
File Sharing Whitepaper

File Sharing Overview

File transfer is one of the original applications of networking, preceding even email.  At its simplest, it is the practice of making files available for users to download over private or public networks.  There are several design issues surrounding file sharing; the two most important are the centralization and the privacy of the file data.  The latter takes on added importance when the regulatory impact of file sharing is considered.

The Old Way

Distributed data storage has several serious shortcomings.  It is cost prohibitive to implement data protection capabilities in a distributed workstation and server environment.  Labor, software licensing, and other hidden system administration costs tend to increase exponentially when implementing these types of capabilities in a distributed environment.  Nevertheless, preservation of data in case a particular desktop client fails or loses data still requires a nightly backup of all pertinent data on every workstation in the computing and workstation infrastructure.  In a typical organization, 50–60 percent of all relevant mission related data is stored on the desktop.  This data is at great risk and is expensive to manage.

The traditional file sharing model of centralized storage counters many of the risks associated with distributed file sharing and simplifies the associated management process.  In a centralized model, data to be distributed resides in one central location, and users who want the information must go to that location.  In most installations, the server is a dedicated computer whose entire purpose is to distribute files.  Depending on the size of the operation, the location could comprise a group of computers.

Unlike distributed file sharing, where every user needs to be his or her own security officer and set file permissions on every share, client-side users typically don’t have to change any security settings in order to access files on the server or post files for distribution from the server.  The security design is taken care of by the server’s administrators.

Because this model transfers most of the security responsibilities to the central server, most of the security risks focus on the server as well.  If a file is infected with a virus, security problems can arise for the users who download infected files.  In addition, the file sharing model is more vulnerable to denial-of-service attacks.  Since everyone knows that the data comes from the central system, attackers can overload the system with fake requests for information and slow the system to a halt.

To maximize the benefits and mitigate some of the limitations associated with a single file store, the use of clustering technology is strongly recommended.  Clustering software provides a fail-over process so that the application(s) continue to run on a second server, without any loss of data or interruption in service.

Protecting the File-store

The specifics of how to protect a centralized file-store are beyond the scope of this whitepaper.  The technology changes fast as new threats are identified and new tools developed to protect the integrity and privacy of an organization’s/individual’s data.  With that said, it would be remiss not to cover the broad strokes.

Backup

Centralizing information provides significant advantages to an organization, sharing knowledge and process between users in an efficient way, reducing development time and leveraging previous efforts, until it’s not.

AntiVirus

Encryption

Structuring the File-store

Application Data File Sharing

Each application that executes from and/or stores file data on the network will be provided a folder within the Application Data file share.  These folders will be created by the network administration team as applications are identified.

Each Application folder will have the following properties:

  • Permissions – Any user given access to the Application Data file share will be provided list access to the root of the share.  Sub-folders will be created for each application, and user access and permissions will be determined on a per-application basis.  The most restrictive set of permissions will be used.  Network administrators will be given full control to perform backups and restores as needed.
  • Drive Mapping – a single drive mapping will be provided for all application folders (M:\).  This drive mapping will allow users access to each of their application shares without creating administrative or network overhead.

Group Data File Share

The Group Data file share will be modeled on the organizational structure.  Group accounts will be created within the directory services structure to control access to the data stored within the Group Data file share.  Folders will be created by the network administration team for each department identified within the organization.  As new groups of users are identified, group accounts and directories will be created by the network administrators.  The contents of the Group Data folder structure will be the responsibility of the department head.

Each folder will have the following properties:

  • File Permissions – each group will be given modify permissions to all data stored within their group share.  This allows users to create, remove, and modify data stored within the file structure.  Network administrators will be given access to perform backup and restore operations as necessary.
  • Drive Mapping – a single drive mapping will be provided for all group folders (G:\).  This drive mapping will allow users access to each of their group shares without creating administrative or network overhead.
  • Desktop Shortcut – a desktop shortcut will be created for each user that accesses the Group Data file share.
  • Department Head – this is the individual responsible for the contents of the Group Data folder.  Changes to the file structure and permissions, and/or notifications will be sent to this user.

In addition, Group Data folders may have the following properties:

  • File Encryption – users that store sensitive data can have their files automatically encrypted, limiting access to network administrators and reducing the potential of data loss.
  • File Synchronization – users requiring mobile access to the network may have their group folder synchronized with their laptop.  Changes made at either location will be automatically synchronized in either direction.

Project Data File Share

This file share is very similar to the Group Data file share described above.  Users will be allowed to create and share data with a subset of users within the organization.  The primary difference is the network administration support associated with the folders.  Users will be allowed to create new folders within the Project Data file share.  Once created, only the owning user will be allowed to access the contents of the new folder.  Users will then be able to share the folder, and its contents, with other network users.  This is completed without the involvement of the network administration team.

Each folder will have the following properties:

  • File Permissions – The creator/owner of the folder will have full control of the file folder.  They are given the permission to add or remove any other users to the folder.  The extent of the permissions given to the other users is left to the creator’s discretion.  The administrators will be given access to perform backup and restore operations as necessary.
  • Drive Mapping – a single drive mapping will be assigned for all Project Data folders (J:\).  This drive mapping will allow users to access or create their project folders without involving network administrators or creating additional network overhead.
  • Folder Owner – each folder will be assigned an owner.  This user will be given responsibility for assigning other users’ access and removing the folder when the project is finished.  Any system notification will be sent to this user account.

Public Data File Share

Individual users may want to share data with colleagues in the same or different departments outside a project.  This directory structure and the naming scheme ensure that users clearly understand which folders are confidential (and will remain that way) and which folders are shareable.

The Public Data file share will have the following properties:

  • Permissions – All users given access to the Public Data file share will have the ability to read and create data within the share.  Only the creator of a file will be able to modify or remove the data from the share.  Administrators will be given full control to perform backup and restore operations as necessary.
  • File Quota – users will be limited to 50 MB of disk space within the Public Data file share.
  • Drive Mapping – a single drive mapping will be assigned for the Public Data folders (P:\).  This drive mapping will allow users to access the public data share from any workstation they log on to.
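
One way to express the Project Data and Public Data permission models described above as NTFS ACLs, as an added example that is not part of the original whitepaper.  The server-side folder paths and the use of 'Authenticated Users' for "all users" are assumptions; run it from an elevated session on newly created folders.

```powershell
# Added example, not from the whitepaper. Paths and principals are assumptions.
# Each rule: identity, rights, inheritance flags, propagation flags.
$full  = 'ContainerInherit, ObjectInherit'   # this folder, subfolders and files
$admin = @(
  @('BUILTIN\Administrators', 'FullControl', $full, 'None'),   # backup and restore
  @('NT AUTHORITY\SYSTEM',    'FullControl', $full, 'None')
)
$models = @{
  # Project Data (J:\): users may list the root and create folders in it.
  # The rule is not inherited, so a new folder is visible only to its owner.
  'D:\Shares\Project' = @(
    @('Authenticated Users', 'ReadAndExecute, CreateDirectories', 'None', 'None'),
    @('CREATOR OWNER',       'FullControl', $full, 'InheritOnly')
  )
  # Public Data (P:\): everyone reads and creates, only the creator changes.
  # The create rights inherit to folders only, so they never turn into
  # write access on somebody else's file.
  'D:\Shares\Public' = @(
    @('Authenticated Users', 'ReadAndExecute', $full, 'None'),
    @('Authenticated Users', 'CreateFiles, CreateDirectories', 'ContainerInherit', 'None'),
    @('CREATOR OWNER',       'Modify', $full, 'InheritOnly')
  )
}

foreach ($path in $models.Keys) {
  New-Item -ItemType Directory -Path $path -Force | Out-Null
  $acl = Get-Acl -Path $path
  # Block inheritance and discard the ACEs inherited from the parent volume.
  $acl.SetAccessRuleProtection($true, $false)
  foreach ($r in ($admin + $models[$path])) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
              $r[0], $r[1], $r[2], $r[3], 'Allow')
    $acl.AddAccessRule($rule)
  }
  Set-Acl -Path $path -AclObject $acl

  # Print the resulting ACL so it can be compared with the intended model.
  (Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}
```

On the Public Data root the creator receives Modify rather than Full Control because Modify does not include the right to delete child items, so the creator of a subfolder cannot remove files that other users place in it.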

User Data Files Share

During the first wave of distributed computing, it was standard practice to assign home directories to each individual desktop and/or server.  The distributed nature of such an implementation created almost insurmountable problems when it came to protecting and preserving data availability during backup, restore, and disaster recovery.  These limitations still exist today.

To mitigate these risks each network user will be assigned a personal folder on the network.  This folder will have the following properties:

  • Redirected My Documents – users accessing the network through Windows 2000/XP/2003 desktops will have their My Documents folder redirected to their personal folder on the network.
  • Roaming Profiles – users that require workstation mobility and the consistency of profiles will be given a roaming profile[3].  This profile will be stored in the user’s personal folder.
  • Drive Mapping – users may access their personal folder through the use of a drive letter (H:\).  This provides users with traditional methods of file access and
  • File Synchronization – users requiring mobile access to the network will have their personal folder synchronized with their laptop.  Changes made at either location will be automatically synchronized in either direction.
  • File Permissions – each user will be given modify permission to their personal folder.  In addition, network administrators will be given access to perform backups and restores.

In addition to these properties, additional properties may be assigned to the user’s personal folders.  These properties are:

  • File Quota – a limitation of the amount of data an individual user may store within their personal folder can be assigned.  This limitation should be standardized across all users, though exceptions can be provided.
  • File Encryption – users that store sensitive data can have their files automatically encrypted, limiting access to network administrators and reducing the potential of data loss.

Distribution Share

This is an administrative file share used to store source files for programs that are available on the network.  This share will be accessible to the network administration team for performing installations and updates.

The Distribution share will have the following properties:

  • Permissions – Network administrators will be given full control permissions to add and remove programs as needed.  Network support staff will be provided read access to the share to simplify the installation process.
  • Drive Mapping – no drive mapping will be provided for this file share.
  • Hidden Share – This share will be hidden from the general user population.  Access to this share will require specific knowledge of its existence and location.

Table 17: File Sharing Services

File Share              | Drive Mapping | Description / Comment
Application Data Share  | not mapped    | Network and shared application data
Group Data Share        | G:\           | Organizational group data
Personal Data Share     | H:\           | Personal folders
Project Data Share      | J:\           | Temporary and project group data
Public Data             | P:\           | Public share data for entire organization
Distribution Share      | not mapped    | Software installation files

Author

WebMaster
