM

FIGURE 13.32 Enter the desired extension.

5. Click OK to save. This returns you to the Create File Screen Exception dialog box. Select the check box for the File Group that you just created, and then click OK to save. The File Screen and its associated exception is shown in Figure 13.33.

FIGURE 13.33 FSRM MMC showing a File Screen and its associated File Screen Exception. 18_648913x.qxd 10/24/06 1:14 PM Page 584

584 Chapter 13: Managing Data Storage Generating Storage Reports with FSRM To monitor the success—or failure—of quotas and file screen activity, the FSRM is able to generate a series of reports. The available reports are the following: . Duplicate files . File screening audit . Files by file group . Files by owner . Large files . Least recently accessed files . Most recently accessed files . Quota usage

These reports can either be generated on a scheduled basis or on demand. They can be quite helpful because they are not only designed to give the system administrator a view of how the quotas and file screening are performing, but they point out other file server management issues, such as identifying large files, duplicate files, or files that aren’t currently being used. This assists the system administrator in making decisions as to what files need to be deleted or moved to offline storage. Report tasks are used to schedule reports that are generated on a regular schedule. A report task consists of the following information: . What reports are to be generated . The report parameters . The volumes and folders to report on . The schedule to generate the reports . The output format of the reports

In Step by Step 13.15, we will create a report task that will run a couple of reports at 11:25 every evening. 18_648913x.qxd 10/24/06 1:14 PM Page 585

585 Generating Storage Reports with FSRM

STEP BY STEP 13.15 Creating a report task 1. From the Start menu, click Start, Control Panel, Administrative Tools, File Server Resource Manager. 2. In the File Server Resource Manager MMC, right-click the Storage Reports Management entry and select Schedule a New Report Task from the pop-up menu. 3. This displays the Storage Reports Task Properties dialog box shown in Figure 13.34.

FIGURE 13.34 The Storage Report Tasks Properties dialog box allows you to specify the desired reports and the volumes and folders to report on.

4. Enter the volumes and folders that you want to report on. Next, select the reports that you want to see. You can review the report parameters by highlighting a report and selecting the Review Selected Reports button. Also, select the desired report format. 5. Click the Delivery tab. If desired, enter an email address that you want the reports to be mailed to. The default is to save them in the %systemdrive%\StorageReports\Scheduled folder. 6. Click the Schedule tab. Click the Create Schedule button. 7. This opens the Schedule dialog box shown in Figure 13.35. Click the New button and fill out the desired start time for the reports you selected. Note that you can select multiple schedules for the reports. Click OK when finished. 18_648913x.qxd 10/24/06 1:14 PM Page 586

586 Chapter 13: Managing Data Storage

FIGURE 13.35 Enter the desired schedule.

8. This returns you to the Schedule tab. Verify that the correct schedule is displayed, and then click the OK button to save your schedule.

As you can see in Figure 13.36, the scheduled report task is listed by the name of the reports, what is to be reported on, and the report schedule.

FIGURE 13.36 The FSRM listing the Report Task. 18_648913x.qxd 10/24/06 1:14 PM Page 587

587 Generating Storage Reports with FSRM

There will be times when you want a snapshot of what is happening with your disk storage. The FSRM allows you to generate an on-demand report that gathers current data to display. In Step by Step 13.16, we will create an on-demand report and view it in a browser.

STEP BY STEP 13.16 Creating an on-demand report 1. From the Start menu, click Start, Control Panel, Administrative Tools, File Server Resource Manager. 2. In the File Server Resource Manager MMC, right-click the Storage Reports Management entry and select Generate a New Report Now from the pop-up menu. 3. This displays the Storage Reports Task Properties dialog box. 4. Enter the volumes and folders that you want to report on. Next, select the reports that you want to see. You can review the report parameters by highlighting a report and selecting the Review Selected Reports button. Also, select the DHTML report format. 5. Click the OK button. You will be prompted as to whether you want the reports to be generated immediately or to be run as a background process. Select the option to run them immediately. 6. The report output will be displayed in a browser window, as shown in Figure 13.37.

FIGURE 13.37 A sample report showing the amount of space consumed by the selected file groups. 18_648913x.qxd 10/24/06 1:14 PM Page 588

588 Chapter 13: Managing Data Storage

As you have seen in the preceding sections, the File Server Resource Manager can be extreme- ly helpful in managing your file servers. In summary, FSRM provides the following benefits: . Quotas—FSRM allows the system administrator to limit the space used by volume or folder and can notify the user when the limits are approached or exceeded. Quotas can be applied to either new or existing volumes or folders. . File Screening—File screens can be created to prevent users from saving unapproved file types, and notifications can be sent when users attempt to save blocked files. . Templates—Quota and file-screening templates can be created to apply to new volumes or folders added to the organization. . Reporting—Reports of storage usage can either be generated on a scheduled basis or on demand.

Challenge You are a lead system administrator who is responsible for monitoring the storage space on all the file servers in your enterprise. You’ve given one of your junior administrators the task of reducing the storage space used by at least 15%. Because he is fairly new to storage administration, you suggest that he run a report to identify the files that each user owns. How would he accomplish this? Try to complete this exercise on your own, listing your conclusions on a sheet of paper. After you have completed the exercise, compare your results to those given here. 1. From the Start menu, click Start, Control Panel, Administrative Tools, File Server Resource Manager. 2. In the File Server Resource Manager MMC, right-click the Storage Reports Management entry, and then select Generate a New Report Now from the pop-up menu. 3. This displays the Storage Reports Task Properties dialog box. 4. Enter the volumes and folders that you want to report on. 5. Next select the files by owner report. 6. Select the DHTML report format. 7. Click the OK button. You will be prompted as to whether you want the reports to be generated immediately or to be run as a background process. Select the option to run them immediately. 8. The report output will be displayed in a browser window. 18_648913x.qxd 10/24/06 1:14 PM Page 589

589 Encrypting File System (EFS) Encrypting File System (EFS) One of the hot items in the news lately has been data theft. There have been far too many cases of thieves either accessing sensitive data over the Internet or stealing laptop computers that contain thousands of names, Social Security numbers, bank account numbers, and the like. Too many people assume that as long as an asset is password protected that their data is safe. This is far from the case. Any amateur with a password-cracking program can gain access to a computer, and accessing data from a stolen computer is as simple as installing a new operating system on the hard drive, or just adding the hard drive to another computer. After files are accessed, they can be read or copied. The Encrypting File System (EFS), first introduced in Windows 2000, has been updated for Windows Server 2003. EFS is an extension to NTFS and provides file-level encryption. EFS uses public/private key technology, which makes it difficult, but not necessarily impossible, to crack. As is typical with this key technology, the public key is used to encrypt the data, and a private key is used for decryption. The public key is just that—public. It can be passed around and is used to encrypt a file or an email message. Public keys are good for information exchange, such as secure mail. A user can publish her public key, and people can use this key to encrypt any mail they are sending to her. They can be assured that no one else can read the message, because it can be decrypted and read only by using the private key, which is kept secure by the receiver.

EXAM ALERT Public/Private Key Technology This technology is covered at length on the 70-298 Designing Security for a Microsoft Windows Server 2003 Network exam. More information about this technology can be found at http://windowssdk.msdn.microsoft.com/en-us/library/ms732314.aspx.

Encryption in EFS works by using a public/private key pair with a per file encryption key. When a user encrypts a file, EFS generates a file encryption key (FEK) and uses the public key to encrypt it. When the user wants to read or decrypt the file, the FEK is decrypted using the private key. The FEF is used to decrypt the file.

NOTE The file encryption and compression attributes are mutually exclusive. You can apply one or the other to a file, but not both. 18_648913x.qxd 10/24/06 1:14 PM Page 590

590 Chapter 13: Managing Data Storage

Although you can mark a folder as encrypted, the folder itself is not actually encrypted. EFS provides only file-level encryption. By marking a folder as encrypted, any files that are created or moved into the folder are automatically encrypted. Any existing files in the folder at the time that you set the encryption attribute are not automatically encrypted unless you select the option to apply changes to the folder, subfolder, and files on the Confirm Attribute Changes dialog. The first time a user selects the encryption attribute from the properties dialog box of a file or folder, EFS will automatically generate a public key pair; then the private key is certified by a Certificate Authority (CA). If a CA is not available, the public key is self signed. All this is transparent to the user. In Step by Step 13.17, we will use EFS to encrypt a folder, create a file in that folder, and then copy a file to that folder to see the effects of the encryption process.

STEP BY STEP 13.17 Encrypting a file or folder

1. In Windows Explorer, create a folder and name it Secure. Create a file in this folder and name it Test1.txt. 2. In Windows Explorer, right-click the folder you just created and select Properties from the pop-up menu. 3. This displays the Advanced Attributes dialog box shown in Figure 13.38.

FIGURE 13.38 The Advanced Attributes dialog box allows you to turn on either compression or encryption.

4. Click the OK button twice to save the changes and close the Properties dialog box.

5. Create a text file in the root directory and name it Secure1.txt. Move the file to the Secure folder.

6. Create a text file in the Secure folder and name it Secure2.txt. 18_648913x.qxd 10/24/06 1:14 PM Page 591

591 Encrypting File System (EFS)

7. Observe in Windows Explorer that both new files in the Secure folder (Secure*.txt) are displayed in green and that the original file is unchanged, as shown in Figure 13.39. This indicates that they are encrypted.

FIGURE 13.39 Encrypted files and folders will be displayed in green.

8. Log off the server, and then log back on again using a domain user (not administrator account). Try to open the secure files in the secure folder. You should receive the message Access is denied.

As you saw in the exercise, turning on encryption for a file or folder is pretty simple. In addition, after encryption is turned on for a folder, every file that is created or moved into that folder is automatically encrypted, without any user intervention. Any existing files are not affected. The following conditions apply when moving or copying encrypted files: . When a folder is encrypted, all files and subfolders added to that folder are automatically encrypted. . If an encrypted file or folder is moved or copied to another folder on an NTFS formatted volume, it remains encrypted. . If an encrypted file or folder is moved or copied to a FAT or FAT32 formatted volume, it is decrypted. . If an encrypted file or folder is moved or copied to a floppy, it is decrypted. . If a user other than the one who encrypted the file or folder attempts to copy it, he will receive the message Access is denied. 18_648913x.qxd 10/24/06 1:14 PM Page 592

592 Chapter 13: Managing Data Storage

. If a user other than the one who encrypted the file attempts to move it to a folder that was encrypted by the original user, she will be successful. . If a user other than the one who encrypted the file or folder attempts to move or copy it to another volume (NTFS, FAT, or FAT32), he will receive the message Access is denied.

After encryption is configured, the encrypt/decrypt process is transparent to the user and to applications. When a user opens a file, it is automatically decrypted and will be reencrypted when the user saves it. Because encryption is a file-level process, the application is unaware that it is working with an encrypted file. However, you must be careful to set the encryption attribute on for the folder that the file is stored in, because some applications, such as Microsoft Word, will create temporary files, and they will not be encrypted unless they are in an encrypted folder. Sharing Encrypted Files In some situations, the data in a file will need to be shared with other users, or possibly a group of users. However, it will still be important to keep the contents secure. In this situation, you can specifically share the encrypted file with other users. However, keep the following points in mind: . After the user is given permission to the file, he or she can also grant others permission to use the file. . Encrypted files can be shared, but not encrypted folders. Note that this refers only to EFS sharing, and an encrypted folder can always be an NTFS file share. . Any user who is being granted access must have an EFS certificate. This certificate can reside in Active Directory, in the user’s roaming profile, or in the user’s profile on the server where the shared file is located.

NOTE Certificate Required As we mentioned earlier, all users that are being granted access must have a certificate. The easiest way to get a certificate is to encrypt a file or folder, which will automatically generate an EFS certificate for that user.

To share an encrypted file, follow the procedure in Step by Step 13.18. 18_648913x.qxd 10/24/06 1:14 PM Page 593

593 Encrypting File System (EFS)

STEP BY STEP 13.18 Sharing an encrypted file 1. Open Windows Explorer and navigate to the Secure folder.

2. In Windows Explorer, right-click the Secure2.txt file and select Properties from the pop-up menu. 3. This displays the Advanced Attributes dialog box. 4. Click the Details button; this opens the Encryption Details dialog box, as shown in Figure 13.40.

FIGURE 13.40 The Encryption Details dialog box allows you to authorize users and recovery agents for an encrypted file.

5. Click the Add button and use the Select User dialog box (see Figure 13.41) to add a user to the encrypted file. Click OK three times to return to Windows Explorer.

FIGURE 13.41 The Select User dialog box lists the users who have certificates installed on the local machine. 18_648913x.qxd 10/24/06 1:14 PM Page 594

594 Chapter 13: Managing Data Storage

6. Log off the server, and then log back on again using the user that you shared the file with. Try to open the files in the secure folder. The file should open without any problems.

EFS Recovery Agents So how can encrypted data be recovered if users lose their private key or leave the company? On standalone Windows servers and workstations (not members of a domain), the Data Recovery Agent (DRA) role must be manually assigned—it is not created automatically. In a domain, the domain administrator’s account will automatically be granted this role. Because this account is designated as the DRA, a recovery key is generated and saved in the local administrators’ certificate store that can be used by the local administrator to recover the encrypted data. This recovery key can be used only to recover the data. The user’s private key is never revealed. If the DRA role is removed by a configuration error, the system assumes that no data recovery policy is in place and will refuse to encrypt any files or folders.

NOTE The user account with recovery agent rights will be able to copy the file to his/her computer to perform recovery operations.

Any user can be a recovery agent; no other rights are required. Creating a Domain DRA After a user has encrypted a file, an EFS certificate is automatically created for them. This certificate is needed before the user can be designated as a recovery agent. In the following Step by Step, we will perform the two steps needed to create a DRA: First, publish the certificate to the user account, and then add the user account as an EFS Recovery Agent.

STEP BY STEP 13.19 Adding an EFS Recovery Agent 1. Open the Active Directory Users and Computers MMC. From the View menu, select Advanced Features. 2. Locate the user you want to add, right-click the entry, and select Properties. 18_648913x.qxd 10/24/06 1:14 PM Page 595

595 Encrypting File System (EFS)

3. On the User Properties dialog box, select the Published Certificates tab. 4. Click the Add from Store button; this displays the Select Certificate dialog box shown in Figure 13.42.

FIGURE 13.42 Select the entry for the desired user that lists the EFS certificate.

5. Select the entry for the user that lists the EFS certificate, and then click the OK button. 6. This returns you to the User Properties dialog box. The certificated should be shown under the list of certificates published for the account, as shown in Figure 13.43. Click OK to close.

FIGURE 13.43 The certificate is published to the user account.

7. In Active Directory Users and Computers, right-click the domain entry and select Properties from the pop-up menu. On the Properties dialog box, click the Group Policy tab. 18_648913x.qxd 10/24/06 1:14 PM Page 596

596 Chapter 13: Managing Data Storage

8. On the Group Policy tab, highlight the Default Domain Policy entry, and then click the Edit button. This opens the Group Policy Editor. 9. In the Group Policy Editor, expand Computer Configuration, Windows Settings, Security Settings, Public Key Policies, and then highlight the entry for Encrypting File System (see Figure 13.44).

FIGURE 13.44 The administrator’s certificate is published by default.

10. Right-click the Encrypting File system entry, and then select Add Recovery Agent from the pop-up menu. This starts the Add Recovery Agent Wizard. Click Next to continue. 11. On the Select Recovery Agents dialog box, click the Browse Directory button. From the Select Users dialog box, enter the name of the user account you want to add, and then click OK.

12. Click Next, and then click Finish.

Recovering an Encrypted File or Folder To recover an encrypted file or folder, the recovery agent must copy the file to his computer, if in a domain, or log on to the computer with the local administrator account on a standalone computer. To recover a file or folder, follow these steps: 1. Log on to the test server as a local administrator. 2. Right-click the file or folder and select Properties. 18_648913x.qxd 10/24/06 1:14 PM Page 597

597 Encrypting File System (EFS)

3. Click the Advanced button. 4. From the Advanced Attributes dialog box, deselect the Encrypt Contests to Secure Data check box. 5. Click OK twice to save.

If the computer is a member of a domain, move the file back to the user’s computer. Encryption Using the Cipher Command The cipher command-line utility is supplied so that you can work with encrypted files and folders from the command line. This is handy when you are encrypting or decrypting a large number of files or folders, because you can use wildcards or run the utility from a script. The cipher command options are listed in Table 13.2.

TABLE 13.2 Cipher Command-Line Options Option Meaning No parameters Displays the encryption state of the files in the current folder /e Encrypts the specified folder(s) /d Decrypts the specified folder(s) /s:dir Performs the operation on the current folder and all subfolders /a Encrypts/decrypts the files in all the folders that were specified /i Continues when an error occurs /f Forces all specified files to be encrypted /q Nonverbose reporting /h Displays hidden or system files /k Creates a new key; all other options are ignored

EXAM ALERT You might encounter EFS questions on the exam. You should know how to encrypt and decrypt files and folders using both the GUI and the cipher utility. In addition, you should be familiar with the key recovery process.