Screening Files
Applies To: Windows Server 2008 R2
Create file screens to block files that belong to particular file groups from being saved on a volume or in a folder tree. A file screen affects all folders in the designated path. For example, you might create a file screen to prevent users from storing audio and video files in their personal folders on the server.
You can configure File Server Resource Manager to generate e-mail or other notifications when a file screening event occurs.
A file screen can be active or passive:
Active screening prevents users from saving unauthorized file types on the server, and generates configured notifications when they attempt to do so.
Passive screening sends configured notifications to users who are saving specific file types, but it does not prevent users from saving those files.
A file screen does not prevent users and applications from accessing files that were saved to the path before the file screen was created, regardless of whether the files are members of blocked file groups.
To simplify the management of file screens, we recommend that you base your file screens on file screen templates. A file screen template defines a screening type (active or passive), a set of file groups to block, and a set of notifications to be generated when a user attempts to save an unauthorized file. File Server Resource Manager provides several default file screen templates, which you can use to block audio and video files, executable files, image files, and e-mail files—and to meet some other common administrative needs. To view the default templates, select the File Screen Templates node in the File Server Resource Manager console tree.
For additional flexibility, you can configure a file screen exception in a subfolder of a path where you have created a file screen. When you place a file screen exception on a subfolder, you allow users to save file types there that would otherwise be blocked by the file screen applied to the parent folder.
In this section:
Working with file groups
Creating a file screen
Creating a file screen exception
Monitoring file screening
Working with file groups
Before you begin working with file screens, you must understand the role of file groups in determining which files are screened. A file group is used to define a namespace for a file screen or a file screen exception, or to generate a Files by File Group storage report.
A file group consists of a set of file name patterns, which are grouped into files to include and files to exclude:
Files to include: Files that belong in the group.
Files to exclude: Files that do not belong in the group.
For example, an Audio Files file group might include the following file name patterns:
Files to include: *.mp*: Includes all audio files created in current and future MPEG formats (MP2, MP3, and so forth).
Files to exclude: *.mpp: Excludes files created in Microsoft® Project (.mpp files), which would otherwise be included by the *.mp* inclusion rule.
File Server Resource Manager provides several default file groups, which you can view in File Screening Management by clicking the File Groups node. You can define additional file groups, or change the files to include and exclude. Any changes that you make to a file group affect all existing file screens, templates, and reports to which the file group has been added.
Note
For convenience, you can modify file groups when you edit the properties of a file screen, file screen exception, file screen template, or the Files by File Group report. Note that any changes that you make to a file group from these property sheets will affect all items that use that file group.
To create a file group
In File Screening Management, click the File Groups node.
In the Actions pane, click Create File Group. This opens the Create File Group Properties dialog box.
(Alternatively, while you edit the properties of a file screen, file screen exception, file screen template, or Files by File Group report, under Maintain file groups, click Create.)
In the Create File Group Properties dialog box, type a name for the file group.
Add files to include and files to exclude:
For each set of files that you want to include in the file group, in Files to include, type a file name pattern, and then click Add.
Standard rules for wildcard characters apply. For example, *.exe selects all executable files.
For each set of files that you want to exclude from the file group, in Files to exclude, type a file name pattern, and then click Add.
Note that standard wildcard rules apply—for example, *.exe selects all executable files.
Click OK.
Creating a file screen
In the following procedure, you will create a new file screen, and in the process save a file screen template that is based on the custom file screen properties that you defined. The new template is applied to the file screen so that a link is maintained between the file screen and the template. In a similar way, you can save a new quota template that is based on the custom properties of a quota you create.
To create a file screen
In File Screening Management, click the File Screens node.
Right-click File Screens, and click Create File Screen (or click Create File Screen in the Actions pane). This opens the Create File Screen dialog box.
Under File screen path, type the name of or browse to the folder that the file screen will apply to. The file screen will apply to the selected folder and all of its subfolders.
Under How do you want to configure file screen properties, click Define custom file screen properties, and then click Custom Properties. This opens the File Screen Properties dialog box.
If you want to copy the properties of an existing template to use as a base for your new file screen, select a template from the Copy properties from template drop-down list. Then click Copy.
Under Screening type, click the Active screening or Passive screening option.
Under File groups, select each file group that you want to include in your file screen.
If you want to view the file types that a file group includes and excludes, click the file group label, and then click Edit. To create a new file group, click Create.
Additionally, you can configure File Server Resource Manager to generate one or more notifications by setting the following options on the E-mail Message, Event Log, Command, and Report tabs.
If you want to generate e-mail notifications, on the E-mail Message tab, set the following options:
To notify administrators when a user or application attempts to save an unauthorized file, select the Send e-mail to the following administrators check box, and then enter the names of the administrative accounts that will receive the notifications. Use the format account@domain, and use semicolons to separate multiple accounts.
To send an e-mail notification to the user who attempted to save the file, select the Send e-mail to the user who attempted to save an unauthorized file check box.
To configure the message, edit the default subject line and message body that are provided. The text that is in brackets inserts variable information about the file screen event that caused the notification. For example, the [Source Io Owner] variable inserts the name of the user who attempted to save an unauthorized file. To insert additional variables in the text, click Insert Variable.
To configure additional e-mail headers (including From, Cc, Bcc, and Reply-to), click Additional E-mail Headers.
If you want to log an error to the event log when a user tries to save an unauthorized file, on the Event Log tab, select the Send warning to event log check box. Optionally, edit the default log entry.
If you want to run a command or script when a user tries to save an unauthorized file:
On the Command tab, select the Run this command or script check box. Then type the command, or click Browse to search for the location where the script is stored. You can also enter command arguments, select a working directory for the command or script, or modify the command security setting.
If you want to generate one or more storage reports when a user tries to save an unauthorized file:
On the Report tab, select the Generate reports check box, and then select which reports to generate. The reports are saved in the default location for incident reports, which you can modify in the File Server Resource Manager Options dialog box. Optionally, you can choose one or more administrative e-mail recipients for the report or e-mail the report to the user who attempted to save the file.
After you have selected all of the file screen properties that you want to use, click OK to close the File Screen Properties dialog box.
In the Create File Screen dialog box, click Create to save the file screen. This opens the Save Custom Properties as a Template dialog box.
To save a template that is based on these customized properties, click Save the custom properties as a template and type a name for the template. This option applies the template to the new file screen, and you can use the template to create additional file screens in the future.
Click OK.
Creating a file screen exception
Occasionally, you will need to allow exceptions to file screening. For example, you might want to block video files from a file server, but you need to allow your training group to save the video files for their computer-based training. To allow files that other file screens are blocking, create a file screen exception.
A file screen exception is a special type of file screen that overrides any file screening that would otherwise apply to a folder, and all its subfolders, in a designated exception path. That is, it creates an exception to any rules derived from a parent folder. To determine which file types the exception will allow, file groups are assigned.
To create a file screen exception
In File Screening Management, click the File Screens node.
Right-click File Screens, and click Create File Screen Exception (or click Create File Screen Exception in the Actions pane). This opens the Create File Screen Exception dialog box.
In the Exception path text box, type or select the path that the exception will apply to. The exception will apply to the selected folder and all of its subfolders.
To specify which files to exclude from file screening:
Under File groups, select each file group that you want to exclude from file screening.
If you want to view the file types that a file group includes and excludes, click the file group label, and then click Edit.
To create a new file group, click Create.
Click OK.
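The following added example (not part of the original documentation and not File Server Resource Manager code) models how file group include and exclude patterns, file screens inherited from parent folders, and a file screen exception combine to decide what happens to a file being saved. The sample groups, the paths, and the rule that an active screen outranks a passive one for the same file group are assumptions of this model, useful for reviewing a planned policy before it is created in the console.

```python
import re
from pathlib import PureWindowsPath as WinPath

def matches(pattern, name):
    """Case-insensitive wildcard match; only * and ? are special."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, name, re.IGNORECASE) is not None

def in_group(group, name):
    """Member if the name matches an include pattern and no exclude pattern."""
    return (any(matches(p, name) for p in group["include"])
            and not any(matches(p, name) for p in group["exclude"]))

# Constructed sample policy; group contents and paths are illustrative.
GROUPS = {
    "Audio Files": {"include": ["*.mp*", "*.wav"], "exclude": ["*.mpp"]},
    "Video Files": {"include": ["*.avi", "*.wmv"], "exclude": []},
}
SCREENS = {  # folder -> (screening type, blocked file groups)
    WinPath(r"D:\Shares"): ("active", ["Video Files"]),
    WinPath(r"D:\Shares\Users"): ("passive", ["Audio Files"]),
}
EXCEPTIONS = {WinPath(r"D:\Shares\Training"): ["Video Files"]}

def effective_groups(folder):
    """Groups screened in `folder`, inherited from every screen above it."""
    result = {}  # group name -> "active" or "passive"
    for level in [*reversed(list(folder.parents)), folder]:
        kind, groups = SCREENS.get(level, (None, []))
        for g in groups:
            # Model assumption: active is never downgraded by a passive screen.
            if result.get(g) != "active":
                result[g] = kind
        for g in EXCEPTIONS.get(level, []):
            result.pop(g, None)  # exception lifts inherited screening
    return result

def evaluate(file_path):
    """Return 'blocked', 'notify-only' or 'allowed' for a file being saved."""
    path = WinPath(file_path)
    hits = {kind for g, kind in effective_groups(path.parent).items()
            if in_group(GROUPS[g], path.name)}
    if "active" in hits:
        return "blocked"
    return "notify-only" if hits else "allowed"
```

In this model, plan.mpp under D:\Shares\Users is allowed because the *.mpp exclusion removes it from the Audio Files group, and video files under D:\Shares\Training are allowed because the exception lifts the screen inherited from D:\Shares.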
Monitoring file screening
In addition to the information in your file screen notifications, you can monitor file screening by viewing file screens in the File Screens results pane and by generating a File Screening Audit report.
Viewing file screening information
To view file screening information in the File Server Resource Manager console tree, click File Screening Management, and then click the File Screens node.
For each file screen, the results pane displays the following information: The path that the file screen was created for, the type of file screen (block or exception), the file groups included in the file screen, the template on which the file screen is based, and whether the current configuration of the file screen matches the configuration of the template.
For the selected file screen, the description area lists all file groups that are being blocked on the file screen path. This includes file groups that are blocked by the current file screen and file groups that are blocked by file screens created higher in the file screen path.
To filter the results pane display to the file screens that affect a specific path:
Click Filter.
In the File Screen Filter dialog box, under File Screen path, click the Parents of the following folder option or the Children of the following folder option.
Type or browse to the path.
Click OK.
File screening audit report
Use the File Screening Audit report to identify individuals or applications that violate the file screening policies. For instructions on generating a File Screening Audit report, see Generating Storage Reports.
Important
Before you run a File Screening Audit report, in the File Server Resource Manager Options dialog box, on the File Screen Audit tab, verify that the Record file screening activity in auditing database check box is selected.