Configuring a windows file server for user data

From Notes_Wiki
Revision as of 06:05, 20 June 2022 by Saurabh (talk | contribs)


In a Horizon setup, once users log into their VDI machines they should ideally not keep any data locally. Shared storage can instead be mapped for them via DEM (Dynamic Environment Manager) or manually; in either case a Windows-based file server is required.

Building a Windows file sharing server in Windows 2019

To build a Windows 2019 based file sharing server, follow these steps:

  1. Create a new VM from Windows 2019 template or install Windows 2019 on a new machine (Physical / Virtual)
  2. Configure static IP on the machine
  3. Join the machine that will become the file server to the AD domain
  4. Verify the time zone is correct via "Server Manager" -> "Local Server" -> Time zone setting
  5. Open Server Manager, click Manage at the top right and choose "Add Roles and Features Wizard"
    1. On Before you begin page, click Next
    2. Select "Role-based or feature-based installation", click Next
    3. Choose "Select a server from the server pool", click Next
    4. Expand "File and Storage Services"
    5. Expand "File and iSCSI services"
    6. Select "File Server" and "File Server Resource Manager"
    7. Choose "Add Features"
    8. Click Next
    9. Click Next on select features page
    10. Select "Restart the destination server automatically if required"
    11. Click Install
  6. Check the installation status


Create a new shared folder

To share a folder, preferably on a drive other than C: with enough storage space, use:

  1. Open Server Manager
  2. Locate the "File and Storage Services" option on the left side.
  3. Click on "File and Storage Services"
  4. Click Shares. Existing shares and their paths are listed here
  5. Add a Quick share with the path and share name.
    1. Enable the option to hide folders that users do not have access to (access-based enumeration)
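The role installation and the share creation from the two procedures above, done from PowerShell instead of Server Manager; this is an added example and not code from the wiki page. It assumes the folder D:\data, the share name data and the domain EXAMPLE.

```powershell
# Added example (not from the wiki page). Assumed values: D:\data, share "data",
# domain "EXAMPLE"; change them to match the environment.
$Folder    = 'D:\data'
$ShareName = 'data'
$Domain    = 'EXAMPLE'

# Step 4 of the build procedure: confirm the time zone before doing anything else.
Get-TimeZone | Select-Object Id, DisplayName

# Step 5: the two roles selected in the Add Roles and Features wizard
# ("File Server" and "File Server Resource Manager").
$result = Install-WindowsFeature -Name FS-FileServer, FS-Resource-Manager -IncludeManagementTools
if (-not $result.Success) { throw 'Role installation failed' }
if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required before continuing' }

# The folder that backs the share, kept off the C: drive.
if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }

# Publish the share. FolderEnumerationMode AccessBased is the wizard option that
# hides folders a user has no access to. Share-level permission is deliberately
# broad (Domain Users: Change); the real per-user restriction is done with NTFS
# permissions on each user's folder.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Folder `
        -FolderEnumerationMode AccessBased `
        -ChangeAccess "$Domain\Domain Users" `
        -FullAccess   "$Domain\Domain Admins" | Out-Null
}

# Verify what was published.
Get-SmbShare -Name $ShareName | Select-Object Name, Path, FolderEnumerationMode
Get-SmbShareAccess -Name $ShareName
```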


Folder share permissions

We can ensure that only specific people have read/write/full access on a folder inside the share using:

  1. If we create a parent folder, say C:\data, it can be shared via the Quick share option as described above.
  2. If inside data we create a folder user1 to which only user1 should have access, do the following:
    1. Right click the "user1" folder and go to Properties
    2. Go to the Security tab
    3. Click Advanced at the bottom right
    4. Disable inheritance, choosing to copy the inherited permissions onto the current object
    5. Remove all permissions which allow access to all users of the system (likely 2 such permissions by default).
    6. Add permissions for user1 with full control. Do not enable this for sub-containers in the user dialog; enable it for sub-folders and files in the parent advanced security dialog (where we removed access for all users of the system/domain).
  3. Click Apply and click ok.
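The same ACL change scripted for several user folders at once, as an added example that is not part of the wiki page. It assumes the share root D:\data, the domain EXAMPLE and that the listed user accounts exist in AD.

```powershell
# Added example (not from the wiki page). Assumed: D:\data, domain EXAMPLE,
# and AD users user1 and user2.
$Root   = 'D:\data'
$Domain = 'EXAMPLE'
$Users  = 'user1', 'user2'

# Groups whose entries must not remain on a private user folder. Administrators
# and SYSTEM are intentionally left in place.
$Broad = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', "$Domain\Domain Users"

foreach ($u in $Users) {
    $path = Join-Path $Root $u
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

    # Step 4: disable inheritance and copy the inherited entries as explicit ones.
    # Write it back and re-read so the copied entries become editable.
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $path -AclObject $acl
    $acl = Get-Acl -Path $path

    # Step 5: drop every entry that grants access to all users.
    foreach ($rule in @($acl.Access)) {
        if ($Broad -contains $rule.IdentityReference.Value) { $acl.RemoveAccessRule($rule) | Out-Null }
    }

    # Step 6: Full Control for the owner, applied to this folder, subfolders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$Domain\$u", 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Verify: only Administrators, SYSTEM and the owner should be listed per folder.
foreach ($u in $Users) {
    "== $u =="
    (Get-Acl (Join-Path $Root $u)).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
}
```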


Configure Quota

To ensure that a single user or group does not use an unfair amount of space, we can configure a quota on a folder using:

  1. Go to Server Manager -> Local Server -> Tools -> File Server Resource Manager.
  2. Go to Quota Management and Quotas.
  3. We can set a quota for any particular path as per requirement.
    1. Use the 10G template to configure the initial settings
    2. Then edit the created quota's properties to change the hard/soft limit as per requirement.
  4. This assumes that only the corresponding user/group has write access to the folder where the quota is being set. Note that the quota is not set at user level as is done in Linux; it is set at folder level. So we need to ensure via Windows file permissions that only specific users have write access to the quota-enabled folder.
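A per-folder hard quota with a warning threshold, created with the FSRM cmdlets instead of the template and then edited in the GUI; this is an added example, not the wiki's own. It assumes user folders under D:\data and that FSRM's SMTP settings have already been configured (Set-FsrmSetting -SmtpServer ...).

```powershell
# Added example (not from the wiki page). Assumed: folders D:\data\<user>,
# FSRM SMTP settings already set with Set-FsrmSetting.
$Root  = 'D:\data'
$Users = 'user1', 'user2'

# E-mail the admin and the user who triggered the threshold. The bracketed
# names are FSRM's own substitution variables.
$warn = New-FsrmAction -Type Email -MailTo '[Admin Email];[Source Io Owner Email]' `
    -Subject 'Quota warning on [Quota Path]' `
    -Body 'Usage on [Quota Path] has reached [Quota Threshold]% of the [Quota Limit MB] MB limit.'
$threshold = New-FsrmQuotaThreshold -Percentage 85 -Action $warn

foreach ($u in $Users) {
    $path = Join-Path $Root $u
    if (Get-FsrmQuota -Path $path -ErrorAction SilentlyContinue) { continue }
    # Hard limit: writes beyond 10 GB fail. Add -SoftLimit to only warn instead.
    New-FsrmQuota -Path $path -Size 10GB -Threshold $threshold `
        -Description "Home folder quota for $u" | Out-Null
}

# Precondition from step 4: the quota only maps to one user if nobody else can
# write into the folder, so flag folders where a broad group still has write rights.
foreach ($u in $Users) {
    $path = Join-Path $Root $u
    $writers = (Get-Acl $path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights -match 'Write|Modify|FullControl' -and
        $_.IdentityReference.Value -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$'
    }
    if ($writers) { Write-Warning "$path is writable by a broad group; the quota is not per-user" }
}

Get-FsrmQuota | Where-Object Path -like "$Root\*" | Select-Object Path, Size, SoftLimit, Usage
```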


Restrict certain file types

If it is desired to block certain file types, say audio/video, from being stored on the file server, use:

  1. Go to Server Manager -> Local Server -> Tools -> File Server Resource Manager
  2. Go to File Screen Management. Right click and choose 'Create File Screen'
  3. Choose the folder where the screen (block) should be configured and select the option "Block Audio and Video Files"
  4. Also choose the option "Block executables"
  5. After creating the new screen, right click it and go to "Edit File Screen Properties". Here we can configure a lot of other options such as email alerts, editing the extensions which are part of a given category, etc.
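The same active file screen built with the FSRM cmdlets, with an event-log notification on each blocked write; this is an added example, not code from the wiki page. It assumes the share root D:\data and relies on the file group names FSRM ships by default.

```powershell
# Added example (not from the wiki page). Assumed: share root D:\data.
$Root   = 'D:\data'
$Groups = 'Audio and Video Files', 'Executable Files'   # FSRM built-in file groups

# Inspect which extensions the built-in groups cover before relying on them
# (this is the list "Edit File Screen Properties" lets you edit in the GUI).
Get-FsrmFileGroup -Name $Groups | Select-Object Name, IncludePattern

# Log a warning event per violation; the bracketed names are FSRM variables.
$onBlock = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] tried to save [Source File Path] under [File Screen Path] (group: [Violated File Group]).'

# -Active makes the screen block writes; without it the screen only reports.
if (-not (Get-FsrmFileScreen -Path $Root -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $Root -IncludeGroup $Groups -Active -Notification $onBlock `
        -Description 'Block media and executables in user data' | Out-Null
}

Get-FsrmFileScreen -Path $Root | Select-Object Path, Active, IncludeGroup
```

Note that a file screen matches on file name extension only, so it complements rather than replaces the execution block described in the next section.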

Refer:


Ideally disallow execution of files from shared folders on the local machine

Sometimes the shared folders may be writable by others. In that case no file written into these folders by others should be executed on the local machine / server. To do that use:

  1. At AD group policy level, block execution of files in the shared folder path by:
    1. Open Group Policy
    2. Go to Computer Configuration -> Windows Settings -> Software Restriction Policies
    3. Right click and choose the option to create new software restriction policies
    4. Then go to the Additional Rules subfolder
    5. Create a new Path rule. Give the path of the shared folder and set the security level to "Disallowed"
  2. Do the same in the Local Group Policy Editor at individual server level
    1. Open the Local Group Policy Editor
    2. Go to Computer Configuration -> Windows Settings -> Software Restriction Policies
    3. Right click and choose the option to create new software restriction policies
    4. Then go to the Additional Rules subfolder
    5. Create a new Path rule. Give the path of the shared folder and set the security level to "Disallowed"
  3. Optionally copy an executable file to the shared folder (if not already blocked by the File Server Resource Manager "Block executables" rule configured previously) and try to run this file as local administrator or domain admin.
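A check that the Disallowed path rule is actually in effect on the server, followed by the execution test from step 3; this is an added example, not code from the wiki page. It assumes the local share path D:\data and the UNC path \\fs01\data, and reads the rules from the Safer\CodeIdentifiers policy key where both the domain and the local policy are applied.

```powershell
# Added example (not from the wiki page). Assumed paths: D:\data and \\fs01\data.
$SharePaths = 'D:\data', '\\fs01\data'
$SaferRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Levels     = @{ '0' = 'Disallowed'; '262144' = 'Unrestricted' }   # SAFER security level ids

function Get-SrpPathRule {
    # Every path rule in the effective policy, with its security level.
    foreach ($lvl in Get-ChildItem $SaferRoot -ErrorAction SilentlyContinue) {
        $name = if ($Levels.ContainsKey($lvl.PSChildName)) { $Levels[$lvl.PSChildName] } else { $lvl.PSChildName }
        foreach ($rule in Get-ChildItem "$($lvl.PSPath)\Paths" -ErrorAction SilentlyContinue) {
            [pscustomobject]@{ Level = $name; Path = (Get-ItemProperty $rule.PSPath).ItemData }
        }
    }
}

# Both the local path (server side) and the UNC path (client side) need a rule.
$rules = Get-SrpPathRule
foreach ($p in $SharePaths) {
    $hit = $rules | Where-Object { $_.Path -eq $p -or $p -like "$($_.Path)*" }
    if ($hit | Where-Object Level -eq 'Disallowed') { "OK: $p is Disallowed" }
    else { Write-Warning "No Disallowed rule covers $p (rules present: $($rules.Path -join ', '))" }
}

# Step 3 of the procedure: copy a harmless system binary into the share and try
# to start it. With the rule in force Start-Process throws; if a file screen on
# executables is active the Copy-Item itself is rejected, which is also a pass.
$probe = Join-Path $SharePaths[0] 'srp-probe.exe'
try {
    Copy-Item "$env:windir\System32\whoami.exe" $probe -ErrorAction Stop
    Start-Process -FilePath $probe -Wait -NoNewWindow -ErrorAction Stop
    Write-Warning 'Execution from the share was NOT blocked'
} catch {
    "Blocked as expected: $($_.Exception.Message)"
} finally {
    Remove-Item $probe -ErrorAction SilentlyContinue
}
```

Run it as the same kind of account the procedure names (local administrator or domain admin), since the Enforcement setting decides whether administrators are exempt from the policy.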

Refer:

