
TP 04 SSE Windows

This document outlines a laboratory exercise focused on file server protection mechanisms in Windows Server 2022, detailing objectives, prerequisites, and various exercises related to NTFS permissions, share permissions, encryption, auditing, and dynamic access control. The exercises guide users through configuring permissions, setting up encryption, and implementing auditing to ensure data security. The document serves as a comprehensive guide for understanding and applying security features in a Windows Server environment.

Laboratory Exercise: File Server Protection Mechanisms in Windows Server 2022


-ESTIN-
System Security Course

March 23, 2025

Contents

1 Introduction
2 Objectives
3 Prerequisites
4 Laboratory Exercise 1: NTFS Permissions
    4.1 Understanding NTFS Permissions
    4.2 Tasks
5 Laboratory Exercise 2: Share Permissions and Their Interaction with NTFS
    5.1 Understanding Share Permissions
    5.2 Tasks
6 Laboratory Exercise 3: File Server Resource Manager (FSRM)
    6.1 Understanding FSRM
    6.2 Tasks
7 Laboratory Exercise 4: BitLocker and EFS Encryption
    7.1 Understanding Windows Encryption
    7.2 Tasks
8 Laboratory Exercise 5: Audit and Monitoring
    8.1 Understanding Auditing
    8.2 Tasks
9 Laboratory Exercise 6: Dynamic Access Control (DAC)
    9.1 Understanding Dynamic Access Control
    9.2 Tasks
10 Laboratory Exercise 7: Combining Protection Mechanisms
    10.1 Tasks

File Server Protection Windows Server 2022 Security

1 Introduction
This laboratory exercise focuses on the file server protection mechanisms in Windows Server
2022. Protection of files and storage is a critical component of operating system security.
Windows Server provides multiple security mechanisms to ensure data confidentiality, integrity,
and availability through access controls, permissions, encryption, and auditing. This lab will
guide you through the essential security features available in Windows Server 2022 for file server
implementations.

2 Objectives
By the end of this laboratory session, you should be able to:

• Configure basic and advanced NTFS permissions

• Implement Share permissions and understand their interaction with NTFS permissions

• Configure and use Access Control Lists (ACLs)

• Set up File Server Resource Manager (FSRM) for quotas and file screening

• Implement BitLocker and EFS encryption

• Configure auditing for file access

• Implement Dynamic Access Control (DAC)

3 Prerequisites
• Windows Server 2022 virtual machine with GUI

• Administrative access to the server

• File Server role installed

• Multiple user accounts for testing

• Additional virtual drive(s) for storage testing

4 Laboratory Exercise 1: NTFS Permissions


4.1 Understanding NTFS Permissions
NTFS permissions are the foundation of file security in Windows and provide granular control
over access to files and folders.
Basic NTFS permissions include:

• Read

• Write

• Read & Execute

• List Folder Contents

• Modify


• Full Control

Advanced NTFS permissions offer more granular control:

• Traverse Folder / Execute File

• List Folder / Read Data

• Read Attributes

• Read Extended Attributes

• Create Files / Write Data

• Create Folders / Append Data

• Write Attributes

• Write Extended Attributes

• Delete Subfolders and Files

• Delete

• Read Permissions

• Change Permissions

• Take Ownership

4.2 Tasks
1. Create a test directory structure:

    # Open PowerShell as Administrator
    New-Item -Path "C:\SecurityLab" -ItemType Directory
    New-Item -Path "C:\SecurityLab\NTFSPermissions" -ItemType Directory
    New-Item -Path "C:\SecurityLab\NTFSPermissions\TestFile.txt" -ItemType File -Value "This is a test file"
    New-Item -Path "C:\SecurityLab\NTFSPermissions\Confidential" -ItemType Directory
    New-Item -Path "C:\SecurityLab\NTFSPermissions\Confidential\Secret.txt" -ItemType File -Value "Confidential information"

2. Create test users and groups:


    # Create domain users (if in domain environment)
    New-ADUser -Name "User1" -SamAccountName "User1" -AccountPassword (ConvertTo-SecureString "P@ssw0rd1" -AsPlainText -Force) -Enabled $true
    New-ADUser -Name "User2" -SamAccountName "User2" -AccountPassword (ConvertTo-SecureString "P@ssw0rd1" -AsPlainText -Force) -Enabled $true

    # Create groups
    New-ADGroup -Name "ProjectA" -GroupScope Global -GroupCategory Security
    New-ADGroup -Name "Executives" -GroupScope Global -GroupCategory Security

    # Add users to groups
    Add-ADGroupMember -Identity "ProjectA" -Members "User1"
    Add-ADGroupMember -Identity "Executives" -Members "User2"

    # For non-domain environments, use local users instead
    New-LocalUser -Name "LocalUser1" -Password (ConvertTo-SecureString "P@ssw0rd1" -AsPlainText -Force) -FullName "Local User 1"
    New-LocalUser -Name "LocalUser2" -Password (ConvertTo-SecureString "P@ssw0rd1" -AsPlainText -Force) -FullName "Local User 2"
    New-LocalGroup -Name "LocalProjectA"
    New-LocalGroup -Name "LocalExecutives"
    Add-LocalGroupMember -Group "LocalProjectA" -Member "LocalUser1"
    Add-LocalGroupMember -Group "LocalExecutives" -Member "LocalUser2"

3. Configure basic NTFS permissions:


    # Remove inheritance and convert inherited permissions to explicit permissions
    $acl = Get-Acl -Path "C:\SecurityLab\NTFSPermissions"
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path "C:\SecurityLab\NTFSPermissions" -AclObject $acl

    # Add Read & Execute permission for ProjectA group
    $acl = Get-Acl -Path "C:\SecurityLab\NTFSPermissions"
    $permission = "DOMAIN\ProjectA", "ReadAndExecute", "Allow"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($accessRule)
    Set-Acl -Path "C:\SecurityLab\NTFSPermissions" -AclObject $acl

    # For local groups use
    # $permission = "COMPUTER_NAME\LocalProjectA", "ReadAndExecute", "Allow"

4. Configure advanced NTFS permissions:


    # Add specific advanced permissions for Executives group to Confidential folder
    $acl = Get-Acl -Path "C:\SecurityLab\NTFSPermissions\Confidential"
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path "C:\SecurityLab\NTFSPermissions\Confidential" -AclObject $acl

    $acl = Get-Acl -Path "C:\SecurityLab\NTFSPermissions\Confidential"
    $permission = "DOMAIN\Executives", "ReadData, ReadAttributes, ReadExtendedAttributes, ReadPermissions", "Allow"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($accessRule)
    Set-Acl -Path "C:\SecurityLab\NTFSPermissions\Confidential" -AclObject $acl

    # For local groups use
    # $permission = "COMPUTER_NAME\LocalExecutives", "ReadData, ReadAttributes, ReadExtendedAttributes, ReadPermissions", "Allow"

5. Set up deny permissions:

    # Deny access to a specific user
    $acl = Get-Acl -Path "C:\SecurityLab\NTFSPermissions\Confidential\Secret.txt"
    $permission = "DOMAIN\User1", "Read", "Deny"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.AddAccessRule($accessRule)
    Set-Acl -Path "C:\SecurityLab\NTFSPermissions\Confidential\Secret.txt" -AclObject $acl

    # For local users use
    # $permission = "COMPUTER_NAME\LocalUser1", "Read", "Deny"

6. Test the permissions:


    # Test as User1
    $credential = Get-Credential -UserName "DOMAIN\User1" -Message "Enter password"
    Invoke-Command -ComputerName localhost -Credential $credential -ScriptBlock {
        # Try to access regular folder
        Get-ChildItem -Path "C:\SecurityLab\NTFSPermissions" -ErrorAction SilentlyContinue

        # Try to access confidential folder
        Get-ChildItem -Path "C:\SecurityLab\NTFSPermissions\Confidential" -ErrorAction SilentlyContinue

        # Try to access secret file
        Get-Content -Path "C:\SecurityLab\NTFSPermissions\Confidential\Secret.txt" -ErrorAction SilentlyContinue
    }

    # Test as User2
    $credential = Get-Credential -UserName "DOMAIN\User2" -Message "Enter password"
    Invoke-Command -ComputerName localhost -Credential $credential -ScriptBlock {
        # Try to access regular folder
        Get-ChildItem -Path "C:\SecurityLab\NTFSPermissions" -ErrorAction SilentlyContinue

        # Try to access confidential folder and file
        Get-ChildItem -Path "C:\SecurityLab\NTFSPermissions\Confidential" -ErrorAction SilentlyContinue
        Get-Content -Path "C:\SecurityLab\NTFSPermissions\Confidential\Secret.txt" -ErrorAction SilentlyContinue
    }

5 Laboratory Exercise 2: Share Permissions and Their Interaction with NTFS

5.1 Understanding Share Permissions
Share permissions are the first level of security for network-accessed files and folders. They
include:


• Read

• Change

• Full Control

When combined with NTFS permissions, the most restrictive permission applies.

5.2 Tasks
1. Create and configure file shares:

    # Create directories for sharing
    New-Item -Path "C:\SecurityLab\Shares" -ItemType Directory
    New-Item -Path "C:\SecurityLab\Shares\PublicShare" -ItemType Directory
    New-Item -Path "C:\SecurityLab\Shares\RestrictedShare" -ItemType Directory

    # Add sample content
    New-Item -Path "C:\SecurityLab\Shares\PublicShare\PublicDocument.txt" -ItemType File -Value "This is a public document"
    New-Item -Path "C:\SecurityLab\Shares\RestrictedShare\RestrictedDocument.txt" -ItemType File -Value "This is a restricted document"

    # Create shares using PowerShell
    New-SmbShare -Name "Public" -Path "C:\SecurityLab\Shares\PublicShare" -FullAccess "Everyone"
    New-SmbShare -Name "Restricted" -Path "C:\SecurityLab\Shares\RestrictedShare" -ReadAccess "DOMAIN\ProjectA" -ChangeAccess "DOMAIN\Executives"

    # For local groups
    # New-SmbShare -Name "Restricted" -Path "C:\SecurityLab\Shares\RestrictedShare" -ReadAccess "COMPUTER_NAME\LocalProjectA" -ChangeAccess "COMPUTER_NAME\LocalExecutives"

2. Configure NTFS permissions for shared folders:


    # Set NTFS permissions for Public share
    $acl = Get-Acl -Path "C:\SecurityLab\Shares\PublicShare"
    $acl.SetAccessRuleProtection($true, $true)
    $permission = "Everyone", "ReadAndExecute", "Allow"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($accessRule)
    Set-Acl -Path "C:\SecurityLab\Shares\PublicShare" -AclObject $acl

    # Set NTFS permissions for Restricted share
    $acl = Get-Acl -Path "C:\SecurityLab\Shares\RestrictedShare"
    $acl.SetAccessRuleProtection($true, $true)

    # Add Read permission for ProjectA
    $permission = "DOMAIN\ProjectA", "ReadAndExecute", "Allow"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($accessRule)

    # Add Modify permission for Executives
    $permission = "DOMAIN\Executives", "Modify", "Allow"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.AddAccessRule($accessRule)

    Set-Acl -Path "C:\SecurityLab\Shares\RestrictedShare" -AclObject $acl

    # For local groups
    # $permission = "COMPUTER_NAME\LocalProjectA", "ReadAndExecute", "Allow"
    # $permission = "COMPUTER_NAME\LocalExecutives", "Modify", "Allow"

3. Test access to shared folders:


    # Test access from a client machine or using different user credentials
    # Using PowerShell as User1
    $credential = Get-Credential -UserName "DOMAIN\User1" -Message "Enter password"
    Invoke-Command -ComputerName localhost -Credential $credential -ScriptBlock {
        # Try to access public share
        Get-ChildItem -Path "\\localhost\Public" -ErrorAction SilentlyContinue

        # Try to access restricted share
        Get-ChildItem -Path "\\localhost\Restricted" -ErrorAction SilentlyContinue

        # Try to create a file in restricted share
        New-Item -Path "\\localhost\Restricted\TestFile.txt" -ItemType File -Value "Test" -ErrorAction SilentlyContinue
    }

    # Test as User2
    $credential = Get-Credential -UserName "DOMAIN\User2" -Message "Enter password"
    Invoke-Command -ComputerName localhost -Credential $credential -ScriptBlock {
        # Try to access public share
        Get-ChildItem -Path "\\localhost\Public" -ErrorAction SilentlyContinue

        # Try to access restricted share
        Get-ChildItem -Path "\\localhost\Restricted" -ErrorAction SilentlyContinue

        # Try to create a file in restricted share
        New-Item -Path "\\localhost\Restricted\ExecutiveFile.txt" -ItemType File -Value "Executive content" -ErrorAction SilentlyContinue
    }
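
The "most restrictive permission applies" rule from section 5.1, worked through for the Public and Restricted shares configured above. This is an added example, not part of the original handout: the function names are hypothetical, the ACL entries are constructed to contain only the rules this lab adds (ACEs preserved from the parent folder are left out), and the mapping of share levels to NTFS rights is an approximation.

```powershell
# Added example: effective access over SMB is the intersection of what the
# share ACL and the NTFS ACL each grant to the caller.
# All ACL entries below are constructed to mirror the lab's two shares.

# Approximate NTFS-equivalent rights for the three share permission levels
$ShareLevel = @{ Read = 'ReadAndExecute'; Change = 'Modify'; Full = 'FullControl' }

function New-AclEntry($Identity, $Rights, $Type = 'Allow') {
    [pscustomobject]@{ Identity = $Identity; Rights = $Rights; Type = $Type }
}

function Get-GrantedMask {
    # Union of Allow rights minus union of Deny rights for the caller's identities.
    # Assumption: every entry is explicit, so a Deny always overrides an Allow.
    param([object[]]$Acl, [string[]]$Identities)
    $allow = 0
    $deny  = 0
    foreach ($entry in $Acl) {
        if ($Identities -notcontains $entry.Identity) { continue }
        $bits = [int][System.Security.AccessControl.FileSystemRights]$entry.Rights
        if ($entry.Type -eq 'Deny') { $deny = $deny -bor $bits }
        else                        { $allow = $allow -bor $bits }
    }
    $allow -band (-bnot $deny)
}

function Get-EffectiveShareAccess {
    param([object[]]$ShareAcl, [object[]]$NtfsAcl, [string[]]$Identities)
    $share = Get-GrantedMask -Acl $ShareAcl -Identities $Identities
    $ntfs  = Get-GrantedMask -Acl $NtfsAcl  -Identities $Identities
    # A right survives only if both layers grant it
    [System.Security.AccessControl.FileSystemRights]($share -band $ntfs)
}

$shares = @{
    Public = @{
        Share = @(New-AclEntry 'Everyone' $ShareLevel.Full)
        Ntfs  = @(New-AclEntry 'Everyone' 'ReadAndExecute')
    }
    Restricted = @{
        Share = @(
            New-AclEntry 'DOMAIN\ProjectA'   $ShareLevel.Read
            New-AclEntry 'DOMAIN\Executives' $ShareLevel.Change
        )
        Ntfs = @(
            New-AclEntry 'DOMAIN\ProjectA'   'ReadAndExecute'
            New-AclEntry 'DOMAIN\Executives' 'Modify'
        )
    }
}

# Identities carried in each test user's token (user, group, Everyone)
$tokens = [ordered]@{
    'DOMAIN\User1' = 'DOMAIN\User1', 'DOMAIN\ProjectA', 'Everyone'
    'DOMAIN\User2' = 'DOMAIN\User2', 'DOMAIN\Executives', 'Everyone'
}

$writeData = [int][System.Security.AccessControl.FileSystemRights]::WriteData
$result = foreach ($user in $tokens.Keys) {
    foreach ($name in 'Public', 'Restricted') {
        $effective = Get-EffectiveShareAccess -ShareAcl $shares[$name].Share `
            -NtfsAcl $shares[$name].Ntfs -Identities $tokens[$user]
        [pscustomobject]@{
            User      = $user
            Share     = $name
            Effective = $effective
            CanWrite  = (([int]$effective) -band $writeData) -ne 0
        }
    }
}
$result | Format-Table -AutoSize
```

On a live server the same entry objects can be built from Get-SmbShareAccess (AccountName, AccessRight, AccessControlType) and from the Access property of Get-Acl.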


6 Laboratory Exercise 3: File Server Resource Manager (FSRM)


6.1 Understanding FSRM
File Server Resource Manager provides tools for managing and classifying data stored on file
servers, including:

• Quota Management

• File Screening

• Storage Reports

• File Classification

6.2 Tasks
1. Install the FSRM role service:

    # Install FSRM role service
    Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

2. Configure quotas:

    # Create a quota template
    # Each threshold is wrapped in parentheses so the comma separates two
    # threshold objects instead of being parsed as part of -Action
    New-FsrmQuotaTemplate -Name "UserQuota" -Size 500MB -Threshold @(
        (New-FsrmQuotaThreshold -Percentage 85 -Action @(New-FsrmAction -Type Email -MailTo "admin@domain.com" -Subject "85% Quota Reached")),
        (New-FsrmQuotaThreshold -Percentage 95 -Action @(New-FsrmAction -Type Email -MailTo "admin@domain.com" -Subject "95% Quota Reached"))
    )

    # Create a directory for user data
    New-Item -Path "C:\SecurityLab\UserData" -ItemType Directory
    New-Item -Path "C:\SecurityLab\UserData\User1" -ItemType Directory
    New-Item -Path "C:\SecurityLab\UserData\User2" -ItemType Directory

    # Apply quota to user directories
    New-FsrmQuota -Path "C:\SecurityLab\UserData\User1" -Template "UserQuota"
    New-FsrmQuota -Path "C:\SecurityLab\UserData\User2" -Template "UserQuota"

3. Set up file screening:


    # Create a file group for executable files
    New-FsrmFileGroup -Name "ExecutableFiles" -IncludePattern @("*.exe", "*.bat", "*.cmd", "*.msi", "*.ps1")

    # Create a file screen template
    # (file screen cmdlets take their actions through -Notification)
    New-FsrmFileScreenTemplate -Name "BlockExecutables" -IncludeGroup "ExecutableFiles" -Active:$true -Notification @(
        New-FsrmAction -Type Email -MailTo "admin@domain.com" -Subject "Unauthorized file type blocked"
    )

    # Apply file screen to directories
    New-FsrmFileScreen -Path "C:\SecurityLab\UserData" -Template "BlockExecutables"

4. Create a file classification rule:


    # Create a classification property
    # (possible values are objects built with New-FsrmClassificationPropertyValue)
    New-FsrmClassificationPropertyDefinition -Name "Confidentiality" -Type SingleChoice -PossibleValue @(
        (New-FsrmClassificationPropertyValue -Name "Public"),
        (New-FsrmClassificationPropertyValue -Name "Internal"),
        (New-FsrmClassificationPropertyValue -Name "Confidential"),
        (New-FsrmClassificationPropertyValue -Name "Restricted")
    )

    # Create a classification rule
    New-FsrmClassificationRule -Name "ConfidentialDocuments" -Property "Confidentiality" -PropertyValue "Confidential" -Namespace @("C:\SecurityLab\Shares\RestrictedShare") -ClassificationMechanism "Content Classifier" -ContentString @("confidential", "classified", "sensitive")

5. Generate storage reports:


    # Create a storage report (scheduled weekly, Monday at 12 am)
    New-FsrmStorageReport -Name "QuotaUsage" -Namespace @("C:\SecurityLab\UserData") -ReportType @("QuotaUsage") -Schedule (New-FsrmScheduledTask -Time (Get-Date "12:00am") -Weekly Monday) -MailTo "admin@domain.com"

6. Test FSRM functionality:


    # Test quota by creating large files
    # (fsutil expects a size in bytes; the parentheses make PowerShell expand 400MB)
    $largeFile = "C:\SecurityLab\UserData\User1\LargeFile.bin"
    fsutil file createnew $largeFile (400MB)

    # Try to create a second large file (together they exceed the 500 MB quota limit)
    $secondFile = "C:\SecurityLab\UserData\User1\SecondLargeFile.bin"
    fsutil file createnew $secondFile (150MB)

    # Test file screening
    # (fsutil is a native command and does not throw, so check its exit code)
    $blockedFile = "C:\SecurityLab\UserData\User1\test.exe"
    fsutil file createnew $blockedFile (1MB)
    if ($LASTEXITCODE -ne 0) {
        Write-Output "File creation blocked as expected"
    }

    # Run classification manually
    Start-FsrmClassification

    # View classification results for a file (read through the FSRM COM interface)
    $classifier = New-Object -ComObject Fsrm.FsrmClassificationManager
    $classifier.EnumFileProperties("C:\SecurityLab\Shares\RestrictedShare\RestrictedDocument.txt", 0) |
        Select-Object Name, Value

7 Laboratory Exercise 4: BitLocker and EFS Encryption


7.1 Understanding Windows Encryption
Windows Server provides two primary encryption mechanisms:


• BitLocker Drive Encryption: Full volume encryption

• Encrypting File System (EFS): Individual file and folder encryption

7.2 Tasks
1. Configure BitLocker on a data drive:

    # Ensure BitLocker feature is installed
    Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools

    # Initialize a new disk for BitLocker testing (assumes disk 1 is available)
    # The partition is given drive letter D explicitly so the following steps match
    Initialize-Disk -Number 1 -PartitionStyle GPT
    New-Partition -DiskNumber 1 -UseMaximumSize -DriveLetter D
    Format-Volume -DriveLetter D -FileSystem NTFS -NewFileSystemLabel "Encrypted" -Confirm:$false

    # Create test data
    New-Item -Path "D:\ConfidentialData" -ItemType Directory
    New-Item -Path "D:\ConfidentialData\Secret.txt" -ItemType File -Value "Top secret information"

    # Enable BitLocker with TPM (if available) or password protector
    # TPM protectors are intended for the operating system volume; if this
    # fails on the data volume, use the password protector variant below
    Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
    # If TPM is not available, use:
    # $SecurePassword = ConvertTo-SecureString "ComplexPassword123!" -AsPlainText -Force
    # Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -PasswordProtector -Password $SecurePassword

    # Backup the recovery key to a file
    # (Backup-BitLockerKeyProtector saves to AD DS and has no -Path parameter;
    # a recovery key protector writes its key file to the given folder)
    $RecoveryPath = "C:\SecurityLab\BitLockerRecovery"
    New-Item -Path $RecoveryPath -ItemType Directory -Force
    Add-BitLockerKeyProtector -MountPoint "D:" -RecoveryKeyProtector -RecoveryKeyPath $RecoveryPath

2. Configure Encrypting File System (EFS):


    # Create a directory for EFS testing
    New-Item -Path "C:\SecurityLab\EFS" -ItemType Directory
    New-Item -Path "C:\SecurityLab\EFS\Confidential.txt" -ItemType File -Value "EFS protected information"

    # Encrypt a file using EFS
    cipher /e "C:\SecurityLab\EFS\Confidential.txt"

    # Encrypt a directory
    cipher /e "C:\SecurityLab\EFS"

    # Add a recovery agent (requires Certificate Services or importing a recovery certificate)
    # This is typically managed through Group Policy in a domain environment


3. Test encryption functionality:


    # Test BitLocker by trying to access the data from another system or after removing the TPM binding
    # (This requires physical testing with multiple systems or drive removal)

    # Test EFS with different users
    $credential = Get-Credential -UserName "DOMAIN\User1" -Message "Enter password"
    Invoke-Command -ComputerName localhost -Credential $credential -ScriptBlock {
        # Try to access EFS encrypted file
        Get-Content -Path "C:\SecurityLab\EFS\Confidential.txt" -ErrorAction SilentlyContinue
    }

    # Check encryption status
    cipher /s:"C:\SecurityLab\EFS"

8 Laboratory Exercise 5: Audit and Monitoring


8.1 Understanding Auditing
Windows Server provides comprehensive auditing capabilities to track file and folder access
attempts.

8.2 Tasks
1. Configure audit policies:

    # Enable file auditing in Group Policy
    # This can be done via Local Security Policy or Group Policy Management Console
    auditpol /set /subcategory:"File System" /success:enable /failure:enable

    # The audit rule (SACL entry) itself can be built in PowerShell
    $auditFlags = [System.Security.AccessControl.AuditFlags]"Success, Failure"
    $fileSystemAuditRule = New-Object System.Security.AccessControl.FileSystemAuditRule("Everyone", "ReadData", $auditFlags)

2. Configure auditing on specific folders:


    # Create a directory for auditing
    New-Item -Path "C:\SecurityLab\AuditTest" -ItemType Directory
    New-Item -Path "C:\SecurityLab\AuditTest\AuditedFile.txt" -ItemType File -Value "This file is being audited"

    # Configure auditing on a folder
    $acl = Get-Acl -Path "C:\SecurityLab\AuditTest" -Audit
    $AuditUser = "Everyone"
    $AuditRules = "ReadData, WriteData, AppendData, Delete"
    $InheritType = "ContainerInherit, ObjectInherit"
    $AuditType = "Success, Failure"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($AuditUser, $AuditRules, $InheritType, "None", $AuditType)
    $acl.AddAuditRule($accessRule)
    Set-Acl -Path "C:\SecurityLab\AuditTest" -AclObject $acl

3. Test and review auditing:


    # Perform actions to generate audit events
    $credential = Get-Credential -UserName "DOMAIN\User1" -Message "Enter password"
    Invoke-Command -ComputerName localhost -Credential $credential -ScriptBlock {
        # Try to access the audited file
        Get-Content -Path "C:\SecurityLab\AuditTest\AuditedFile.txt" -ErrorAction SilentlyContinue

        # Try to modify the audited file
        Add-Content -Path "C:\SecurityLab\AuditTest\AuditedFile.txt" -Value "Modified content" -ErrorAction SilentlyContinue

        # Try to delete the audited file
        Remove-Item -Path "C:\SecurityLab\AuditTest\AuditedFile.txt" -ErrorAction SilentlyContinue
    }

    # Review security events
    Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4663]]" | Select-Object -First 10
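
Raw 4663 records are hard to read, so the added example below (not part of the original handout) turns audit events into one row per access with the access mask decoded. It goes slightly beyond the query above by also accepting event 4656, where denied handle requests are recorded as audit failures. The function names are hypothetical and the sample events are constructed, reduced to the fields the parser reads.

```powershell
# Added example: decode file-audit events (Security log, IDs 4656 and 4663)
# from their XML form. The sample events are constructed, not captured.

# File access-mask bits recorded in the AccessMask field
$AccessBits = @{
    0x1     = 'ReadData';       0x2     = 'WriteData'
    0x4     = 'AppendData';     0x20    = 'Execute'
    0x40    = 'DeleteChild';    0x80    = 'ReadAttributes'
    0x100   = 'WriteAttributes'; 0x10000 = 'Delete'
    0x20000 = 'ReadControl';    0x40000 = 'WriteDac'
    0x80000 = 'WriteOwner'
}

function ConvertFrom-FileAuditXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt  = ([xml]$EventXml).Event
        # Flatten <Data Name="...">value</Data> into a lookup table
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $mask  = [Convert]::ToInt32($data['AccessMask'], 16)
        $names = foreach ($bit in ($AccessBits.Keys | Sort-Object)) {
            if ($mask -band $bit) { $AccessBits[$bit] }
        }
        # Keywords 0x8010000000000000 = Audit Failure, 0x8020000000000000 = Audit Success
        $outcome = if ($evt.System['Keywords'].InnerText -eq '0x8010000000000000') { 'Failure' } else { 'Success' }

        [pscustomobject]@{
            EventId = [int]$evt.System['EventID'].InnerText
            Outcome = $outcome
            Time    = $evt.System.TimeCreated.SystemTime
            User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Access  = $names -join ', '
            Object  = $data['ObjectName']
        }
    }
}

# Constructed sample input: builds a minimal event document
function New-SampleAuditXml($Id, $Outcome, $User, $Object, $Mask) {
    $kw = if ($Outcome -eq 'Failure') { '0x8010000000000000' } else { '0x8020000000000000' }
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>$Id</EventID>
    <Keywords>$kw</Keywords>
    <TimeCreated SystemTime="2025-03-23T10:15:00Z"/>
  </System>
  <EventData>
    <Data Name="SubjectUserName">$User</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="ObjectName">$Object</Data>
    <Data Name="AccessMask">$Mask</Data>
  </EventData>
</Event>
"@
}

$file = 'C:\SecurityLab\AuditTest\AuditedFile.txt'
$sampleEvents = @(
    New-SampleAuditXml 4663 Success User1 $file '0x1'      # Get-Content
    New-SampleAuditXml 4663 Success User1 $file '0x4'      # Add-Content
    New-SampleAuditXml 4663 Success User1 $file '0x10000'  # Remove-Item
    New-SampleAuditXml 4656 Failure User2 $file '0x10000'  # denied delete
)

$report = $sampleEvents | ConvertFrom-FileAuditXml
$report | Format-Table EventId, Outcome, User, Access, Object -AutoSize

# Triage view: denied requests and destructive or permission-changing access
$report |
    Where-Object { $_.Outcome -eq 'Failure' -or $_.Access -match 'Delete|WriteDac|WriteOwner' } |
    Format-Table EventId, Outcome, User, Access -AutoSize
```

Live events can be piped in with Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4656,4663} -MaxEvents 50 | ForEach-Object { $_.ToXml() } | ConvertFrom-FileAuditXml.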

9 Laboratory Exercise 6: Dynamic Access Control (DAC)


9.1 Understanding Dynamic Access Control
Dynamic Access Control provides a way to control access to files and folders based on user and
resource attributes.

9.2 Tasks
1. Configure central access policies:

    # This requires Active Directory and Group Policy
    # Note: These commands must be run on a domain controller or with appropriate permissions

    # Create resource properties
    # (suggested values are ADSuggestedValueEntry objects; the property is then
    # added to the global list so that file servers can pick it up)
    $values = "Low", "Medium", "High" | ForEach-Object {
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($_, $_, "$_ confidentiality")
    }
    $property = New-ADResourceProperty -DisplayName "Confidentiality" -ResourcePropertyValueType "MS-DS-SinglevaluedChoice" -SuggestedValues $values -IsSecured $true -Enabled $true -PassThru
    Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members $property

    # Create a central access rule
    # Target: resources whose Confidentiality is High
    # Access: owner, Administrators and SYSTEM full control; Executives read and write (0x12019f)
    $sid = (Get-ADGroup -Identity "Executives").SID.Value
    $condition = '(@RESOURCE.{0} == "High")' -f $property.Name
    $currentAcl = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x12019f;;;$sid)"
    New-ADCentralAccessRule -Name "ConfidentialAccess" -ResourceCondition $condition -CurrentAcl $currentAcl

    # Create a central access policy
    New-ADCentralAccessPolicy -Name "DataClassificationPolicy" -Description "Policy for classified data"
    Add-ADCentralAccessPolicyMember -Identity "DataClassificationPolicy" -Members "ConfidentialAccess"

    # Configure Group Policy to apply the central access policy

2. Apply resource classification:


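    # Create a directory for DAC testing
    New-Item -Path "C:\SecurityLab\DACTest" -ItemType Directory
    New-Item -Path "C:\SecurityLab\DACTest\HighConfidential.txt" -ItemType File -Value "High confidentiality data"

    # Classify the test file using resource properties
    # (run on the file server: FSRM first pulls the property definitions from
    # Active Directory, then the value is set through the FSRM COM interface)
    Update-FsrmClassificationPropertyDefinition
    $propertyName = (Get-ADResourceProperty -Filter 'DisplayName -eq "Confidentiality"').Name
    $classifier = New-Object -ComObject Fsrm.FsrmClassificationManager
    $classifier.SetFileProperty("C:\SecurityLab\DACTest\HighConfidential.txt", $propertyName, "High")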

3. Test Dynamic Access Control:


    # Test access with different users
    $credential = Get-Credential -UserName "DOMAIN\User1" -Message "Enter password"
    Invoke-Command -ComputerName localhost -Credential $credential -ScriptBlock {
        # Try to access classified file
        Get-Content -Path "C:\SecurityLab\DACTest\HighConfidential.txt" -ErrorAction SilentlyContinue
    }

    $credential = Get-Credential -UserName "DOMAIN\User2" -Message "Enter password"
    Invoke-Command -ComputerName localhost -Credential $credential -ScriptBlock {
        # Try to access classified file
        Get-Content -Path "C:\SecurityLab\DACTest\HighConfidential.txt" -ErrorAction SilentlyContinue
    }

10 Laboratory Exercise 7: Combining Protection Mechanisms


In this exercise, you will create a comprehensive file server security solution that combines
multiple protection mechanisms.

10.1 Tasks
1. Create a secure project data repository:

    # Create directory structure
    New-Item -Path "D:\Projects" -ItemType Directory -Force
    New-Item -Path "D:\Projects\Public" -ItemType Directory -Force
    New-Item -Path "D:\Projects\Internal" -ItemType Directory -Force
    New-Item -Path "D:\Projects\Confidential" -ItemType Directory -Force
    New-Item -Path "D:\Projects\Restricted" -ItemType Directory -Force

    # Create sample files
    New-Item -Path "D:\Projects\Public\PublicAnnouncement.txt" -ItemType File -Value "Public information"
    New-Item -Path "D:\Projects\Internal\TeamMeeting.txt" -ItemType File -Value "Internal meeting notes"
    New-Item -Path "D:\Projects\Confidential\FinancialData.txt" -ItemType File -Value "Confidential financial data"
    New-Item -Path "D:\Projects\Restricted\StrategicPlan.txt" -ItemType File -Value "Highly restricted strategic plan"

2. Configure NTFS permissions for tiered access:


    # Configure permissions for Public folder
    $acl = Get-Acl -Path "D:\Projects\Public"
    $acl.SetAccessRuleProtection($true, $true)
    $permission = "Everyone", "ReadAndExecute", "Allow"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($accessRule)
    Set-Acl -Path "D:\Projects\Public" -AclObject $acl

    # Configure permissions for Internal folder
    $acl = Get-Acl -Path "D:\Projects\Internal"
    $acl.SetAccessR
