Implementing File Screening in Windows Server 2003 R2

by Mitch Tulloch [Published on 6 Dec. 2005 / Last Updated on 6 Dec. 2005]

This article walks you through how to configure file screening in Windows Server 2003 R2. File screening is a new capability in Windows Server that allows administrators to restrict what kinds of files users can save to their home folders and other shared network folders.



Administrators can use file screening to easily prevent users from saving audio and video files to their network folders to avoid having their folders fill up and exceed their quota and to deter employees from storing illegally copied media files on company servers. You can even configure file servers to send email notifications to administrators when users try to save files that are blocked by file screens, and you can create templates that can be used to simplify deployment and management of file screens across multiple shared volumes and folders. In short, file screening clearly is an administrator’s best friend! Let’s look at how to configure it in a simple networking scenario.

Before you can configure file screening on users’ folders, you first need to install File Server Resource Manager (FSRM) on your file server. The steps for doing this were outlined in my previous article on WindowsNetworking.com, Configuring Volume and Folder Quotas, so I won’t repeat them here.

Creating File Groups

The first step in implementing file screens is to create file groups. A file group defines a set of file types that should or should not be blocked. For example, let’s say you want to block all video files from being saved on a share or volume. To do this you would start by creating a file group, for example called Video Files, and add file extensions like .wmv, .mpg, and others to the group. To do this, open FSRM and expand the File Screening Management node and then under it the File Groups node. Then right-click on File Groups and select Create File Group. In the dialog box that appears, specify a name for your file group and the file types you want to include (see Figure 1):


Figure 1: Creating a file group for video file types

Your new file group will now show up in the Results pane when the File Groups node is selected (Figure 2):


Figure 2: New file group named Video Files

Creating File Screens

Now let’s create a file screen that blocks the type of files specified by our file group. The scenario we’ll work with is this: all users in the Vancouver OU of the R2.local domain should have their My Documents folders redirected as a subfolder within the \Home share on a server named MTIT-14JCI2H1Y5 and we want to prevent these users from saving video files in their My Documents folders. To redirect My Documents for these users, we’ll create a Group Policy Object that has the policy setting shown in Figure 3 configured:


Figure 3: Folder redirection is configured for users in Vancouver using the Group Policy setting shown

When Vancouver user Mary Jones logs on to her Windows XP desktop computer for the first time (actually the second time if Windows XP logon optimization is enabled), the contents of My Documents on her local machine are copied to \\MTIT-14JCI2H1Y5\Home\mjones\My Documents. This can be verified by using Windows Explorer on the file server as shown in Figure 4 (administrators are denied access to users’ My Documents folders by default):


Figure 4: My Documents for user Mary Jones is redirected to the Home share on the file server

To prevent Mary Jones from saving video files in her My Documents folder, we create a file screen as follows. Right-click on the File Screens node under File Screening Management and select Create File Screen. On the dialog box that opens, select the mjones folder as the target folder (all subfolders such as My Documents will also automatically be screened). Now select the option to define a custom screen (Figure 5):


Figure 5: Creating a custom file screen for files saved by Mary Jones

Click the Custom Properties button and on the Settings tab specify the Video Files file group as the type of files to block (Figure 6):


Figure 6: Blocking files defined by the Video Files file group

Let’s pause and note several things at this point:

  • By configuring the remaining tabs of Figure 6 above, you can specify what happens when a user tries to perform an action blocked by the file screen. These actions can include sending an email message to an administrator (or to the user trying to save the file), logging a Warning event in the Application event log, generating a report for auditing purposes (and optionally emailing it to an administrator), or running a command or program you specify. For example, you could write a script that sends a popup message to the user that says “Warning! Saving video files on company servers is a violation of company policy!” or whatever you like and have the script executed when the user tries to save a video file in My Documents.
  • By selecting Passive Screening, the notifications you specified above still happen but the user is not blocked from saving the file.
  • By clicking the Create or Edit buttons you can create new file groups on the fly or edit existing ones as needed.
  • Finally, by clicking Copy you can use an existing file screen template to create your new file screen (we’ll talk about file screen templates in a moment).

Once you’ve defined the custom properties of your file screen, click OK to return to Figure 5 and then click Create to create the new screen. When prompted whether to save the file screen as a template, choose the second option “Create the custom file screen without creating a template” and click OK. The new screen should now be displayed in the Results pane with further details shown below it in the Description area (Figure 7):


Figure 7: The new file screen is displayed in the Results pane

Now when Mary tries to download a video from the Internet and save it in her My Documents folder, she gets an error message (Figure 8):


Figure 8: Video files are being blocked

When Mary tries to save other types of files to My Documents however, her actions are successful.

Using File Screens with Roaming Profiles

Be careful configuring file screens when you have roaming profiles enabled on your network as you can get yourself into a bind. For example, say user Bob Smith has a roaming profile that is saved in a folder named %username% (that is, bsmith) in a share named Profiles on file server MTIT-14JCI2H1Y5. In other words, the network path to Bob’s profile is \\MTIT-14JCI2H1Y5\Profiles\bsmith. And let’s say you’ve configured a file screen on the Profiles folder to block roaming users from saving video files. Now let’s say Bob downloads dancing pigs.mpg from the Internet and saves the file to his desktop. Unfortunately, when Bob tries to log off his computer, he gets the error message displayed in Figure 9:


Figure 9: Don’t configure file screens on roaming profile folders

What’s happening here is that Bob’s computer can’t save dancing pigs.mpg to the file server, because his roaming profile is a subfolder of the Profiles share and the file screen on that share blocks video files. Because of this, the whole operation of updating Bob’s roaming profile to the Profiles share also fails, so any changes Bob has made to his desktop during his user session are lost.

Using File Screen Templates

Just as creating quota templates can greatly simplify the process of deploying volume and folder quotas on your network, creating file screen templates can do the same for easily implementing file screens on multiple volumes and shares. In fact, you may not even have to create your own custom file screen templates since R2 comes with a number of useful templates predefined (Figure 10):


Figure 10: Predefined file screen templates

Creating a new file screen template is easy: just right-click on the File Screen Templates node and select Create File Screen Template, and a dialog box similar to Figure 6 above appears. Specify the settings for your template the way you do for a file screen, and click OK to create your new template. You can then apply your new template (or a predefined template) to any volume or folder on your file server as follows: right-click on the File Screens node and select Create File Screen, specify the path to the volume or folder you want to screen, select the “Derive properties from this file screen template (recommended)” option and choose a template to base your new file screen on from the drop-down list (Figure 11):


Figure 11: Creating a new file screen from a predefined template

Conclusion

File screens are powerful tools but they’re not all-powerful. They wouldn’t, for example, prevent an advanced user from downloading video files from the Internet, changing their file extensions to .txt, and saving them in his My Documents folder on your file server. Your first line of defense against undesirable actions like this is your corporate security policy, and you must be sure to communicate this policy clearly to users and enforce it fairly but rigorously. Technology doesn’t solve everything; users are too smart for that to work! But a good security policy can act as a deterrent to undesirable actions and provide your company with legal recourse should an employee utilize network resources in a way that violates policy.
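The limitation described above, shown as an added example that is not part of the original article: because the Video Files group lists file extensions, finding renamed video means looking at file content instead of names. This Python sketch treats the file group as name patterns (a simplified stand-in, not FSRM's own matcher) and reports files whose leading bytes carry a known video signature but whose names pass the screen; the sample files and function names are constructed for illustration.

```python
import fnmatch
import os

# The article's "Video Files" file group: name patterns only.
VIDEO_FILE_GROUP = ["*.wmv", "*.mpg"]
# Leading 16 bytes of an ASF/WMV file (the ASF header object GUID).
ASF_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")

def sniff_video(header):
    """Return a container label if the leading bytes look like video, else None."""
    if header.startswith(ASF_GUID):
        return "asf/wmv"
    if header[:4] in (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3"):  # MPEG start codes
        return "mpeg"
    if header[:4] == b"RIFF" and header[8:12] == b"AVI ":
        return "avi"
    return None

def name_is_screened(filename, patterns=VIDEO_FILE_GROUP):
    """Case-insensitive stand-in for file group pattern matching (assumption)."""
    return any(fnmatch.fnmatchcase(filename.lower(), p) for p in patterns)

def audit(files):
    """files: iterable of (name, leading_bytes). Return (name, kind) for video
    content that a name-based screen would let through."""
    findings = []
    for name, header in files:
        kind = sniff_video(header)
        if kind and not name_is_screened(name):
            findings.append((name, kind))
    return findings

def audit_tree(root):
    """Audit a folder tree, reading only the first 16 bytes of each file."""
    def entries():
        for folder, _dirs, names in os.walk(root):
            for name in names:
                try:
                    with open(os.path.join(folder, name), "rb") as fh:
                        yield name, fh.read(16)
                except OSError:
                    continue  # e.g. folders the auditing account cannot read
    return audit(entries())

# Constructed sample: one honest video, one text file, two renamed videos.
SAMPLE = [
    ("dancing pigs.mpg", b"\x00\x00\x01\xba" + b"\x00" * 12),
    ("notes.txt", b"Meeting notes\r\n"),
    ("report.txt", b"\x00\x00\x01\xba" + b"\x00" * 12),
    ("budget.txt", ASF_GUID),
]

if __name__ == "__main__":
    for name, kind in audit(SAMPLE):
        print(f"{name}: content looks like {kind}, name passes the screen")
```

Files in folders that the auditing account cannot open are skipped, which matters because administrators are denied access to users’ My Documents folders by default.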

The Author — Mitch Tulloch


Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions.
