- Managing shared mailboxes in Office 365 with PowerShell - Thu, May 5 2016
- Managing shared mailboxes in Office 365 with the GUI - Wed, May 4 2016
- Installing and configuring the Enhanced Mitigation Experience Toolkit (EMET) - Wed, Mar 16 2016
File Screening is one of my favorite features in FSRM. One of the biggest challenges in running a file server is keeping certain kinds of files off your file server. Typically those are things like mp3 (and other digital music) files, video files, and executables just to name a few. With File Screening, you can control what file types can be saved to folders on your file server. There are two types of File Screens: active and passive. Active screening blocks configured file types from being saved to the folder and sub-folders. Passive screening allows the configured file types to be saved, but performs actions like logging or email notifications and can be useful for monitoring.
Creating a File Screen ^
In the FSRM administrative tool, go to File Screening Management, File Screens, and click on Create New File Screen.
Create File Screen
Like Quota Management, Microsoft recommends using templates for setting up File Screens. In our example, we’ll block users from storing executable files in their home directories. Set the file screen path and choose a template. Click Create to create the file screen.
File screen path and template
Editing the File Screen Properties lets us go in and customize the file screen further. With this particular template, the Screening type has been set to Active meaning that users will not be able to copy any file classified as executable into this path. (Note: this applies to everyone… even users with Administrator rights. If you’re setting an Active file screen, be really sure that is what you want to do.)
File Screen Properties
The E-mail Message tab lets you set a customized message that can be sent to the user (and a server administrator if you desire) that is trying to copy the screened file to the file server. Like Quotas, I highly recommend translating this into something your end users will understand; the built-in messages don’t always make sense to end users.
E-mail message tab
I also recommend leaving the e-mail notifications enabled instead of relying on the built-in error messages that will be generated by Windows on their computers. End users will receive a very basic “Destination Folder Access Denied” error that will tell them “You need permission to perform this action.” If you’re a larger organization, your help desk or frontline support is going to think they’re dealing with a permissions problem unless you’ve provided them with adequate troubleshooting steps and documentation.
You’re always going to have those times where the rule that applies to everyone needs an exception. In those situations, File Screening has the ability to crea
Destination Folder Access Denied
te exceptions for sub-folders. In the FSRM administrative tool, highlight the file screen you want to modify and then click Create File Screen Exception.
Create File Screen Exception
Choose your Exception path, choose the file group that should be excluded for this sub-folder, and then click OK. That’s it!
File Screen Exception - Executable files
File Groups ^
Pre-defined File Groups in FSRM
Needless to say, you’ll probably want to edit the existing File Groups or even create your own that fit your organization’s needs.
File Content ^
There’s one last gotcha you’ll want to know about File Screening. File Screening only looks at the name of the file and not the content of the file. So, if you block “Audio and Video Files,” File Screening won’t block .mp3 files that have their extension changed to something else. Honestly, I’ve never encountered someone that did this to circumvent File Screening, but it is still something you’ll want to be aware of before you implement File Screening.
In my next post I will cover storage reports.