As someone who travels a lot, one of my favorite Windows features is offline caching. This feature (whose name seems to change from one version of Windows to the next) allows mobile users to create a local copy of a shared network folder. Therefore, users can access network files even when they are not connected to the network. Whenever connectivity is reestablished, any changes that have been made to the files are synchronized so both the network and the local copy of the files are up to date.
Although offline caching is an extremely handy feature, it is not without risk. Securing these files can be a challenge since offline caching allows the contents of a file server to be copied to a potentially unsecure laptop.
While technologies like BitLocker can help prevent accidental data disclosure on laptops, it is equally important to implement offline caching in a secure manner. One way of doing so is to regulate offline file caching at the group policy level.
Pay attention to the requirements listed for each group policy setting when controlling offline file caching. The requirements portion of a setting's description tells you which operating systems the setting is compatible with. Don't assume that the available settings will work with Windows 7. There are several settings that appear in the Group Policy Editor even though support for them has been discontinued. One example is the Event Logging Level setting, which will only work with Windows 2000, Windows XP and Windows Server 2003.
Group policy settings
The group policy settings used to regulate offline file caching are located at "Computer Configuration | Administrative Templates | Network | Offline Files," as shown in Figure 1. This container offers a number of settings related to offline file synchronization. Although many of these settings have been around since Windows XP, some are new to Windows 7.
Configure background sync
The Configure Background Sync option is a new group policy setting. The synchronization process can be very time consuming, especially when it is being performed across a slow network link. To make the synchronization process more efficient, schedule a background synchronization to occur on computers that are connected to shared resources over a slow network link.
When enabled, a background synchronization occurs every 360 minutes (six hours). This behavior can be changed by specifying a new sync interval or by setting a policy that dictates the maximum amount of time that can pass without a sync occurring. There is also a variance value that can be set, which helps prevent every machine from synchronizing at the same time.
Exclude files from being cached
Perhaps the most important new group policy setting is the Exclude Files From Being Cached setting. This setting has both security and practical uses.
An example of a practical use is that the setting can prevent database files from being cached. If a user were somehow able to cache a database file that is used by a network application, the synchronization process would likely corrupt the file. Therefore, it is best to configure a group policy setting to prevent database files from being cached.
This setting is also useful for security purposes. For example, suppose your organization is working on a new business plan, and although certain employees need access to the plan, you don't want them to be able to take it outside of the organization. You could prevent the business plan from being written to a user's offline cache by making adjustments to this group policy setting.
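The following PowerShell is an added example, not part of the original article. It checks a proposed exclusion list against a file inventory and reports files of types you consider sensitive that would still be cacheable. The semicolon-separated wildcard format of the list, the extension list and the file names are assumptions constructed for illustration.

```powershell
# Assumption: the exclusion list is a semicolon-separated set of wildcard patterns.
$ExclusionList = '*.mdb; *.accdb;*.ldb ; *.pst'

# Hypothetical list of extensions this organization never wants in an offline cache.
$MustNotCache = '.mdb', '.accdb', '.ldb', '.pst', '.sdf', '.kdbx'

# Constructed inventory standing in for a listing of the shared folder.
# For a real share, substitute (Get-ChildItem -Recurse -File <path>).FullName.
$Inventory = @(
    'Finance\ledger.mdb'
    'Finance\ledger.ldb'
    'Sales\customers.SDF'
    'Mail\archive.pst'
    'IT\vault.kdbx'
    'Plans\business-plan.docx'
)

function ConvertTo-ExclusionPattern {
    param([string]$List)
    # Split on ';', trim stray spaces, drop empty entries left by trailing separators.
    $List -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Test-ExcludedFromCache {
    param([string]$Path, [string[]]$Patterns)
    # Patterns are compared with the file name only; -like is case-insensitive.
    $leaf = [System.IO.Path]::GetFileName($Path)
    foreach ($p in $Patterns) {
        if ($leaf -like $p) { return $true }
    }
    return $false
}

function Get-CacheExposure {
    param([string[]]$Paths, [string[]]$Patterns, [string[]]$Sensitive)
    foreach ($path in $Paths) {
        $ext       = [System.IO.Path]::GetExtension($path).ToLowerInvariant()
        $excluded  = Test-ExcludedFromCache -Path $path -Patterns $Patterns
        $sensitive = $Sensitive -contains $ext
        [pscustomobject]@{
            Path      = $path
            Excluded  = $excluded
            Sensitive = $sensitive
            Gap       = $sensitive -and -not $excluded   # sensitive type, no matching pattern
        }
    }
}

$patterns = ConvertTo-ExclusionPattern -List $ExclusionList
$report   = Get-CacheExposure -Paths $Inventory -Patterns $patterns -Sensitive $MustNotCache
$report | Format-Table -AutoSize
$report | Where-Object { $_.Gap } | ForEach-Object { Write-Warning "Still cacheable: $($_.Path)" }
```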
Enable transparent caching
Another new setting is Enable Transparent Caching, which can improve the end-user experience and decrease bandwidth consumption over slow wide-area network (WAN) links.
Prior to the creation of transparent caching, if a user was connected to the network, files were read from network servers even if a copy existed in the local cache. With transparent caching enabled, the read process works quite a bit differently when the user is working online and accessing files across a WAN link.
Windows starts by checking to see if the requested file is available locally. If the file does exist in the local cache, then Windows checks to make sure it's up to date. If so, then the requested read operation is performed against the local copy of the file. Write operations are always performed against the network copy, as long as the user is working online.
You can exercise a great deal of control over offline file caching by implementing group policy settings, but remember to pay close attention to which operating systems each setting is valid for.
ABOUT THE AUTHOR:
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Exchange Server and has previously received Microsoft's MVP award for Windows Server and Internet Information Server (IIS). He has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Posey has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal website at www.brienposey.com.
This was first published in November 2009