Windows Server 2003 R2 is probably the most controversial operating system that Microsoft has ever produced. Some people believe that it is the greatest thing since sliced bread, while others claim that R2 is nothing more than a glorified service pack. Whatever your feelings are about R2 though, there is no denying that it contains quite a few security enhancements.
Since most R2-related security articles I have seen focus around Active Directory federation and single sign-on, I thought I would take a different approach. In this article, I'll talk about how you can use enhancements in R2's file server management capabilities to bolster your server's security.
One of my favorite new features in R2 isn't technically a security feature, but it can definitely be used to help increase a server's security. This new feature is called file screening. The basic idea behind file screening is that you can now control the types of content that are allowed to be placed in various folders.
This feature was originally designed as a way of conserving hard disk space. Even though file screening technology is designed to save space, you can use it to prevent potentially malicious files from being placed on your server. For example, in most environments, there is absolutely no legitimate reason why a user should be allowed to store executable code on a file server. It's the administrator's job to decide which applications to authorize and to distribute
File screening can also act as a safeguard against viruses, Trojans and other forms of malware. Imagine for a moment that tomorrow a user opens an e-mail message and it contains a new e-mail virus for which there is not yet an antivirus signature. What is stopping that virus from infiltrating your file servers? If the virus contains the right logic, then any network resources that the user who opened the virus has access to could potentially be at risk of infection.
Since viruses can take many different forms, I think it makes sense to be proactive and block file types for which your users have no legitimate business use. For example, if you know that the only application your users run is Microsoft Office, then obviously they need to be able to save Office documents in the file system. But if Office is the only application they are authorized to use, why allow them to store MP3 files, ZIP files or system files on the file server?
In R2, file screening is exposed through the new File Server Management console. The File Screening section is divided into three different containers. The File Groups section, shown in Figure A, contains a predefined list of file types. R2 already has a Backup Files group defined, which includes BAC, BCK, BKF and OLD files. It's worth noting that most of the file groups contain more file types than are shown in the figure.
Figure A: Windows pre-defines some file types.
The next portion of the interface I want to show you is the File Screens container, shown in Figure B. File Screens is where you actually implement file screening (by clicking the Create File Screen link). As you can see in the figure, Windows allows you to screen specific folders rather than applying a file screen to an entire volume. Figure B shows a sample screen I created that prevents audio and video files from being stored in the C:\TEST folder.
Figure B: The File Screens container allows you to define the level of screening you want to apply to various folders.
The last screen I want to show you is the File Screen Templates container shown in Figure C. This container holds pre-defined templates that you can use to quickly screen specific types of files.
Figure C: Windows offers templates that you can use to make screening files easier.
One last thing: File screening does not require you to use the pre-defined templates or the pre-defined file types. The predefined templates and file types are only there for your convenience. You are free to define your own file types and create custom screens to fit your needs. One thing to keep in mind as you create file screens, though, is that the file screening technology works by monitoring file extensions, not by looking at the actual contents of each file. As such, you can circumvent a file screen by renaming a file. For example, while researching this article, I created a filter that blocked MP3 files. I then bypassed the filter by renaming an MP3 file to use the .TXT extension.
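Because a file screen matches only the extension, a defender who relies on it to keep malware or unauthorized media off a share wants a content check behind it. The following is an added example, not code from the article or from Windows: it reads the leading bytes (magic numbers) of each file and flags files whose content contradicts their extension, the way a scheduled audit of a screened folder such as C:\TEST might. The signature table, the allowed-extension table and the sample file contents are constructed for illustration.

```python
import os

# Magic-byte signatures for a few types an audio or executable screen would block.
SIGNATURES = {
    "mp3": [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],
    "exe": [b"MZ"],
    "zip": [b"PK\x03\x04"],
}

# Extensions each real type legitimately uses.
ALLOWED_EXT = {
    "mp3": {".mp3"},
    "exe": {".exe", ".dll", ".scr", ".sys"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx"},  # Office 2007 files are ZIP containers
}

def detect_type(header):
    """Return the type name matching the leading bytes of a file, or None."""
    for kind, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return kind
    return None

def find_mismatches(files):
    """files maps path -> leading bytes; returns [(path, kind)] for files whose
    content contradicts the extension a file screen would have checked."""
    hits = []
    for path, header in files.items():
        kind = detect_type(header)
        if kind is not None and os.path.splitext(path)[1].lower() not in ALLOWED_EXT[kind]:
            hits.append((path, kind))
    return hits

def scan_folder(root, read_len=16):
    """Read the leading bytes of every file under root, then check them."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            with open(p, "rb") as fh:
                files[p] = fh.read(read_len)
    return find_mismatches(files)

# Constructed sample: an MP3 renamed to .TXT (the bypass the article describes),
# an executable renamed to .DAT, and two legitimate files.
SAMPLE = {
    r"C:\TEST\song.txt": b"ID3\x04\x00\x00\x00\x00\x21\x76",
    r"C:\TEST\setup.dat": b"MZ\x90\x00\x03\x00\x00\x00",
    r"C:\TEST\notes.txt": b"Meeting notes for Monday",
    r"C:\TEST\report.docx": b"PK\x03\x04\x14\x00\x06\x00",
}
```

On a live server, `scan_folder(r"C:\TEST")` walks the screened folder and returns the same kind of list that `find_mismatches(SAMPLE)` produces for the constructed sample.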
As you can see, R2's file screening technology isn't perfect. However, it is still an extremely valuable technology that you can use to help save space on your file servers, prevent malware infections and help prevent software license compliance issues.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.
This was first published in April 2006