SolutionBase: Managing file types on Windows Storage Server with file screening

Given the opportunity, users will store all sorts of files on your network. Using File Screening on Windows Storage Server, you can control the types of files that users are allowed to save. Here's how it works.

This article is also available as a TechRepublic download.

Have you ever noticed the number of unnecessary files that some users (and perhaps even you) manage to store on file servers? People will save just about anything: some people save MP3 files; some, JPEG images once thought funny. In the meantime, this extra stuff takes up valuable storage space on the file server.

What if there was a way to prevent certain files from ever being stored in a share? Windows Storage Server (WSS) has just the mechanism to make this happen, and with very little administrative effort. This article will walk through the steps it takes to put file screening to work for you.

What's file screening?

File screening is a server-side technology in WSS that allows administrators to filter content. Any items that meet the conditions of the filter are allowed or disallowed based on rules.

For example, your company may publish white papers for download by its customers. For security reasons, the IT department has chosen the PDF file format for these documents and created a share on the WSS server called white_papers. They want to ensure no documents other than those in PDF format can be saved in the white papers share. There may have been e-mails sent out to make sure only PDF files get saved there, but enforcing those rules would require monitoring of the share on a regular basis.

WSS can employ file screening to ensure only PDF documents get stored in the specified directory. As we go through file screening, I will refer back to the PDF file example.

Note: File Screening is available on a per-share basis. You can configure different rules for each share you wish to monitor. This allows some shares to have rules, and others not.

Setting up File Screening

To set up File Screening, visit the Shares screen of the WSS administration site shown in Figure A. Select the File Screening link on the lower right hand side to open the File Screening Management page.

Figure A

WSS Shares screen

The initial File Screening page shows a list of rules already configured, if any are available. As you can see in Figure B, there is a rule allowing only PDF files to be saved into the selected share.

Figure B

View existing file screening objects

Similarly to directory quotas, file screening objects are based on policies that contain conditions that are met or not met. Some commonly used policies are shipped with WSS, including the PDF files policy used above. However, it may be advantageous to create a policy for other things, so I will look at file screening policies below.

Click Policies to create a file screening policy. From here, you will be taken to a page listing policies that already exist, as seen in Figure C. You will also be able to create new policies from this screen.

Figure C

Existing Policies

As you can see from the list, there are quite a few rules already in place to help you get the most out of File Screening and WSS. There are rules for many different types of media files, PDF files, office files, in addition to several other types. You can use any of these rules to control how WSS behaves, so there may be little need for new rules.

Let's suppose you want to filter out any files containing the MP3 extension. You can create a rule to disallow any files of this type. To begin, click New; the File Screening Policy wizard will welcome you. Click Next to proceed to the useful portion of the tool, seen in Figure D.

Figure D

The policy wizard welcome screen

After clicking Next on the Welcome screen, you are asked to name your rule. You can choose anything you like, as long as it does not already exist. If you are creating rules by department, you may want to append the department name to the rule. Figure E shows the policy naming page of the wizard. Enter a name for your policy and click Next to continue.

Figure E

Naming file screening policies

After naming the policy, you will need to provide some properties for the policy to evaluate, as seen in Figure F. These properties come in the form of groups. WSS groups like file types together to allow easy management of similar types of files. This can eliminate the need to create multiple rules to prevent the storage of MP2, MP3, or MP4 files. Since the creation of groups takes place separately from the creation of policies, we will visit this following policy creation.

Figure F

File screening group selection

When selecting a group of files, you can have authorized and unauthorized file types within the same group. For example, a group may disallow MP3 files while allowing WMA files because the marketing department creates a lot of presentations using Windows Media Audio.

Once you have selected the group that most closely matches your needs, select it in the list of available groups. Doing so will show you which file types are unauthorized and which are authorized for that group. Then click [<<] to move that group to the selected groups list, and click Next to continue. You can have many groups used in one policy; however, this may not make sense unless the files among those groups are very closely related.

On the next screen, shown below in Figure G, you will be asked questions about how this policy should behave. You can mark the policy active and allow findings to be recorded into the database running WSS. This keeps track of the number of times this policy has been triggered.

Figure G

How should your policy behave?

You can configure notifications to be sent out when this policy is triggered — such as a simple e-mail to let users know WSS prevented them from saving MP3 files to a share. When composing the messages for the policies, you can make use of macros to save time in referencing common elements like server name, share name, user name, etc. Simply begin entering your message and select the appropriate macro from the drop down list as needed. Messages can be sent to the offending user and/or saved to the event log of the server appliance.

Finally, the wizard will allow you to perform some actions each time the alert occurs. For example, you could run a report showing all of the files of a certain type that reside in the Accounting share whenever your new alert is triggered. You could also have WSS fire an executable application when the alert occurs. When you have made all of the needed choices on this page, click Next to proceed.

You have effectively completed the wizard. Click Finish to save this policy. You will now be able to use your new policy when creating File Screening Objects.

File screening groups

Before we create any objects that use your new policy, I want to go through the process of creating the file groups used in the policy process. File Screening in WSS uses groups to allow multiple file types to be checked together for screening. For example, one of the groups that ships with WSS is called Office Files. These are any of the file types created by Microsoft Office: text documents, spreadsheets, or presentation files, related only because they are produced by the same suite of applications.

You can also create custom groups to tie files together in the screening process. Let's give it a try.

From the main File Screening page in the WSS administration site, select the Groups button on the right side of the page. Clicking this link will display a list of currently available file screening groups. All of the default groups can also be modified if additional types need to be added; in many cases the need to add more groups is very low. Figure H shows the list of available groups.

Figure H

Groups available out of the box with WSS

To add a custom group, click the New button. Adding groups is as simple as telling WSS the name of your group, the files that are authorized, and the files that are unauthorized. Files are managed by extension. On the page shown in Figure I, complete the form as shown to create your new file screening group.

Figure I

Adding a new file screening group

Note: The button highlighted above is the link to add the entered file type to the list. If clicked as shown, .mov will be added to the unauthorized files list.

When you are finished adding authorized and unauthorized files to your new group, click OK. The list of groups will return, now displaying the new group you have just added, as seen in Figure J.

Figure J

The newly created file screening group

Adding custom groups may be useful if there are many file types you wish to manage for many different circumstances and only want to use one policy or file screening object to do so.

Note: Modifying existing groups is handled in the same screen as creating groups, check the box next to the group you wish to change and click Properties. From there, you can add and remove authorized and unauthorized file types.

Creating a File Screening object

Now that we have created policies and groups, we can use them to create a File Screening object which will be monitored to trigger alerts as needed. As with most things in WSS, creating a File Screening object is done with a wizard. The following will step through the wizard.

From the File Screening page in WSS administration, select the new button to enter the wizard. Click Next, past the opening welcome screen, to begin. Once past the wizard's welcome screen, you will be asked to select the directory the File Screening Object will monitor. Figure K shows this step in the wizard.

Figure K

Selecting a directory

In the directory path box on the right, enter the path to the directory you want this object to monitor. For example: D:\PDF_Files. Then click Add to include the entered directory in the list of selected directories. You can screen multiple directories with one file screening object: simply add them to the selected directories list before clicking Next to proceed.

On the next screen, select the policy that will be applied to this object. Remember, the policy is the set of rules that will screen the selected directories. This step is shown in Figure L.

Figure L

Selecting the policies for this screening object

After you have selected all of the policies necessary to adequately screen the directories chosen previously, click Next and then Finish to save the File Screening object. You will then see your new File Screening object in the list of objects when in the File Screening section of the WSS administration site.

File screening is a good addition

File screening is a great technology and can be a great help if the time is taken to get it configured and running. It does take a bit of work in the beginning to get things set up, but may be very useful and time saving when the need arises to enforce certain rules within your organization.

There are things that could be improved — removing some of the obligatory welcome and finish screens from the configuration wizards would certainly speed up the process — but overall, the File Screening portion of Windows Storage Server is worth a shot and may just save time if you later have a need to restrict the storage of certain files.

About Derek Schauland

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.

Editor's Picks

Free Newsletters, In your Inbox