Windows File Sharing Best Practices

File Sharing

Traditionally, Windows file sharing has been limited to creating shares on local servers, setting permissions and accessing files over local area networks or VPNs. Windows file sharing has many benefits including speed of access, simplicity, unlimited storage capacity, integration with Active Directory and the ability to deploy mapped drives to thousands of machines instantly using login scripts or Group Policy. For this reason, the majority of enterprises continue to maintain significant investments in Windows file sharing infrastructure including servers, high-speed networks, Storage Area Networks and Network Attached Storage devices. These devices provide the reliability, speed and redundancy enterprises demand for a highly efficient workforce.

Windows File Sharing

Sharing files using Windows Active Directory is easy. It is important first to plan the directory structure. Companies typically create root folders which in turn become shares that can be mapped for various departments (for example: Finance, Projects, Executive, HR). In the past companies would map a different drive letter to each department. This is no longer necessary since Microsoft added the “Access Based Enumeration” feature described below.

It is also important to plan for future growth by allocating sufficient disk space for files. It is best practice to locate files on a separate drive letter from the operating system drive so that running out of drive space or an operating system failure cannot corrupt files. Larger organizations typically store files on Network Attached Storage appliances with failover and backup built in and use a DFS namespace to redirect users to redundant back-end file servers.

Windows File Server shares can be created using Server Manager or by right-clicking any folder and choosing “Sharing” on the Sharing tab to create a share that can be mapped by PCs. Microsoft has a great article on how to create a file share using Server Manager here. For our purposes we will create a share using the manual process so we have complete control over the share name, the share permissions and the NTFS permissions.

Creating a Windows File Share (Easy)

Once you have created the folder structure, right-click the folder, choose Properties, then choose Share to create the share and set permissions:

Create Windows Share

Typically, you would add the various groups that you wish to have access to your folder structure. With the simplified interface the actual share creation and permission details are set for you. Using the Advanced Sharing interface, we can see the actual permissions applied to both the share and the NTFS folder.

Creating a Windows File Share (Advanced)

There are two components when sharing folders in Windows: the share itself (its name and the permissions set on the share) and the underlying NTFS permissions. In the early days of Windows, the file systems of the time (FAT and FAT32) did not allow setting permissions on files, so Microsoft allowed administrators to set permissions on the share itself rather than on the folder structure underneath. NTFS has now been around for many years and it is no longer necessary or advisable to set permissions at the file share level; you will see that when you use the easy share interface, permissions at the share level are set to the special group “Everyone” with Full Control.

Share Permissions

So it is clear that we should always set the permission on the share to “Everyone” with Full Control when using the Advanced Sharing option to get around this legacy feature, and use only NTFS permissions to apply security. One additional note on file shares and naming – to make the share hidden (not broadcast on the network for browsing), append a $ sign to the end of the name. For example: Finance$ can be used to hide the share from appearing when users browse the network. To map a drive to it users need to know the name – for example \\server\finance$. Hiding a share only removes it from browsing; anyone who knows the name can still connect to it, so access is still controlled entirely by the NTFS permissions.

Next, we need to set permissions on folders using NTFS security. If we look at the security permissions for the shared folder we created in our example we will see the user groups we chose have been granted permissions on that shared folder:

From this interface we can add additional users and groups or disable inheritance so that we can apply custom permissions to this folder only. This interface is also where we go to take ownership of files and folders. In the easy share wizard security results, we can see both groups we added have “Full Control” for all files and folders. While Full Control makes sense for Administrators, it is not advisable for regular user groups. By granting regular users Full Control we have also granted them the “Take Ownership” right, which will cause issues down the road. Files “owned” by one user can become unavailable to other users, resulting in support requests and the need for the administrator to “Take Ownership” so these files are again available to everyone with rights to the share. In our example we will want to set the “Domain Users” group to all rights except “Full Control” (that is, Modify) using the Security tab in the folder properties. This simple step will prevent file ownership troubleshooting issues in the future.

Microsoft includes a built-in utility on Windows to clean up ownership issues called “takeown”. We advise customers to clean up existing ownership issues prior to deploying MyWorkDrive. This command takes ownership of the folder or drive and of all files and sub-folders within it.

Open an elevated command prompt (administrator).

To grant ownership to administrators group:

takeown /F "full path of folder or drive" /A /R /D Y

Another option to cleanup ownership permissions is to use the icacls command.

To grant ownership to administrators group:

icacls "full path of folder or drive" /setowner "Administrators" /T /C
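Before resetting ownership across a whole share with takeown or icacls, it helps to know how widespread the problem is. The following PowerShell is an added example, not from the original post: it lists every file and folder under a share root whose owner is not the Administrators group or SYSTEM, grouped by owner, so the clean-up can be scoped and recorded. The path D:\Shares\Finance is an assumption.

```powershell
# Added example (not from the original post): audits who owns files and folders
# under a share root before ownership is reset with takeown or icacls.
# Assumption (hypothetical): the share root is D:\Shares\Finance.
$Root = 'D:\Shares\Finance'
$ExpectedOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

# -Force includes hidden/system objects; -LiteralPath avoids wildcard surprises
# with names containing [ or ]. Unreadable folders are skipped, not fatal.
$items = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue

$report = foreach ($item in $items) {
    try {
        $owner = (Get-Acl -LiteralPath $item.FullName -ErrorAction Stop).Owner
    } catch {
        # Access denied for an administrator is itself a symptom: the owner has
        # usually removed Administrators from the DACL. Record it so takeown covers it.
        $owner = '<unreadable>'
    }
    if ($ExpectedOwners -notcontains $owner) {
        [pscustomobject]@{ Owner = $owner; Path = $item.FullName }
    }
}

# Summary by owner, largest offenders first.
$report | Group-Object -Property Owner | Sort-Object -Property Count -Descending |
    Select-Object -Property Name, Count | Format-Table -AutoSize

# Full list for the change record; review it before running takeown /R.
$report | Export-Csv -LiteralPath (Join-Path $env:TEMP 'owner-audit.csv') -NoTypeInformation
```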

Access Based Enumeration using Windows File Sharing

Access-based enumeration (ABE) displays only the files and folders that a user has permission to access. If a user does not have Read (or equivalent) permissions for a folder, Windows hides the folder from the user’s view. This feature is active only when viewing files and folders in a shared folder; it is not active when viewing files and folders in the local file system. By utilizing this feature and setting the proper permissions, network administrators can reduce the number of shares needed and use ABE to display only the files and folders the user has permission to see when they are accessed over UNC paths.

ABE does require CPU cycles to calculate which files and folders to display, so it is important to properly size servers to handle the required load based on the number of users accessing file shares and the number of files and folders to display.

Enable ABE on each Windows file share using Microsoft’s guide: Enable access-based enumeration on a namespace. Microsoft also has a complete guide on best practices for sharing files and folders using access-based enumeration here.
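The advanced share creation described above and the ABE setting from this section, combined in one script as an added example that is not part of the original post: it creates a hidden Finance$ share with Everyone/Full Control at the share level, applies explicit NTFS permissions (Administrators and SYSTEM Full Control, Domain Users Modify) and enables access-based enumeration on the share. The folder path D:\Shares\Finance and the domain name CONTOSO are assumptions.

```powershell
# Added example (not from the original post): hidden share, share-level
# Everyone/Full Control, explicit NTFS permissions and ABE, as recommended above.
# Assumptions (hypothetical): folder D:\Shares\Finance, domain CONTOSO.
$Path      = 'D:\Shares\Finance'
$ShareName = 'Finance$'                 # trailing $ hides the share from browsing
$UserGroup = 'CONTOSO\Domain Users'

if (-not (Test-Path -LiteralPath $Path)) {
    New-Item -ItemType Directory -Path $Path | Out-Null
}

# NTFS: stop inheriting from the parent folder, discard the inherited rules,
# then grant explicit rights that apply to this folder, subfolders and files.
$acl = Get-Acl -LiteralPath $Path
$acl.SetAccessRuleProtection($true, $false)
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rules = @(
    @('BUILTIN\Administrators', 'FullControl'),
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    @($UserGroup,               'Modify')    # everything except Full Control: no Take Ownership
)
foreach ($r in $rules) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($r[0], $r[1], $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $Path -AclObject $acl

# Share: Everyone / Full Control at the share level (security lives in NTFS),
# with access-based enumeration switched on for this share.
New-SmbShare -Name $ShareName -Path $Path -FullAccess 'Everyone' `
    -FolderEnumerationMode AccessBased | Out-Null

# Verify the result: share settings, then the effective NTFS entries.
Get-SmbShare -Name $ShareName | Select-Object Name, Path, FolderEnumerationMode
(Get-Acl -LiteralPath $Path).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

For a share that already exists, Set-SmbShare -Name 'Finance$' -FolderEnumerationMode AccessBased turns on ABE without recreating it.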

DFS Namespaces

DFS Namespaces is a role in Windows Server that enables you to group shared folders located on different servers into one or more logically structured namespaces. This makes it possible to give users a virtual view of shared folders, where a single path leads to files located on multiple servers. The advantage of DFS is that drives can be mapped to one DFS namespace path and automatically redirected to whichever file share is currently live. This makes migrating to new file servers in the future very simple, since the namespace can be pointed at a new file server at any time.
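The redirection and migration behaviour described above, as an added example that is not part of the original post: it creates a domain-based namespace whose Finance folder points at the live file server, then migrates by adding the new server as a second target and taking the old one offline while users keep the same mapped path. The domain contoso.com, the servers FS01 (old) and FS02 (new), and the assumption that both already host a Finance$ share with identical data and NTFS permissions are hypothetical.

```powershell
# Added example (not from the original post): DFS namespace with one stable path
# for users, then a file server migration done by switching folder targets.
# Assumptions (hypothetical): domain contoso.com, root share \\FS01\Files exists,
# FS01 (old) and FS02 (new) both host Finance$ with the data already replicated.
$Namespace  = '\\contoso.com\Files'
$RootTarget = '\\FS01\Files'
$FolderPath = "$Namespace\Finance"
$OldTarget  = '\\FS01\Finance$'
$NewTarget  = '\\FS02\Finance$'

# 1. Create the namespace root and enable ABE on the namespace itself,
#    so users only see the DFS folders they have rights to.
New-DfsnRoot -Path $Namespace -TargetPath $RootTarget -Type DomainV2 `
    -EnableAccessBasedEnumeration $true | Out-Null

# 2. Publish the Finance share under the single path users will map drives to.
New-DfsnFolder -Path $FolderPath -TargetPath $OldTarget | Out-Null

# 3. Migration day: add the new server as a target, then stop referring clients
#    to the old one. Mapped drives keep using \\contoso.com\Files\Finance.
New-DfsnFolderTarget -Path $FolderPath -TargetPath $NewTarget | Out-Null
Set-DfsnFolderTarget -Path $FolderPath -TargetPath $OldTarget -State Offline

# 4. Verify which targets clients will now be referred to.
Get-DfsnFolderTarget -Path $FolderPath | Select-Object TargetPath, State
```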

Backup and Retention

The first line of defense for any organization is effective, tested and redundant backups. In addition to scheduling backups at hourly, daily, weekly or other intervals, IT administrators can take advantage of the “Volume Shadow Copy” service built into Windows Server. By enabling hourly snapshots, files and folders can be rolled back to previous versions instantly without having to go to backup systems. Volume Shadow Copy snapshots are not a backup strategy in and of themselves, but they can provide an additional level of protection.

Backup and retention are also of great concern to protect from data loss and corruption and to comply with legal requirements. Typically, most businesses must retain up to 7 years of backups that can easily be restored in the future. For this reason, businesses are reluctant to store their files in database-driven file systems, either locally or in the cloud, including Document Management Systems (DMS) and Enterprise File Sync & Share (EFSS) systems. With traditional NTFS-based Windows file sharing, archive backups can be stored on backup hard disks, making restoration as simple as copying the files back – even several years later. With DMS or EFSS systems the restoration of archive data is significantly more complex. Restoration requires backing up and restoring entire operating systems, reinstalling the SQL databases in use at that time (which may no longer be available), restoring backups of the SQL data and reintegrating the servers back into Active Directory. Cloud-based EFSS systems require third-party backup subscriptions which must be maintained indefinitely to prevent loss or removal of backup file data by the cloud vendor.

Secure File Share Remote Access

Businesses of all types are turning to MyWorkDrive to support remote work while retaining the speed and simplicity of traditional Windows file sharing using our hybrid cloud add-on. With MyWorkDrive, IT departments simply set up the MyWorkDrive Windows server software, point it to existing Windows file shares and in minutes secure file sharing remote access functionality is made available to users without a VPN, including:

Web File Manager browser access to file shares

Office Online document editing (with files stored on the local file servers)

Mapped Drive from Anywhere without VPN

Mobile App File Access and Editing using Microsoft Office Mobile Apps

Public and Private file sharing

Two Factor Security (2FA)

Single Sign On

Traditional Windows file sharing at gigabit speed continues to be available in parallel with MyWorkDrive. Users simply access files using traditional methods on the local area network and use MyWorkDrive when cloud functionality or remote access is needed. For IT departments, no SQL databases need to be maintained or licensed, making file backup and restoration simple – NTFS-based file shares remain in place.

Sharing and collaborating on files with users outside of the company is essential to a productive workforce. With MyWorkDrive, internal files can be made public effortlessly with our OneDrive integration. By leveraging our OneDrive integration, businesses can protect sensitive data by transferring public files as needed to OneDrive without opening up internal systems to outside parties or enabling insecure file sharing links that can expose company servers to data breaches.

With MyWorkDrive, businesses of all types are able to add cloud capabilities to Windows file shares while protecting and controlling their data, future-proofing their file server infrastructure investments.