Juggling Drives with NTFS

PCQ Bureau

Windows administrators have long complained that the OS lacked basic features to better enforce file system security. The common way to secure drives, directories and files has been to set up access control lists so that only authorized users can gain access to resources. This approach has many pitfalls and problems that lead to spuriously denied access and locked files.

The concepts of file system jails and honeypots have existed on Unix and Linux systems for a long time. File system jails work by restricting what the logged-on user can see and hence manipulate. Modern deployments of these OSs use different partitions to store their various folders. Similar techniques can be used on Windows, with that little extra in the form of drive letters, to add the oomph back to Windows. To do this, we must first understand the underlying concepts and their behavior under NTFS and NTFS-capable Windows.

Drive letters

Yes, everyone knows that these are letters from A through Z and that each one denotes a disk or a partition. A and B are reserved for floppy disks and the rest go to our hard disks, removable storage, optical drives, network-mapped drives and whatnot.

Direct Hit!
Applies to: Windows Server 2003 administrators
USP: NTFS mount points and multiple drive letters that can be used to enhance security

NTFS mount points

Alternatively, we can do away with drive letters altogether and mount everything into folders at different places on our system drive. The only requirement is that both the 'host' partition (where we mount it) and the 'target' (what we are mounting) are NTFS formatted.

Some considerations

There are certain things Windows just won't allow us to do, and we can take advantage of these 'limitations' as discussed below.

  • We can neither change nor remove the drive letter assigned to the drive Windows is installed on.
  • We can neither change nor remove the drive letter assigned to the C drive; Windows will always treat the drive our MBR is on as our C drive.
  • We should not mount the Windows folder tree anywhere else. Although mounting it would produce no errors, it would create all kinds of access problems later on.
  • Each partition can have only one drive letter.
  • We can mount a partition any number of times on any number of partitions.
  • We can mount a partition only into an empty folder, but this folder can be anywhere in the tree.
  • We can have only 26 drive letters (A to Z) in total.
  • Windows lets us set permissions separately for each partition, the mounted one and the one carrying the drive letter, so we must take care when doing this.
We can easily take care of the first two limitations by installing Windows on an NTFS-formatted C drive.
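The last point in the list is the one that bites in practice: the same data is reachable through every path a partition is mounted at, and each path carries its own permissions. The following PowerShell script is an added example, not part of the original article, that enumerates every NTFS volume together with all of its drive letters and NTFS mount points (through the Win32_Volume and Win32_MountPoint WMI classes) and lists, for each path, the Allow entries granting write-type rights to broad principals. It assumes PowerShell 3 or later for Get-CimInstance (the article targets Server 2003, where PowerShell would have to be installed), an elevated session, and a constructed list of principals worth flagging.

```powershell
# Added example (not from the PCQuest article): list every path through which
# each NTFS volume is reachable (drive letter and NTFS mount points) and the
# broad-principal write grants in the ACL effective at each path. Uses the
# Win32_Volume and Win32_MountPoint WMI classes; run from an elevated session.

# Principals that should rarely hold write rights at the root of a data volume.
# Constructed starting list; extend it to suit the environment.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Rights that allow creating, changing or deleting content.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, Delete, FullControl'

function Get-RefKey([object]$Ref, [string]$Key) {
    # Get-CimInstance returns association references as CimInstance objects;
    # the older WMI cmdlets return 'Class.Key="value"' strings. Accept both.
    if ($Ref -is [string]) {
        $pattern = '{0}="(.+)"$' -f [regex]::Escape($Key)
        if ($Ref -match $pattern) { return $Matches[1] -replace '\\\\', '\' }
        return $null
    }
    return $Ref.$Key
}

# Volume GUID path -> every directory it is mounted into.
$mountsByVolume = @{}
foreach ($mp in Get-CimInstance -ClassName Win32_MountPoint) {
    $volId = Get-RefKey $mp.Volume 'DeviceID'
    $dir   = Get-RefKey $mp.Directory 'Name'
    if (-not $volId -or -not $dir) { continue }
    if (-not $mountsByVolume.ContainsKey($volId)) { $mountsByVolume[$volId] = @() }
    $mountsByVolume[$volId] += $dir
}

$report = foreach ($vol in Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.FileSystem -eq 'NTFS' }) {
    $paths = @()
    if ($vol.DriveLetter) { $paths += "$($vol.DriveLetter)\" }
    if ($mountsByVolume.ContainsKey($vol.DeviceID)) { $paths += $mountsByVolume[$vol.DeviceID] }
    # Normalise trailing backslashes so the same path is not reported twice.
    $paths = @($paths | ForEach-Object { $_.TrimEnd('\') + '\' } | Sort-Object -Unique)

    foreach ($p in $paths) {
        $acl  = Get-Acl -LiteralPath $p
        $weak = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $_.IdentityReference.Value -and
            (($_.FileSystemRights -band $WriteMask) -ne 0)
        }
        [pscustomobject]@{
            Label      = $vol.Label
            Path       = $p
            MountCount = $paths.Count   # >1: the same data has several paths, each with its own ACL to review
            BroadWrite = (@($weak | ForEach-Object { $_.IdentityReference.Value }) -join '; ')
        }
    }
}

$report | Sort-Object Label, Path | Format-Table -AutoSize
```

Any row with MountCount greater than 1 is a partition reachable by more than one path; review every row for that label, not only the drive-letter one, and treat a non-empty BroadWrite column on an NFPC volume as a finding.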

Standard disclaimer: Do not experiment with this on a production server. Any data lost will be at your own risk.

Preparing for deployment

Though we can easily implement this using multiple hard disks, we shall take a single hard disk of 80 GB. Windows Server 2003 takes up around 2 GB with most of its services. Then we will need space for the swap file and more for user profiles. 

Any server applications we install will need space. If you are one of those who like to keep software copies or drivers and patches on your server for quick access, then add sufficiently more space. Now, let's partition the disk as follows.

Set aside 4 GB at the beginning of the disk for the C drive, where we shall install Windows. Now add the swap file drive; use the same calculation we would for sizing the swap file, but add about 10 to 20 MB more to allow for future bad sectors and other overheads. Add a 500 MB partition for our drivers and patches, more if needed.

If this server should also serve as a local Windows update repository running SUS, make a 4 GB partition for it. Dedicate the rest of the space to user data. 

Most enterprises will have employees who handle sensitive data (called 'NFPC' or Not for Public Consumption). Put the profiles and document folders for these users on one partition; all the other users can share a single partition. Alternatively, we can have a single NFPC partition and then one partition per department, depending on the load under each scheme.

If you've created these drives anywhere outside the partition tool in the Windows Server 2003 installer, you must not assign any drive letters. 

In the installer, when prompted for the drive to install on, select the 4 GB partition at the top of the list and install there. It will become C and we can no longer change it. Choose to format this partition with NTFS.

Mounting differently

Fire up Disk Management (Start > Run > diskmgmt.msc) and assign a drive letter to our swap drive (say 'D'). Go to System Properties in Control Panel and set the swap file location to this drive. Now reboot.

Once all the drivers and services have been installed, fire up Windows Explorer, open C (it should be the only hard drive listed) and create folders for other partitions.

You need the following: NFPC, SOFTWARE, PUBLIC and COMMON. Of course, as discussed above, this can easily be NFPC1, NFPC2, ACCOUNTS, PRODCN, HR, GENADMIN, PUBLIC, COMMON and SOFTWARE, according to your requirements.

Fire up the Disk Management console again, right-click on the particular partition, select 'Change drive letter and paths', click on Add and then on the 'Mount in the following empty NTFS folder' option. Click on Browse and select the folder we made for that partition. Click OK on the boxes to return to the console. Repeat for each partition.

Go to each folder and set up the permissions and shares as appropriate. Create user accounts and then set up the profiles to point to these folders, with the 'Connect (X drive) to (Y folder)' option.
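The mount step above can also be scripted, which is useful when the same layout is rolled out to more than one server. The following PowerShell is an added example, not the article's own procedure, that reproduces the 'Mount in the following empty NTFS folder' step with mountvol.exe: it looks each data partition up by volume label, checks that both sides are NTFS and that the partition has no drive letter, creates the empty folder under C:, mounts the partition and verifies the result. It assumes the partitions were given the labels NFPC, SOFTWARE, PUBLIC and COMMON when they were formatted (an assumed convention; the article names the folders but not the labels), PowerShell 3 or later for Get-CimInstance, and an elevated session.

```powershell
# Added example (not from the PCQuest article): scripted version of the
# Disk Management 'Mount in the following empty NTFS folder' step, using
# mountvol.exe and the Win32_Volume WMI class. Run from an elevated session.

# Folder under C:\  ->  volume label. The labels are an assumed convention:
# the article names the folders but says nothing about labelling partitions.
$MountPlan = [ordered]@{
    'NFPC'     = 'NFPC'
    'SOFTWARE' = 'SOFTWARE'
    'PUBLIC'   = 'PUBLIC'
    'COMMON'   = 'COMMON'
}

$volumes = Get-CimInstance -ClassName Win32_Volume

# The host partition must be NTFS as well: a mount point is an NTFS reparse point.
$hostVol = $volumes | Where-Object { $_.DriveLetter -eq 'C:' } | Select-Object -First 1
if (-not $hostVol -or $hostVol.FileSystem -ne 'NTFS') {
    throw "C: is not an NTFS volume; mount points need NTFS on both sides."
}

foreach ($folder in $MountPlan.Keys) {
    $label = $MountPlan[$folder]
    $path  = Join-Path 'C:\' $folder

    $vol = $volumes | Where-Object { $_.Label -eq $label } | Select-Object -First 1
    if (-not $vol)                  { Write-Warning "No volume labelled '$label'; skipping $path"; continue }
    if ($vol.FileSystem -ne 'NTFS') { Write-Warning "'$label' is $($vol.FileSystem), not NTFS; skipping"; continue }
    if ($vol.DriveLetter)           { Write-Warning "'$label' still has letter $($vol.DriveLetter); remove it in Disk Management first"; continue }

    # The target must be an empty folder. A folder that already carries a
    # mount shows the mounted volume's contents, so it is refused here too.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    } elseif (Get-ChildItem -LiteralPath $path -Force | Select-Object -First 1) {
        Write-Warning "$path is not empty; skipping"; continue
    }

    # mountvol <folder> <\\?\Volume{GUID}\> creates the mount point.
    mountvol $path $vol.DeviceID
    if ($LASTEXITCODE -ne 0) { Write-Warning "mountvol failed for $path (exit $LASTEXITCODE)"; continue }

    # Verify: 'mountvol <folder> /L' prints the volume GUID path now mounted there.
    $mounted = (mountvol $path /L | Out-String).Trim()
    if ($mounted.TrimEnd('\') -eq $vol.DeviceID.TrimEnd('\')) {
        Write-Output "Mounted '$label' at $path"
    } else {
        Write-Warning "Verification failed for $path (got '$mounted')"
    }
}
```

After the script has run, set permissions and shares on each folder exactly as the paragraph above describes; mounting by itself changes nothing about who may read or write the data.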

Mess it up

We can add another level of complexity to the setup by roping in DFS (Distributed File System) to create new mount points and then mounting combinations of these for a particular purpose. For example, if Ravi in Accounts needs access to folders in NFPC2, ACCOUNTS and COMMON, we can create a DFS point called 'Ravi', mount these folders into it, map the whole thing to a drive letter and share it with Ravi.

Sujay V Sarma