Access Based Enumeration (ABE)

Neither the concept nor the implementation is new, so why blog about it?
Well, it seems that ABE has received a lot less attention than it should have. Most
networked operating systems let you share information and, based on your
permissions, you will only be able to "see" the resources that you can actually
access. Microsoft Windows has been (and to some extent still is) different.

With Windows, you can see all objects inside a network share even if you have no
permissions on the object itself. In other words, if a share exists (say
"Home Folders") and you access it, you will see all the folders under it (most likely
one per user in your company) even though you only have permission to access the
information in your own home folder.

ABE changes this. When ABE is enabled on a shared folder, the directory listing is
filtered against the caller's effective NTFS permissions: you will only see the objects
that you actually have (at least read) permissions on. Note what ABE does not do: it is
not an access control. It only hides names from listings; NTFS and share permissions
still decide whether an access attempt succeeds, so a user who already knows a path can
still try it (and will still be denied if the ACL says so). It is also a per-share setting:
the same folder exposed through another share without ABE, or through an administrative
share, is still fully enumerable.

There are several advantages to this:

  1. Even if a user can't access a file, he can still deduce a lot of information
    from knowing that a file or directory exists and knowing its name. ABE
    prevents this.
  2. Fewer failed-access events in the Security Log caused by curious
    double-clicks on objects the user cannot open.
  3. It facilitates sharing a file (as opposed to a folder); more on this in a future post.

As I mentioned in the opening paragraph, neither the concept nor the implementation
is new. The concept has been around for a long time (I remember it from the time
I used to manage Novell-based servers) and the implementation has been available for
quite a while on Microsoft systems: as a separate download for Windows 2003 SP1.


Make ABE work For You

Let's start with an example. We have a share called 'Files', and our user has permissions on
a folder called "Test" inside that share. When he accesses the share 'Files', he can
actually see all the other folders and files under it:

image  

Once ABE is enabled, this is what the user sees (the folders and file to which our
user has no permissions are gone):

image


Enabling ABE on Windows 2008

I am still not used to Windows 2008, so it never ceases to surprise me. Windows 2008 has
four methods (that I found) of sharing a folder (we will discuss sharing files in a later post).

Whichever method you use will automatically and seamlessly install the 'File Server' role on your
server, and the 'File Services' node under 'Roles' in the Server Manager MMC console (as a matter
of fact, the role is seamlessly removed when the last user-created shared folder is removed):

image

This tool is very important as it replaces (more or less) the old 'Shared Folders' interface found under the 'Computer
Management' console, which means that you will be managing and configuring your shares through this
relatively new interface. In my opinion it would have been beneficial to have the old 'Shared Folders'
available here too (it can be added to a custom MMC).

OK, now let's go back and analyze the four methods that can be used to share a folder (bear with me here, it
might sound as if there isn't anything new to learn about folder sharing since it has been around forever.
But, in my opinion, you will be surprised).

The first method for sharing a folder is:

  1. Right click the folder
  2. Choose ‘Share…’
  3. Set the Share Permissions you would like to apply

Note that when using this method, ABE is enabled by default.

The second method:

  1. Right click the folder
  2. Choose ‘Properties’
  3. Select the ‘Sharing’ tab
  4. Press the ‘Advanced Sharing Button’
  5. Enable the share

Note that when using this method, the share permissions are set to Everyone:Read and ABE is disabled
by default.

The third method is using the command line:

  1. Open a command line
  2. Use the following command: net share sharename=drive:path

Note that when using this method, the share permissions are set to Everyone:Read and ABE is disabled
by default.

The fourth and last method (to the best of my knowledge) is relatively new:

  1. Open 'Server Manager'
  2. Expand 'Roles'
  3. Expand 'File Services' and right-click 'Share and Storage Management' (if no user-created shares exist
    on the system, you will have to add the role manually or add the snap-in to a custom MMC).
  4. Choose 'Provision Share' and enter the wizard...

The major advantage of using this wizard is that it walks you through all the tasks involved in
provisioning a share, so you will not forget anything (ABE included, since the wizard asks about it explicitly).

The first page of the wizard gives you an overview of the volumes on the system and asks for the
path of the folder to be shared. If the storage on the system isn't configured to your liking, you can use
'Provision Storage' at the bottom of the screen:

image 

The second window of the wizard gives you the opportunity to change the NTFS permissions on the
chosen folder:

image

On the third window you can choose the share protocols you would like to use (SMB, NFS or
both):

image

The fourth window is important. Here you can change the SMB settings, such as the user limit,
caching (offline files) options and, finally, Access Based Enumeration. These are reached by pressing
the Advanced button (note that by default ABE is disabled):

image

In the remaining windows you configure the SMB permissions (share permissions) and DFS namespace
publishing, and finally create the share:

image image image image


Managing ABE on Windows 2008

Managing ABE (which is a nicer way of saying enabling it, disabling it and checking its status) can be done using
the 'Share and Storage Management' snap-in. Right-click a share, choose Properties and then press the
Advanced button, and you will be presented with the all-too-familiar window that lets you manage ABE on
that share.

image

An additional option for managing ABE is to install the tools provided for Windows 2003 on the Windows 2008
server. You can do so by downloading the management tools from this link. Installing these tools
extends the standard UI with an additional tab that lets you enable or disable ABE on the selected
share, or enable/disable ABE on all shares on the system:

image

An additional tool that is installed is a command-line tool that provides more of the same at the command line:

image
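Because three of the four sharing methods above leave ABE off (and two of them also leave the share ACL at Everyone:Read), the practical question on a file server is "which of my shares actually have it on?". The script below is an added example, not code from the original post or from Microsoft's ABE tools: it reports the enumeration mode and the Everyone share ACE for every user-facing share and, with -Fix, switches ABE on where it is off. It uses the SmbShare module, which ships with Windows Server 2012 / Windows 8 and later; the Windows 2008 server in the post does not have it and there you use Share and Storage Management or the Windows 2003 tools described above. Run it from an elevated PowerShell prompt on the file server.

```powershell
# Added example (not from the original post): audit every user-facing SMB share for
# Access Based Enumeration and, with -Fix, switch it on where it is off.
# Assumes the SmbShare module (Windows Server 2012 / Windows 8 and later) and an
# elevated prompt on the file server itself.
param(
    [switch]$Fix   # report only unless -Fix is given
)

# Administrative shares (C$, ADMIN$, IPC$ ...) are flagged Special. ABE is about the
# shares your users browse, so leave those alone.
$shares = Get-SmbShare | Where-Object { -not $_.Special }

$report = foreach ($share in $shares) {
    $abeOn = ($share.FolderEnumerationMode -eq 'AccessBased')

    # Share-level ACL, to spot the 'Everyone:Read' default that the Advanced Sharing
    # dialog and 'net share' leave behind.
    $everyone = Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccountName -eq 'Everyone' } |
        ForEach-Object { "$($_.AccessControlType):$($_.AccessRight)" }

    [pscustomobject]@{
        Share    = $share.Name
        Path     = $share.Path
        ABE      = if ($abeOn) { 'Enabled' } else { 'DISABLED' }
        Everyone = if ($everyone) { $everyone -join ',' } else { '-' }
    }

    if (-not $abeOn -and $Fix) {
        # Same setting as the ABE checkbox under Share and Storage Management > Advanced.
        # From now on a user's directory listing contains only the objects his effective
        # NTFS permissions let him read; the ACLs themselves are not changed.
        Set-SmbShare -Name $share.Name -FolderEnumerationMode AccessBased -Force
    }
}

$report | Format-Table -AutoSize
```

To see the effect, list the share from a client as the test user (for example `Get-ChildItem \\server\Files`) before and after running the script with -Fix: the entries the user cannot read drop out of the listing, while an explicit `Get-Item \\server\Files\Secret` is still answered by the NTFS ACL exactly as before. The report deliberately shows the Everyone ACE next to the ABE state, because hiding names is no substitute for tightening an over-broad share permission.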


In Conclusion

Access Based Enumeration is a good feature that provides a streamlined experience for users who
access shares. On the other hand, in my opinion, this feature has received too little attention, and it may
cause confusion in IT departments that are not aware of its existence, due to the radical change it causes
in the way that shares appear to users. In addition to that, I personally find it somewhat odd that the Windows
2003 tools used to manage ABE are not installed by default with Windows 2008 and that different ways of
sharing folders give different results with regard to ABE.
All in all, once you get the hang of it, it's a great feature that can improve usability.

UC practical demo

I stumbled upon a video that demos the abilities of Microsoft UC. It looks at
it from the lighter side by building upon the plot of "The Devil Wears Prada".

I found this demo to be one of the better demos I have witnessed; it simply
shows how technology can be used to help with day-to-day tasks without adding
any marketing fluff or overbearing technical details.

http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=668

Knight Rider is back

If you were around during the eighties there is no way you could have
avoided Knight Rider with David Hasselhoff:
image

I used to love the show; the notion of a talking car that could think for itself seemed
unbelievable and cool at the same time. Lately there has been a revival of the show, as a pilot
for a new series has aired with several differences. David Hasselhoff is no longer the
star of the show (he does make a cameo appearance during the pilot) and KITT is replaced
by a killer Mustang:

image

Now, while on the subject of Knight Rider, it seems that Mio wants in on the party, as they
have released a "Knight Rider" GPS device that mimics KITT and uses the voice of William
Daniels (the original KITT).

When the GPS starts up, it says: "Michael, where would you like to go today?" Now how
can you resist that?!


mio knight rider gps from knight rider online on Vimeo.


For the full story, go to:

http://knightrideronline.com/news/2008/06/mio_knight_rider_gps_has_voice.php

Dance Charge by Orange

Don't you hate it when your mobile devices run out of power? What's
the solution? Dancing!

Well, according to Orange it is. Orange has released an armband that uses
kinetic energy to charge your devices. In other words, while you flap your hands
around and call it dancing, your mobile device will be charging.

The device will be offered at the Glastonbury music festival (June 27-29).

image

http://blog.wired.com/music/2008/06/dance-powered-c.html

The age of distraction

We live in an age of distraction. It seems that everything is geared towards getting our
attention; everywhere you turn, information is poured upon you. Personally, I find it very
hard to concentrate on a specific topic these days because of that. When working
on something it seems that temptation lurks everywhere; all of a sudden we are surrounded
by other "things" that seem more interesting at that moment... Is this due to a flaw in the
human psyche, or is it that today we actually do live in the age of distraction?

Look at the Internet: from a small network it has turned into a mammoth of information. You
can find your friends, see what they are doing, update them about what you are doing, watch a
movie (or TV series), listen to music, research a topic, read the news, watch sports, read
a book, read magazines, participate in forums, track your workouts, compare them with others,
log on and play a massively multiplayer online role-playing game, chat with your friends, chat
with strangers... I guess you get the point. Now add in other, more traditional media
such as TV and radio; how much time will be left for you to simply ponder and think?

We might even end up blaming all of these distractions for turning us into dumber people,
since we just sit in front of a screen and stare like hypnotized minions of a greater evil.
When I look at my parents, I actually do feel dumber: they know a lot more than I do;
they know physics, mathematics, chemistry and geography... Even though I was in school just
a few years ago (OK, a bit more than a few), I couldn't find Micronesia on a map even if my life
depended on it...

An interesting claim was raised by A.J. Jacobs in his article "You (We) Are Not Stupid"
in this month's Esquire (American edition). Jacobs says that even though past generations
managed to memorize more information than we do, we are actually smarter. He also
claims that we are less handy but solve problems better, since we can think and we have tools
at our disposal that help us remember instead of having to memorize (the Internet and a
search engine... say, Google).

The claim itself is a reasonable one: why should we bother memorizing information if
that information can be recorded for us and accessed whenever we need it...?
In my opinion this is the catch of the claim: we have to trust that the source
we have used to memorize the information for us will still be there when
we need it, and that it will still be valid.
Basically, by becoming totally dependent on these information guardians we might actually be
turning into those hypnotized zombies; we would have no way of knowing whether someone
changed the information in their favor (Moses said that we should all buy brand A...)...

After writing quite a few words, all I wanted to ask is: how do you filter the information flow
towards you (to keep focused), and how do you know whether what you do process is valid or not?

Love my mobile phone

In my line of work, I find myself having to coordinate between different people (from
different companies) to complete tasks. This seems to be a fairly simple issue, yet as it
turns out, what seems simple isn't necessarily so...

When coordinating between people who have dependent tasks, some people have
a tendency to entrench themselves in counterproductive positions while blaming
the other side for the failure. This is emphasized when dealing with each party
individually. (As you may or may not know, every story has three sides: mine, yours
and the truth...)

One remedy for such issues is to call a meeting. You bring everyone in (accommodating
everyone's schedule), you provide refreshments, you listen to everyone and, in my humble
opinion, you waste a lot of time...

So how do I solve this problem?

Well, quite simply by using the conference option on my mobile phone. Instead of calling
a meeting, I simply get everyone involved on the line (which doesn't allow
them to prepare) and create a natural confrontation between the sides. Oddly enough,
most conflicts, as if by magic, disappear. People are so surprised and shocked when they are
directly confronted without having time to dig in that they prefer to resolve the issue
and leave the discussion as soon as possible.

You might say that this solution is too blunt, yet from my experience it is as effective
as it is blunt...