How to Block Specific File Types in Windows Server 2012?

Ever had a user upload music files or executables to your file servers? Not only can this be a security risk, but it also eats away at expensive storage space. In this Ask an Admin, I’ll show you how to use the File Server Resource Manager (FSRM) to block unwanted file types.

What Is File Screening?

The File Server Resource Manager first appeared in Windows Server 2008. It included the ability for administrators to define which file types users can save to file servers. Administrators can block defined file types from an entire volume, or to specified folders. [Still valid in Windows Server 2016, 2019, and 2022]

Install File Server Resource Manager (FSRM)

Before you can enable file screening on your file server, you will need to make sure the File Server Resource Manager is installed. The quickest way to install FSRM in Windows Server 2012 is to open a PowerShell console on the server with local administrative privileges and run the following command:

Add-WindowsFeature –Name FS-Resource-Manager –IncludeManagementTools

Configure File Screening

Log on to your server as a local administrator. After FSRM is installed, you can open it from the Tools menu in Server Manager.

  • In the left pane of FSRM, expand File Screening Management and click the File Groups node. In the central pane, you’ll see conveniently grouped file types so that you can create rules without individually specifying file extensions.
  • Now click File Screen Templates in the left pane. Here you can see some predefined rules that you can apply to volumes or folders.
  • Double-click the Block Audio and Video Files template in the central pane. In the properties dialog box, the Settings tab shows the actions that will apply if you use this template.
File Screening in Windows Server 2012 R2
File Screening in Windows Server 2012 R2.

 

The main part of the template configuration is that the file types specified in the Audio and Video Files group will be actively blocked. You can use passive screening if you just want to monitor what is happening but not prevent users from saving files. In addition to active and passive screening, you can choose to send alerts via email, run a command or report, and log attempts to save blocked files to the Event Log.

  • Close the properties dialog.
  • If you right-click a template in the central pane of FSRM, the context menu gives you the option to edit the existing template or create a new template based on the settings of the template you have chosen.
  • Now right-click File Screens in the left pane and select Create File Screen from the menu.
  • In the Create File Screen dialog, click Browse and select a volume or folder to which the new rule should be applied, and then click OK.
  • Under How do you want to configure file screen properties?, select the desired template from the drop-down menu and click Create. The new file screen rule will appear in the central pane.

Create an Exception

Exceptions can come in handy if you want a file type, which is blocked by the main rule, to be allowed in a specific location.

  • Right-click File Screens in the left pane again and select Create File Screen Exception from the menu.
  • Select the group to exclude under File groups.
  • Click OK to complete the process.

FAQs

What are the licensing requirements for File Server Resource Manager in Windows Server environments?

File Server Resource Manager is included with Windows Server Standard and Datacenter editions at no additional cost. However, you need appropriate Client Access Licenses (CALs) for users accessing resources managed by File Server Resource Manager.

Can File Server Resource Manager integrate with third-party storage solutions?

Yes, File Server Resource Manager can work with third-party storage solutions through APIs and PowerShell commands, allowing administrators to extend its functionality beyond native Windows storage.

What’s the maximum number of file screening rules that File Server Resource Manager can handle?

File Server Resource Manager can manage thousands of file screening rules simultaneously, with the practical limit depending on server resources. However, Microsoft recommends keeping rule sets manageable by organizing them efficiently.

Does File Server Resource Manager impact server performance?

File Server Resource Manager typically has minimal impact on server performance when properly configured. However, extensive quotas and file screening rules across multiple volumes may require additional system resources.

Can File Server Resource Manager automate storage reports across multiple servers?

Yes, File Server Resource Manager includes built-in scheduling capabilities for generating storage reports across multiple servers, with options to export data in various formats and automatically distribute reports to stakeholders.