Access Based Enumeration (ABE)

Neither the concept nor the implementation is new, so why blog about it?
Well, it seems that ABE has received a lot less attention than it should have. Most
networked operating systems will allow you to share information, and based
on your permissions you will only be able to “see” the resources that you can
actually access. Microsoft Windows has been (and to some extent still is)
different.

With Windows, you can see all objects inside a specific network share, even if you
have no permissions on the object itself. In other words, if a share exists (say
“Home Folders”) and you access it, you will see all the folders under it (most likely
reflecting the users in your company) even though you have permissions
to access the information only in your own home folder.

ABE changes this. When you have ABE enabled on a shared folder, you will only
see the objects that you actually have permissions to.

There are several advantages to this:

  1. Even if a user can’t access a file, he can still deduce a lot of information
    from knowing that a file or directory exists and knowing its name. ABE
    prevents this.
  2. Fewer security events in the Security Log caused by curious
    double-clicks…
  3. It facilitates sharing a file (as opposed to a folder); more on this in a future post.

As I mentioned in the opening paragraph, neither the concept nor the implementation
is new. The concept has been around for a long time (I remember it from the time
I used to manage Novell based servers) and the implementation has been available on
Microsoft systems for quite a while: since Windows 2003 SP1.

Make ABE Work For You

Let’s start with an example. We have a share called ‘Files’, and our user has permissions on
a folder called “Test” inside that share. When he accesses the share called ‘Files’, he can
actually see all the other folders and files under this share.

Once you have ABE enabled, this is what the user will see (the folders and files to which our
user has no permissions are gone).

Enabling ABE on Windows 2008

I am still not used to Windows 2008, so it never ceases to surprise me. Windows 2008 has
four methods (that I found) of sharing a folder (we will discuss sharing files in a later post).

Whichever method you use will automatically and seamlessly install the ‘File Server’ role on your
server, along with the ‘File Services’ node under ‘Roles’ in the Server Manager MMC console (as a matter
of fact, the role is seamlessly removed when the last user-created shared folder is removed).

This tool is very important, as it replaces (more or less) the old ‘Shared Folders’ interface found under the ‘Computer
Management’ console, which means that you will be managing and configuring your shares through this
relatively new interface. In my opinion it would have been beneficial to have the old ‘Shared Folders’
available here too (it can be added to a custom MMC).

OK, now let’s go back and analyze the four methods that can be used to share a folder (bear with me here; it
might sound as if there isn’t anything new to learn about folder sharing since it has been around forever,
but in my opinion you will be surprised).

The first method for sharing a folder is:

  1. Right click the folder
  2. Choose ‘Share…’
  3. Set the Share Permissions you would like to apply

Note that when using this method, ABE is enabled by default.

The second method:

  1. Right click the folder
  2. Choose ‘Properties’
  3. Select the ‘Sharing’ tab
  4. Press the ‘Advanced Sharing’ button
  5. Enable the share

Note that when using this method, the share permissions are set to Everyone:Read and ABE is disabled
by default.

The third method is using the command line:

  1. Open a command line
  2. Use the following command: net share sharename=<folder path>

Note that when using this method, the share permissions are set to Everyone:Read and ABE is disabled
by default.

The fourth and last method (to the best of my knowledge) is a relatively new method:

  1. Open ‘Server Manager’
  2. Expand ‘Roles’
  3. Expand ‘File Services’ and right click ‘Share and Storage Management’ (if no user-created shares exist
    on the system, you will have to manually add the role or add the snap-in to a custom MMC).
  4. Choose ‘Provision Share’ and enter the wizard…

The major advantage of using this wizard is that it walks you through all the tasks involved in
provisioning a share, so you will not forget anything.

The first page of the wizard gives you an overview of the volumes located on the system and asks for the
path that leads to the share. If the storage on the system isn’t configured to your liking you can use
‘Provision Storage’ at the bottom of the screen.

The second window of the wizard gives you the opportunity to change the NTFS permissions on the
chosen folder.

On the third window you choose the share protocols you would like to use (SMB, NFS or
both).

The fourth window is important. Here you can change the SMB protocol settings
such as user limit, caching options and finally Access Based Enumeration. This is done by pressing
the Advanced button (note that by default ABE is disabled).

In the remaining windows you configure SMB permissions (share permissions) and DFS settings,
and finally create the share.

Managing ABE on Windows 2008

Managing ABE (which is a nicer way of saying enabling, disabling and checking its status) can be done using
the ‘Share and Storage Management’ snap-in. Once you right click a share, choose Properties and then press
the Advanced button, you will be presented with an all too familiar window that lets you manage ABE on
that share.

An additional option for managing ABE is to install the tools provided for Windows 2003 on the Windows 2008
server. You can do so by downloading the management tools from this link. Installing these tools extends
the standard UI with an additional tab that lets you enable or disable ABE on a single share, or
enable/disable ABE on all shares on the system.

An additional tool that is installed is a command line tool that provides more of the same, but at the command line.
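
Because the defaults described above differ by sharing method, it is worth checking which of your shares actually ended up with ABE turned on. The following PowerShell audit script is an added example and is not part of the original post or of the Windows 2003 tools: it reads each share’s SHARE_INFO_1005 flags through the NetShareGetInfo API and assumes PowerShell 2.0 or later (for Add-Type) running in an elevated session on the file server.

```powershell
# Added example (not from the original post): audit ABE on every local disk share.
# Assumes PowerShell 2.0+ and an elevated session on the file server itself.
$src = @'
using System;
using System.Runtime.InteropServices;
public static class AbeAudit
{
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    static extern int NetShareGetInfo(string server, string share, int level, out IntPtr buf);
    [DllImport("netapi32.dll")]
    static extern int NetApiBufferFree(IntPtr buf);
    // SHI1005_FLAGS_ACCESS_BASED_DIRECTORY_ENUM from lmshare.h
    const uint ABE_FLAG = 0x0800;
    // Returns true/false, or null when the query fails (e.g. not an administrator).
    public static bool? IsAbeEnabled(string share)
    {
        IntPtr buf;
        int rc = NetShareGetInfo(null, share, 1005, out buf);   // level 1005 = SHARE_INFO_1005
        if (rc != 0) return null;
        try
        {
            uint flags = (uint)Marshal.ReadInt32(buf);          // SHARE_INFO_1005.shi1005_flags
            return (flags & ABE_FLAG) != 0;
        }
        finally { NetApiBufferFree(buf); }
    }
}
'@
Add-Type -TypeDefinition $src

# Win32_Share Type 0 = disk drive share; names ending in '$' are hidden/admin shares and are skipped.
$report = Get-WmiObject Win32_Share | Where-Object { $_.Type -eq 0 -and $_.Name -notlike '*$' } |
    ForEach-Object {
        $abe = [AbeAudit]::IsAbeEnabled($_.Name)
        if ($abe -eq $null) { $status = 'unknown' }
        elseif ($abe)       { $status = 'enabled' }
        else                { $status = 'disabled' }
        New-Object PSObject -Property @{ Share = $_.Name; Path = $_.Path; ABE = $status }
    }

# Shares created with 'net share' or Advanced Sharing typically report 'disabled';
# shares created through the 'Share...' menu report 'enabled', matching the defaults above.
$report | Format-Table Share, Path, ABE -AutoSize
```

A share reported as ‘disabled’ still lists every folder name to every user who can open the share, regardless of NTFS permissions, so the report is a quick way to find shares that leak directory names.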

In Conclusion

Access Based Enumeration is a good feature that provides a streamlined experience for users that
access shares. On the other hand, in my opinion, this feature has received too little attention and it may
cause confusion among IT departments that are not aware of its existence, due to the radical change it causes
in the way that shares are handled. In addition to that, I personally find it somewhat odd that the Windows
2003 tools used to manage ABE are not installed by default with Windows 2008 and that different ways of
sharing folders give different results with regard to ABE.
All in all, once you get the hang of it, it’s a great feature that can improve usability.

12 thoughts on “Access Based Enumeration (ABE)”

  1. Does anyone know if ABE works within shares that are many levels deep? I share a folder that contains user home data and a group shared folder. ABE works great here and I only see my one home folder and the group folder as desired. However within the group folder I have restricted folders that only certain groups should be able to access. ABE does not appear to extend to this location. I cannot see these sub-folders with group permissions. If I add myself as a user permission it works ok but does not appear to work with group restrictions.

  2. I think one of your images got replaced…image_5F00_4.png seems to be of a Hyper-V monitor instead of showing an ABE example

  3. I use it extensively on Windows 2003 but on Windows 2008 it is just plain SHIT! It doesn’t work that ‘simple’ as you pretend.
    From Technet: “even after enabling access-based enumeration, all folders in the namespace remain visible to all domain users.

    To limit which groups or users can view a DFS folder, you must use the Dfsutil command to set explicit permissions on each DFS folder.”

    This is the best way to forget about it!

  4. Sorry for the late reply, I am sure you have figured this out by now. This is more for anyone else hitting this issue.

    I have done some testing and it appears that with ABE user assignments apply immediately. However, when applying permissions through a group (or adding a user to the group), the folders do not appear until the workstation (not server!) is restarted.

    Hope this helps!

  5. Erik,

    I wanted to tell you how helpful I found this article, particularly the different defaults applied using the different sharing methods, like ABE.

    I’ve also found that the Share button makes a great shortcut for changing the NTFS permissions on a folder, as it disables inheritance and applies intelligent permissions in very few clicks.

    I click the Share button, quickly set permissions, then click the Advanced Sharing button, and uncheck “Share this file”. If necessary, I can then tweak the permissions further via the Security tab. Odd to use Sharing functionality on a folder you don’t want to share, but a big time saver for me.

    Thanks!

  6. I am glad you wrote this kind of info up and explained it so someone new to Windows Server 2008 might be able to follow along. My problem still remains though, we would like to hide all other directories a user does not have access to from that user, but no matter how I configure it all users still see all shares. This is even after having installed the MS utility for the ABE that was written for a 2003 server. Any other suggestions would be appreciated.
