Access-based Enumeration (ABE) allows to hide objects (files and folders) from users who don’t have NTFS permissions (Read or List) on a network shared folder in order to access them. Thus you can provide additional confidentiality of data stored in a shared folder (due to hiding the structure and names of folders and files), improve its usability since users won’t see odd data (they don’t have access to) and, what’s more important, save a system administrator from constant questions of users “Why I cannot access this folder!!!”. Let’s try to consider this technology, configuration peculiarities and use of ABE in various Windows versions in details.
- How does access to shared folders work in Windows?
- Access-Based Enumeration Restrictions
- Using ABE on Windows Server 2008/ 2008 R2
- Configuring Access-based Enumeration on Windows Server 2012 R2/ 2016
- Implementing Access-Based Enumeration on Windows Server 2003
- Managing ABE from the Command Prompt
- Managing Access Based Enumeration Using PowerShell
- Access-Based Enumeration in Windows 10 / 8.1 / 7
How does access to shared folders work in Windows?
One of the drawbacks of network shared folders technology in Windows is the fact that by default all users could at least see its structure and the list of all files and directories in such a folder including those that they don’t have NTFS permissions to access (when trying to open such file or folder, a user receives the error “Access Denied”). Why not to hide those files and folders from the users who don’t have permissions to access them? Access-based Enumeration can help doing it. By enabling ABE on a shared folder, you can ensure that different users see a different list of folders and files in the same network share based on the user’s individual access permissions (ACL).
How does the interaction between the client and the server occurs when accessing a shared folder over the SMB?
- A client requests the server to access a directory in the network shared folder;
- The LanmanServer service on the server checks the user permissions to access this folder;
- If access is allowed (NTFS permissions: list content, read or write), the user sees the directory contents;
- Then the user requests access to a file or a subfolder in the same way (you can view who opened a specific file in a network folder like this);
- If the access is denied, the user is notified accordingly.
According to this scheme, it becomes clear that the server firstly shows the entire contents of the folder to the user, and the NTFS permissions are checked only when the user tries to open a specific file or folder.
Access-based Enumeration (ABE) allows to check access permissions on file system objects before the user receives a list of the folder contents. So, the final list includes only those objects a user has NTFS permissions to access (at least read-only permission), and all inaccessible resources are simply not displayed (hidden).
It means that a user from one department (e.g. warehouse) will see one list of files and folders in a shared folder (\\filesrv1\docs). As you can see, only two folders are displayed for the user: Public and Warehouse.
And for a user from another department, e. g., IT department (which is included in another Windows security group), a different list of subfolders is shown. In addition to the Public and Warehouse directories, this user sees 5 more directories in the same network folder.
The main disadvantage of using ABE on the Windows file servers is the extra load on the server. It is especially prominent in high load file servers. The more objects there are in the viewed directory, and the more users open files on it, the longer the delay is. According to Microsoft, if there are 15,000 objects (files and directories) in the displayed folder, a folder is opening 1-3 seconds slower. That’s is why it is recommended to pay much attention to making a clear and hierarchical subfolder structure when designing a shared folder structure in order to make a delay when opening folders less evident.
You can manage ABE from the command prompt (abecmd.exe utility), from the GUI, PowerShell or a special API.
Access-Based Enumeration Restrictions
Access-based Enumeration on Windows doesn’t work in the following cases:
- If you are using Windows XP or Windows Server 2003 without Service Pack 1 as a file server;
- If you are viewing directories locally (directly from the server);
- For members of the local file server administrators group (they always see the full list of files).
Using ABE on Windows Server 2008/ 2008 R2
In Windows Server 2008/R2 to use the Access Based Enumeration functionality no additional components need to be installed, since the ABE management feature is already built into the Windows GUI. To enable Access-based Enumeration for a certain folder in Windows Server 2008/2008 R2, open the MMC management console Share and Storage Management (Start –> Programs –> Administrative Tools -> Share and Storage Management). Go to the properties of the necessary share. Then go to the Advanced settings and check Enable access-based enumeration.
Configuring Access-based Enumeration on Windows Server 2012 R2/ 2016
ABE configuration in the Windows Server 2012 R2 / 2016 is also very simple. To enable ABE in Windows Server 2012, you firstly have to install File and Storage Services role, and then go to the share properties in the Server Manager.
In Settings section check the option Enable access-based enumeration.
Implementing Access-Based Enumeration on Windows Server 2003
In Windows Server 2003 (not supported now), ABE became supported starting from Service Pack 1. To enable Access-based Enumeration in Windows Server 2003 SP1 (or later), you have to download and install a package following this link http://www.microsoft.com/en-us/download/details.aspx?id=17510. During installation you have to specify whether ABE will be enabled for all shared folders on your server or you’ll configure it manually. If you choose the second option, a new tab, Access-based Enumeration, will appear in the network share properties after the installation.
To activate ABE for a certain folder, check the option Enable access-based enumeration on this shared folder in its properties.
It’s important to mention that Windows 2003 supports DFS-based Access Based Enumeration, but it can be configured only from the command prompt using cacls.
Managing ABE from the Command Prompt
You can manage Access-based Enumeration settings from the command prompt using Abecmd.exe utility. This tool is a part of Access-based Enumeration package for Windows Server 2003 SP1 (see the link above).
Abecmd.exe allows to activate ABE for all directories at once or only for some of them. The next command enables Access-Based Enumeration for all shares:
abecmd /enable /all
This one is for a certain folder (e.g., a network shared folder with the name Docs):
abecmd /enable Docs
Managing Access Based Enumeration Using PowerShell
You can use the SMBShare PowerShell module (installed by default in Windows 10/ 8.1 and Windows Server 2016/2012 R2) to manage the settings of Access Based Enumeration for specific folders. Let’s list the properties of a specific shared folder:
Get-SmbShare Install|fl *
You can check the status of ABE for all shared folders of the server:
Get-SmbShare | Select-Object Name,FolderEnumerationMode
To enable ABE for a specific folder:
Get-SmbShare Install | Set-SmbShare -FolderEnumerationMode AccessBased
Get-SmbShare | Set-SmbShare -FolderEnumerationMode AccessBased
To disable ABE use the command:
Get-SmbShare Install | Set-SmbShare -FolderEnumerationMode Unrestricted
Access-Based Enumeration in Windows 10 / 8.1 / 7
Many users, especially in home or SOHO networks, also would like to use Access-Based Enumeration features. The problem is that Microsoft client OSs have neither graphical, nor command interface to manage Access-Based Enumeration.
In Windows 10 (Server 2016) and Windows 8.1 (Server 2012R2), you can use PowerShell to manage Access-based Enumeration (see the section above). In older versions of Windows, you need to install the latest version of PowerShell (>= 5.0) or use the abecmd.exe utility from the Windows Server 2003 package, it works fine on client OSs. Since the Windows Server 2003 Access-based Enumeration package is not installed on Windows 10, 8.1 or 7, you have to install it first on Windows Server 2003, and then copy it from the C:\windows\system32 directory to the same folder on the client. After that, you can enable ABE according with the commands described above.
dfsutil property abde enable \\namespace_root
In addition, you can enable ABE on computers in the AD domain using GPO. This can be done using GPP in the section: Computer Configuration -> Preferences -> Windows Settings -> Network Shares).