Building a secure file server with Win Server 2003

  

Enabling and Configuring File Services

One of the Windows Server 2003 management tools is called "Manage your server". After launching the tool, you can see all the services enabled on the current server, and these services can be managed from there. Clicking the "Add or Remove Roles" link on the interface launches a wizard to configure the server. Click "Next" to reach the "Server Role" step, select the file server in the list of roles supported by Windows Server 2003, and click "Next" to start enabling and configuring the file service.

The wizard first prompts for quota settings. The disk quota function limits each user's use of disk space and makes disk space easier to manage. Set the disk space limit to 300MB, set the warning level to 260MB, and check the option to deny disk space to users who exceed the quota limit. With these settings, a user cannot use more than 300MB of hard disk space, and a system event is recorded when the user's usage reaches the 260MB warning level, as shown in Figure 1.

After completing the quota settings, click "Next" to reach the indexing service settings. The default option is not to enable the indexing service. Although the indexing service can speed up file searches, it consumes a lot of server resources, so it is recommended to keep the default setting unless you need to search files frequently.

After you confirm the above settings, the installation wizard opens a second wizard for creating a shared folder. First select the path of the folder to share, such as C:\Inetpub\home. The next screen asks for the share name and the share description; the default settings can usually be kept. Click "Next" to begin setting permissions for the share. Basic permissions include full access and read and write permissions.

Select "Use custom share and folder permissions" and click the custom button to open the custom permission settings interface. Here you can set different permissions for different users as needed. For example, you can grant full control to the Administrators user group to give all administrators full management rights over the shared folder, grant read permission to the Guest user so that anonymous users can download files in this folder, and delete the original Everyone entry to block all other users.

This completes the basic sharing settings. If there are other folders that need to be shared, check the "Run the wizard again after closing" option before closing the wizard to continue with the next share. After finishing all the wizards, you can see that a file server entry has been added to the "Manage your server" interface. Click the "Manage this file server" link to open the file server management interface, where the file service is managed.

In addition, the Properties entry of the right-click menu also lets you manage sharing and permissions. The quota function is available there only when the object you clicked is a disk partition, because quotas are applied per disk volume, and the volume must be in NTFS format.
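The quota figures from the wizard step and the NTFS requirement described above, applied and checked from the command line with fsutil. This is an added example, not part of the original article; the volume D: and the account EXAMPLE\alice are assumed values, and fsutil quota modify sets the entry for one user rather than the volume-wide default that the wizard configures.

```batch
@echo off
rem Added example, not from the original article.
rem Assumed values: data volume D: and the account EXAMPLE\alice.
setlocal
set VOL=D:
set ACCOUNT=EXAMPLE\alice

rem Quotas are a per-volume NTFS feature, so stop if the volume is not NTFS.
fsutil fsinfo volumeinfo %VOL%\ | find /i "NTFS" >nul
if errorlevel 1 (
    echo %VOL% is not an NTFS volume, quotas cannot be applied.
    exit /b 1
)

rem Turn on quota tracking, then enforcement (deny space past the limit).
fsutil quota track %VOL%
fsutil quota enforce %VOL%

rem Warning threshold 260MB and limit 300MB, given in bytes:
rem   260 * 1048576 = 272629760
rem   300 * 1048576 = 314572800
fsutil quota modify %VOL% 272629760 314572800 %ACCOUNT%

rem Show the resulting quota state and per-user entries for review.
fsutil quota query %VOL%

rem Search the event logs for quota threshold and limit events.
fsutil quota violations
endlocal
```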

Backup and Restore of Files

Since the security and availability of data are also very important for a file server, after setting the permissions and quotas of the file server you need to arrange for files to be backed up and restored. The backup feature of Windows Server 2003 uses a technique called Volume Shadow Copy. In the file server management interface, you can find the "Backup File Server" link. Running the ntbackup command from the command line has the same effect as clicking the link: it starts the backup wizard.

If you clear the "Always start in wizard mode" option, the command takes you directly to the "Backup tool" interface the next time you run it. As you can see in this interface, in addition to the backup and restore functions, Windows Server 2003 includes a function called the Automated System Recovery Wizard (ASR), which is mainly used to back up the system partition. For the standard backup function, which is based on shadow copy technology, the user simply follows the system prompts.

The Shadow Copy feature creates a backup of files stored in a shared folder at pre-planned intervals and lets a file be restored to any of those versions at any time. The restore can be performed on the client, which makes data restoration more efficient: the administrator does not have to be involved every time, and users can restore their own data whenever they need to.

To perform these operations, you need to install the shadow copy client program on the client machine. After browsing to the share on the file server from this client machine, right-click the share or a file in the share. The properties dialog contains a "previous version" option page. All previously saved versions of the file are shown here, and the file can be restored to any of them. Shadow copies can be set up only by members of the Administrators group, and they must be implemented on NTFS formatted disk volumes. By default, shadow copies use 10% of the space on the volume where the feature is enabled to hold backup data (minimum 100MB), and previously created copies are overwritten once the space limit is exceeded.

Enabling the shadow copy function is very simple. In the file server management interface, find the link to configure shadow copies. You can also find the shadow copy option page in the right-click property menu of the NTFS volume. Both methods open the same management interface, where shadow copies can be enabled and disabled and their capacity and schedule can be set.

In the "Backup Tool" management interface, users can specify which files (including system registry data, boot files, and so on) take part in the backup plan, and schedule the times at which these backup operations are performed. These backup operations are based on shadow copy technology, and the resulting backup file is slightly larger than the backed-up content.

It is recommended that users maintain a weekly backup operation that backs up all data once, after which the backed-up files are marked as "has been backed up"; at the same time, maintain a daily differential backup plan to back up the files that have been modified each day. This combined plan makes data backup more manageable and can effectively guarantee data recoverability.
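The weekly full plus daily differential plan described above, written as a script around the ntbackup command line. This is an added example, not part of the original article; the destination folder D:\Backup and the job and file names are assumed values, and the script is meant to be run from two Scheduled Tasks entries, one weekly and one daily.

```batch
@echo off
rem Added example, not from the original article.
rem Assumed values: D:\Backup as the destination; job and file names.
rem Run as "backup-plan.cmd weekly" once a week and
rem "backup-plan.cmd daily" on the other days.
setlocal
set SRC=C:\Inetpub\home
set DEST=D:\Backup

if not exist "%DEST%" mkdir "%DEST%"

if /i "%~1"=="weekly" goto weekly
if /i "%~1"=="daily" goto daily
echo Usage: %~nx0 weekly^|daily
exit /b 1

:weekly
rem Normal backup: copies every selected file and clears the archive
rem attribute, which is the "has been backed up" marker.
ntbackup backup "%SRC%" /J "Weekly normal" /F "%DEST%\weekly.bkf" /M normal /V:yes /L:s /SNAP:on
goto done

:daily
rem Differential backup: copies files changed since the last normal
rem backup and leaves the archive attribute set. Without /A the file is
rem overwritten, which is safe here because each differential already
rem contains every change since the weekly run.
ntbackup backup "%SRC%" /J "Daily differential" /F "%DEST%\daily.bkf" /M differential /V:yes /L:s /SNAP:on
goto done

:done
rem /V:yes verifies the data after writing and /L:s writes a summary log;
rem review that log after each run.
endlocal
```

A restore under this plan needs weekly.bkf followed by the most recent daily.bkf.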

Note that the amount of space occupied by the shadow copy backup depends not only on the size of the backed-up files, but also on how frequently the files are modified. For partitions with many swap file operations, such as system partitions, do not perform a backup of the entire disk volume, as shown in Figure 2.

Distributed File System

Distributed File System is one of the core technologies of the Windows network storage architecture. It can connect files located in different places on the network under a unified namespace. Start the "Distributed File System" tool from the management tools and first create a root directory: right-click "Distributed File System" on the left side of the management interface, select "New Root Directory", and follow the wizard to fill in the required information. Then right-click the root directory you just created and select "New Link" to link a shared directory located on another computer on the network to that root directory. After linking all the shared directories to be aggregated under this root directory, you can access these files by browsing the directory tree under the root, instead of having to visit multiple actual network locations.

Postscript: In this article, the author introduced how to configure the file service function on a Windows Server 2003 server, focusing on establishing shares, quota management, permission settings and backup. Most of the content in this article also applies to Windows 2000 servers. Windows Server 2003 also has some more advanced file features that can be applied to file servers, such as file encryption, virtual disks, and more.

Figure 1 Configuring disk quotas

Figure 2 Shadow copies that are automatically enabled after setting
