Windows Server 2008 Inside Out- P13


DOCUMENT INFORMATION

Basic information

Title: Managing file and folder permissions
School: University of Information Technology
Field: Information Technology
Type: article
Year published: 2008
City: Ho Chi Minh
Pages: 50
Size: 1.27 MB


Contents


Managing File and Folder Permissions

You can think of file and folder permissions as the base-level permissions—the permissions that are applied no matter what. For NTFS volumes, you use file and folder permissions and ownership, in addition to share permissions, to further constrain actions within the share. For FAT volumes, share permissions provide the only access controls, because FAT volumes have no file and folder permission capabilities.

File and folder permissions are much more complex than share permissions, and to really understand how they can be used and applied, you must understand ownership and inheritance as well as the permissions that are available.


File and Folder Ownership

Before working with file and folder permissions, you should understand the concept of ownership as it applies to files and folders. In Windows Server 2008, the file or folder owner isn't necessarily the file or folder's creator. Instead, the file or folder owner is the person who has direct control over the file or folder. File or folder owners can grant access permissions and give other users permission to take ownership of a file or folder.

The way ownership is assigned initially depends on where the file or folder is being created. By default, the user who created the file or folder is listed as the current owner.

Ownership can be taken or transferred in several ways. Any administrator can take ownership. Any user or group with the Take Ownership permission can take ownership. Any user who has the right to Restore Files And Directories, such as a member of the Backup Operators group, can take ownership as well. Any current owner can transfer ownership to another user.

SIDE OUT: Changes to basic file and folder attributes are sometimes necessary

As administrators, we often forget about the basic file and folder attributes that can be assigned. However, basic file and folder attributes can affect access, so let's look at these attributes first and then at the file and folder permissions you can apply to NTFS volumes. All files and folders have basic attributes regardless of whether you are working with FAT or NTFS. These attributes can be examined in Windows Explorer by right-clicking the file or folder icon and then selecting Properties. Folder and file attributes include Hidden and Read-Only. Hidden determines whether the file is displayed in file listings. You can override this by telling Windows Explorer to display hidden files. On NTFS, the Read-Only attribute for folders is initially shown as unavailable. Here, this means the attribute is in a mixed state regardless of the current state of files in the folder. If you override the mixed state by selecting the Read-Only check box for a folder, all files in the folder will be read-only. If you override the mixed state and clear the Read-Only check box for a folder, all files in the folder will be writable.

Managing File and Folder Permissions 567


Taking Ownership of a File or Folder

You can take ownership using a file or folder's Properties dialog box. Right-click the file or folder, and then select Properties. On the Security tab of the Properties dialog box, display the Advanced Security Settings dialog box by clicking Advanced. Next, on the Owner tab, click Edit to display an editable version of the Owner tab, as shown in Figure 17-17. In the Change Owner To list box, select the new owner. If you're taking ownership of a folder, you can take ownership of all subfolders and files within the folder by selecting the Replace Owner On Subcontainers And Objects check box. Click OK twice when you are finished.

Figure 17-17 Taking ownership is done by using the Owner tab

Transferring Ownership

If you are an administrator or a current owner of a file or folder, you can transfer ownership to another user by using a file or folder's Properties dialog box. In Windows Explorer, right-click the file or folder, and then select Properties. On the Security tab of the Properties dialog box, display the Advanced Security Settings dialog box by clicking the Advanced button. Next, on the Owner tab, click Edit to display an editable version of the Owner tab, as shown in Figure 17-17.

Click Other Users Or Groups to display the Select User, Computer, Or Group dialog box. Type the name of a user or group, and click Check Names. If multiple names match the value you entered, you'll see a list of names and will be able to choose the one you want to use. Otherwise, the name will be filled in for you, and you can click OK to close the Select User, Computer, Or Group dialog box. Under Change Owner To on the Owner tab of the Advanced Security Settings dialog box, the user you added is listed and selected. When you click OK, ownership is transferred to this user.

Permission Inheritance for Files and Folders

By default, when you add a folder or file to an existing folder, the folder or file inherits the permissions of the existing folder. For example, if the Domain Users group has access to a folder and you add a file to this folder, members of the Domain Users group will be able to access the file. Inherited permissions are automatically assigned when files and folders are created.

When you assign new permissions to a folder, the permissions propagate down and are inherited by all subfolders and files in the folder and supplement or replace existing permissions. If you add permissions on a folder to allow a new group to access a folder, these permissions are applied to all subfolders and files in the folder, meaning the additional group is granted access. On the other hand, if you were to change the permissions on the folder so that, for instance, only members of the Engineering group could access the folder, these permissions would be applied to all subfolders and files in the folder, meaning only members of the Engineering group would have access to the folder, its subfolders, and its files.

Inheritance is automatic. If you do not want the permissions of subfolders and files within folders to supplement or replace existing permissions, you must override inheritance starting with the top-level folder from which the permissions are inherited. A top-level folder is referred to as a parent folder. Files and folders below the parent folder are referred to as child files and folders. This is identical to the parent/child structure of objects in Active Directory.

Changing Shaded Permissions and Stopping Inheritance

If a permission you want to change is shaded, the file or folder is inheriting the permission from a parent folder. To change the permission, you must do one of the following:

- Access the parent folder and make the desired changes. These changes will then be inherited by child folders and files.
- Select the opposite permission to override the inherited permission if possible. In most cases, Deny overrides Allow, so if you explicitly deny permission to a user or group for a child folder or file, this permission should be denied to that user or group of users.
- Stop inheriting permissions from the parent folder and then copy or remove existing permissions as appropriate.

To stop inheriting permissions from a parent folder, right-click the file or folder in Windows Explorer and then select Properties. On the Security tab of the Properties dialog box, click Advanced to display the Advanced Security Settings dialog box. On the Permissions tab, click Edit to display an editable version of the Permissions tab, as shown in Figure 17-18.

Figure 17-18 Change inheritance as necessary

Clear the Include Inheritable Permissions From This Object's Parent check box. As shown in Figure 17-19, you now have the opportunity to copy over the permissions that were previously applied or remove the inherited permissions and apply only the permissions that you explicitly set on the folder or file. Click Copy or Remove as appropriate.

Figure 17-19 Copy over or remove the inherited permissions

Resetting and Replacing Permissions

Another way to manage permissions is to reset the permissions of subfolders and files within a folder, replacing their permissions with the current permissions assigned to the folder you are working with. In this way, subfolders and files get all inheritable permissions from the parent folder and all other explicitly defined permissions on the individual subfolders and files are removed.

To reset permissions for subfolders and files of a folder, right-click the file or folder in Windows Explorer, and then select Properties. On the Security tab of the Properties dialog box, click Advanced to display the Advanced Security Settings dialog box. On the Permissions tab, click Edit to display an editable version of the Permissions tab.

Select Replace All Existing Inheritable Permissions…, and then click OK. As shown in Figure 17-20, you will see a prompt explaining that this action will remove all explicitly defined permissions and enable propagation of inheritable permissions. Click Yes.

Figure 17-20 Confirm that you want to replace the existing permissions on subfolders and files
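The same three operations (stop inheritance with Copy or Remove, and replace the permissions on all descendants) done with PowerShell's Get-Acl and Set-Acl, as an added example that is not from the book, useful when many folders need the change or when you want to verify the result. The folder path is an assumption; Copy versus Remove maps to the second argument of SetAccessRuleProtection.

```powershell
# Added example, not from the book. Assumed test folder; change it before running.
$Parent = 'C:\CorpData\Engineering'

function Stop-NtfsInheritance {
    # Equivalent of clearing "Include Inheritable Permissions From This Object's Parent".
    # -CopyInherited $true  = the Copy button: inherited entries are kept as explicit entries.
    # -CopyInherited $false = the Remove button: inherited entries are dropped and only the
    #                         entries explicitly set on this object remain (possibly none).
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [bool] $CopyInherited = $true
    )
    $acl = Get-Acl -Path $Path
    # SetAccessRuleProtection(isProtected, preserveInheritance)
    $acl.SetAccessRuleProtection($true, $CopyInherited)
    Set-Acl -Path $Path -AclObject $acl
}

function Reset-NtfsDescendantPermissions {
    # Equivalent of "Replace All Existing Inheritable Permissions On All Descendants":
    # every subfolder and file re-enables inheritance and loses its explicit entries, so it
    # ends up with exactly the inheritable entries of $Path.
    param([Parameter(Mandatory = $true)] [string] $Path)
    Get-ChildItem -Path $Path -Recurse -Force | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        $acl.SetAccessRuleProtection($false, $false)
        # Copy to an array first: removing while enumerating the live collection fails.
        foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            [void] $acl.RemoveAccessRule($ace)
        }
        Set-Acl -Path $_.FullName -AclObject $acl
    }
}

function Show-NtfsAcl {
    # Review helper. IsInherited = True corresponds to the shaded entries on the Security tab;
    # AreAccessRulesProtected = True means inheritance from the parent has been stopped.
    param([Parameter(Mandatory = $true)] [string] $Path)
    $acl = Get-Acl -Path $Path
    Write-Output ("{0}  (inheritance stopped: {1})" -f $Path, $acl.AreAccessRulesProtected)
    $acl.Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}

# Walk-through on the assumed folder:
Show-NtfsAcl -Path $Parent                          # before: entries inherited from C:\CorpData
Stop-NtfsInheritance -Path $Parent -CopyInherited $true
Show-NtfsAcl -Path $Parent                          # same entries, now IsInherited = False
Reset-NtfsDescendantPermissions -Path $Parent       # children now mirror $Parent's inheritable entries
```

Choosing Remove on a folder that has no explicit entries leaves it with an empty DACL, which grants nobody access; check Show-NtfsAcl before and after.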

Configuring File and Folder Permissions

On NTFS volumes, you can assign access permissions to files and folders. These permissions grant or deny access to users and groups.

Basic Permissions

In Windows Explorer you can view basic permissions by right-clicking the file or folder you want to work with, selecting Properties on the shortcut menu, and then in the Properties dialog box selecting the Security tab, as shown in Figure 17-21. The Group Or User Names list shows groups and users with assigned permissions. If you select a group or user in this list, the applicable permissions are shown in the Permissions For list. If permissions are unavailable, it means the permissions are inherited from a parent folder as discussed previously.

Figure 17-21 The Security tab shows the basic permissions assigned to each user or group

The basic permissions you can assign to folders and files are shown in Table 17-1 and Table 17-2. These permissions are made up of multiple special permissions.

Table 17-1 Basic Folder Permissions

Full Control: This permission permits reading, writing, changing, and deleting files and subfolders. If a user has Full Control over a folder, she can delete files in the folder regardless of the permission on the files.
Modify: This permission permits reading and writing to files and subfolders; allows deletion of the folder.
List Folder Contents: This permission permits viewing and listing files and subfolders as well as executing files; inherited by folders only.
Read & Execute: This permission permits viewing and listing files and subfolders as well as executing files; inherited by files and folders.
Write: This permission permits adding files and subfolders.
Read: This permission permits viewing and listing files and subfolders.

Table 17-2 Basic File Permissions

Full Control: This permission permits reading, writing, changing, and deleting the file.
Modify: This permission permits reading and writing of the file; allows deletion of the file.
Read & Execute: This permission permits viewing and accessing the file's contents as well as executing the file.
Write: This permission permits writing to a file. Giving a user permission to write to a file but not to delete it doesn't prevent the user from deleting the file's contents.
Read: This permission permits viewing or accessing the file's contents.

Read is the only permission needed to run scripts. Read access is required to access a shortcut and its target.

You can set basic permissions for files and folders by following these steps:

1. In Windows Explorer, right-click the file or folder you want to work with, and select Properties. In the Properties dialog box, select the Security tab, shown previously in Figure 17-21.

2. Click Edit to display an editable version of the Security tab. Users or groups that already have access to the file or folder are listed in the Name list box. You can change permissions for these users and groups by selecting the user or group you want to change and then using the Permissions list box to grant or deny access permissions.

3. To set access permissions for additional users, computers, or groups, click Add. This displays the Select Users, Computers, Or Groups dialog box.

4. The Locations button allows you to access account names from other domains. Click Locations to see a list of the current domain, trusted domains, and other resources that you can access. Because of the transitive trusts in Windows Server 2008, you can usually access all the domains in the domain tree or forest.

5. Type the name of a user or group account in the selected or default domain, and then click Check Names. The options available depend on the number of matches found as follows:

   - When a single match is found, the dialog box is automatically updated as appropriate and the entry is underlined.
   - When no matches are found, you've either entered an incorrect name part or you're working with an incorrect location. Modify the name and try again, or click Locations to select a new location.
   - If multiple matches are found, select the name(s) you want to use, and then click OK.

6. To add additional users or groups, type a semicolon (;), and then repeat this process.

7. When you click OK, the users and groups are added to the Name list for the file or folder. Configure access permissions for each user and group added by selecting an account name and then allowing or denying access permissions. If a user or group should be granted access permissions, select the check box for the permission in the Allow column. If a user or group should be denied access permissions, select the check box for the permission in the Deny column.

8. When you're finished, click OK.

Special Permissions

In Windows Explorer you can view special permissions by right-clicking the file or folder you want to work with and selecting Properties on the shortcut menu. In the Properties dialog box, select the Security tab, and then click Advanced to display the Advanced Security Settings dialog box, as shown in Figure 17-22.

Figure 17-22 The Advanced Security Settings dialog box can be used to access the special permissions assigned to each user or group

The special permissions available are as follows (the opening words of several descriptions did not survive in this copy):

- Traverse Folder/Execute File: …if you don't have explicit access to read the data it contains. Execute File lets you run an executable file.
- List Folder/Read Data: …lets you view the contents of a file.
- Read Attributes: …attributes include Read-Only, Hidden, System, and Archive.
- Read Extended Attributes: …streams) associated with a file. As discussed in Chapter 16, "Managing Windows Server 2008 File Systems," these include Summary fields, such as Title, Subject, and Author, as well as other types of data.
- Create Files/Write Data: …allows you to overwrite existing data in a file (but not add new data to an existing file because this is covered by Append Data).
- Create Folders/Append Data: …folders. Append Data allows you to add data to the end of an existing file (but not to overwrite existing data because this is covered by Write Data).
- Write Attributes: …attributes include Read-Only, Hidden, System, and Archive.
- Write Extended Attributes: …streams) associated with a file. As discussed in Chapter 16, these include Summary fields, such as Title, Subject, and Author, as well as other types of data.
- Delete Subfolders And Files: …this permission, you can delete the subfolders and files in a folder even if you don't specifically have Delete permission on the subfolder or file.
- Delete: …Delete permission for one of its files or subfolders, you won't be able to delete it. You can do this only if you have the Delete Subfolders And Files permission.
- Read Permissions: Lets you read all basic and special permissions assigned to a file or folder.
- Change Permissions: …file or folder.
- Take Ownership: …administrators can always take ownership of a file or folder and can also grant this permission to others.

Tables 17-3 and 17-4 show how special permissions are combined to make the basic permissions for files and folders. Because special permissions are combined to make the basic permissions, they are also referred to as atomic permissions.
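The composition of basic permissions from atomic ones is visible directly in the .NET FileSystemRights enumeration that Get-Acl uses, and the function below (an added example, not from the book) splits any rights value into its single-bit members, so you can see what Modify or Full Control consists of, or what an ACL entry on a real folder actually grants. The folder path at the end is an assumption.

```powershell
# Added example, not from the book.
$RightsType = [System.Security.AccessControl.FileSystemRights]

function Get-AtomicRights {
    # Splits a FileSystemRights value into its single-bit members. Single-bit members are the
    # atomic (special) permissions; Read, Write, ReadAndExecute, Modify and FullControl are
    # unions of them. Some atomic rights have two names on one bit (ReadData/ListDirectory,
    # WriteData/CreateFiles, AppendData/CreateDirectories, ExecuteFile/Traverse: the file name
    # and the folder name of the same bit), so names are grouped by bit value.
    param([Parameter(Mandatory = $true)] $Rights)
    $value = [int] ([System.Security.AccessControl.FileSystemRights] $Rights)
    $namesByBit = @{}
    foreach ($name in [System.Enum]::GetNames($RightsType)) {
        $bit = [int] [System.Enum]::Parse($RightsType, $name)
        if ($bit -ne 0 -and ($bit -band ($bit - 1)) -eq 0) {   # exactly one bit set
            if (-not $namesByBit.ContainsKey($bit)) { $namesByBit[$bit] = @() }
            $namesByBit[$bit] += $name
        }
    }
    foreach ($bit in ($namesByBit.Keys | Sort-Object)) {
        if (($value -band $bit) -ne 0) {
            New-Object PSObject -Property @{
                Bit   = $bit
                Names = ($namesByBit[$bit] -join ' / ')
            }
        }
    }
}

# What Modify (Tables 17-1 and 17-2) consists of: every read right, every write right, Delete
# and ReadPermissions, but not ChangePermissions, TakeOwnership or DeleteSubdirectoriesAndFiles.
Get-AtomicRights -Rights 'Modify' | Format-Table Bit, Names -AutoSize

# FullControl additionally includes those three plus Synchronize.
Get-AtomicRights -Rights 'FullControl' | Format-Table Bit, Names -AutoSize

# Decompose what each ACL entry on a real folder grants (path is an assumption).
$Path = 'C:\EngData'
foreach ($ace in (Get-Acl -Path $Path).Access) {
    "{0} {1}:" -f $ace.AccessControlType, $ace.IdentityReference
    Get-AtomicRights -Rights $ace.FileSystemRights | ForEach-Object { "    " + $_.Names }
}
```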

Table 17-3 Special Permissions for Folders

Table 17-4 Special Permissions for Files

- …Group dialog box. Type the name of a user or group, and click Check Names. If multiple names match the value you entered, you'll see a list of names and will be able to choose the one you want to use. Otherwise, the name will be filled in for you. When you click OK, the Permission Entry For dialog box shown in Figure 17-23 is displayed.
- …permissions you want to modify, and then click Edit. The Permission Entry For dialog box shown in Figure 17-23 is displayed.
- …permissions you want to remove, and then click Remove.

Figure 17-23 Use the Permission Entry For dialog box to set special permissions

If you are adding or editing entries for users or groups, you use the Permission Entry For dialog box to grant or deny special permissions. Select Allow or Deny for each permission as appropriate. When finished, use the Apply Onto options shown in Table 17-5 to determine how and where these permissions are applied. If you want to prevent subfolders and files from inheriting these permissions, select Apply These Permissions To Objects And/Or Containers Within This Container Only. When you do this, all the related entries in Table 17-5 are No. This means the settings no longer apply onto subsequent subfolders or to files in subsequent subfolders.

Table 17-5 Special Permissions Apply Onto Options

Columns: Apply Onto | Applies to Current Folder | Applies to Subfolders in the Current Folder | Applies to Files in the Current Folder | Applies to Subsequent Subfolders | Applies to Files in Subsequent Subfolders

Apply Onto values (only partially legible in this copy): This folder, subfolders, and … | This folder and … | This folder and … | Subfolders and …

Note

When Apply These Permissions To Objects And/Or Containers Within This Container Only is selected, all the values under Applies To Subsequent Subfolders and Applies To Files In Subsequent Subfolders are No. The settings no longer apply onto subsequent subfolders or to files in subsequent subfolders.

Determining Effective Permissions

Navigating the complex maze of permissions can be daunting even for the best administrators. Sometimes it won't be clear how a particular permission set will be applied to a particular user or group. If you ever want to know exactly how the current permissions will be applied to a particular user or group, you can use a handy tool called Effective Permissions.

Effective Permissions applies only to file and folder permissions—not share permissions—and is an option of the Advanced Security Settings dialog box. To get to it from Windows Explorer, right-click the file or folder you want to work with and select Properties. In the Properties dialog box, select the Security tab, and then click Advanced. To see how permissions will be applied to a user or group, click the Effective Permissions tab, click Select, type the name of the user or group, and then click OK. The Effective Permissions for the selected user or group are displayed as shown in Figure 17-24.

Figure 17-24 Use Effective Permissions to help you determine how permissions will be applied to a specific user or group

Effective Permissions does have the following limitations:

- You need the proper access permissions to view the effective permissions of a user or group. That goes without saying, pretty much. But it is important to point out.
- You cannot determine permissions for global or universal security groups that are nested in domain local groups. For example, by default Users has access to most folders, and one of its members is Domain Users, which is a global security group. If you try to determine the effective permissions for Domain Users, no permissions are displayed.
- You cannot determine the effective permissions for implicit groups or special identities, such as Everyone, Interactive, Domain Controllers, Local Service, or Network Service.

Managing File Shares After Configuration

Configuring shares can be a time-consuming process, especially if you are trying to troubleshoot why a particular user doesn't have access or set up a new server with the same file shares as a server you are decommissioning. Fortunately, there are some techniques you can use to help you better manage file shares and the way they are implemented.

Net Share is a handy command-line tool for helping you track file share and print share permissions. You can use it to display a list of shares and who has access. If you redirect the output of Net Share, you can save the share configuration and access information to a file, and this file can become a log that helps you track share changes over time.

Managing File Shares After Configuration 579


To view a list of configured shares, type net share at the command prompt. The output of Net Share shows you the name of each share on the server, the location of the actual folder being shared, and any descriptions you've added. Here is an example:

Share name   Resource          Remark
-------------------------------------------------------
ADMIN$       C:\Windows        Remote Admin
C$           C:\               Default share
F$           F:\               Default share
IPC$                           Remote IPC
CorpData     C:\CorpData
CorpTech     F:\CorpTech
DevData      F:\DevData
EngData      C:\EngData
HRData       F:\HRData
Public       C:\Users\Public
UserData     C:\UserData
The command completed successfully.

The list of shares shown includes the file shares CorpData, CorpTech, EngData, Public, and others, and administrative shares created and managed by Windows, including ADMIN$, IPC$, and any drive shares. If you want to redirect the output to a file, you can do this by typing net share > FileName.txt, where FileName.txt is the name of the file to create and to which you want to write, such as net share > C:\logs\fileshares.txt. If you follow the Net Share command with the name of a configured share, you'll see the complete configuration details for the share as shown in the following example:

Share name        EngData
Path              C:\EngData
Remark
Maximum users     No limit
Users
Caching           Manual caching of documents
Permission        CPANDL\Domain Admins, FULL
                  CPANDL\Domain Users, READ
                  CPANDL\EngineeringUsers, READ

The command completed successfully.

You can append the share configuration details to the previously created log file by using the append symbol (>>) instead of the standard redirect symbol (>), as shown in the following example:

net share corpdata >> C:\logs\fileshares.txt

Listing 17-1 shows the source of a command-line script that you could use to create a configuration log for the key shares on the computer. Although the path in the example is set to c:\logs\fileshares.txt, you can set any log path you want.

Listing 17-1 A sample share logging script

net share > C:\logs\fileshares.txt
net share c$ >> C:\logs\fileshares.txt
net share f$ >> C:\logs\fileshares.txt
net share corpdata >> C:\logs\fileshares.txt
net share corptech >> C:\logs\fileshares.txt
net share devdata >> C:\logs\fileshares.txt
net share engdata >> C:\logs\fileshares.txt
net share hrdata >> C:\logs\fileshares.txt
net share public >> C:\logs\fileshares.txt
net share userdata >> C:\logs\fileshares.txt
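An added example, not from the book, that turns the Listing 17-1 log into a change check: it writes the share list plus each share's Net Share details to a dated file under the same C:\logs folder and diffs it against the previous snapshot, so a new share or a changed permission line stands out. It enumerates shares through Win32_Share instead of a hard-coded list; the log folder name follows the chapter and the file naming is an assumption.

```powershell
# Added example, not from the book. Log folder as in the chapter; created if missing.
$LogDir = 'C:\logs'
if (-not (Test-Path -Path $LogDir)) { New-Item -Path $LogDir -ItemType Directory | Out-Null }

function Get-ShareConfigurationText {
    # Same content as Listing 17-1, but enumerates shares through WMI so new shares are never
    # missed, and includes the per-share details (path, caching, permissions) of net share <name>.
    $lines = @()
    $lines += net share
    $names = Get-WmiObject -Class Win32_Share | Select-Object -ExpandProperty Name | Sort-Object
    foreach ($name in $names) {
        $lines += ''
        $lines += net share "$name"
    }
    return $lines
}

function Write-ShareLog {
    # Writes a timestamped snapshot and returns its path.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    $path  = Join-Path -Path $LogDir -ChildPath ('fileshares-{0}.txt' -f $stamp)
    Get-ShareConfigurationText | Set-Content -Path $path
    return $path
}

function Compare-ShareLogs {
    # Diffs two snapshots. Lines only in the newer file were added or changed; lines only in
    # the older file were removed. Blank lines and the "completed successfully" line are noise.
    param(
        [Parameter(Mandatory = $true)] [string] $Previous,
        [Parameter(Mandatory = $true)] [string] $Current
    )
    $filter = { $_ -ne '' -and $_ -notlike 'The command completed successfully*' }
    $old = @(Get-Content -Path $Previous | Where-Object $filter)
    $new = @(Get-Content -Path $Current  | Where-Object $filter)
    Compare-Object -ReferenceObject $old -DifferenceObject $new |
        Select-Object @{ Name = 'Change'; Expression = { if ($_.SideIndicator -eq '=>') { 'added/changed' } else { 'removed' } } },
                      @{ Name = 'Line';   Expression = { $_.InputObject } }
}

# Typical use: snapshot now, then compare with the most recent earlier snapshot.
$current  = Write-ShareLog
$previous = Get-ChildItem -Path $LogDir -Filter 'fileshares-*.txt' |
            Where-Object { $_.FullName -ne $current } |
            Sort-Object -Property LastWriteTime -Descending |
            Select-Object -First 1
if ($previous) {
    Compare-ShareLogs -Previous $previous.FullName -Current $current | Format-Table -AutoSize
} else {
    Write-Output "First snapshot written to $current; run again later to compare."
}
```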

Auditing File and Folder Access

Access permissions will only help protect data; they won't tell you who deleted important data or who was trying to access files and folders inappropriately. To track who accessed files and folders and what they did, you must configure auditing for file and folder access. Every comprehensive security strategy should include auditing.

To track file and folder access, you must:

- Enable auditing
- Specify which files and folders to audit
- Monitor the security logs

Enabling Auditing for Files and Folders

You configure auditing policies by using Group Policy or local security policy. Group Policy is used when you want to set auditing policies for an entire site, domain, or organizational unit, and is used as discussed in Part 5 of this book, "Managing Active Directory and Security." Local security policy settings apply to an individual workstation or server and can be overridden by Group Policy.

To enable auditing of files and folders for a specific computer, start the Local Security Policy tool by clicking Start, All Programs, Administrative Tools, and Local Security Policy. Expand Local Policies, and then select Audit Policy, as shown in Figure 17-25.

Auditing File and Folder Access 581


Figure 17-25 Access the local auditing policy settings

Next, double-click Audit Object Access. This displays the Audit Object Access Properties dialog box shown in Figure 17-26. Under Audit These Attempts, select the Success check box to log successful access attempts, the Failure check box to log failed access attempts, or both check boxes, and then click OK. This enables auditing but it doesn't specify which files and folders should be audited.

Figure 17-26 Configure auditing for object access

Specifying Files and Folders to Audit

After you have enabled Audit Object Access, you can set the level of auditing for individual folders and files. This allows you to control whether and how folder and file usage is tracked. Keep in mind that auditing is available only on NTFS volumes. In addition, everything discussed about inheritance applies to files and folders as well—and this is a good thing. This allows you, for example, to audit access to every file or folder on a volume simply by specifying that you want to audit the root folder of the volume.

You specify files and folders to audit using Windows Explorer. In Windows Explorer, right-click the file or folder to be audited, and then, from the shortcut menu, select Properties. In the Properties dialog box, click the Security tab, and then click Advanced. In the Advanced Security Settings dialog box, click Edit on the Auditing tab. You can now view and manage auditing settings using the options shown in Figure 17-27.

Figure 17-27 Specify to which users and groups auditing should apply

You have the same two inheritance options discussed earlier in the chapter:

- If you want to inherit auditing settings from a parent object, ensure that the Include Inheritable Permissions From This Object's Parent check box is selected.
- If you want child objects of the current object to inherit the settings you are setting on the current folder, select the Replace All Existing Inheritable Auditing Entries check box.

Now use the Auditing Entries list box to select the users, groups, or computers whose actions you want to audit. To add specific accounts, click Add, and then use the Select User, Computer, Or Group dialog box to select an account name to add. If you want to audit actions for all users, use the special group Everyone. Otherwise, select the specific user groups or users, or both, that you want to audit. When you click OK, you'll see the Auditing Entry For dialog box, as shown in Figure 17-28.

Figure 17-28 Determine the actions to audit for the designated user, group, or computer

The Apply Onto drop-down list box allows you to specify which actions should be audited. Select the Successful or Failed check boxes, or both, for the events you want to audit. The events you can audit are the same as the special permissions listed in Tables 17-3 and 17-4, except you can't audit the synchronizing of offline files and folders. Click OK when you're finished. Repeat this process to audit other users, groups, or computers.

Note

Often you'll want to track only failed actions. This way, you know if someone was trying to perform an action and failed. Keep in mind a failed attempt doesn't always mean someone is trying to break into a file or folder. A user simply might have double-clicked a folder or file to which he or she didn't have access. In addition, some types of actions can cause multiple failed attempts to be logged even when the user performed the action only once. Regardless, as an administrator, you should always check multiple failed attempts because of the possibility that someone is attempting to breach your system's defenses.

Monitoring the Security Logs

Any time files and folders that you've configured for auditing are accessed, the action is written to the system's Security log, where it's stored for your review. The Security log is accessible from Event Viewer. Successful actions can cause successful events, such as successful file reads, to be recorded. Failed actions can cause failed events, such as failed file deletions, to be recorded.
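The three steps above (enable the policy, add the auditing entry, read the Security log) from PowerShell, plus the check the earlier Note calls for, which counts repeated failures per account, as an added example that is not from the book. The folder path, the failure threshold and the use of the "File System" auditpol subcategory are assumptions to adapt; event IDs 4656 and 4663 are the object-access events the Security log records.

```powershell
# Added example, not from the book. Run elevated: reading SACLs and the Security log needs it.
$Target = 'F:\HRData'     # assumed folder to audit

# Step 1: enable the Audit Object Access policy for failed attempts (the Figure 17-26 setting).
# auditpol sets the same policy as the Local Security Policy console, per subcategory.
auditpol /set /subcategory:"File System" /failure:enable

# Step 2: add an auditing entry for Everyone on failed Delete and Delete Subfolders And Files,
# applied to this folder, subfolders and files (ContainerInherit + ObjectInherit).
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights] 'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)
$acl = Get-Acl -Path $Target -Audit      # -Audit is required to read and write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl

# Step 3: read the audit events back out of the Security log.
function Get-FileAccessAuditEvents {
    # 4656 = a handle to an object was requested (this is the event that records a refusal),
    # 4663 = an attempt was made to access an object. Both name the object, the account and
    # the accesses requested in their message text, which is parsed here.
    param(
        [Parameter(Mandatory = $true)] [string] $PathPrefix,
        [int] $MaxEvents = 1000
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m = $_.Message
        $object = if ($m -match 'Object Name:\s+(\S.*)') { $Matches[1].Trim() } else { '' }
        if (-not $object.StartsWith($PathPrefix, [System.StringComparison]::OrdinalIgnoreCase)) { return }
        $account = if ($m -match 'Account Name:\s+(\S.*)') { $Matches[1].Trim() } else { '' }
        $access  = if ($m -match 'Accesses:\s+(\S.*)')     { $Matches[1].Trim() } else { '' }
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Outcome = ($_.KeywordsDisplayNames -join ',')     # "Audit Failure" / "Audit Success"
            Account = $account
            Object  = $object
            Access  = $access
        }
    }
}

function Get-RepeatedAuditFailures {
    # The Note's caveat in code: one failure may be a double-click on a folder the user cannot
    # open, and some actions log several failures at once, so accounts that cross a threshold
    # over many events are what to look at first.
    param(
        [Parameter(Mandatory = $true)] [string] $PathPrefix,
        [int] $Threshold = 5                   # assumed threshold; tune it for your environment
    )
    Get-FileAccessAuditEvents -PathPrefix $PathPrefix |
        Where-Object { $_.Outcome -like '*Failure*' } |
        Group-Object -Property Account |
        Where-Object { $_.Count -ge $Threshold } |
        Select-Object Name, Count,
            @{ Name = 'Objects'; Expression = { ($_.Group | Select-Object -ExpandProperty Object -Unique) -join '; ' } }
}

Get-FileAccessAuditEvents -PathPrefix $Target | Format-Table Time, Id, Outcome, Account, Object, Access -AutoSize
Get-RepeatedAuditFailures -PathPrefix $Target -Threshold 5
```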

Auditing File and Folder Access 585

Trang 21

Volume Shadow Copy Service is a feature of Windows Server 2008. It offers two important features:

- Shadow copies of files in shared folders are created automatically at specific intervals during the day. This allows you to go back and look at earlier versions of files stored in shared folders. You can use these earlier versions to recover deleted, incorrectly modified, or overwritten files. You can also compare versions of files to see what changes were made over time. Up to 64 versions of files are maintained.

- Backup programs, such as Windows Backup, can back up files that are open or locked. This means you can back up when applications are using the files and do not have to worry about backups failing because files are in use. Backup programs must implement the Volume Shadow Copy Service (VSS) application programming interface (API).

Both features are independent of each other. You do not need to enable shadow copying of a volume to be able to back up open or locked files on a volume. This chapter primarily focuses on shadow copying of files in shared folders. Chapter 41, “Backup and Recovery,” examines backups.

Shadow Copy Essentials

Shadow copying of files in shared folders is a feature administrators can use to create backup copies of files on designated volumes automatically. You can think of these backup copies as point-in-time snapshots that can be used to recover previous versions of files. Normally, when a user deletes a file from a shared folder, it is immediately deleted and doesn’t go to the local Recycle Bin. This means the only way to recover it is from backup. The reason for this is that when you delete files over the network, the files are permanently deleted on the remote server and never make it to the Recycle Bin. This changes with shadow copying. If a user deletes a file from a network share, she can go back to a previous version and recover it, and she can do this without needing assistance.

CHAPTER 18  Using Volume Shadow Copy

Shadow Copy Essentials 587
Managing Shadow Copies in Computer Management 592
Configuring Shadow Copies at the Command Line 599
Using Shadow Copies on Clients 603

Using Shadow Copies of Shared Folders

Shadow copies of shared folders are designed to help recover files that were accidentally deleted, corrupted, or inappropriately edited. After you configure shadow copies on a server, the server creates and maintains previous versions of all files and folders created on the volumes you’ve specified. It does this by creating snapshots of shared folders at predetermined intervals and storing these images in shadow copy storage in such a way that users and administrators can easily access the data to recover previous versions of files and folders. Windows Server 2008 includes a feature enhancement that allows you to revert an entire volume to a previous shadow copy state.

Ideally, after you implement shadow copies throughout the organization and show users how to use the feature, users will be able to recover files and folders without needing assistance. This allows users to manage their own files, resolve problems, and fix mistakes. It also saves time and money because previous versions can be recovered quickly and easily, and resources that would have been used to recover files and perform related tasks can be used elsewhere.

When planning to deploy shadow copies in your organization, look at the shared folders that are in use. When you identify the ones that would benefit from this feature, note the volumes on which those shares are located. Those are the volumes for which you will need to configure shadow copying. You might also want to consider changing the way users’ personal data is stored. Windows Server 2008 enables you to centrally manage user data folders through file shares, and then if you configure shadow copies on these file shares, users will have access to previous versions of all their data files and folders. The folders you can centrally manage are the following:

- Application Data
- Desktop
- Start Menu
- Documents
- Pictures
- Music
- Videos
- Favorites
- Contacts
- Downloads
- Links
- Searches
- Saved Games

You configure central management of these folders through Group Policy. When you do this, you want to redirect the root path for these folders to a file share.

How Shadow Copies Work

Shadow Copies for Shared Folders is made possible through the Shadow Copy API. The shadow copy driver (Volsnap.sys) and the Volume Shadow Copy Service executable (Vssvc.exe) are key components used by this API. When you enable shadow copies on a server, the server is configured to be a client-accessible shadow copy service provider. The default provider is the Microsoft Software Shadow Copy Provider, and it is responsible for providing the necessary interface between clients that want to access shadow copies and clients that write shadow copies or information pertaining to shadow copies, called Volume Shadow Copy service writers.

A number of shadow copy service writers are installed by default, and other writers can be installed when you install other programs, such as third-party backup software. The default writers installed depend on the system configuration and include the following:

- Background Intelligent Transfer Service (BITS)
- internal database so that in-use files can be backed up
- so that in-use files can be backed up, primarily on domain controllers
- the Dynamic Host Configuration Protocol (DHCP)
- in-use files can be backed up, primarily on domain controllers
- Internet Information Services (IIS) configuration files
- use by the Microsoft Search Service
- of files in use by NTDS
- changes
- shadow copies

You can list available shadow copy providers by typing vssadmin list providers at the command line. To list shadow copy writers, type vssadmin list writers.

To create copies of previous versions of files, Shadow Copies for Shared Folders uses a differential copy procedure. With this technique, only copies of files that have changed since the last copy are marked for copying. During the copy procedure, Shadow Copies for Shared Folders creates the previous version data in one of two ways:

- If the application used to change a file stored details of the changes, Shadow Copies for Shared Folders performs a block-level copy of any changes that have been made to files since the last save. Thus, only changes are copied, not the entire file.

- If the application used to change a file rewrote the entire file to disk, Shadow Copies for Shared Folders saves the entire file as it exists at that point in time.

If you’re wondering exactly how this works, I was, too, at first. Then I started experimenting. An example of an application that can save changes or full copies is Microsoft Word. If you enable Fast Saves in Word, only changes to a file are written to disk. If you clear the Allow Fast Saves check box, Word writes a complete copy of the file when you save it.

As mentioned previously, Shadow Copies for Shared Folders runs at predefined intervals. These predefined intervals are set as the run schedule when you configure shadow copying of a volume. As with other processes that have a run schedule, a scheduled task is created that is used to trigger shadow copying at the specified times. Because of this, Shadow Copies for Shared Folders is dependent on the Task Scheduler service. If this service is stopped or improperly configured, shadow copying will not work.

Implementing Shadow Copies for Shared Folders

Implementing Shadow Copies for Shared Folders isn’t something you should do haphazardly. You should take the time to plan out the implementation. Key issues that you should consider include the following:

- enough available space on existing volumes?
- volumes?

Start your planning by considering for which volumes you want to configure shadow copies. After you configure this feature, shadow copies will be created of files in the shared folders on these volumes. To implement shadow copying of files of shared folders, you enable shadow copying of the volume in which the shared folders are located.

The initial shadow copy requires at least 300 megabytes (MB) of free space to create, regardless of how much data is stored in the volume’s shared folders. The disk space used by Shadow Copies for Shared Folders is referred to as shadow storage. Shadow Copies uses this space to store previous versions of files and as a work area when it is taking snapshots. Because of this, the actual amount of space used for shadow storage is different from the amount of space allocated for shadow storage.

The amount of disk space available shouldn’t be overlooked. The Shadow Copy service will save up to 64 versions of each file in shared folders and, by default, will configure its maximum space usage as up to 10 percent of the volume. After you set this value, the maximum size is fixed unless you change it. The service won’t, however, reexamine free space later to determine if this maximum value should be changed. If a volume runs out of space, shadow copying will fail and errors will be generated in the event logs.

When you plan out your shadow copies implementation, you should think carefully about where shadow storage will be located. Shadow storage can be created on the volumes for which you are creating shadow copies or on different volumes. If you have busy file servers or you must scale this feature to serve many users or an increasing number of users, it might be best to use a separate volume on a separate drive for shadow storage.

Use the Command-Line Tools to Examine Shadow Storage

You can determine how much space is allocated to and used by shadow storage by using the vssadmin list shadowstorage command. Working with this command is discussed in “Configuring Shadow Copies at the Command Line” on page 598.
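Because the maximum size of shadow storage is fixed once set, and a volume that runs out of space makes shadow copying fail, a quick report of what is allocated, what is in use, and how many copies exist per volume is worth having. The following Windows PowerShell script is an added example (not the book’s own code) that produces such a report through the Win32_ShadowStorage, Win32_ShadowCopy and Win32_Volume WMI classes instead of parsing vssadmin output, and also checks the Task Scheduler service that the scheduled copies depend on. It assumes Windows PowerShell 2.0 or later run elevated on the file server; the 300 MB and 10 percent figures are the ones the text gives, and the 90 percent usage warning is a constructed threshold.

```powershell
# Added example: report shadow storage allocation and use per volume and flag the
# conditions the text warns about (too little free space for the initial copy, a
# stopped Task Scheduler service). Assumes Windows PowerShell 2.0+ run elevated;
# uses the Win32_ShadowStorage, Win32_ShadowCopy and Win32_Volume WMI classes.

$MinFreeForInitialCopy = 300MB   # free space the first shadow copy needs
$DefaultMaxRatio       = 0.10    # default maximum shadow storage: 10 percent of the volume
$UsageWarnRatio        = 0.90    # constructed threshold for a "nearly full" warning

# Scheduled shadow copies are triggered by Task Scheduler; if it is down, nothing runs.
$scheduler = Get-Service -Name Schedule
if ($scheduler.Status -ne 'Running') {
    Write-Warning ('Task Scheduler service is {0}; scheduled shadow copies will not run.' -f $scheduler.Status)
}

$shadows = @(Get-WmiObject -Class Win32_ShadowCopy)

$report = foreach ($store in Get-WmiObject -Class Win32_ShadowStorage) {
    # Volume (the protected volume) and DiffVolume (where shadow storage lives) are
    # WMI object paths; casting with [wmi] returns the Win32_Volume instances.
    $source = [wmi]$store.Volume
    $diff   = [wmi]$store.DiffVolume

    # Win32_ShadowCopy.VolumeName matches Win32_Volume.DeviceID (\\?\Volume{...}\ form)
    $copies = @($shadows | Where-Object { $_.VolumeName -eq $source.DeviceID }).Count

    $warnings = @()
    if ($diff.FreeSpace -lt $MinFreeForInitialCopy) {
        $warnings += 'less than 300 MB free on the shadow storage volume'
    }
    if ($store.MaxSpace -lt ($source.Capacity * $DefaultMaxRatio)) {
        $warnings += 'maximum shadow storage is below the 10 percent default'
    }
    if ($store.MaxSpace -gt 0 -and ($store.UsedSpace / $store.MaxSpace) -gt $UsageWarnRatio) {
        $warnings += 'shadow storage more than 90 percent used'
    }

    New-Object PSObject -Property @{
        Volume          = $source.DriveLetter
        ShadowStorageOn = $diff.DriveLetter
        Copies          = $copies
        UsedMB          = [math]::Round($store.UsedSpace / 1MB)
        AllocatedMB     = [math]::Round($store.AllocatedSpace / 1MB)
        MaxMB           = [math]::Round($store.MaxSpace / 1MB)
        Warnings        = ($warnings -join '; ')
    }
}

$report |
    Select-Object Volume, ShadowStorageOn, Copies, UsedMB, AllocatedMB, MaxMB, Warnings |
    Format-Table -AutoSize
```

UsedMB, AllocatedMB and MaxMB correspond to the Used, Allocated and Maximum figures that vssadmin list shadowstorage prints, so the two views can be cross-checked; a volume whose maximum is unbounded shows a very large MaxMB value rather than a warning.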

Shadow copying is a resource-intensive process. By default, when you configure shadow copying on a volume, copies are made at two scheduled intervals during the day: once in the morning at 7:00 A.M. and once at midday at 12:00 P.M. The morning copy allows you to save the work from the previous day and is meant to occur before users come in to work in the morning. The midday copy allows you to save work up to that point in the day and is meant to occur when users are taking a break for lunch. In this way, a user would lose, at most, a half day’s work, and the resource impact caused by creating shadow copies is minimized.

When you configure the shadow copy schedule for your organization, you should take these same issues into consideration. Start by determining the best times of the day to create shadow copies. Ideally, this is when the server’s resources are being used the least. Then determine how much potential data loss is acceptable given the resources, the type of data stored, and the available disk space.


Posted: 07/11/2013, 12:15