Raul F. Go Jr.

ITM 13

1. In installing and configuring servers, you should have a sharing strategy in place by the time
you are ready to create your shares. List core information that should consist in your sharing
strategies in sharing folders?

 Start the process of sharing NTFS folders in Server Manager by launching the New Share
Wizard from the File and Storage Services details page. This new wizard integrates the
steps involved with creating a new folder, sharing the folder and setting NTFS
permissions into a single continuous work stream for local and remote servers.

A. On the File and Storage Services page, select Shares and then click Tasks –> New Share
… to begin the New Share Wizard
.

B. On the Select the profile for this share page, select SMB Share – Quick and click
the Next button. Note that in addition to creating new SMB shares for NTFS folders that
are sharing documents, we also have options for creating shared folders for applications,
such as SQL databases or Hyper-V virtual machines, as well as creating new NFS shares
for non-Windows client devices.
C. On the Select the server and path for this share page, select the server on which to
create the new share ( local or remote server ) and the volume on which to create the
new shared folder. Click the Next button to continue.

D. On the Specify share name page, type the name of your new Share name and click
the Next button to continue.

E. On the Configure share settings page, you will find advanced options for
configuring Access-Based Enumeration (ABE), Offline folder caching, and Encryption of
end-to-end SMB network traffic. Let’s select all three options and then click
the Next button.
 F. On the Specify permissions to control access page, review the default permissions for the
new NTFS folder and click the Customize permissions… button to further customize these
permissions as necessary. When finished, click the Next button to continue.

G. On the Confirm selections page, review the currently selected settings for sharing the new
folder and click the Create button to begin the process of creating the new folder, applying
NTFS permissions, and sharing the folder with the selected share settings.

2. Steps in creating a folder share by using Server Manager?

 For the purposes of this article, I’m using Windows Server 2012 R2 with the File
Server and File Server Resource Manager(FSRM) sub-roles installed on my server. This
gives me access to some of the advanced configuration options when creating a new file
share.

Log on to Windows Server with a local administrator account:

Open Server Manager using the icon on the desktop taskbar, or from the Start
screen.
In the left pane of Server Manager, click File and Storage Services.
In the column to the right, click Shares.
 To the right of Shares in the main window, click the Tasks menu and New Share.
In the New Share Wizard, select the SMB Share – Advanced profile and click Next.
On the Select the server and path for this share screen, make sure that Select by
volume is selected under Share location and then chose the volume where you want
to create the new share. Now click Next.

Create a new file share using Server Manager.

On the Specify share name screen, type a name for the new share in the Share name
box and click Next. The local and remote paths will be generated automatically.
On the Configure share settings screen, check or deselect any of the additional
options for the share as required, such as Enable access-based
enumeration and Encrypt data access. Click Next to continue.
To change the default NTFS folder or share permissions, click Customize
permissions on the Specify permissions to control access screen, set the permissions
as required in the dialog box and click OK when you’re done. Now click Next to
continue.
On the Management Properties screen, you can optionally select a folder usage
value for the share if you plan to use classification rules. Click Next to continue.
Finally, on the Apply a quota to a folder or volume screen, you can chose to apply a
quota template to the share. Click Next when you’re done.
Click Create on the Confirmation screen.
Click Close when the share has been successfully created.
3. Permissions are privileges granted to specific system entities, such as users, groups, or
computers, enabling them to perform a task or access a resource. Windows Server 2012 R2 has
several sets of permissions, which operate independently of each other. For the purpose of file
sharing, differentiate Share permissions and NTFS permissions.

 Modify NTFS permissions - This option lets you change NTFS permissions on files and
folders located locally as well as those on the network. All you have to do is select the
relevant file or folder, the desired users or groups, the permissions (full control, read,
etc.) and their type (allow/ deny). You can block or enforce inheritance, and even enforce
the permissions set on parent folders to be applied to all the sub-folders. Modifying
NTFS permissions of any file or folder is as simple as that and can be done in just a few
mouse clicks.

 While modifying NTFS permissions, you can also list existing shared folder permissions
on a specific folder. The option "copy from folder" makes modifying NTFS permissions
even more effortless by letting you copy permissions on another folder and apply them
on the desired folder. The option "preview" lists the permission changes so that you can
verify them before they are updated.

 Revoke NTFS permissions - The permissions that users have on the local files and
folders as well as the ones on the network can be easily revoked using this option easily,
in bulk, and just a few simple steps. You simply have to choose the folder, the users or
groups whose permissions need to be removed, the level of permissions and whether to
allow or deny the selected permissions. You can also select the folder level (parent
folder, sub-folder, etc.) up to which the NTFS permissions must be removed.

Delegation of file server permissions management duties

 Using the help desk delegation feature of AD Manager Plus, you can securely delegate
file permissions management to any user. Furthermore, you can track permission
 changes of shared folders and file servers with the built-in audit reports. The technician
and admin audit reports can be exported to CSV, PDF, HTML or Excel format, as needed.

When permissions are managed in a disciplined and accurate manner, there is more
accountability for actions and less room for misuse or tampering data of any kind.

4. Steps to set share permissions by using Server Manager, either while creating a share or
modifying an existing one.

 There are different ways to share a folder in Server 2012. Most efficient way is to use
the Server Manager. Here, I will configure some shared folder from domain controller
named MBG-DC1. So, let’s setup some shared folders. To do so, open Server Manager.
Click File and Storage Services on the left pane. Then click Shares from the list. You will
see the list of shared folders on this server. As you can see below there are two
folders, netlogon and sysvol shared by default. This is because the server is AD DC.
 We have a scenario. We want to share a folder named Marketing to Marketing users
group. We want only the marketing users to view and execute the contents of the folder.
We already have Marketing users group set up and assigned users into the group. So,
let’s create the shared folder. To create a new shared folder, click Tasks and click New
share in Server Manager console.

 New share wizard pops up. There are number of share profiles by default. You can
choose any of these share profiles as seen below. I will choose SMB Share – Quick and
click Next.

 Now you are asked to provide the share location of the folder that you want to share. I
will choose custom location as C:\Marketing. Then click Next.
 Type the share name and description of the shared folder. Then click Next. Click OK to
create the new directory on path doesn’t exist warning.

 Now configure other settings. Here, I will check to enable access-based enumeration.
This option makes the folder visible for users that have permission to access the folder
otherwise the folder will be hidden. Allow caching of share option makes the folder to
be accessed even when the user is offline. Click Next.
 Here, configure the folder permission. The shared folder have shared folder
permission and NTFS permission. These both permission work together to allow/deny
users to access the shared folder. Microsoft recommends to allow full control for share
permission and use NTFS permission to restrict and configure folder access. As you can
see below, Share permissions: Everyone Full Control. The permission shown here, is
the inherited NTFS permission from drive NTFS permission. To change the permission,
click Customize permission.
 Click disable inheritance. Then select convert inherited permission into explicit
permissions on this object.

 You can see the changes below. Remove both User groups from the permission. This
Users group contains all the users of the domain. We don’t want all the users of the
domain to access this shared folder so remove it. Click Add to add the marketing group.
Click Select a principaland add Marketing group. Select the basic permissions and
click OK.

 Now the overall permission for the Marketing folder looks like this. Users of marketing
group can only read the files of Marketing folder.
 Now let’s come back to the wizard. Click Next.

 Review the settings and click Create.

 The shared folder is now created. You can view the shared folder in Server
Manager console.

 In this way you can configure shared folder using Server Manager. Remember, NTFS
permissions and shared folder permissions are different. If NTFS permission and shared
folder permission are conflicting, then the most restrictive permission is applied. For
example, if you configure NTFS permission to Full Control and shared permission
to Read on a folder then the permission applied will be Read only. Best practice to
manage permissions for shared folder is, configure full control permission for
everyone and restrict the folder access using NTFS permission.

 Clients can now access the shared folder by typing the UNC (Universal Naming
Convention) path of the shared folder in windows explorer. In our case, the UNC path
is, \\MBG-DC1\Marketing.
  In this way you can access the shared folder contents.

5. Steps to set NTFS permissions using Server Manager.

Configuring NTFS Permissions

Create a file server permissions policy that clearly defines your permissions
management process.
Use Active Directory groups everywhere. Don't assign NTFS permissions to
individuals, even if you have to create hundreds of groups. It's far easier to
manage 200 groups than 2,000 one-off permissions.
Configure NTFS permissions for the assets, assign roles to those permissions, and
assign people to roles. For example, suppose you have a share
named HR on fileserver1. Do the following:

1. For this share, create the following domain local groups in your AD with the
permissions shown:

fileserver1_HR_read (Read-only)
fileserver1_HR_modify (Read and Modify)
fileserver1_HR_fullcontrol (Full Control)

2. Use these groups to set NTFS permissions to the appropriate user rights.

3. Create a global group in AD named HR for your HR people. Add this global
group to the domain local group fileserver1_HR_read, and then add user
accounts to the global group HR. What you have now done is tied an asset to
a permission, and the permissions to a role. As you expand your network and
add different assets and areas of access to the role, you'll be able to easily see
what assets a role can access.
People (user accounts) -> Role (AD global group) -> Permissions (AD domain local group) ->
Asset (file or folder on a file server)

Avoid giving users the Full Control permission. Full Control enables users to
change NTFS permissions, which average users should not need to do. Modify
rights should be all that's necessary for most users.

Assign the most restrictive permissions that still allow users to perform their jobs.
For example, if users need only to read information in a folder and not to change,
delete or create files, assign the Read permission only.

Remove the Everyone permission from every resource except the global folder
designated for file exchanges.

Create a Global Deny group so that when employees leave the company, you can
quickly remove all their file server access by making them members of that
group.

Avoid breaking permissions inheritance as much as possible. There will be a few

folders where this may be necessary, but generally avoid it. If something would
break inheritance, then it either needs to move up a level or you need to reassess
who's got what permissions on the parent folder. For example, if a you need to
give someone Read/Write permissions for all of the \Finance folder but
not \Finance\Budget, you're gonna have a bad time later.

Have users log on using domain user accounts rather than local accounts. This
approach centralizes the administration of share permissions.

All permissions changes should be audited as they occur, and the permissions
hierarchy should be audited at least once a year.

Configuring File Shares

Create a top-level folder that will serve as the root storage folder for all user-
created data (for example, C:\Data). Create sub-folders in it to segregate and
organize data according to job roles and security requirements.
Ensure that only IT can create root-level folders. Don't even let managers or
executive create folders at the top 1 or 2 levels. If you don't lock down the root-
level hierarchy, your neat folder structure will quickly be destroyed. Departments
can organize their folders how they want, but don't allow junk folders.
Organize your resources so that objects with the same security requirements are
located in the same folder. For example, if users require the Read permission for
several application folders, store those folders in the same parent folder. Then
 give Read permissions to the parent folder, rather than sharing each individual
application folder separately.
Make sure access-based enumeration is enabled. Access-based enumeration
displays only the files and folders that a user has permissions to access. If a user
does not have Read (or equivalent) permissions for a folder, Windows hides the
folder from the user’s view.
Set the Windows file share permissions pretty leniently — give Everyone,
Authenticated Users or Domain Users the Full Control or Change permissions —
and rely on NTFS for the real permissions management.
Avoid having nested shares in your file structures because they can create
conflicting behavior for the same network resources if it is accessed through
different shares. This can be asking for trouble, especially when the share
permissions are different. A nested share is a shared folder that resides in a
separate shared folder. There are, of course, the default hidden shares (C$, D$,
etc.), which make all shares nested beneath them, and they're a default. However,
if your users use two separate non-hidden shares that are nested, there can be
conflicting share permissions.
Know when to copy and when to move. Standard copy and move operations
deliver default results that can maintain your configured NTFS permissions — or
break them. Copy operations will create the permissions of the destination
container, and move operations will maintain that of the parent container. To
keep this straight, just remember CC/MM — Copies Create, Moves Maintain.

Reference:

1. https://blogs.technet.microsoft.com/keithmayer/2012/10/21/12-steps-to-ntfs-shared-
folders-in-windows-server-2012/
2. https://www.petri.com/create-file-share-windows-server-2012-r2-with-server-manager
3. https://www.techrepublic.com/blog/data-center/how-to-share-a-folder-in-windows-
server-2012/
4. http://www.upaae.com/how-to-create-a-share-folder-in-windows-server-2012-using-server-
manager/
5. https://www.manageengine.com/products/ad-manager/active-directory-ntfs-permissions-
management.html?cam=56407002&adgid=18943574922&kwd=ntfs%20security%20manageme
nt%20software&loc=1011150&gclid=CjwKCAiAjNjgBRAgEiwAGLlf2vIbNmI6xbQ4mfl6O_fquc0BY
21yNPhakc_MjeCzBLUWHzdMO1kPtxoCLXwQAvD_BwE
6. http://www.mustbegeek.com/setup-shared-folder-in-windows-server-2012/
7. https://www.netwrix.com/ntfs_permissions_management.html
8. https://www.itworld.com/article/2811509/storage/storage-quotas---hard-vs--soft---
explained.html
9.