Network File and Print Services

Configuring and Troubleshooting File Shares 

What is a File Share?

A file share is a folder that has been configured so that it can be accessed over a network.

In Windows Server 2008, to configure a file share, install the File Service server role. The File Service server role automatically configures Windows Firewall to allow file sharing.

File Services Role

Windows Server 2008 has a new tool called Share and Storage Management that is used to create and configure file shares. To do this, you can also use the Computer Management tool that is available in previous versions of Windows Server and the command line tool, Net use.

Share and Storage Management

File Share Permissions

The advanced file sharing properties allows you to configure share permissions without affecting NTFS permissions.

• Full Control
• Change
• Read

When configuring a file share, additional options are available. You can configure multiple share names and configure caching options.

What are NTFS permissions?

NTFS permissions control which users and groups access and modify files on NTFS partitions. NTFS permissions are more flexible than share permissions because they can be assigned individually to each file and folder.

In order to modify NTFS permissions, you must be assigned Full Control NTFS permissions for a file or folder. An exception is the owner of the file or folder. Owners can modify NTFS permissions as well as Administrators.

Basic NTFS permissions:

• Full Control. Allows all permissions including the ability to modify NTFS permissions and take ownership.
• Modify. Allows file and folder modifications except NTFS permissions and taking ownership.
• Read and Execute. Allows the execution of a file and the listing of folder contents.
• List Folder Contents. Allows the contents of folders to be listed.
• Read. Allows the listing of file contents and attributes.
• Write. Allows modification of file contents and attributes, except for NTFS permissions and ownership. Deletion of a folder is not allowed. For a folder, new files in the folder can be created.

The two types of NTFS permissions are basic and advanced. Basic permissions are more commonly used as advanced permissions are complex to manage because they allow detailed control over files and folders.

Manage Permissions

Troubleshoot Network File Access Permissions

If a client computer is connected to the network properly, most network file access problems are more than likely related to permissions.

The first step in troubleshooting should be to check the effective NTFS permissions. In the majority of cases, the group permissions are correct. Make sure the user is assigned to the correct group.

Pay attention to the fact that the deny permission overrides the allow permissions. For example, if the group is denied the Modify permission and a user is denied the Modify NTFS permission, the user will be denied access.

If the effective NTFS permissions are correct, then check the Share permissions. If a group is assigned the Read Share permission and the Modify NTFS permission, then the group members will only be allowed the Read permission. Share permissions can cause a problem, even if the NTFS permissions are correct.

To get around the potential share problems, many organizations assign the Everyone group Full Control share permission. This way, file access is controlled by NTFS permissions. Some administrators use the Authenticated Users group to assign permissions instead of the Everyone group. This performs the same way, unless the Guest account is enabled, as the Guest account is in the Everyone group but not the Authenticated Users group.

What is Access-Based Enumeration?

Access-Based Enumeration, included in Windows Server 2008, and can be enabled by the using Share and Storage Management administrative tool.  This snap-in is available after a folder or volume has been shared. Share and Storage Management can be accessed in the File Services server role in Server Manager, and in Administrative Tools. You can install it manually in Server Manager by adding the File Server role to File Services.

Share and Storage Management

Access-based Enumeration

Access-Based Enumeration allows a user to see only the files and folders they have permission to access. The user has to have at least a Read or equivalent permission to see the folder. The feature is only active for viewing files and folders in shared folders. The feature is not active when viewing files and folders on the local system.

Access-Based Enumeration is enabled by default on shared folders in Windows Explorer.

Access-Based Enumeration is not enabled by default for the following types of shared folders:

• Shared folders created with Share and Storage Management, Advanced Sharing in Windows Explorer, or the net share command.
• Volumes
• Folders or Volumes shared for Administrative purposes, like C$ and Admin$.

Two ways to enable and disable access-based enumeration when using Share and Storage Management:

1. Share a volume or folder by using the Provision a Shared Folder Wizard. Select the SMB,  Server Message Block, protocol on the Share Protocols page. On the SMB page, the Advanced settings option include an option to enable access-based enumeration on the shared volume or folder. (Click Advanced on the SMB settings page of the wizard)
2. Change the properties of an existing shared folder or volume. Go to the Shares tab of Share and Storage Management. Click the shared folder or volume, then click Properties in the Action pane. Click Advanced settings to see whether access-based enumeration is enabled. Click Advanced. Select or clear the Enabled access-based enumeration check box.

Access-based Enumeration

Enable Access-Based Enumeration on a Namespace

File Access Enhancements in Windows Server 2008

SMB 2.0 was introduced in Windows Server 2008 and used in Windows Vista. SMB 2.1 was introduced in Windows 7 and Windows Server 2008 R2.

The Server Message Block (SMB) Version 2 Protocol is an extension of the original Server Message Block (SMB) Protocol. SMB is used by client computers to request file and print services from a server system over the network. Both are stateful protocols in which clients establish a connection to a server, establish an authenticated context on that connection, and then issue a variety of requests to access files, printers, and named pipes for interprocess communication.

SMB 2.0:

• Performs considerably better over slow networks due to a reduced number of packets
• Combines multiple commands into a single request
• Allows larger reads and writes to make better use of faster networks
• File and folder caching
• Transparently reconnect to the network in case of a temporary disconnection (good for wireless connections)
• Increased scalability for file sharing
• Support for symbolic links
• Improved message signing (HMAC SHA-256 replaces MD5 as hashing algorithm).

SMB 2.1: Server Message Block

• Silent oplock (opportunistic locks) leasing allows client computers to cache data and file handles, and to lock a file when possible over a wider range of scenarios, while limiting the amount of data that needs to transferred between the client and server, thus reducing network traffic.
• Results in reduced network bandwidth consumption
• Increased file server scalability
• Better response time for applications when accessing files over the network
• Large MTU (Maximum Transmission Unit) support. The MTU size has been increased from 64 KB to 1 MB that can be transferred in a single packet, thus increasing the speed of 10-gigabyte Ethernet (very high speed, low latency) networks
• Enable this option in the registry of the SMB client computers
• Improved energy efficiency for client computers
• Better support for sleep modes
• A wider range of sleep modes when data integrity is not effected. Previous to Windows Vista, an SMB client computer with files open on an SMB server would be unable to enter sleep mode.
• Previous versions of SMB supported

SMB signing provides integrity by verifying files are not modified in transit. It does not provide encryption.

note: Opportunistic locking has existed for many years in NTFS. SMB 2.1 brings significant improvements.

note: There is one registry setting and two Group Policy settings for SMB. Check the link below for the details:

What's New in SMB

Encrypting Network Files with EFS

Encrypting File System (EFS) is a tool for encrypting NTFS files and folders transparently on client computers and remote file servers. EFS uses advanced standard cryptographic algorithms and is built into the Windows file systems. EFS as introduced in Windows 2000. 

EFS was designed to protect an individual user's data.

Use EFS to protect a user's files on their local hard drive. But using EFS to protect a user's files that are stored in a shared folder is only recommended if that user will access the share.

EFS protects files from unauthorized users and malicious attacks from external sources and acts as an additional layer of security for NTFS files. Even if a user has the proper NTFS permissions to access a file, if the file is encrypted, the user will not be able to access the file unless authorized to decrypt the file.

When a file is encrypted, it can only be accessed by an authorized user.

EFS requires no configuration. EFS automatically generates a user certificate with a key pair for the user if one doesn't exist. Using a Certification Authority (CA) to issue user certificates is the preferred way to manage the certificates. If you are not using certificates from a CA and you want EFS to be used on a file share, then you must use the file server computer to be trusted for delegation. Domain controllers are trusted by default.

To disable EFS on client computers, you can use Group Policy. In the properties of the policy:

Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting Files System, select Don't allow. 

EFS uses a combination of public-key and symmetric-key encryption. A symmetric-key is used to encrypt the file and public-key encryption is used to protect the symmetric-key.

Symmetric encryption uses the same key to encrypt the file and decrypt the file. Even though this type of encryption is faster and stronger than public-key encryption, the key requires additional security because of the difficulty in securing the key during a network transfer. EFS uses public-key encryption to protect the symmetric key. Each user certificate has a public key and a private key to encrypt the symmetric key. Only the user that has the certificate with the private key can decrypt the symmetric key. This method is sometimes called an asymmetric algorithm.

In the event that keys or certificates are lost, administrators should plan for recovery:

• Backup user certificates. Export with the private key to a secure location in case of a system failure. Make the recovery key portable because it must be in the recovery agent's profile.
• Configure a recovery agent. A recovery agent is an individual that is authorized to decrypt all EFS encrypted files. Once a recovery agent is added in Group Policy, all newly encrypted files will be updated. To update the recover agent on previously encrypted files, the file must be accessed and saved.  You can also force the update by using the cipher command.

The Precision Guide to Windows Server 2008 Network Infrastructure Configuration: MCTS Exam 70-642 Study Guide

Encrypting File System

Encryption

Best practices for the Encrypting File System

Encrypting Partitions with BitLocker

BitLocker is a feature available in Windows Server 2008 and in some versions of Windows 7 that encrypts data and provides data protection transparently for hard drive partitions. 

BitLocker encrypts entire hard drives, and it is ideal for protecting data on mobile computers and servers that may be exposed to physical attack. 

BitLocker Advantages:

• Data protection for lost or stolen computers.  
• BitLocker helps to make data inaccessible. When a computer is lost or stolen, the hard drive is vulnerable to unauthorized access. When BitLocker is used the local administrator account password cannot be reset by using boot utilities.
• Computer drive decommissioning.
• Data on a BitLocker drive cannot be accessed by mounting it on another drive.
• System integrity verification. 
• BitLocker can be used with Trusted Platform Module (TPM) to make sure the drive is mounted on the original computer and offers the option of locking the normal start-up process until the user provides a PIN or removable startup device containing the startup key.
• Safe shipping on pre-configured servers.
• The same system integrity verification used, as above.

BitLocker Requirements:

• TPM version 1.2. 
• BitLocker provides the most protection when used with TPM version 1.2. TPM is a chip on a computer system board for storing encryption keys and certificates. TPM works with BitLocker to make sure a computer has not been tampered with when it is offline. If your computer does not have TPM, BitLocker requires you to have a start-up key on a removable device like a USB flash drive.
• Trusted Computing Group (TCG)-compliant BIOS for computers with TPM. 
• The BIOS establishes a chain of support for pre-operating system startup.
• Support for Mass Storage Device Class.
• The BIOS for TPM and non-TPM computers must support the USB mass storage device class. Approved Class Specification Documents
• Two partitions.
• The server must have two partitions (note: Windows Server 2008 R2 automatically creates this type of partition during installation unless the installation is unattended and requires different instructions). BitLocker must be enabled by using the BitLocker setup wizard. The BitLocker setup wizard is accessed by accessing Control Panel or right-clicking the drive in Windows Explorer.
• System (boot files) - Bitocker is not enabled on this drive. The system files are needed to load Windows after the BIOS has prepared the system hardware.
• Boot (operating system files) 

BitLocker Drive Encryption Step-by-Step Guide for Windows 7

Data Encryption Toolkit for Mobile PCs

The Precision Guide to Windows Server 2008 Network Infrastructure Configuration: MCTS Exam 70-642 Study Guide

How BitLocker Works:

Several keys are used to protect the drives BitLocker is enabled on:

• (FVEK) Full Volume Encryption Key. The key is created and used to protect the partition after the partition is installed and does not change. It would take too long to recreate it the partition. The key is stored in the metadata in the encrypted partition.
• (VMK) Volume Master Key. The FVEK is encrypted with the VMK which is required during startup to decrypt the volume so Windows can start. The VMK is encrypted by a key stored in the TPM and a copy of the VMK is stored in the System (boot files) partition. If the computer does not have a TPM, the VMK encryption key can be stored on removable media.

How to Recover BitLocker Encrypted Drives:

When you enable BitLocker, a 256-bit recovery-key and a 48-bit recovery password are generated. Either the recovery key or the recovery password can be used to decrypt the drive. After enabling BitLocker, the options are:

1. Print the recovery password key
2. Save the recovery password to a file
3. Save the recovery password key and the recovery password to a USB flash drive

BitLocker can use Active Directory to store recovery keys. Use Group Policy to enable the option. The recovery password for BitLocker is stored in the computer account properties. To retrieve the recovery password from Active Directory, use the BitLocker Recovery Password Viewer (downloadable from the Microsoft website and integrated into Users and Computers)

BitLocker encrypted drives become inaccessible if:

1. The TPM in a computer fails.
2. The computer drives are moved to a different computer.
3. The removable media containing the FVEK is lost.

To recover an encrypted operating system drive, you must use the Recovery Console. Provide the recovery key on the USB flash drive or type the recovery password using the function keys. For example, F1 is number 1.

Another option to recover BitLocker encrypted drives is the BitLocker Recovery Agent which has to be configured in the Group Policy settings for BitLocker Drive Encryption. A BitLocker Recovery Agent has a certificate to access encrypted drives. Configure the BitLocker Recovery Agent by importing the certificate of the Recovery Agent into a Group Policy object. 

BitLocker Drive Encryption

Configuring and Troubleshooting a Network Printer

Windows Server 2008 can be configured as a print server. Client computers submit jobs to the print server for delivery to a printer that is connected to the network.

Benefits of a Network Printer

• Centralized management. 
• Print drivers installed centrally on the print server and distributed to workstations.
• Simplified Troubleshooting.
• Easier to troubleshoot whether the print problem is located on the server, printer, or client computer based on where the jobs are queued.
• Lower cost.
• Initially, the print server will be more than a local printer, but the cost is spread over all the computers that connect to a printer.
• Listed in Active Directory.

• Allows users to search for printers.

Security Options in Network Printing

The default security for a network printer in Windows Server 2008 is everyone can print and manage their own print jobs.

The permissions available for shared printing:

• Print. 
• The Everyone group is assigned this permission by default.
• Manage this printer. 
• This permission allows users to manage printer settings and update drivers.  Administrators, Server Operators, and Print Operators are assigned this permission by default.
• Manage documents. 
• Allows users to modify and delete documents in the queue. This permission is assigned to CREATOR OWNER, anyone that creates the print job can manage the print job. Administrators, Server Operators, and Print Operators have this permission for all print jobs.

What is Printer Pooling?

A print pool allows one logical printer connected to multiple physical printers through multiple ports of a print server. To client computers, the printer pool appears to be a single logical printer.

A printer that is idle receives the next document sent to the logical printer. The logical printer checks for an available port.

A printer pool is configured on a server by specifying multiple ports for a printer. Each port if for a printer. Usually, the ports are an IP address on the network, instead of Line Printer Terminal (LPT) port.

The printers must use the same driver and must accept print jobs in the same format. The printers should be located close to each other. Users must check all printers in the print pool for the print document because there is no way for them to know which printer generated the document.

Printer Pooling Configuration

Deploying Printers

• Group Policy Preferences
• Deploy shared printers to Windows XP, Windows Vista, and Windows 7 clients. Associate the printer to the user or computer account, or by group. (note: for Windows XP, you must install Group Policy Preference Client Extension)
• Group Policy objects created by Print Management
• The Print Management Administrative tool can add printers to a Group Policy for distribution to client computers based on user or computer account. (note: for Windows XP, the computers must be configured to run pushprinterconnections.exe)
• Manual Installation
• Users can manually add printers by browsing the network or using the Add Printer Wizard. This is not an efficient method for installing printers because the printer is available only to the user that installed the printer. If the printer is shared with other users, each user must install the printer.

Print services is a server role that can be installed using the Add Roles Wizard in Server Manager.

There are two optional role services:

1. LDP Service. The LDP Service is designed to work with UNIX-based computers for printer sharing.
2. Internet Printing. Internet Printing creates a web site for users to manage print jobs through the browser.

After installing a printer on the server, you can access Print Manager in Administrative Tools. Use Printer Manager to manage printers and print servers:

• Configure shared printers
• Manage the print queue
• Publish the share in Active Directory to enable users to locate the nearest printer
• Install additional drivers for every platform to assist users in connecting to the printer

To configure a computer to print to a shared printer from behind a firewall that only allows web connections: http://MyServer/Printers/MyPrinter/.printer

Print Services Role

Print Management Step-by-Step Guide

Question: How to migrate an old print server to a new computer deployed as a printer server that is running Windows Server 2008 R2?

Answer:

1. Configure the old printer server to stop accepting print jobs.
2. Let all queued jobs on the old printer server complete.
3. Use Print Manager to export the original print server. This launches the Printer Migration Wizard. The Printer Migration Wizard exports the following from the old print server:
• Print queues
• Printer Settings
• Printer Ports
• Language monitors
4. Use Print Manager to import the information into the new print server and configure.
5. Shut down the old print server.

note: You could use printbrm.exe command to migrate print server configuration information.

Question: You have a network with two sites: Site1 and Site2. You have a print server running Windows Server 2008 in Site2. Some users in Site2 report they are unable to connect to some network printers in Site2. You figured out you need to configure the print server with drivers for all the network printers in Site2. How should you do this? Your administrative workstation is running Windows Vista and is located in Site1.

Answer: Use Remote Desktop to connect to the print server. Then, use Print Management to search for network printers. When you add a printer using Print Management, you can select to search for network printers. Print Management will configure the printers it finds. If the driver is not installed, you will be prompted to install the driver.

You cannot use Print Management to connect to the print server and then search for network printers because the printer server is located in Site2. You cannot connect to a computer on a different subnet using Print Management. You must first connect to the remote computer using Remote Desktop.

Question: You need to configure Windows Server 2008 R2 to send you an email when a printer on your network has a problem.

Answer: Use Print Management to create a print filter. Filters display only the printers that meet certain criteria. You could set up the filter to trigger an email if certain error conditions or met, or it the status of the print server does not equal Ready.