Access-based Enumeration allows on network shared folders hide files and folders from the users who don’t have NTFS permissions to access them. Thus you can provide additional security to the information stored in the network folder (due to hiding the structure and names of folders and files), improve its usability since users won’t see odd data (they don’t have access to) and, what’s more important, save a system administrator from constant questions «Why I cannot access this folder!!» Let’s try to consider this technology, configuration peculiarities and use in various Windows versions in detail.
A Bit of Theory
One of the drawbacks of Windows network shares is the fact that by default all users could at least see its structure and the list of all files and directories in it including those that they don’t have NTFS permissions to access (when trying to open such file or folder, a user sees the error «Access Denied»). Why not hiding those files and folders from the users who don’t have access to them? Access-based Enumeration can help doing it. Having enabled ABE for the shared folder, you can make different users see a different list of folders and files in the same network share based on the individual access rights (ACL).
How a client and a server interact when addressing a network share:
- A client requests access to a directory in a network share from a server
- A server checks if a client has NTFS permissions to access this folder
- If the access is granted (view/read/write), a user sees the list of the directory contents
- Then the user requests access to a file or a subdirectory in the same way. If the access is denied, the user gets the corresponding warning
According to this scheme, it becomes clear that the server firstly shows the whole contents of the folder to the user, and the permissions are checked only when the user tries to access its contents.
Access-based Enumeration (ABE) allows to check access permissions on file system objects before the user receives a list of the folder contents. So, the final list includes only those objects a user has NTFS permissions to access, and all unavailable resources are hidden.
It means that a user from one department (e. g., stock department) sees one list of files and folders in a network share.
And a user from another department, e. g., IT department, sees another one.
The main problem of using ABE on the file servers is the extra load on the server. It is especially prominent in high load file servers. The more objects there are in the viewed directory, and the more users there are, the longer the delay is. According to Microsoft, if there are 15,000 objects (files and directories) in the displayed folder, a folder is opened 1-3 seconds slower. This is why when designing a network share structure, it is recommended to pay much attention to making a clear and hierarchical subfolder structure to make a delay when opening folders less evident.
You can manage ABE from the command prompt (abecmd.exe), graphic interface or a special API.
Access-based Enumeration in Windows doesn’t work in the following cases:
- If you are using Windows XP or Windows Server 2003 without Service Pack 1 as a file server
- If you are viewing directories locally (directly on the server)
- If you are a member of the local administrator group (they always see the full list)
ABE in Windows Server 2003
In Windows Server 2003, ABE became supported starting from Service Pack1. To enable Access-based Enumeration in Windows Server 2003 SP1 (or later), you have to download and install a package following this link http://www.microsoft.com/en-us/download/details.aspx?id=17510. During installation you have to specify whether ABE will be enabled for all network shares on your server or you’ll configure it manually. If you choose the second variant, a new tab, Access-based Enumeration, will appear in the network share properties after the installation.
To activate ABE for a certain folder, check the option Enable access-based enumeration on this shared folder in its properties.
It should also be noted that Windows 2003 supports DFS-based Access Based Enumeration, but it can be configured only from the command prompt using cacls.
ABE in Windows Server 2008 and 2008 R2
In Windows Server 2008/R2 no additional components should be installed, since the ABE management feature is already integrated into Windows GUI. To enable Access-based Enumeration for a certain folder in Windows Server 2008, open the MMC management console Share and Storage Management (Start –> Programs –> Administrative Tools ->Share and Storage Management). Go to the properties of the necessary share. Then go to the Advanced settings and check Enable access-based enumeration.
Access-based Enumeration in Windows Server 2012
ABE configuration in the Windows Server 2012 / 2012 R2 is also very simple. To enable ABE in Windows Server 2012, you firstly have to install File And Storage Services role, and then go to the share properties in the Server Manager.
In Settings check Enable access-based enumeration.
ABE Management from the Command Prompt
You can manage Access-based Enumeration settings from the command prompt using Abecmd.exe. This tool is a part of Access-based Enumeration package for Windows Server 2003 SP1 (see the link above).
Abecmd.exe allows to activate ABE for all directories at once or only for some of them. The next command enables Access-Based Enumeration on all shares:
abecmd /enable /all
This one is for a certain folder (e.g., a shared folder with the name Docs):
abecmd /enable Docs
ABE in Client OSs : Windows Vista, Windows 7, Windows 8
Many users, especially in home or SOHO networks, also would like to use Access-Based Enumeration features. The problem is that Microsoft client OSs have neither graphical, nor command interface to manage Access-Based Enumeration. Luckily, abecmd.exe being a part of Windows Server 2003 package work on client OSs as well. Since Windows Server 2003 Access-based Enumeration package cannot be installed in Windows 8/7/Vista, you will have to install it in Windows Server 2003 first, and then copy it from C:\windows\system32 into the same directory in the client OS. After that you can enable ABE using the command prompt as described above.
dfsutil property abde enable \\namespace_root