Configuring a windows file server for user data
Home > VMWare platform > VMWare Horizon > Configuring a windows file server for user data
In a Horizon setup, once users log into their VDI machines they ideally should not keep any data locally. Hence shared storage can be mapped for them via DEM or manually. In either case a Windows based file server is required.
Building a Windows file sharing server in Windows 2019
To build a Windows 2019 based file sharing server, follow the steps below:
- Create a new VM from a Windows 2019 template or install Windows 2019 on a new machine (physical / virtual)
- Configure a static IP on the machine
- Join the machine that will be configured as the file server to the AD domain
- Validate Timezone is correct using "Server Manager" -> "Local Server" -> Time zone setting
- Open the Server Manager. Click Manage on top right side. Choose "Add Roles and Features Wizard"
- On Before you begin page, click Next
- Select "Role-based or feature-based installation", click Next
- Choose "Select a server from the server pool", click Next
- Expand "File and Storage Services"
- Expand "File and iSCSI services"
- Select "File Server" and "File Server Resource Manager"
- Choose "Add Features"
- Then select Next
- Click Next on select features page
- Select "Restart the destination server automatically if required"
- Click Install
- Check the installation status
To share a folder, ideally on a drive other than C: with sufficient storage space:
- Open the Server Manager
- Check the "File and Storage Services" option on the left side
- Click on "File and Storage Services"
- Click Shares. Existing shared paths can be found here
- Add a Quick share with the path and share name
- Enable access-based enumeration so that users do not see folders they have no access to
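The role installation and share creation above, as an added PowerShell example (not code from the original page). It assumes a hypothetical domain `corp.example`, a data disk mounted as `D:`, and a share named `UserData`; the share-level permission is deliberately broad because the NTFS permissions described later on this page are what actually restrict access:

```powershell
# Added example (not from the original page): file server role + share with
# access-based enumeration, matching the Server Manager steps above.
# Assumptions (hypothetical): domain corp.example, data disk D:, share "UserData".

# 1. Sanity checks: time zone and domain membership before installing roles
Get-TimeZone | Select-Object Id, DisplayName
if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    Add-Computer -DomainName 'corp.example' -Credential (Get-Credential) -Restart
}

# 2. Install File Server and File Server Resource Manager (plus management
#    tools); -Restart reboots automatically only if the install requires it
Install-WindowsFeature -Name FS-FileServer, FS-Resource-Manager `
    -IncludeManagementTools -Restart

# 3. Create the data folder on the data disk (not C:) and share it.
#    AccessBased enumeration hides folders the caller cannot read.
$path = 'D:\data'
New-Item -ItemType Directory -Path $path -Force | Out-Null
New-SmbShare -Name 'UserData' -Path $path `
    -FullAccess 'NT AUTHORITY\Authenticated Users' `
    -FolderEnumerationMode AccessBased

# 4. Verify the share and its enumeration mode
Get-SmbShare -Name 'UserData' | Select-Object Name, Path, FolderEnumerationMode
```

Run this in an elevated PowerShell session on the server; `Get-SmbShare` should report `FolderEnumerationMode : AccessBased` for the new share.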
Configure Quota
To ensure a single user / group does not use space unfairly, we can configure a quota on a folder:
- Go to Server Manager -> Local Server -> Tools -> File Server Resource Manager.
- Go to Quota Management and Quotas.
- We can set a quota for any particular path as per requirement.
- Use the 10G template to configure the initial settings.
- Then edit the created quota's properties again to change the hard/soft limit as per requirement.
- This assumes that the folder on which the quota is set is writable only by the corresponding user/group. Note that, unlike Linux, the quota is not set at user level but at folder level. So we need to ensure via Windows file permissions that only the intended users can write to this quota-enabled folder.
Restrict certain file types
If it is desired to block certain file types say audio/video from being stored on file server, use:
- Go To Server Manager -> Local server -> Tools -> File Server Resource Manager
- Go to File Screen Management. Right click and choose 'Create File Screen'
- Choose the folder where the screen (block) should be configured and select option "Block Audio and Video Files"
- Also choose option to "Block executables"
- After creating a new screen, right click it and go to "Edit File Screen Properties". Here we can configure many other options such as email alerts, the extensions that are part of a given category, etc.
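The quota and file screen steps of the two sections above, as one added PowerShell example using the FSRM module (not code from the original page). It assumes a hypothetical per-user folder `D:\data\user1` for the quota and `D:\data` for the file screen; the file groups "Audio and Video Files" and "Executable Files" are the built-in FSRM groups that the GUI options "Block Audio and Video Files" and "Block executables" use:

```powershell
# Added example (not from the original page): folder quota and file screen
# through the FileServerResourceManager module.
# Assumptions (hypothetical): quota folder D:\data\user1, screen root D:\data.
Import-Module FileServerResourceManager

$quotaPath  = 'D:\data\user1'
$screenPath = 'D:\data'

# --- Quota: 10 GB hard limit on the folder ---------------------------------
# Log a warning event at 85% usage; the hard limit refuses writes past 10 GB.
$warnAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Usage of [Quota Path] has passed [Quota Threshold]% of its [Quota Limit] limit'
$threshold  = New-FsrmQuotaThreshold -Percentage 85 -Action $warnAction
New-FsrmQuota -Path $quotaPath -Size 10GB -Threshold $threshold `
    -Description 'Per-user data quota (folder level; NTFS permissions limit who can write)'

# Later adjustment, e.g. to a soft (monitor-only) limit of the same size:
# Set-FsrmQuota -Path $quotaPath -SoftLimit

# --- File screen: block audio/video and executables ------------------------
# Built-in file groups; their extension lists can be edited with Set-FsrmFileGroup.
New-FsrmFileScreen -Path $screenPath `
    -IncludeGroup 'Audio and Video Files', 'Executable Files' -Active

# --- Verify what is in force -----------------------------------------------
Get-FsrmQuota -Path $quotaPath | Select-Object Path, Size, SoftLimit, Usage
Get-FsrmFileScreen -Path $screenPath | Select-Object Path, IncludeGroup, Active
Get-FsrmFileGroup -Name 'Executable Files' | Select-Object -ExpandProperty IncludePattern
```

The last line lists exactly which extensions the executable screen blocks, which is worth checking before relying on it, since a file screen matches on file name only, not on content.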
Refer:
Sometimes the shared folders might be writable by other users. In that case files that others have written into these folders should never be executed on the local machine / server. To achieve this:
- At AD group policy level, block execution of files in the shared folder path:
  - Open Group Policy
  - Go to Computer Configuration -> Windows Settings -> Software Restriction Policies
  - Right click and choose the option to create new software restriction policies
  - After that go to the Additional Rules subfolder
  - Create a new Path rule. Give the path of the shared folder and set the security level to "Disallowed"
- Do the same in the Local Group Policy Editor at individual server level:
  - Open the Local Group Policy Editor
  - Go to Computer Configuration -> Windows Settings -> Software Restriction Policies
  - Right click and choose the option to create new software restriction policies
  - After that go to the Additional Rules subfolder
  - Create a new Path rule. Give the path of the shared folder and set the security level to "Disallowed"
- Optionally, copy an executable file to the shared folder (if it is not already blocked by the FSRM "block executables" file screen configured earlier) and try to run it as local administrator or domain admin to confirm that execution is refused.
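A read-only check that complements the manual test in the last step, as an added PowerShell example (not code from the original page): it reads the Software Restriction Policy path rules that are actually applied to the machine and reports whether the shared folder is covered by a "Disallowed" rule. Applied SRP rules live under `HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers`, with one subkey per security level (0 = Disallowed, 262144 = Unrestricted); the share path `\\fileserver01\UserData` is a hypothetical value:

```powershell
# Added example (not from the original page): list the applied SRP path rules
# and confirm the shared folder is covered by a Disallowed rule.
# Assumption (hypothetical): share path \\fileserver01\UserData.
$sharePath = '\\fileserver01\UserData'
$base      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

if (-not (Test-Path $base)) {
    Write-Warning 'No Software Restriction Policy is applied on this machine'
    return
}

# Level subkeys: 0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted
$levelName = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

$rules = foreach ($level in Get-ChildItem -Path $base) {
    $paths = "$base\$($level.PSChildName)\Paths"
    if (Test-Path $paths) {
        foreach ($rule in Get-ChildItem -Path $paths) {
            $p = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{
                Level       = $levelName[$level.PSChildName]
                Path        = $p.ItemData        # the path the rule matches
                Description = $p.Description
            }
        }
    }
}
$rules | Format-Table -AutoSize

# Is the share (or a parent of it) covered by a Disallowed path rule?
$blocked = $rules | Where-Object {
    $_.Level -eq 'Disallowed' -and $sharePath -like ($_.Path + '*')
}
if ($blocked) { "OK: $sharePath is covered by a Disallowed path rule" }
else          { Write-Warning "No Disallowed path rule covers $sharePath" }

# Policy-wide settings: PolicyScope 0 applies the rules to all users, including
# administrators (1 would exempt local administrators); DefaultLevel 262144 is
# "Unrestricted" for everything not matched by a rule.
Get-ItemProperty -Path $base | Select-Object DefaultLevel, PolicyScope, TransparentEnabled
```

Run it after `gpupdate /force` on a server or VDI machine; if the rule was created through the domain GPO but the key is absent, the GPO is not applying to that machine, which is a different problem from the rule itself being wrong.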
Refer:
- https://www.techtarget.com/searchsecurity/tip/Using-Windows-software-restriction-policies-to-stop-executable-code
- https://www.ryadel.com/en/windows-10-server-block-infected-exe-executables-software-restriction-group-policy-gpedit/
We can ensure that only specific people have read/write/full access on the shared folder as follows:
- If we create a parent folder, say C:\data, it can be shared via the Quick share option as suggested before.
- Inside data, if we create a folder user1 to which only user1 should have access, do the following:
  - Right click the "user1" folder and go to Properties
  - Go to the Security tab
  - Click Advanced at the bottom right
  - Disable inheritance, choosing to copy the inherited permissions onto the current object
  - Remove all permissions that allow access to all users of the system (likely 2 such permissions by default)
  - Add permissions for user1 with full control. Do not enable this for sub-containers in the user dialog; enable it for sub-folders and files in the parent Advanced Security dialog (where we removed access for all users of the system/domain).
  - Click Apply and click OK.
If folder permissions are required at the sub-sub-folder level, use the following example.
Assume a parent folder finance with two sub-folders gst and tds. The finance folder is itself a sub-folder of the main shared folder, e.g. C:\data from the example above.
There are five users
- user1
- user2
- user3
- user4
- user5
Requirements are as follows:
- user1, user2 should access gst
- user3, user4 should access tds
- user5 can create new sub-folders other than gst, tds
- user1 can write to gst
- user2 can only read gst
- user3 can write tds
- user4 can only read tds
- user1, user2 cannot access tds
- user3, user4 cannot access gst
To achieve the above:
- On the parent folder finance:
  - Disable inheritance
  - Give read access (not write/full control) to user1, user2, user3, user4 on "This folder only"
  - Give user5 full control on "This folder only"
  - Do not copy these permissions to sub-folders and files
- On gst:
  - Disable inheritance
  - Give full control to user1
  - Give read access to user2
  - Copy these on to sub-folders and files
- Similarly on tds:
  - Disable inheritance
  - Give full control to user3
  - Give read access to user4
  - Copy these on to sub-folders and files
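The finance/gst/tds model above (and the same disable-inheritance-then-grant pattern used for the per-user folders in the previous section), as an added PowerShell example using `Get-Acl`/`Set-Acl` (not code from the original page). It assumes a hypothetical shared root `D:\data`, a domain NetBIOS name `CORP`, and that user1 to user5 exist in AD. "This folder only" maps to inheritance flags `None`; "This folder, subfolders and files" maps to `ContainerInherit, ObjectInherit`. One choice of this example that the GUI steps do not mention: `Administrators` and `SYSTEM` are kept with full control explicitly, so that admins and backup jobs are never locked out when inheritance is disabled:

```powershell
# Added example (not from the original page): NTFS permissions for the
# finance/gst/tds scenario. Assumptions (hypothetical): root D:\data,
# domain NetBIOS name CORP, users CORP\user1 .. CORP\user5 exist.
$domain = 'CORP'
$root   = 'D:\data\finance'
$gst    = Join-Path $root 'gst'
$tds    = Join-Path $root 'tds'
foreach ($d in $root, $gst, $tds) { New-Item -ItemType Directory -Path $d -Force | Out-Null }

# Build one Allow rule. $ThisOnly = $true  -> "This folder only"
#                       $ThisOnly = $false -> "This folder, subfolders and files"
function New-Rule([string]$Identity,
                  [System.Security.AccessControl.FileSystemRights]$Rights,
                  [bool]$ThisOnly) {
    $inherit = if ($ThisOnly) {
        [System.Security.AccessControl.InheritanceFlags]::None
    } else {
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    }
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $inherit,
                      [System.Security.AccessControl.PropagationFlags]::None,
                      [System.Security.AccessControl.AccessControlType]::Allow
}

# Disable inheritance WITHOUT copying the inherited entries (this drops the
# broad "Users" entries), clear any explicit entries, then apply exactly the
# rules given plus Administrators/SYSTEM (a choice of this example).
function Set-FolderRules([string]$Path,
                         [System.Security.AccessControl.FileSystemAccessRule[]]$Rules) {
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($r in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($r)
    }
    $acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl' $false))
    $acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl' $false))
    foreach ($r in $Rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $Path -AclObject $acl
}

# finance: read (ReadAndExecute) for user1-4 and full control for user5,
# all on "This folder only", so nothing flows down into gst or tds.
Set-FolderRules $root @(
    (New-Rule "$domain\user1" 'ReadAndExecute' $true),
    (New-Rule "$domain\user2" 'ReadAndExecute' $true),
    (New-Rule "$domain\user3" 'ReadAndExecute' $true),
    (New-Rule "$domain\user4" 'ReadAndExecute' $true),
    (New-Rule "$domain\user5" 'FullControl'    $true)
)
# gst: user1 writes, user2 reads; inherited by sub-folders and files
Set-FolderRules $gst @(
    (New-Rule "$domain\user1" 'FullControl'    $false),
    (New-Rule "$domain\user2" 'ReadAndExecute' $false)
)
# tds: user3 writes, user4 reads; user1/user2 get no entry here at all
Set-FolderRules $tds @(
    (New-Rule "$domain\user3" 'FullControl'    $false),
    (New-Rule "$domain\user4" 'ReadAndExecute' $false)
)

# Verify: user3/user4 must not appear on gst and user1/user2 must not appear on tds
foreach ($d in $root, $gst, $tds) {
    "== $d"
    (Get-Acl -Path $d).Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, IsInherited |
        Format-Table -AutoSize
}
```

`ReadAndExecute` corresponds to the "Read & execute" basic permission (which includes list and read); the verification loop at the end prints every entry with `IsInherited` so it is obvious that nothing was inherited from `D:\data` into finance, gst or tds.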