TOP 10 WAYS TO PROTECT YOUR FILE SERVER
It is normal to have a file server within your organization, especially in IT environments with an Electronic Document Management System (EDMS) or enterprise applications such as ECM, CRM and ERP systems, where physical and logical volumes are created to store all your files (video files, image files, TIFFs, PDFs, electronic documents and everything else).
It is the task of the Windows administrator to use Windows access controls and other tools to keep those files safe from unauthorised access.
The file server is accessible to the administrator, and it can end up accessible to everyone (especially where multiple applications such as CRM, ERP, EDMS and BPA systems run on the same servers) if proper security measures are not implemented.
Below are the top 10 requirements for safeguarding confidential information and the file server that holds it.
Make Sure your Servers are Physically Secure - If an intruder can gain physical access to your server, you are at risk of the entire machine, or one of its hard drives, walking out the door. In addition to ensuring physical security, configure the system so that it boots only from the internal hard drive, to prevent an intruder from starting it from removable media, and protect the BIOS/UEFI firmware setup and the boot loader with a strong password. A firmware password stops someone changing the boot order on the running machine; it does nothing for a drive that is pulled out and read elsewhere, which is why the next item exists.
Encrypt your Drives - Using a product like WinMagic or BitLocker to encrypt your drives ensures that your files remain protected even if a hard drive is stolen, or is discarded insecurely after being replaced. On a server with a Trusted Platform Module (TPM), BitLocker can seal the volume key to the TPM so that unlocking at boot is transparent to administrators and users. Keep a recovery password for each volume and back it up (for example to Active Directory), because a firmware update or hardware change can make the TPM refuse to release the key.
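The following is an added example, not code from the original article, showing the TPM-backed BitLocker setup described above on a Windows Server file server. It assumes an OS volume C:, a data volume D:, a TPM that is present and ready, and a domain-joined server for recovery-key escrow; adjust the mount points to your own layout.

```powershell
# Added example, not from the original article: enable BitLocker on a file server with a TPM.
# Assumptions: Windows Server 2012 R2 or later, a TPM that is present and ready, OS volume C:,
# data volume D:, domain-joined server (for key escrow). Run in an elevated PowerShell session.

# 1. The BitLocker feature is not installed on Windows Server by default.
if (-not (Get-WindowsFeature -Name BitLocker).Installed) {
    Install-WindowsFeature -Name BitLocker -IncludeManagementTools   # requires a restart
}

# 2. Without a ready TPM you would have to type a password at every boot.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM not present or not ready; enable it in firmware setup before continuing.'
}

# 3. OS volume: recovery password first (so you are never locked out), then the TPM protector
#    that makes day-to-day unlock transparent. XTS-AES-256 is the strongest built-in cipher.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmProtector -UsedSpaceOnly -SkipHardwareTest

# 4. Data volume: its own recovery password, and auto-unlock once the OS volume is unlocked,
#    so the share comes up after a reboot without an administrator typing anything.
Enable-BitLocker -MountPoint 'D:' -EncryptionMethod XtsAes256 -RecoveryPasswordProtector -UsedSpaceOnly
Enable-BitLockerAutoUnlock -MountPoint 'D:'

# 5. Escrow every recovery password in Active Directory, then show the result.
foreach ($mp in 'C:', 'D:') {
    $vol = Get-BitLockerVolume -MountPoint $mp
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $kp.KeyProtectorId
    }
}
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

If Enable-BitLockerAutoUnlock reports that the OS volume is not yet protected, reboot once so the OS volume's protectors become active and run that one line again. Backup to Active Directory only succeeds if the domain has the BitLocker recovery schema and the "Store BitLocker recovery information in AD DS" policy; otherwise record the recovery password offline in your password vault.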
Keep the Windows File Server off the Internet - This does not mean the file server can never reach the Internet, but that access must be controlled through Internet access policies or a web URL filtering solution such as Fortinet or Forcepoint. In layman's terms: put it behind a next-generation firewall, allow outbound connections only to the destinations it actually needs (patch and antivirus update servers), and never expose SMB (TCP 445) or any other file-sharing port to the Internet.
Ensuring that the Patches are Installed - Always apply the latest available patches to protect the server from known vulnerabilities and attacks. A server that is not connected to the Internet can still be patched by pointing it at a WSUS (Windows Server Update Services) server elsewhere on your network. Also make sure that Internet Explorer Enhanced Security Configuration stays enabled, since nobody should be browsing the web from the file server at all.
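As an added example (not from the original article), this is how a server with no Internet access is pointed at an internal WSUS server from PowerShell and then asked what it is still missing. The WSUS host name wsus.corp.example and port 8530 are placeholders; the registry values are the same ones the "Specify intranet Microsoft update service location" Group Policy setting writes.

```powershell
# Added example, not from the original article: point a file server with no Internet access at an
# internal WSUS server and check what it still needs. Assumptions: the WSUS server name
# wsus.corp.example and port 8530 are placeholders for your own; run elevated.
$wsusUrl = 'http://wsus.corp.example:8530'
$wuKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey   = "$wuKey\AU"

# Same registry values that the "Specify intranet Microsoft update service location" GPO sets.
New-Item -Path $auKey -Force | Out-Null
Set-ItemProperty -Path $wuKey -Name WUServer       -Value $wsusUrl -Type String
Set-ItemProperty -Path $wuKey -Name WUStatusServer -Value $wsusUrl -Type String
Set-ItemProperty -Path $auKey -Name UseWUServer    -Value 1 -Type DWord
Set-ItemProperty -Path $auKey -Name NoAutoUpdate   -Value 0 -Type DWord
Set-ItemProperty -Path $auKey -Name AUOptions      -Value 3 -Type DWord   # 3 = auto download, notify to install

# Pick the policy up and ask the Windows Update agent to scan against WSUS now.
Restart-Service -Name wuauserv
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()

# What was installed recently, and what has WSUS approved that is still missing?
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, Description, InstalledOn
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$missing  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
"{0} approved update(s) not yet installed" -f $missing.Count
$missing | ForEach-Object { $_.Title }
```

AUOptions 3 leaves the installation (and the reboot) to you, so patching lands in a maintenance window instead of whenever the agent decides; in a domain, set the same values through Group Policy rather than on each server by hand.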
Use an Enterprise class Antivirus Solution - An endpoint antivirus helps ward off known viruses and malware that reach the server even when you have perimeter-level antivirus protection, because the perimeter cannot inspect files written to the share from inside the network. Keep its signatures updated through the same controlled channel you use for patches.
Maintain an approved Software Inventory - Maintaining an approved software inventory helps you limit the use of freeware and trialware on file servers. Such software can infect the system or collect sensitive information from the file system without your knowledge. Packages like Java, Flash, Adobe Reader, Silverlight and MS Office are not really required on a file server; they only increase the attack surface.
Harden & Harden - Hardening the server plays a major role in securing your file server. Stop all unnecessary services and maintain a list of approved services that are allowed to run. Stop and disable these services immediately if they are present: Fax, Messenger, IIS Admin, NetMeeting, SMTP, Telnet and World Wide Web Publishing. Two items from the traditional list need care: Terminal Services (Remote Desktop) is usually the administrators' management channel, so restrict it to the management network rather than stopping it, and on Windows Server 2008 and later the Task Scheduler service is used by the operating system itself and must stay running, so audit its scheduled tasks instead of disabling it. Several of the others (Messenger, NetMeeting, Telnet) no longer exist, or are not installed, on current Windows Server versions.
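Here is an added example (not from the original article) of enforcing the service baseline just described: disable the legacy services if they exist, and report any running service that is not on an approved list. The $approved list is illustrative; build yours by capturing the running services of your own hardened image.

```powershell
# Added example, not from the original article: enforce a service baseline on a file server.
# Assumptions: the server's only job is SMB file sharing; $approved is an illustrative baseline that
# you must build from your own hardened image. Run elevated; add -WhatIf to Stop-Service and
# Set-Service to preview the changes first.

# Service names behind the display names in the list above. Absent on modern builds is fine.
$legacy = @{
    'Fax'       = 'Fax'
    'Messenger' = 'Messenger'
    'IISADMIN'  = 'IIS Admin'
    'mnmsrvc'   = 'NetMeeting Remote Desktop Sharing'
    'SMTPSVC'   = 'SMTP'
    'TlntSvr'   = 'Telnet'
    'W3SVC'     = 'World Wide Web Publishing'
}
foreach ($name in $legacy.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }
    Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $name -StartupType Disabled
    'Disabled {0} ({1})' -f $legacy[$name], $name
}

# Services a file server legitimately needs running. Schedule (Task Scheduler) and TermService
# (Remote Desktop) stay, for the reasons given in the text.
$approved = @(
    'LanmanServer', 'LanmanWorkstation', 'Netlogon', 'RpcSs', 'RpcEptMapper', 'DcomLaunch',
    'Dnscache', 'Dhcp', 'W32Time', 'EventLog', 'Schedule', 'TermService', 'WinRM',
    'wuauserv', 'MpsSvc', 'BFE', 'CryptSvc', 'Winmgmt', 'LSM', 'SamSs', 'VSS', 'nsi',
    'gpsvc', 'ProfSvc', 'PlugPlay', 'Power', 'UserManager', 'WinDefend'
)

# Report every running service not on the list; review each one, then either approve it or disable it.
function Get-ServiceDrift {
    param([string[]]$Approved = $approved)
    Get-Service | Where-Object { $_.Status -eq 'Running' -and $_.Name -notin $Approved } |
        Select-Object Name, DisplayName, StartType
}
Get-ServiceDrift | Format-Table -AutoSize
```

Run Get-ServiceDrift on a schedule and alert on a non-empty result; a service appearing that nobody approved is exactly the kind of change hardening is meant to catch.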
Controlled Logical Access Control - Restrict file and folder level access to specific users and groups using NTFS security. Grant permissions to groups rather than to individual users, remove the default grants to Everyone and BUILTIN\Users from share roots, and give each group the minimum right it needs (read-only versus modify, with Full Control reserved for administrators and SYSTEM).
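The following added example (not code from the original article) applies that model to one share folder: break inheritance, grant two AD groups the minimum rights they need, publish the share, and then verify that no broad principal retains access. The volume D:, domain CORP and the group names CORP\FS-Finance-RW and CORP\FS-Finance-RO are placeholders.

```powershell
# Added example, not from the original article: lock down a share folder with NTFS permissions.
# Assumptions: data volume D:, domain CORP, and two AD groups (CORP\FS-Finance-RW, CORP\FS-Finance-RO)
# that you create for this share; all names are placeholders. Run elevated.
$path = 'D:\Shares\Finance'
New-Item -ItemType Directory -Path $path -Force | Out-Null

$acl = Get-Acl -Path $path
# Stop inheriting from D:\ and discard the inherited entries (this is where BUILTIN\Users usually
# gets read access to everything). $true = protect, $false = do not keep inherited ACEs as explicit.
$acl.SetAccessRuleProtection($true, $false)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$grants  = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'CORP\FS-Finance-RW';     Rights = 'Modify' },          # read, write, delete
    @{ Id = 'CORP\FS-Finance-RO';     Rights = 'ReadAndExecute' }   # read only
)
foreach ($g in $grants) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Id, $g.Rights, $inherit, $prop, 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $path -AclObject $acl

# Share-level ACL mirrors the groups; NTFS is where the fine-grained control lives.
New-SmbShare -Name 'Finance' -Path $path -FullAccess 'CORP\FS-Finance-RW' -ReadAccess 'CORP\FS-Finance-RO' | Out-Null

# Verification: list the effective ACL, then warn loudly if any broad principal still has access.
(Get-Acl -Path $path).Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
$broad = (Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$' }
if ($broad) { Write-Warning "Broad access still present on $path"; $broad }
```

Keeping SYSTEM and Administrators on every share root matters: backup agents and the antivirus run as SYSTEM, and without an administrators' entry you will have to take ownership before you can fix a mistake.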
Audit Trails - Make sure auditing is enabled on the file server so that changes and access are logged and available for analysis if required. Auditing plays a major role once something has gone wrong and you are trying to find out who did it. It is configured in two places: the system audit policy (Object Access, File System) must be enabled, and each folder must carry audit entries (its SACL), which you set in the folder's Properties under Security, Advanced, Auditing.
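As an added example (not from the original article), the same two-part configuration done from PowerShell, followed by a function that reads the resulting Security events back into "who changed what". The folder D:\Shares\Finance is a placeholder; the block creates it if it is missing so it runs on its own.

```powershell
# Added example, not from the original article: turn on file access auditing for a share folder and
# read the resulting events. Assumptions: folder D:\Shares\Finance (placeholder), run elevated, and a
# Security log sized to hold a useful history, because event 4663 is noisy on a busy share.

# 1. System audit policy: without this, SACL entries on folders produce nothing.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Folder SACL: audit writes, deletes and permission changes by anyone, successful or not.
#    Auditing reads too is possible but floods the log; enable it only for genuinely sensitive folders.
$path = 'D:\Shares\Finance'
New-Item -ItemType Directory -Path $path -Force | Out-Null
$acl     = Get-Acl -Path $path -Audit
$rights  = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit, 'None', 'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl
(Get-Acl -Path $path -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# 3. Answer "who touched what?" for the last 24 hours. Event 4663 ("an attempt was made to access an
#    object") carries the account, the full path and the process that did it.
function Get-FileAccessTrail {
    param([string]$Path = $path, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            if ($data.ObjectName -like "$Path*") {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                    Object  = $data.ObjectName
                    Access  = $data.AccessMask
                    Process = $data.ProcessName
                }
            }
        }
}
Get-FileAccessTrail | Format-Table -AutoSize
```

Forward the Security log to a central collector (Windows Event Forwarding or your SIEM) as well; an audit trail that lives only on the server that was compromised is the first thing an intruder clears.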
Administration using Least Privileges - Administrative tasks should be done with the least privileges that get the job done: log on with a normal account and elevate only for the task at hand, and do not use Domain Admin credentials on the file server. Also make sure that all admin accounts are protected with strong passwords meeting the following criteria:
Complex passwords with a minimum of 12 characters
Non-trivial, non-guessable passwords (no dictionary words, company names or keyboard patterns)
A mix of alphabetic and numeric characters
Special characters, symbols and spaces in the password
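The following added example (not from the original article) enforces those criteria for a server's local accounts, reviews who holds local administrator rights, and checks a candidate password against the four points above before it is set. CORP\FileServer-Admins is a placeholder for your dedicated admin group; for domain accounts the same values belong in the Default Domain Policy or a fine-grained password policy.

```powershell
# Added example, not from the original article: enforce the password criteria above for local accounts
# and review who holds local administrator rights. Assumptions: run elevated; CORP\FileServer-Admins is
# a placeholder for your dedicated admin group; for domain accounts set the same values in the Default
# Domain Policy or a fine-grained password policy instead.

# 1. Length, age, history and lockout: net accounts writes the local account policy directly.
net accounts /minpwlen:12 /maxpwage:90 /uniquepw:24 /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30

# 2. Complexity (upper, lower, digit, symbol) has no net accounts switch; import it with secedit.
$inf = Join-Path $env:TEMP 'pwpolicy.inf'
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
'@ | Set-Content -Path $inf -Encoding Unicode
secedit /configure /db "$env:TEMP\pwpolicy.sdb" /cfg $inf /areas SECURITYPOLICY /quiet
Remove-Item -Path $inf, "$env:TEMP\pwpolicy.sdb" -ErrorAction SilentlyContinue
net accounts    # verify what is now in force

# 3. Least privilege: anything in local Administrators beyond the built-in account (RID 500) and the
#    dedicated admin group is a finding to investigate.
$expectedAdmin = 'CORP\FileServer-Admins'
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -ne $expectedAdmin -and $_.SID.Value -notlike '*-500' } |
    Select-Object Name, ObjectClass, PrincipalSource

# 4. Check a candidate admin password against the four criteria before you set it.
function Test-PasswordCriteria {
    param([Parameter(Mandatory)][string]$Candidate)
    [pscustomobject]@{
        MinLength12      = $Candidate.Length -ge 12
        UpperAndLower    = ($Candidate -cmatch '[A-Z]') -and ($Candidate -cmatch '[a-z]')
        HasDigit         = $Candidate -match '\d'
        HasSymbolOrSpace = $Candidate -match '[^A-Za-z0-9]'
        NotTrivial       = $Candidate -notmatch '(password|admin|welcome|letmein|qwerty|12345|corp)'
    }
}
Test-PasswordCriteria -Candidate 'Admin12345'           # fails length, lower/upper mix, symbol, trivial
Test-PasswordCriteria -Candidate 'Tall ships 7 seas!'   # passes all five checks
```

Test-PasswordCriteria is a sanity check for the human choosing the password, not a substitute for the policy: the policy is what stops the next administrator from setting "Password1" six months from now.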
Credit: Bharat Gautam, Security Operations Vulnerability Manager