Provide data protection in small and midsize businesses
Updated: July 10, 2014
Applies To: Windows Server 2012 Essentials, Windows Server 2012 R2, Windows Server 2012 R2 Essentials, Windows Storage Server 2012 R2 Essentials
How can this guide help you?
This solution guide describes how you can protect your small to midsize business against data loss (such as through hardware theft or a natural disaster) and unauthorized access, so that you can save time and money.
This guide describes a tested, prescriptive design and implementation solution that can help you protect your business data by backing it up on-premises and in the cloud, by centralizing data storage, and by restricting data access permissions.
In this solution guide:
Scenario, problem statement, and goals
What is the recommended design for this solution?
Why are we recommending this design?
What are the steps to implement this solution?
The following diagram illustrates the problem and scenario that this solution guide addresses.
Problems associated with data storage, access, and protection
This section describes the scenario, problem, and goals for an example organization.
The organization is a small to midsize business with up to 100 users and 200 devices, and it is looking for a way to secure its company data. Currently, each user is saving data on their local computers, and data is shared through print copies and emails or by creating local shared resources.
Data backups are created inconsistently, depending on a user’s individual backup schedules. Some users are working on laptop devices, and as a result, critical data is leaving office premises. When a computer’s hardware fails, a lot of the company’s critical data is lost permanently due to lack of backups, and tremendous time is spent re-creating a new desktop with all its files and line-of-business applications installed.
The organization wants to address the following problems:
Files with business critical data are being exposed to unintended users.
Expanding storage capacity on existing computers in the network involves large administrative and cost overheads.
Network users are saving the company’s data on multiple devices (for example, on a PC when at work, and on their laptop when remote). This is leading to multiple file versions that are hard to track and locate.
Not all users are backing up their computers and data consistently. As a result, if a computer crashes, sometimes there is no backup from which to restore the computer and data.
The company’s backup data is at risk because it resides in a single location.
Your organization is looking for a solution that allows it to:
Store the company’s data on-premises in a single centralized location so that all its network users can easily access it and so your administrator can more easily apply access restrictions on the data.
Easily expand the storage capacity of the server as the organization grows in size.
Restrict permissions to shared folders so that only select users can access the data.
Define a backup schedule so that backups happen automatically instead of manually.
Completely restore servers and client computers from backups in the event of hardware failure.
Create backups on-site and online to provide an additional layer of data protection.
The following diagram illustrates how to store, protect, and securely access data from a server running Windows Server 2012 R2 Essentials or the Standard and Datacenter editions of Windows Server 2012 R2 with the Windows Server Essentials Experience role installed (referred to as Windows Server Essentials Experience in the remainder of the document).
Solution design for protecting, centralizing, and providing secure access to data
Windows Server 2012 R2 Essentials (appropriate for use for up to 25 users and 50 devices) or Windows Server Essentials Experience (appropriate for use for up to 100 users and 200 devices) provide a solution for small to midsize business partners and owners to protect their data by centralizing data storage, restricting access to data, and backing up data on-premises and in the cloud.
The following table lists the technologies that are included in Windows Server 2012 R2 Essentials and Windows Server Essentials Experience that are part of this solution design and describes the reason for the design choice.
Solution design element | Why is it included in this solution? |
---|---|
Windows Server Essentials Dashboard | Use the Dashboard to perform all administrative tasks in your network, such as creating user accounts, granting access permissions, setting up server and client backups, creating storage spaces and server folders, and integrating with Microsoft Azure Backup. For information, see Overview of the Dashboard in Windows Server Essentials. |
Storage Spaces | Use Storage Spaces for storing your company’s data. With Storage Spaces, you can expand storage as your organization grows, ensure that you are providing high availability for your data, and provide a cost effective solution. You do not need to spend money on hardware upfront, and you can scale up based on your business needs. For more information about Storage Spaces, see the Storage Spaces Overview and Storage Spaces Frequently Asked Questions. |
Server Folders | Store and share your organization’s files and folders in server folders that you create on your server rather than sharing them from individual user's PCs. This enables you to consolidate your data in one central location that all network users can access. When you store your data in server folders, you can protect it against total server failure by using Windows Server Backup and Azure Backup. For more information, see Manage Server Folders in Windows Server Essentials. |
User management | Create user accounts and user groups to control access to your company’s data and devices. When you create a user group, you can provide the same access level to network resources for all members. For more information, see Manage User Accounts in Windows Server Essentials. |
Device management | Join your client computers to the network so that you can easily manage all the client computers in the network through the Windows Server Essentials Dashboard. For more information about computer management-related tasks, see Manage Devices in Windows Server Essentials. |
Group Policy settings | Protect client computers from network attacks and keep the software and operating system on your computers up-to-date by implementing Windows Server Essentials Group Policy settings. For more information, see Configure Group Policy settings for folder redirection and security. |
Windows Server Backup | Use Windows Server Backup to back up the files and folders that are stored on your server. From the backup files, you can restore files and folders on your server or perform a full system restore of your server. For more information, see Manage server backup in Windows Server Essentials. |
Client Computer Backup | Use Client Computer Backup to back up all the clients in your network. The data that is located on the clients is backed up on a server that is running Windows Server 2012 R2 Essentials or Windows Server Essentials Experience. From the backup files, you can restore files and folders on the clients, or perform a full system restore of a client in the network. For more information, see Manage client computer backup in Windows Server Essentials. |
File History | File History provides a supplemental mechanism for client computer backups. File History backups are stored in the File History folder, which is located on a server that is running Windows Server 2012 R2 Essentials or Windows Server Essentials Experience. From the File History backups, network users can restore versions of files from a specific point-in-time. In addition, network users can restore the files without asking for help from the administrator. For more information, see Managing File History in Windows Server Essentials. |
Azure Backup | Integrate your server running Windows Server Essentials Experience with Azure Backup to back up files or folders that are located on your server. You can back up your business critical data on-premises and by using Azure Backup to provide dual protection for your company’s data. For more information, see Manage online backup in Windows Server Essentials. |
This section explains the details of the design considerations and the decisions that were made that led to the final solution design. It also provides the recommended configuration or usage of each feature that is used in this solution.
The Windows Server Essentials Dashboard in Windows Server 2012 R2 Essentials and Windows Server Essentials Experience helps you quickly access key information and the management features of your server instead of using multiple native Windows Server Administration tools. By using the Dashboard, you can create and manage user accounts, manage devices and backups, and manage access and settings for server folders.
Recommendation: Use the Windows Server Essentials Dashboard to perform a majority of administrative tasks in your network. You can run tasks and wizards from the Dashboard to optimally configure the features that are included in your server.
Options for providing high availability and resilient storage for your company’s data include using the built-in RAID controller that comes with common server hardware. This storage option will provide the storage availability and resiliency you need, but it can be relatively complex and costly.
In contrast, you can use the Storage Spaces feature to create low-cost, resilient, and dynamically expandable data volumes to store your business data, rather than storing it on standard hard drives. Storage Spaces are virtual hard disk drives (VHDs) that appear on the Hard Drives tab of the Dashboard. Storage Spaces helps you save files to two or more drives so that your files remain safe even when a drive fails. With Storage Spaces, you can virtualize your server’s storage by grouping industry standard hard drives into storage pools, and then create VHDs (called storage spaces) from the available capacity in the storage pools. You can use these storage spaces to store your company’s data in one central location instead of all users saving data on their PCs.
Recommendation: For small businesses with fewer than 10 users, use at least three SAS or SATA drives—one drive to be used to back up the operating system, and the other two to be used for storage spaces. We recommend that you create a storage space by using at least two drives with mirrored resiliency.
For small businesses with more than 10 users, or midsize businesses with up to 100 users, configure at least three SAS drives with Storage Spaces—one drive to be used to back up the operating system, and the other two to be used for storage spaces. We also recommend providing a server chassis that supports adding more drives for expansion.
By using server folders, you can store files that are located on client computers to a central location instead of users storing files on their PCs.
Storing files in server folders ensures that your files are easy to back up and easy to access. They are located in a place that is always accessible from every client. Files are secure because accessing them requires using authenticated network credentials.
Recommendation: Create server folders on a Storage Space drive and create separate server folders for departments or projects. For example, if you have an accounting department, you can create a folder called “Accounting.” Creating the server folder on a Storage Space drive increases data availability (due to mirroring). We also recommend that you set a quota for your server folders so that you are alerted when a server folder is about to reach its capacity. When you are alerted, you can delete files in the server folder to increase available space for storage, or you can add more space to the server folder and adjust its quota settings.
User and user group accounts help you specify permissions that allow users to access your company data. This protects your company data from unintended user access. You can easily manage access to your network resources by creating user accounts for all your network users from the Users tab of the Windows Server Essentials Dashboard.
In addition, you can create user group accounts, and make the user accounts its members. All members of a user group account share the same security access level to server resources. Group membership simplifies resource management because you can specify permissions for a group of users on one UI page. This is in contrast to opening property pages for each user in the network to assign relevant folder permissions.
Recommendation: Create user accounts that include members of various user groups, based on the departments that exist in your company or the various projects that people work on within your company. When you create a user group, you can assign a set of permissions to the group that will be applicable to all its members. For example, if you have a group of users who are working in Department A, you can create a user group account called “Department A User Group,” and then add the relevant user accounts to this group. Next, you can assign permissions for the “Department A User Group” to access the server folder named “Accounting.”
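The following script is an added example, not part of the original guide. It audits whether any server folder is still reachable by a catch-all group instead of a departmental user group, by comparing share-level and NTFS permissions. The list of ignored shares is an assumption; the cmdlets are the standard SmbShare and Get-Acl cmdlets, not Essentials-specific ones.

```powershell
# Added example (not from the original guide). Run in an elevated session on the server.
# Assumption: these shares are expected to be broadly readable on a domain
# controller and are skipped; adjust the list for your server.
$IgnoreShares = @('NETLOGON', 'SYSVOL')

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

function Test-BroadPrincipal {
    param([string]$Account)
    if ($Account -match '^S-1-') {
        $sid = $Account                      # unresolved ACE, already a SID string
    } else {
        try {
            $nt  = New-Object System.Security.Principal.NTAccount($Account)
            $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            return $false                    # name cannot be resolved to a SID
        }
    }
    # A domain SID ending in -513 is the Domain Users group.
    return ($BroadSids -contains $sid) -or ($sid -match '^S-1-5-21-.+-513$')
}

$shares = Get-SmbShare -Special $false |
    Where-Object { $_.Path -and ($IgnoreShares -notcontains $_.Name) }

$report = foreach ($share in $shares) {
    # Broad principals allowed at the share level.
    $atShare = @(Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $_.AccountName) } |
        ForEach-Object { $_.AccountName })

    # Broad principals allowed in the folder's NTFS ACL.
    $atNtfs = @((Get-Acl -LiteralPath $share.Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $_.IdentityReference.Value) } |
        ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique)

    [pscustomobject]@{
        Share        = $share.Name
        Path         = $share.Path
        BroadAtShare = $atShare -join ', '
        BroadAtNtfs  = $atNtfs -join ', '
        # Effective access is the more restrictive of the two layers, so a folder
        # is open to everyone only when a broad group is allowed at both.
        OpenToAll    = ($atShare.Count -gt 0) -and ($atNtfs.Count -gt 0)
    }
}

$report | Sort-Object OpenToAll -Descending | Format-Table -AutoSize -Wrap
```

A folder such as “Accounting” that shows OpenToAll as True is not restricted to its user group, whatever group permissions were also assigned.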
To enable users to access server folders from computers in the network, you must connect the users’ computers to the server. Connecting computers to the server provides the following advantages:
Enables network users to securely access data that is stored on the server by using their user accounts.
Enables you to manage client computers from the Dashboard.
Protects client computers in the network by using Group Policy.
Backs up data on client computers regularly.
Monitors the health of the client computers.
Recommendation: Connect all the computers (local or remote) that you want to administer to the server so that you can manage them from the Devices tab of the Windows Server Essentials Dashboard instead of using the native server tool, Active Directory Users and Computers.
Using the Implement Group Policy Wizard in Windows Server 2012 R2 Essentials or Windows Server Essentials Experience keeps your data centralized by turning on Folder Redirection. In addition, it helps keep your network secure by enforcing that Windows Update, Windows Defender, and the Windows Firewall remain turned on for all the client computers in the network. This eliminates relying on end users to turn on these settings on their PCs.
Recommendation: We recommend that you do not turn off the Group Policy settings in Windows Server Essentials.
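The following client-side check is an added example, not part of the original guide. It reports whether the four settings named above are in effect on a connected computer. The guide does not say how the Essentials policy configures Windows Update, so that check only confirms, as an assumption, that automatic updates are not disabled by policy or at the service level.

```powershell
# Added example (not from the original guide). Run on a client as the signed-in user.
function New-Result {
    param([string]$Setting, [bool]$Compliant, [string]$Detail)
    [pscustomobject]@{ Setting = $Setting; Compliant = $Compliant; Detail = $Detail }
}

$results = @()

# Folder Redirection: Documents should resolve to a UNC path on the server.
$docs = [Environment]::GetFolderPath('MyDocuments')
$results += New-Result 'Folder Redirection (Documents)' ($docs -like '\\*') $docs

# Windows Firewall: every profile must be enabled in the effective
# (local plus Group Policy) policy store.
$off = @(Get-NetFirewallProfile -PolicyStore ActiveStore |
    Where-Object { $_.Enabled -ne 'True' })
$fwDetail = if ($off.Count -eq 0) { 'All profiles enabled' }
            else { 'Disabled: ' + (($off | ForEach-Object { $_.Name }) -join ', ') }
$results += New-Result 'Windows Firewall' ($off.Count -eq 0) $fwDetail

# Windows Defender: the service must exist and be running.
$defender  = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
$defOk     = [bool]($defender -and $defender.Status -eq 'Running')
$defDetail = if ($defender) { "Service status: $($defender.Status)" }
             else { 'WinDefend service not found' }
$results += New-Result 'Windows Defender' $defOk $defDetail

# Windows Update (assumption, see lead-in): automatic updates must not be
# turned off by policy, and the service must not be disabled.
$auKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$noAuto = (Get-ItemProperty -Path $auKey -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
$wuSvc  = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
$wuOk   = ($noAuto -ne 1) -and ($wuSvc.StartMode -ne 'Disabled')
$results += New-Result 'Windows Update' $wuOk "NoAutoUpdate policy: $noAuto; service start mode: $($wuSvc.StartMode)"

$results | Format-Table -AutoSize -Wrap
```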
You can use Windows Server Backup to back up all volumes on your server, selected volumes, the system state, or specific files or folders. You can also create a backup that you can use for bare metal recovery. Instead of using native server tools, you can easily create and administer your backups from the Devices tab on the Windows Server Essentials Dashboard. For more information, see Manage server backup in Windows Server Essentials.
Note
Only servers running Windows Server 2012 R2 Essentials or Windows Server Essentials Experience are automatically backed up. Other servers running the Windows Server operating system can also be joined to these servers. They will be displayed on and can be monitored from the Dashboard, but automatic and centralized backups for these servers are not supported.
Recommendation: Use removable storage devices for your backups. For cost effectiveness and high-performance, we recommend using a USB 3.0 device rather than an IEEE 1394 interface (also known as FireWire). You should use at least two removable storage devices, and ensure that they have a large enough capacity to store the server backups. Using multiple removable storage devices also provides a backup rotation.
By default, all computers that are connected to a server running Windows Server 2012 R2 Essentials or Windows Server Essentials Experience will have their entire system and data backed up instead of relying on end users to back up their computers, or using non-Microsoft backup tools. These computer backups are stored in the Client Computer Backups server folder on a server that is running Windows Server 2012 R2 Essentials or Windows Server Essentials Experience. This feature enables the recovery of individual files and folders, and a bare metal recovery of an entire client computer to a previous state. However, only the domain administrator can recover the data, and this feature does not scale beyond 75 client computers. For more information, see Manage client computer backup in Windows Server Essentials.
Recommendation: To conserve resources, you should only back up critical client computers and the most important data as your organization grows.
File History is a supplemental mechanism to use for client computer backups. The File History backups are stored in the File History server folder, which is located on a server that is running Windows Server 2012 R2 Essentials or Windows Server Essentials Experience. From the File History backups, network users can restore versions of files from a specific point-in-time. In addition, network users can restore the files without asking for help from the administrator.
Recommendation: By default, all users with connected clients running Windows 8.1 or Windows 8 will have their profile data backed up to the server running Windows Server Essentials. We recommend that you change the settings for File History backups (such as backup retention) per your company’s needs. For example, if your users save large data files on their computers, you may want to reduce the frequency of File History backups and the backup retention time.
Azure Backup is an online backup service that is provided by Microsoft. You can use it to back up files and folders that are critical to your organization. For more information, see Manage Online Backup in Windows Server Essentials.
Azure Backup encrypts backups before transmission and stores the encrypted data in Azure. These backups are safely stored offsite from your company’s location, and they are protected by reliable Azure Storage. Online backup storage provides an additional layer of data protection with the on-premises backups, without having to maintain and invest in additional hardware. However, Azure Backup does not create a backup of your system’s state, so it cannot be used to perform a complete bare metal recovery.
Recommendation: Protect the critical data for your organization by using Azure Backup. In addition, use bandwidth throttling to reduce Internet traffic during working hours. For more information, see article 238145 in the Microsoft Knowledge Base.
You can follow the steps in this section to implement this solution. Make sure to verify the correct deployment of each step before proceeding to the next step.
Note
The following steps make the assumption that there is already a server in the network that is running Windows Server 2012 R2 Essentials or Windows Server Essentials Experience. For information about installing Windows Server 2012 R2 Essentials or the Windows Server Essentials Experience role, see Install and Configure Windows Server 2012 R2 Essentials.
Step 1: Create a storage space on the server.
To create a storage space, follow the instructions in Create a storage space.
You can also create a new two-way mirrored storage space by using the New-WssStorageSpace Windows PowerShell cmdlet.
After you create the storage space, verify that it is listed on the Hard Drives tab of the Dashboard.
Step 2: Create server folders for various departments or data types as needed.
To create server folders, follow the instructions in Add or move a server folder.
Note
If your organization has shared folders that are already being used, also move the data that is stored on various devices to the server folders that you create in this step.
When you create a new server folder using the Add Folder Wizard, on the Type a name and description for the folder page, in the Location field, store the folder in its default location, which is the storage space that you created in Step 1, to ensure high availability for the data. Verify that all the server folders you created are listed on the Storage tab of the Dashboard.
You can also add a server folder by using the Add-WssFolder Windows PowerShell cmdlet. For more information, see Add-WssFolder.
Step 3: Create user groups and user accounts.
Create user accounts for all the users in the network, and then create user groups based on the various departments and projects in your organization. Next, add the user accounts to the relevant user groups based on the departments or projects that the users are associated with. For step-by-step instructions to create user accounts, see Add a user account. For more information about user groups, see Manage User Accounts in Windows Server Essentials.
You can also add a user account and user group by using the Add-WssUser and Add-WssUserGroup Windows PowerShell cmdlets respectively. For more information, see Add-WssUser and Add-WssUserGroup.
Verify that all the user accounts and user groups are listed on the Users and User Groups tabs of the Dashboard.
Step 4: Assign user access permissions for the server folders.
To assign permissions to user accounts so that users can access the server folders, follow instructions in Manage access to server folders.
After you have granted user access permissions, you can view or modify permissions to network resources for any user account by viewing the user account’s properties from the Dashboard. For more information, see Manage User Accounts in Windows Server Essentials.
Step 5: Connect all the client computers in the network to the server.
All clients need to be connected to a server that is running Windows Server 2012 R2 Essentials or Windows Server Essentials Experience. Before you connect a client to a server that is running Windows Server Essentials, review the following:
Run the Connect Computer to the Server Wizard on all computers in your network, whether they are local or remote. For step-by-step instructions to connect client computers to a server running Windows Server Essentials Experience, see Connect computers to the server.
After you have connected a client computer to the server, verify that the computer’s name is listed on the Devices tab of the Dashboard. You can manage all computers that are connected to the server through the administrative tasks that are listed in the task pane of the Dashboard. For more information, see Manage devices by using the Dashboard.
Step 6: Implement Group Policy settings.
To implement Group Policy settings in Windows Server Essentials, turn on settings for Folder Redirection, Windows Defender, Windows Firewall, and Windows Update as discussed in Configure Group Policy settings for folder redirection and security.
Step 7: Set up Windows Server Backup.
To set up a backup for your server, follow instructions in Set up or customize server backup.
After you set up the backup for your server, the Customize backup for the server task appears on the Devices tab of the Dashboard when you select your server from the list of devices. You can change the server backup settings with this task.
Step 8: Set up the client computer backup.
By default, client backups are automatically configured when you connect a client computer to a server that is running Windows Server 2012 R2 Essentials or Windows Server Essentials Experience. A backup is performed on a daily basis for every computer that is configured.
As the number of computers increases in your organization, we recommend that you back up only computers that contain critical company data. For more client computer backup-related tasks, see Manage client computer backup in Windows Server Essentials.
Step 9: Set up File History backup settings.
For all client computers that are running Windows 8.1 or Windows 8 and are connected to Windows Server Essentials, File History is automatically turned on. By default, the data on the Desktop and in the Documents folder is backed up on an hourly basis. The backup is stored on the server for a year. You can configure the File History backup setting for each computer by using the Change the File History setting task, which you can access from the Users tab on the Dashboard. For more information, see Managing File History in Windows Server 2012 Essentials.
Step 10: Set up your server for online backup with Azure Backup.
To set up your server for online backup by using Azure Backup, use the following steps:
Note
Before you begin to integrate your server with Azure Backup, ensure that you turn off the enhanced Internet security settings on your server by using Server Manager.
After you have completed the integration of your server with Azure Backup, verify that the Online Backup tab has been added to the Dashboard. From this tab, you can configure online backup settings to perform regularly scheduled backups. To initiate an online backup, click Start backup now on the Online Backup tab of the Dashboard, and then verify that the server backup was created.
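The following script is an added example, not part of the original guide. It checks the server-side results of the storage space and Windows Server Backup steps against the recommendations made earlier: mirrored resiliency, at least two backup targets for rotation, and bare metal recovery in the local backup (which Azure Backup cannot provide). The 48-hour freshness threshold and the helper name New-Check are assumptions; the cmdlets are from the standard Storage and WindowsServerBackup modules.

```powershell
# Added example (not from the original guide). Run in an elevated session on the server.
Import-Module Storage, WindowsServerBackup -ErrorAction Stop

$MaxBackupAgeHours = 48   # assumption: a daily backup should never be older than this

function New-Check {
    param([string]$Check, [bool]$Passed, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

$checks = @()

# --- Storage space: must exist, be mirrored, and be healthy ---
$spaces = @(Get-VirtualDisk -ErrorAction SilentlyContinue)
if ($spaces.Count -eq 0) {
    $checks += New-Check 'Storage space exists' $false 'No storage space (virtual disk) found'
}
foreach ($vd in $spaces) {
    $checks += New-Check "Space '$($vd.FriendlyName)' uses mirrored resiliency" `
        ($vd.ResiliencySettingName -eq 'Mirror') `
        "Resiliency: $($vd.ResiliencySettingName); data copies: $($vd.NumberOfDataCopies)"
    $checks += New-Check "Space '$($vd.FriendlyName)' is healthy" `
        ($vd.HealthStatus -eq 'Healthy') `
        "Health: $($vd.HealthStatus); status: $($vd.OperationalStatus)"
}

# --- Windows Server Backup: scheduled policy, rotation, bare metal recovery ---
$policy = Get-WBPolicy -ErrorAction SilentlyContinue
if (-not $policy) {
    $checks += New-Check 'Scheduled backup policy exists' $false 'No backup policy configured'
} else {
    $schedule = @(Get-WBSchedule -Policy $policy)
    $checks += New-Check 'Backup schedule defined' ($schedule.Count -gt 0) `
        "Scheduled times per day: $($schedule.Count)"

    $targets = @(Get-WBBackupTarget -Policy $policy)
    $checks += New-Check 'At least two backup targets (rotation)' ($targets.Count -ge 2) `
        "Targets in policy: $($targets.Count)"

    $bmr = [bool](Get-WBBareMetalRecovery -Policy $policy)
    $checks += New-Check 'Bare metal recovery included' $bmr "BMR in policy: $bmr"
}

# --- Last backup outcome and freshness ---
$summary = Get-WBSummary
$last    = $summary.LastSuccessfulBackupTime
$fresh   = [bool]($last -and ((Get-Date) - $last).TotalHours -le $MaxBackupAgeHours)
$checks += New-Check "Successful backup within $MaxBackupAgeHours hours" $fresh `
    "Last successful backup: $last"
$checks += New-Check 'Most recent backup succeeded' ($summary.LastBackupResultHR -eq 0) `
    "Last backup: $($summary.LastBackupTime); HRESULT: $($summary.LastBackupResultHR)"

$checks | Format-Table -AutoSize -Wrap
```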
After you complete Steps 1 through 10, all your organization’s goals as listed in this document are met as follows:
Your organization’s data is now stored in a central location on a server running Windows Server 2012 R2 Essentials or Windows Server Essentials Experience so that all network users can easily access it.
You have created a storage space to use as your destination for creating server folders, which allows you to easily expand the storage capacity of your server.
You have set access permissions for user accounts in your network, so only selected users can access server folders and the data in them as needed.
You have defined a schedule for creating backups by using Windows Server Backup, which solves the problem of inconsistent manual backups.
In the event of hardware failure, you can restore a client computer or server from its backup.
If the on-site backups are unavailable, you can restore your files and folders from your online backups stored in Azure.