Q. How can I scan for certain files and move them to a secure folder?
September 24, 2010
Q. I want to scan my Windows 2008 R2 file servers for files that contain information about a confidential project called Pandora. I'd like to mark these files as confidential and store them in a separate file server folder that only gives access to a limited set of accounts. Is there a way to get this done with minimal effort?
A. Windows Server 2008 R2 comes with a new feature called File Classification Infrastructure (FCI) that can help you here. FCI can automate the classification of files on a Server 2008 R2 file server. FCI is installed together with the File Service Resource Manager (FSRM) feature that's part of the Server 2008 File Services role. FCI can be configured through the File Server Resource Manager (FSRM) MMC snap-in.
FCI file properties are stored in an NTFS Alternate Data Stream (ADS). ADSs remain with files as long as the files stay on NTFS-based storage. Because the FCI property storage is NTFS-based, you can use it to mark any file type.
For a good introduction to FCI, refer to the FSRM and FCI FAQ and the FCI Technical Resources page.
In your example, you can instruct FCI to read through all files on your file server, search for the text string Pandora and then assign the confidential property to the matching files. To set this up, open the FSRM MMC snap-in and expand the Classification Management container. First you must create a classification property that allows documents to be tagged with a classification level (such as Confidential). To do so, right-click the Classification Properties subcontainer in the left pane and choose Create Property... This will bring up the Create Classification Property Definition dialog. Give the property the name Classification Level Property and make it a property type String. You can optionally add a description for the property.
Then you must create a classification rule that will scan your file server for files that hold the string Pandora and that will assign the confidential value to their classification level property. To do this, right-click the Classification Rules subcontainer and choose Create a New Rule... This opens the Classification Rules Definitions dialog box. On the Rule Settings tab, you must enter a name for the classification rule, such as Confidential Rule, and select a scope for the rule. In the example, all files to be scanned are stored in the C:Project_Files folder, so that's the scope.
Next, go to the Classification tab and select a method to assign the property. In the example, you want to search files for a string, so you must select the Content Classifier method. In the Property name field, you must then select the Classification Level property that you created earlier and enter the confidential value in the property value, as Figure 1 illustrates.
To specify what FCI should actually search for, click the Advanced… button to open the Additional Rule Parameters dialog. In this dialog select the Additional Classification Parameters tab and enter the String name and Pandora value, as shown in Figure 1.
The final step is to configure a schedule for the classification file rule to run. This can be done by right-clicking the Classification Rules container and choosing Configure Classification Schedule…. On the Automatic Classification tab, click the Create… button to open the Schedule dialog: then click the New button to create a new schedule. Leave the default schedule settings (as Figure 2 shows) and click OK. Note that on the same tab you can also configure FCI to automatically create reports showing the result of the classification process and to e-mail them to an administrator.
So far, you've created a classification rule that tags the confidential Pandora files. For the second part of your question—to move the files marked as confidential to a special folder—you must create a file management task. Right-click the File Management Tasks container in the FSRM and select Create File Management Task…. On the General tab enter a Task name, such as Task to move confidential files to special folder, and enter a scope for the task. In the example, use the same scope you used for the classification rule, C:Project_Files.
In the Action tab, you must refer to a custom batch script that will actually move a file to a folder. Some sample content for this batch script is given below—it's a very simple script that calls on xcopy to first copy the file (using the /X switch to make sure you maintain ownership while copying the file) and then del to delete the file from its old location. You can save this batch script as, for example move_file.cmd in the c:Windowssystem32 folder.
@call :XCOPY_DEL_FILE %1@goto :EOF
:XCOPY_DEL_FILExcopy %1 c:confidential_files /X
del %1
@goto :EOF
In short, you must select or enter the following settings in the Action tab:
Type: Custom
Executable: c:windowssystem32cmd.exe
Arguments: c:windowssystem32cmd.exemove_file.cmd
Select Variable to insert: \[Source File Path\]. Make sure that you click the Insert Variable button to make \[Source File Path\] appear in the Arguments box, as Figure 3 shows.
To apply this action to all files that are marked confidential, you must also specify the associated file classification file property as a condition for the execution of the task. You can do this from the Condition tab. Click the Add button and then Select the Classification Level Property. Select Equal, enter confidential in the value box, and click OK.
Finally, you must assign a schedule to the file management task on the Schedule tab: click the Edit button, leave the defaults and click OK.
About the Author
You May Also Like