While it might not seem obvious at first, maintaining control over the usage of drive space on your network is an important security measure. We've all heard of denial of service attacks. Well, they come in a variety of forms, including total consumption of storage space.
Whether users intend to take over an entire hard drive or it just occurs naturally or accidentally, you still need to protect your systems from it. A full hard drive can cause several problems, including system freezing, lost, damaged or corrupted files due to inadequate save space and a significant reduction in the performance of the system as a whole.
There are several products on the market that can be used to impose custom quota systems or set trigger alarms, but there is no need for third-party code with Windows 2000. Windows 2000 includes both a basic quota system and system alerts.
You can set system alerts through the Performance Logs and Alerts tool. Just create an alert to scan each drive every 15 minutes for remaining free space. If the free space available is less than five percent, the alarm should notify the system administrator. An alert will clue in the right person just before the denial of service sets in but there is an even better way to handle this and avert the crisis altogether -- namely, quotas.
Quotas limit the amount of hard drive space any user can consume with files stored on local hard drives of the network client. Quotas can be enabled and defined on a domain container basis -- domain, site or OU -- through an Active Directory group policy object (GPO). The quota control settings are found in the Local Computer Policy, Administrative Templates, System, Disk Quotas section. When you implement quotas through GPO, they apply to the members of the container and only to the client systems. To enable quotas on servers, configure the quotas directly through the Quota tab of the drive's Properties dialog box.
When defining quotas via GPO, here are a few key issues to keep in mind:
- GPO quota settings apply only to users who have not yet stored any files on the hard drive. You have to add quota entries to include existing users.
- GPO quota settings are applied to all users within the container, no exceptions (just like any other GPO setting)
- GPO quota settings define the same quota limits for all hard drives within the client that the user has access to.
James Michael Stewart is a researcher and writer for Lanwrights, Inc.