Organizations today store data in many places, including both the corporate file servers and users’ personal devices. To ensure both security and regulatory compliance, IT administrators need to tightly control access to data stored on file servers, and also protect data on portable devices to minimize the risk of data loss or exposure if the devices are lost or stolen.

Windows Server 2016 offers several features that help you protect data:

File Server Resource Manager (FSRM)

Encrypting File System (EFS)

BitLocker


File Server Resource Manager (FSRM)

File servers hold most of the data that your users and applications use. FSRM is a set of tools that help you understand, control and manage the quantity and type of data stored on your servers. FSRM offers:

Quota management. You can create, obtain and manage information about quotas to set storage limits on volumes or folders.

File screening management. You can prevent specific file types from being stored on a volume or folder, or be notified when users store these types of files.

Storage report management. You can schedule and configure reports on the components and aspects of FSRM, including:
Quota usage
File screening activity
Files that might negatively affect capacity management, such as large files, duplicate files or unused files
Files listed and filtered according to owner, file group or a specific file property

Classification management. You can identify, categorize and manage files using a wide array of properties.

File management tasks. You can delete old files or move files to a specific location based on a file property, such as filename or file type.
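
The quota, file screening and storage report features above can be configured together with the FileServerResourceManager PowerShell module. The following is an added example, not part of the original article; the folder path, file group name, patterns, limits and schedule are hypothetical values chosen for illustration.

```powershell
# Added example. Requires the FSRM role service:
#   Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools
Import-Module FileServerResourceManager

$share = 'D:\Shares\Projects'                      # hypothetical shared folder
$group = 'Example - Scripts and executables'       # hypothetical file group name

# File group: the file types to screen for (patterns are illustrative).
New-FsrmFileGroup -Name $group -IncludePattern @('*.exe', '*.ps1', '*.vbs', '*.bat')

# Notification: log a warning event each time a screened file type is saved.
$screenAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] saved [Source File Path] under [File Screen Path] (group: [Violated File Group]).'

# Passive screen: the save succeeds and administrators are notified.
# Starting passive shows what would be blocked before anything is enforced.
New-FsrmFileScreen -Path $share -IncludeGroup $group `
    -Notification $screenAction -Active:$false

# Active screen: once the logged events look right, block the save as well.
# Set-FsrmFileScreen -Path $share -Active

# Quota: hard 50 GB limit on the folder, with a warning event at 85 percent.
# Add -SoftLimit to New-FsrmQuota to monitor usage without enforcing the limit.
$quotaAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Quota on [Quota Path] has reached [Quota Used Percent]% of [Quota Limit MB] MB.'
$threshold = New-FsrmQuotaThreshold -Percentage 85 -Action $quotaAction
New-FsrmQuota -Path $share -Size 50GB -Threshold $threshold

# Storage report: weekly review of quota usage and capacity-related files.
$schedule = New-FsrmScheduledTask -Time (Get-Date '02:00') -Weekly Sunday
New-FsrmStorageReport -Name 'Example - weekly share review' `
    -Namespace @($share) -Schedule $schedule `
    -ReportType @('QuotaUsage', 'LargeFiles', 'DuplicateFiles', 'FilesByOwner')

# Verify what is now in place on the folder.
Get-FsrmFileScreen -Path $share | Format-List Path, Active, IncludeGroup
Get-FsrmQuota -Path $share | Format-List Path, Size, SoftLimit, Usage
```

File screens match on file name patterns only, so a renamed file passes the screen; treat screening as a policy and visibility control alongside access permissions rather than as content inspection.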


Encrypting File System (EFS)

If unauthorized users have physical access to a device (for example, if they have stolen a user’s laptop or smartphone), they can bypass file security to access the data. If you use EFS to protect data, unauthorized users cannot view a file’s content even if they have full access to the device.

Specifically, when an authorized user opens an encrypted file, EFS decrypts the file in the background and provides an unencrypted copy to the application. Authorized users can view or modify the file, and EFS saves changes transparently as encrypted data. If unauthorized users try to do the same, they receive an “Access denied” error.

EFS provides the following important capabilities:

EFS works at the file level, and you can have encrypted and unencrypted files on the same volume.

EFS operates in the background and is transparent to users and applications.

Only authorized users can access encrypted files.

You can use data recovery agents to recover data that was encrypted by any user.

You can use EFS to encrypt files locally or across the network.

In File Explorer, by default, EFS shows encrypted files and folders in a different color than unencrypted files.

EFS can encrypt data at rest only; it does not encrypt data while it is being transmitted over the network.

BitLocker

BitLocker complements EFS by providing an additional layer of protection for data stored on Windows devices. BitLocker protects devices that are lost or stolen against data theft or exposure, and it offers secure data disposal when you decommission a device.

BitLocker has the following features: