The file extension filtering mechanism uses a combination of a file’s extension and access control lists (ACLs) to allow or disallow access to files with certain file extensions. The combination of file extensions and ACLs provides fine-grain control of filtering, and Microsoft Windows users can save to a CIFS share or a Data Mover. This article will demonstrate file extension filtering on VNX.

Content The File extension filtering uses two components:

• A set of filter files named with a special naming convention that includes the name of the extension and share that you want to filter. You must store these files in the \.filefilter directory, a special directory on the Data Mover. If there are no filter files in the \.filefilter directory, filtering does not occur.
• The ACL set on the filter file. You can use the ACL to set exceptions to the filter policy. The ACL allows you to limit file extension filtering on a domain-user basis.

Create a filter file

To create a filter file:

1. From a Windows workstation on the domain, log in as the domain administrator.

2. From Windows Explorer, map a drive to the root file system of the Data Mover (\\<movername>\C$).

Where:

<movername> = name of the CIFS server.

3. Move to the \.filefilter directory on the root of the file system (C$ share).

4. Use Windows Notepad to create a blank file.

Use the filter files naming convention:

     <extension_name>[@<sharename>[@<netbios_name>]]

Where:

<extension_name> = file extension that you want to filter.

<sharename> = name of the share to which you want to apply the filter. The <sharename> is an optional part of the filename. If you do not include a <sharename>, the filter is applied to all shares on the Data Mover.

<netbios_name> = NetBIOS name to which you want to limit the filtering. The <netbios_name> element is an optional part of the filename. If you specify the NetBIOS name, you must also specify a share name. If the share is available on multiple NetBIOS names, this name element limits the filtering to a particular NetBIOS name.

For example:

To prevent .ppt files from being saved on the \jeffey_fs_01 share on Data Mover server_2, you would create a file in the \.filefilter directory of server_2 and name it ppt@jeffey_fs_01.:

Use file extension filtering to control privileges

Instead of enforcing a blanket restriction against a type of file, you can configure the filter file’s ACL so that everyone can perform (or is prevented from performing) certain actions against a file type. To do this, you would add an ACE for everyone, and then modify the advanced properties to allow or deny specific actions.

For example:

You can allow everyone access to .ppt files on \jeffey_fs_01, while preventing anyone from deleting .pptfiles from the share. In this case, you create the filter file, ppt@jeffey_fs_01, and in the file’s ACL, create an ACE for Everyoneand set privileges to Modify, Read & Execute, Read, and Write. Then, under Advanced properties, you can explicitly deny Delete privilege to Everyone. 

Author: Jeffey Liu

             

iEMC APJ

Please click here for all contents shared by us.