File shares are often used to store company and user profile data. They need to be set up securely without adding too much administrative overhead, and in a way that copes with the ever-growing need for terabytes of storage. In this post I am going to show how we can achieve the following:

  1. To optimize the File Share storage.
  2. Set up a File Share in a secure manner.

     

There are several architectures you can choose from, ranging from scale-out file servers to highly available file servers. Today's setup uses NAS volumes running on a Synology RP 815+ with RAID 50, connected to the server via iSCSI using the MPIO Round Robin policy.

As my client is using Server 2012 R2, I am going to install File and Storage Services with the following components.

I am assuming that you can go through the installation steps so I am not including every single detail : )

 

To optimize the File Share storage.

Once installed, go to Server Manager > File and Storage Services > Volumes.

Select the volume that is going to host the file shares, right-click it and select Configure Data Deduplication. Select General purpose file server and leave the number of days at 30, or select your preferred value. This feature identifies duplicate files (chunks) and saves them as a single chunk, using much less disk space. A general purpose file server with data deduplication can achieve 2:1 space optimization. You can find more about the Data Deduplication feature on TechNet.

Now go to Shares, click Tasks at the top right-hand side, then New Share, and create your new share on the volume where you have enabled data deduplication.

Set up a File Share in a secure manner.

Once you have created the share, you can enable access-based enumeration either during the share setup or later from the share properties. Access-based enumeration shows shares and folders only to the users who have access to them. You can leverage encryption for further protection; however, in this particular case it isn't a requirement.

Now let's look at setting up the permissions. Although you can customize the permissions from Share Properties, I have chosen to do it the old style.

Go to the drive where you have the file share created > Properties > Sharing > Advanced Sharing > Permissions and grant Everyone the Read and Change permissions. This will ensure that everyone can see the share. Make sure you add the custom admin group and grant it Full Control for management of the share.

Now go to the Security tab; this is to be done on the top-level share only. Click Advanced > Change Permissions > Disable inheritance. At this point you will be prompted with 2 options.

Select Convert inherited permissions into explicit permissions on this object. This will ensure that your inherited permissions are retained on the share.

You will notice that there are 2 permission entries which look like ServerName\Users; we are going to modify these permissions. Although the entry says it is for the server's local Users group, domain users are members of the local Users group on the server.

For the first Users ACL, select the following advanced permissions and make sure that it is applied to “This folder, subfolders and files”.

For the second Users ACL, map the following permissions.

Click Apply to save the changes, and that's it. Now end users will only see the folders to which they have access.
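The same steps can be scripted in PowerShell and then checked, which is useful when the share has to be rebuilt or audited later. This is an added example, not part of the original post: the volume letter, folder path, share name and admin group are placeholder assumptions, and the two Users entries are only listed for review because the post edits their advanced permissions by hand.

```powershell
# Run in an elevated session on the file server.
# Placeholder values (assumptions, not from the original post).
$Volume     = 'E:'                       # volume hosting the share
$SharePath  = 'E:\Shares\CompanyData'    # top-level share folder
$ShareName  = 'CompanyData'
$AdminGroup = 'CONTOSO\FileShareAdmins'  # custom admin group

# 1. Deduplication: "General purpose file server" in the GUI is UsageType Default.
Enable-DedupVolume -Volume $Volume -UsageType Default | Out-Null
Set-DedupVolume -Volume $Volume -MinimumFileAgeDays 30

# 2. Share with access-based enumeration.
#    Everyone gets Change (which includes Read); the admin group gets Full.
if (-not (Test-Path $SharePath)) {
    New-Item -Path $SharePath -ItemType Directory | Out-Null
}
New-SmbShare -Name $ShareName -Path $SharePath `
    -FolderEnumerationMode AccessBased `
    -ChangeAccess 'Everyone' -FullAccess $AdminGroup | Out-Null

# 3. Top-level folder only: disable inheritance and convert the inherited
#    entries into explicit ones (isProtected = $true, preserveInheritance = $true).
$acl = Get-Acl -Path $SharePath
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $SharePath -AclObject $acl

# 4. Verify that each setting took effect.
$share = Get-SmbShare -Name $ShareName
$dedup = Get-DedupVolume -Volume $Volume
$acl   = Get-Acl -Path $SharePath
$checks = [ordered]@{
    'Deduplication enabled'    = $dedup.Enabled
    'Minimum file age is 30'   = ($dedup.MinimumFileAgeDays -eq 30)
    'Access-based enumeration' = ($share.FolderEnumerationMode -eq 'AccessBased')
    'Inheritance disabled'     = $acl.AreAccessRulesProtected
    'No inherited entries'     = (-not ($acl.Access | Where-Object IsInherited))
}
$checks.GetEnumerator() | Format-Table Name, Value -AutoSize

# Share-level permissions, then the Users entries that still need manual review.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessRight, AccessControlType -AutoSize
$acl.Access | Where-Object { $_.IdentityReference -like '*\Users' } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

Every row in the first table should read True; any False points at the step that did not apply.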

Note: There may be other ways to achieve the same; however, for me this method works fine without compromising security and performance.

Hope this helps.