
Provide data protection in small and midsize businesses

Published: January 15, 2014

Applies To: Windows Server 2012 Essentials, Windows Server 2012 R2, Windows Server 2012 R2 Essentials

How can this guide help you?

Protecting your company against data loss (such as through hardware theft or a natural disaster) and unauthorized access can save time and money for small and midsize businesses.

This solution guide describes a tested, prescriptive design and implementation solution that can help you protect your business data by backing it up on-premises and in the cloud, by centralizing data storage, and by restricting data access permissions.


The following diagram illustrates the problem and scenario that this solution guide addresses.

 Problems associated with data storage, access, and protection

Data Protection Problem Scenario in SMBs

This section describes the scenario, problem, and goals for an example organization. 

The organization is a small to midsize business with up to 100 users and 200 devices, and is looking for a way to secure its company data. Currently, each user is saving data on their local computers and data is shared through print copies and emails, or by creating local shared resources.

Data backups are being created inconsistently, depending on each user’s individual backup schedule. Some users are working on laptop devices, and as a result, critical data is leaving office premises. When a computer’s hardware fails, a lot of the company’s critical data is lost permanently due to the lack of backups, and tremendous time is spent re-creating a new desktop with all its files and line-of-business applications installed.

The organization wants to address the following problems:

  • Files with business critical data are being exposed to unintended users.

  • Expanding storage capacity on existing computers in the network involves large administrative and cost overheads.

  • Network users are saving the company’s data on multiple devices (on a PC when at work, and on their laptop when remote), which leads to multiple file versions that are hard to track and locate.

  • Not all users are backing up their computers and data consistently. As a result, if a computer crashes, sometimes there is no backup to restore the computer and data from.

  • The company’s backup data is at risk because it resides in a single location.

Your organization is looking for a solution that allows it to:

  • Store the company’s data on-premises in a single centralized location so that all its network users can easily access it and it can more easily apply access restrictions on that data.

  • Easily expand the storage capacity of the server as the organization grows in size.

  • Restrict permissions to shared folders so that only select users can access the data.

  • Define a backup schedule so that backups happen automatically instead of manually.

  • Completely restore a client computer or server from its backup in the event of hardware failure.

  • Create backups both on-site and online, for an additional layer of data protection.

The following diagram illustrates how to store, protect, and securely access data from a server running Windows Server 2012 R2 Essentials or Windows Server 2012 R2 with the Windows Server Essentials Experience role installed (referred to as Windows Server Essentials Experience in the rest of the document).

Solution design for protecting data, centralizing data, and providing secure access to data

Data Protection Solution Scenario in SMBs

Windows Server 2012 R2 Essentials (appropriate for use for up to 25 users and 50 devices) and the Standard and Datacenter editions of Windows Server 2012 R2 with Windows Server Essentials Experience role installed (appropriate for use for up to 100 users and 200 devices) provide a solution for small to midsize business partners and owners to protect their data by centralizing data storage, restricting access to data, and backing up data on-premises and in the cloud.

The following table lists the technologies that are included in Windows Server 2012 R2 Essentials and Windows Server Essentials Experience that are part of this solution design and describes the reason for the design choice.

 

Solution design element Why is it included in this solution?

Windows Server Essentials Dashboard

Use the Dashboard to perform all administrative tasks in your network, such as creating user accounts, granting access permissions, setting up server and client backups, creating storage spaces and server folders, and integrating with Microsoft Azure Backup.

For information about the Dashboard, see Overview of the Dashboard in Windows Server Essentials.

Storage Spaces

Use Storage Spaces for storing your company’s data. With Storage Spaces, you can expand storage as your organization grows, and ensure that your data is highly available and your solution is cost effective. You do not need to spend money on hardware upfront, and you can scale up based on your business needs.

For more information about Storage Spaces, see the Storage Spaces Overview and Storage Spaces Frequently Asked Questions.

Server Folders

Store your organization’s files and folders in the server folders that you create on your server rather than sharing them from individual user PCs. This enables you to consolidate your data in one central location that all network users can access. When you store your data in server folders, you can protect it against total server failure by using Windows Server Backup and Azure Backup.

For more information about server folders, see Manage Server Folders in Windows Server Essentials.

User management

Create user accounts and user groups to control access to your company’s data and devices. When you create a user group, you can provide the same access level to network resources for all members.

For more information, see Manage User Accounts in Windows Server Essentials.

Device management

Join your client computers to the network so that you can easily manage all the client computers in the network through the Windows Server Essentials Dashboard.

For all computer management related tasks, see Manage Devices in Windows Server Essentials.

Windows Server Essentials Group Policy

Protect client computers from network attacks and keep the software and operating system on your computers up-to-date by implementing Windows Server Essentials Group Policy settings. For more information about Windows Server Essentials Group Policy, see Configure Group Policy settings for folder redirection and security.

Windows Server Backup

Use Windows Server Backup to back up the files and folders that are stored on your server. From the backup files, you can restore files and folders on your server or perform a full system restore of your server.

For more Windows Server Backup-related tasks, see Manage server backup in Windows Server Essentials.

Client Computer Backup

Use Client Computer Backup to back up all the clients in your network. The data that is located on the clients is backed up on a server that is running Windows Server 2012 R2 Essentials or Windows Server Essentials Experience. From the backup files, you can restore files and folders on the clients, or perform a full system restore of a client in the network.

For more information, see Manage client computer backup in Windows Server Essentials.

File History

File History provides a supplemental mechanism for client computer backups. File History backups are stored in the File History folder, which is located on a server that is running Windows Server 2012 R2 Essentials or Windows Server Essentials Experience. From the File History backups, network users can restore versions of files from a specific point-in-time. In addition, network users can restore the files without asking for help from the administrator.

For more information about File History, see Managing File History in Windows Server Essentials.

Azure Backup

Integrate your server running Windows Server Essentials Experience with Azure Backup to back up files or folders that are located on your server. You can back up your business critical data on-premises and by using Azure Backup to provide dual protection for your company’s data.

For more information, see Manage online backup in Windows Server Essentials.

The following discusses the details of design considerations and decisions that were made that led to the final solution design.

The Windows Server Essentials Dashboard in Windows Server 2012 R2 Essentials and Windows Server Essentials Experience helps you to quickly access key information and the management features of your server instead of using multiple native Windows Server Administration tools. By using the Dashboard, you can create and manage user accounts, manage devices and backups, and manage access and settings for server folders.

Recommendation: Use the Windows Server Essentials Dashboard to perform a majority of administrative tasks in your network. You can run tasks and wizards from the Dashboard to optimally configure the features that are included in your server.

You have a few options for providing highly available and resilient storage for your company’s data. One option is to use the built in RAID controller that comes with common server hardware. Both of these storage options will provide you the storage availability and resiliency you need, but can be relatively complex and costly. In contrast, you can use the Storage Spaces feature to create low-cost, resilient, and dynamically expandable data volumes to store your business data, rather than storing it on standard hard disk volumes. Storage Spaces helps you to save files to two or more drives so that your files remain safe even when a drive fails. With Storage Spaces, you can virtualize your server’s storage by grouping industry standard hard disks into storage pools, and then create virtual disks (called storage spaces) from the available capacity in the storage pools. You can use these storage spaces to store your company’s data in one central location instead of all users saving the data on their PCs.

Recommendation: For small businesses with fewer than 10 users, use at least three SAS or SATA hard disks: one hard disk to be used for the operating system, and the other two to be used for storage spaces. We recommend that you create a storage space by using at least two hard drives with mirrored resiliency.

For small businesses with more than 10 users, or midsize businesses with up to 100 users, configure at least three SAS hard disks with Storage Spaces: one hard disk to be used for the operating system, and the other two to be used for storage spaces. We also recommend providing a server chassis that supports adding more drives for expansion.

By using server folders, you can store files that are located on client computers in a central location instead of having users store files on their PCs, which makes the files easy to back up and easy to access. Storing files in server folders ensures that your files are in a place that is always accessible from each client in a secure manner by using authenticated network credentials.

Recommendation: Create server folders on a storage space drive and create separate server folders for departments or projects. For example, if you have an accounting department, you can create a server folder called “Accounting.” Creating the server folder on a storage space disk increases data availability (due to mirroring). We also recommend that you set a quota for your server folders so that you are alerted when a server folder is about to reach its capacity. When you are alerted, you can delete files in the server folder to increase available space for storage, or you can add more space to the server folder and adjust its quota settings.

User and user group accounts help you specify permissions to your company data. This protects your company data from unintended user access. You can easily manage access to your network resources by creating user accounts for all your network users from the Users tab of the Windows Server Essentials Dashboard. In addition, you can create user group accounts and make user accounts their members. All members of a user group account share the same security access level to server resources. Hence, group membership lets you specify permissions for a group of users on a single UI page, rather than opening the property pages for each user in the network to assign the relevant folder permissions, which helps simplify resource management.

Recommendation: Create user accounts that include members of various user groups, based on the departments that exist in your company or the various projects that people work on within your company. When you create user groups, you can assign a set of permissions to the user groups that will be applicable to all its members. For example, if you have a group of users who are working in Department A, you can create a user group account called “Department A User Group,” and then add the relevant user accounts to this group. Next, you can assign the “Department A User Group” permissions to access the server folder named “Accounting.”

To enable users to access server folders from computers in the network, you must connect the users’ computers to the server. Connecting computers to the server provides the following advantages:

  • Enables network users to securely access data that is stored on the server by using their user accounts.

  • Enables you to manage client computers from the Dashboard.

  • Protects client computers in the network by using Group Policy.

  • Backs up data on client computers regularly.

  • Monitors the health of the client computers.

Recommendation: For all the computers (local or remote) that you want to administer, connect them to the server so that you can manage them from the Devices tab of the Windows Server Essentials Dashboard instead of using the native server tool – Active Directory Users and Computers.

Using a simple wizard, the Implement Group Policy Wizard in Windows Server 2012 R2 Essentials or Windows Server Essentials Experience keeps your data centralized by turning on Folder Redirection. In addition, it helps keep your network secure by enforcing that Windows Update, Windows Defender, and the Windows Firewall remain turned on for all the client computers in the network. This eliminates the need to rely on the end user to turn on these settings on their PCs.

Recommendation: We recommend that you do not turn off the Windows Server Essentials Group Policy.

You can use Windows Server Backup to back up all volumes on your server, selected volumes, the system state, or specific files or folders. You can also create a backup that you can use for bare metal recovery. Instead of using native server tools, you can easily create and administer your backups from the Devices tab on the Windows Server Essentials Dashboard.

Note
Only servers running Windows Server 2012 R2 Essentials or Windows Server Essentials Experience are automatically backed up. Servers running the Windows Server operating system can be joined to these servers. They will be displayed on and can be monitored from the Dashboard, but automatic and centralized backups for these servers are not supported.

Recommendation: Use removable storage devices for performing your backups (USB 3.0 rather than FireWire, for cost-effectiveness and high performance). You should use at least two removable storage devices, and ensure that they have a large enough capacity to store the server backups. Using multiple removable storage devices also provides a backup rotation.

By default, all computers that are connected to a server running Windows Server 2012 R2 Essentials or Windows Server Essentials Experience will have their entire system and data backed up instead of relying on the end users to back up their computers, or using third-party backup tools. These computer backups are stored in the Client Computer Backups server folder on the server that is running Windows Server 2012 R2 Essentials or Windows Server Essentials Experience. This feature enables the recovery of individual files and folders, and a bare metal recovery of an entire client computer to a previous state. However, only the domain administrator can recover the data, and this feature does not scale beyond 75 client computers.

Recommendation: To save resources, you should only back up critical client computers and the most important data as your organization grows.

File History is a supplemental mechanism for client computer backups. The File History backups are stored in the File History Server Folder that is located on a server that is running Windows Server 2012 R2 Essentials or Windows Server Essentials Experience. From the File History backups, network users can restore versions of files from a specific point-in-time. In addition, network users can restore the files without asking for help from the administrator.

Recommendation: By default, all users with connected clients running Windows 8.1 or Windows 8 will have their profile data backed up to the server running Windows Server Essentials. We recommend that you change the settings for File History backups (such as backup retention) per your company’s needs. For example, if your users save large data files on their computers, you may want to reduce the frequency of File History backups and the backup retention time.

Azure Backup is an online backup service that is provided by Microsoft. You can use it to back up files and folders that are critical to your organization. Azure Backup encrypts backups before transmission and stores the encrypted data in Azure. These backups are safely stored offsite from your company’s location, and they are protected by reliable Azure storage. This provides additional protection along with the on-premises backups. Online backup storage provides an additional layer of data protection without having to maintain and invest in additional hardware. However, Azure Backup does not create a backup of your system’s state, so it cannot be used to perform a complete bare metal recovery.

Recommendation: Protect the critical data for your organization by using Azure Backup. In addition, use bandwidth throttling to reduce Internet traffic during working hours.

You can use the steps in this section to implement the solution. Make sure to verify the correct deployment of each step before proceeding to the next step.

Note
The following steps make the assumption that there is already a server in the network that is running Windows Server 2012 R2 Essentials or Windows Server Essentials Experience. For information about installing Windows Server 2012 R2 Essentials or the Windows Server Essentials Experience role, see Install and Configure Windows Server 2012 R2 Essentials.

  1. Create a storage space on the server.

    To create a storage space, follow the instructions in Create a storage space.

    You can also create a new two-way mirrored storage space using the PowerShell cmdlet - New-WssStorageSpace.

    After you create the storage space, verify that it is listed on the Hard Drives tab of the Dashboard.

  2. Create server folders for various departments or data types as needed.

    To create server folders, follow the instructions in Add or move a server folder.

    Note
    If your organization has shared folders that are already being used, also move the data that is stored on various devices to the server folders that you create in this step.

    When you create a new server folder using the Add Folder Wizard, on the Type a name and description for the folder page, for Location, keep the default storage space hard drive location to ensure high-availability of business data. Verify that all the server folders that you have created are listed on the Storage tab of the Dashboard.

    You can also add a server folder using the PowerShell cmdlet Add-WssFolder. For more information, see Add-WssFolder.

  3. Create user groups and user accounts to assign access permissions to network resources on departments or projects in your organization.

    Create user accounts for all the users in the network, and then create user groups based on the various departments and projects in your organization. Next, add the user accounts to the relevant user groups based on the departments or projects that the users are associated with. For step-by-step instructions to create user accounts, see Add a user account. For more information about user groups, see Manage User Accounts in Windows Server Essentials.

    You can also add a user account and user group using the PowerShell cmdlets Add-WssUser and Add-WssUserGroup, respectively. For more information, see Add-WssUser and Add-WssUserGroup.

    Verify that all the user accounts and user groups are listed on the User Groups and Users tab.

  4. Assign user access permissions to server folders.

    To assign permissions to user accounts so that users can access the server folders, follow instructions in Manage access to server folders.

    After you have granted user access permissions, you can view or modify permissions to network resources for any user account by viewing the user account’s properties from the Dashboard. For more information, see Manage User Accounts in Windows Server Essentials.

  5. Connect all the client computers in the network to the server that is running Windows Server 2012 R2 Essentials or Windows Server 2012 R2 with the Windows Server Essentials Experience role installed.

    Before you connect a client computer to the server that is running Windows Server Essentials, review the following:

    Next, run the Connect Computer to the Server Wizard on all computers in your network, whether they are local or remote. For step-by-step instructions to connect client computers to a server running Windows Server Essentials Experience, see Connect computers to the server.

    After you have connected a client computer to the server, verify that the computer’s name is listed on the Devices tab of the Dashboard. You can manage all computers that are connected to the server through the administrative tasks that are listed in the task pane of the Dashboard. For more information about using the Dashboard to manage computers, see Manage devices by using the Dashboard.

  6. Implement Windows Server Essentials Group Policy.

    To implement Windows Server Essentials Group Policy, turn on Group Policy settings for Folder Redirection, Windows Defender, Windows Firewall, and Windows Update as discussed in Configure Group Policy settings for folder redirection and security.

  7. Set up Windows Server Backup.

    To set up a backup for your server, follow instructions in Set up or customize server backup.

    After you have set up the backup for your server, the Customize backup for the server task appears on the Devices tab of the Dashboard when you select your server from the list of devices. You can change the server backup settings with this task.

  8. Set up client computer backup.

    By default, client backups are automatically configured when you connect a client computer to a server that is running Windows Server 2012 R2 Essentials or Windows Server Essentials Experience. Backup is performed on a daily basis for every computer that is configured.

    As the number of computers increases in your organization, we recommend that you back up only computers that contain critical company data. For more client computer backup related tasks, see Manage client computer backup in Windows Server Essentials.

  9. Set up File History backup settings for client computers.

    For all client computers that are running Windows 8 or Windows 8.1 and are connected to Windows Server Essentials, File History is automatically turned on—and by default, the data on the Desktop and in the Documents folder is backed up on an hourly basis, with the backup being stored on the server for a year. You can configure the File History backup setting for each computer using the Change the File History setting task, which you can access from the Users tab on the Dashboard. For more information, see Managing File History in Windows Server 2012 Essentials.

  10. Set up your server for online backup with Azure Backup.

    To set up your server for online backup by using Azure Backup, use the following steps:

    1. Sign up for Azure Backup Service

    2. Upload a certificate to the Azure Backup vault

    3. Register this server for backup

    4. Configure online backup

    Note
    Before you begin to integrate your server with Azure Backup, ensure that you turn off the enhanced Internet security settings on your server by using Server Manager.

    After you have completed the integration of your server with Azure Backup, verify that the Online Backup tab has been added to the Dashboard. From this tab, you can configure online backup settings to perform regularly scheduled backups. To initiate an online backup, click Start backup now on the Online Backup tab of the Dashboard, and then verify that the server backup was created.

After you complete Steps 1 through 9, all your organization’s goals as listed in this document are met as follows:

  • Your organization’s data is now stored in a central location on a server running Windows Server 2012 R2 Essentials or Windows Server Essentials Experience so that all network users can easily access it.

  • Use of Storage Spaces as your destination for creating server folders allows you to easily expand the storage capacity of your server.

  • You have set access permissions for user accounts in your network, so only select users can access server folders and the data in them as needed.

  • A defined schedule for creating backups by using Windows Server Backup solves the problem of inconsistent manual backups.

  • In the event of hardware failure, you can restore a client computer or server from its backup.

  • If the on-site backups are unavailable, you can still restore your files and folders from your online backups stored in Azure.
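
A read-only check of three of the verification points above (mirrored storage space, restricted access to a server folder, recent server backup), as an added example that is not part of the Microsoft guide. It uses the standard Storage, SmbShare and Windows Server Backup cmdlets instead of the Dashboard; the share name Accounting is taken from the guide's example, and the list of broad principals and the 26-hour backup age threshold are assumptions to adjust.

```powershell
# Added example, not from the original guide. Run elevated on the server.
# Assumed values: $ShareName, $BroadPrincipals and $MaxBackupAgeHours.
param(
    [string[]]$ShareName = @('Accounting'),   # server folder from the guide's example
    [string[]]$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'),
    [int]$MaxBackupAgeHours = 26              # daily schedule plus some slack
)

function New-Result($Check, $Target, $Pass, $Detail) {
    [pscustomobject]@{ Check = $Check; Target = $Target; Pass = [bool]$Pass; Detail = $Detail }
}

# Step 1: every storage space should use mirror resiliency and be healthy.
function Test-StorageSpace {
    $disks = @(Get-VirtualDisk)
    if ($disks.Count -eq 0) {
        return New-Result 'StorageSpace' '(none)' $false 'no storage space found'
    }
    foreach ($vd in $disks) {
        $ok = ($vd.ResiliencySettingName -eq 'Mirror') -and ($vd.HealthStatus -eq 'Healthy')
        New-Result 'StorageSpace' $vd.FriendlyName $ok "$($vd.ResiliencySettingName), $($vd.HealthStatus)"
    }
}

# Step 4: a server folder should not be open to broad built-in principals.
function Test-FolderAccess {
    foreach ($name in $ShareName) {
        $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
        if (-not $share) {
            New-Result 'FolderAccess' $name $false 'share not found'
            continue
        }
        $shareHits = @(Get-SmbShareAccess -Name $name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $_.AccountName
        } | ForEach-Object { $_.AccountName })
        $ntfsHits = @((Get-Acl -Path $share.Path).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $_.IdentityReference.Value
        } | ForEach-Object { $_.IdentityReference.Value })

        # Effective access over the network is the more restrictive of the share
        # and NTFS permissions, so flag the folder only when both layers allow
        # a broad principal.
        $exposed = ($shareHits.Count -gt 0) -and ($ntfsHits.Count -gt 0)
        $detail  = "share: $($shareHits -join ', '); NTFS: $($ntfsHits -join ', ')"
        New-Result 'FolderAccess' $name (-not $exposed) $detail
    }
}

# Step 7: the last successful server backup should be recent.
function Test-ServerBackup {
    $last = (Get-WBSummary).LastSuccessfulBackupTime
    $ok   = $last -and (((Get-Date) - $last).TotalHours -le $MaxBackupAgeHours)
    New-Result 'ServerBackup' $env:COMPUTERNAME $ok "last successful backup: $last"
}

$results = @(Test-StorageSpace) + @(Test-FolderAccess) + @(Test-ServerBackup)
$results | Format-Table -AutoSize -Wrap

# Non-zero exit code lets a scheduled task or monitoring agent alert on failure.
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

A failed FolderAccess row is a prompt to review the folder's permissions in the Dashboard, not proof of exposure; some folders are meant to be readable by all users.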
