Server 2012 – Deny file extensions on shared folders

If you manage one or several file servers in your infrastructure, you may want to prevent users from saving files with specific extensions. The motivation can be a lack of storage for big files, or security. Moreover, if you use DFSR to replicate shared folders to another site, you don’t want to tie up the bandwidth replicating a movie.

Microsoft Windows Server includes a role that gives us the ability to manage files on shared folders: File Server Resource Manager (FSRM).

File Server Resource Manager FSRM

To deny some file extensions, we need to install and configure this role. Let’s see how to do that with Server 2012 R2.

Role Installation

File Server Resource Manager is a role included under the File and Storage Services.

  • To install FSRM, go to Server Manager and check File Server Resource Manager:
FSRM Installation

  • Confirm the role installation and wait for it to finish:
Role Installation

  • After the installation, you will get the File Server Resource Manager console.
FSRM Console

Configuring Server Options

In addition to denying the file, we can have the file server send an email for each blocked file, to the administrator and to the user. To do this, we need to configure Server Options:

  • Right-click on File Server Resource Manager (Local) and select Configure Options.
FSRM Server Options

  • On the Email notification tab, set your email server and an email address. You can set your security team distribution list for example.
FSRM Email notification

Extensions Policy

Microsoft provides 11 File Groups, each containing a set of extension types. For example, the File Group Audio and Video Files covers movie and music extensions, like .avi and .mp3.

Default File Group extensions

Once the File Group is created, we need to deploy the template on a folder.

  • Right-click on File Screen under File Screening Management:
Create File Screen

  • Enter the path of your folder and select the template used.
File Screen Information

  • We want to change settings for this screen, like email notification. Right-click on your File Screen and select “Edit File Screen Properties”.
File Screen Properties

  • On the first tab, we can choose between Active and Passive screening. We can select one or several file groups to deny.
File Screen Settings

  • On the Email Message tab, we enable FSRM to send an email to the user and to another address when a file is blocked.
File Screen Setting Messages

  • By default, FSRM sends a Warning entry to the Event Logs. We can enable or disable this:
Screen Settings Event Logs

  • It is possible to run a command line or script for each file blocked:
File Screen Command
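
The same configuration can be scripted with the FileServerResourceManager PowerShell module that is installed with the role's management tools. This is an added example, not part of the original article: the share path, SMTP host and mail addresses are placeholders, and it attaches the file group to the folder directly instead of going through a template.

```powershell
# Added example. Placeholder values (assumptions, not from the article):
$SharePath  = 'D:\Shares\Public'            # folder to screen
$SmtpServer = 'smtp.example.test'           # mail relay
$AdminMail  = 'security-team@example.test'  # e.g. the security team distribution list
$FromMail   = 'fsrm@example.test'
$FileGroup  = 'Audio and Video Files'       # default file group named in the article

# Role Installation: add FSRM and its console/cmdlets if missing.
if (-not (Get-WindowsFeature -Name FS-Resource-Manager).Installed) {
    Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools | Out-Null
}

# Configuring Server Options: mail server and administrator address.
Set-FsrmSetting -SmtpServer $SmtpServer -AdminEmailAddress $AdminMail `
                -FromEmailAddress $FromMail

# Fail early if the folder or the file group does not exist.
if (-not (Test-Path -LiteralPath $SharePath -PathType Container)) {
    throw "Folder not found: $SharePath"
}
Get-FsrmFileGroup -Name $FileGroup -ErrorAction Stop | Out-Null

# Notifications: mail to the administrator and the user, plus a Warning event.
# Bracketed names are FSRM variables expanded when the action fires.
$text = 'User [Source Io Owner] attempted to save [Source File Path] under ' +
        '[File Screen Path] on [Server]. The file is in the ' +
        '[Violated File Group] file group, which is not permitted here.'
$mailAction = New-FsrmAction -Type Email `
    -MailTo '[Admin Email];[Source Io Owner Email]' `
    -Subject 'Blocked file on [Server]' -Body $text
$logAction  = New-FsrmAction -Type Event -EventType Warning -Body $text

# Create the file screen, or update it if the folder already has one.
# -Active makes FSRM deny the write (active screening).
$params = @{
    Path         = $SharePath
    IncludeGroup = $FileGroup
    Notification = $mailAction, $logAction
    Active       = $true
}
if (Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue) {
    Set-FsrmFileScreen @params
} else {
    New-FsrmFileScreen @params | Out-Null
}

# Show the resulting screen so the change can be reviewed.
Get-FsrmFileScreen -Path $SharePath | Select-Object Path, Active, IncludeGroup
```

Setting `Active = $false` gives the passive screening mode from the first settings tab: the notifications still fire but the file is allowed, which is useful for a trial run before enforcing.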

Validation

From now on, when a user tries to copy and paste a file with a blocked extension, he will get an Access denied error:

Access denied file extension

At the same time, he will receive an email, as configured on the Email Message tab.

Blocked file email

More

You can get more information about File Server Resource Manager here.
