Access-based Enumeration (ABE) is a shared folder option in Windows that lets you hide files and folders that users don’t have permission to access. ABE is used to hide the directory structure and the names of folders and files, and to limit the number of items in a particular user folder view for a shared network folder.
Using Access-based Enumeration on Windows Server
Let’s say there is a shared network folder on a Windows file server containing the public directories of several departments. All users can see the list of directories in this share. This is done by assigning the List Folders or Browse Folders permissions for the built-in Users group to the root of the folder only. The user will only be able to open the subdirectory if their account is added to the NTFS access list.
Let’s assume that a user is added to the AD security groups that allow two sub-directories to be opened (Public and Salary).
These AD security groups are added to the NTFS permissions of the corresponding sub-directories in a share. Permissions that grant access to sub-folders for the Domain Users group or the Builtin\Users group have been removed from the ACLs.
To enable ABE on a shared folder, open the Server Manager console -> select the File and Storage Services role -> Shares. Open the share properties and enable the Enable access-based enumeration option on the Settings tab.
Refresh the shared folder contents in a user session (press F5 in File Explorer). Now the user sees only the two directories that they can access. The rest of the sub-folders are not visible to the user.
In addition, you can enable ABE on computers in the AD domain using Group Policies. This can be done using the GPP option under Computer Configuration -> Preferences -> Windows Settings -> Network Shares.
Enabling Access-based Enumeration will enable ABE mode for the shared folder published by this GPO.
Managing Access-based Enumeration from the Command Prompt (PowerShell)
You can also enable ABE for a shared network folder from the PowerShell command prompt.
For example, to enable access-based enumeration mode for a shared folder named DOCS, run the command:
Get-SmbShare DOCS | Set-SmbShare -FolderEnumerationMode AccessBased
List all shared folders (including Windows administrative shares) and the status of the ABE option:
Get-SmbShare | Select-Object Name,FolderEnumerationMode
The value FolderEnumerationMode = AccessBased indicates that access-based enumeration is enabled.
Disable ABE for a share:
Get-SmbShare DOCS | Set-SmbShare -FolderEnumerationMode Unrestricted
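The commands above can be combined into an audit-then-fix routine for a whole file server. This is an added example, not part of the original article; the function names Get-AbeStatus and Enable-AbeOnShare are hypothetical helpers, and the script assumes it runs in an elevated PowerShell session on the file server itself.

```powershell
# Added example (not from the original article). Run in an elevated
# PowerShell session on the file server. Function names are hypothetical.

function Get-AbeStatus {
    # Report the ABE state of every regular file share. -Special $false
    # skips administrative shares such as C$, ADMIN$ and IPC$.
    Get-SmbShare -Special $false |
        Where-Object { $_.ShareType -eq 'FileSystemDirectory' } |
        Select-Object Name, Path, FolderEnumerationMode,
            @{ Name       = 'AbeEnabled'
               Expression = { $_.FolderEnumerationMode -eq 'AccessBased' } }
}

function Enable-AbeOnShare {
    # Turn ABE on for the named shares, skipping shares that already have it.
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string[]]$Name
    )
    process {
        foreach ($share in $Name) {
            $current = Get-SmbShare -Name $share -ErrorAction Stop
            if ($current.FolderEnumerationMode -eq 'AccessBased') { continue }
            if ($PSCmdlet.ShouldProcess($share, 'Enable access-based enumeration')) {
                Set-SmbShare -Name $share -FolderEnumerationMode AccessBased -Force
            }
        }
    }
}

# 1. Audit: list shares that still expose the full directory listing.
Get-AbeStatus | Where-Object { -not $_.AbeEnabled } | Format-Table -AutoSize

# 2. Preview the change for those shares; rerun without -WhatIf to apply it.
Get-AbeStatus | Where-Object { -not $_.AbeEnabled } | Enable-AbeOnShare -WhatIf
```

ABE only filters what is listed; the NTFS permissions on each sub-folder still decide who can open it, so review those ACLs alongside this report.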
To enable Access-based enumeration on a Linux Samba server, add the following option to the smb.conf configuration file:
hide unreadable = Yes
The shared folders themselves, to which the user doesn’t have access permissions, can be hidden from the network environment using another Samba option.
access based share enum = Yes
In a corporate environment, ABE works perfectly with DFS folders by hiding unused folders from users and providing a more convenient public folder tree structure. You can enable ABE in DFS using the DFS Management snap-in or dfsutil.exe command:
dfsutil property abe enable \\namespace_root
Other features and limitations of Access-based enumeration on Windows
- Enabling ABE on a file server may increase the load on the host. There may be a slight delay when refreshing a list of files in an ABE-enabled folder containing thousands of items. For example, folder access will slow down by 1-3 seconds if there are 15,000 objects in a shared folder.
- When browsing a directory locally on the file server, ABE is not used.
- Members of the local Administrators group on the file server will always see a full list of the items in a shared folder.
5 comments
Just wanted to wake this post up with a Thank you, Top marks on the tutorials above made my life a little easier with 2012r2… I can build a domain from scratch but could I find access enumeration after looking at it in the face…. not without the above I could not. Thank you
Is it possible to disable ABE in Windows Server 2012 for new directories?
I would like to set to “false” the default value of ABE, now all new directories are created with ABE set to true.
Thanks
D.
You can enable/disable ABE for all shares at once using abecmd (www.microsoft.com/en-us/download/details.aspx?id=17510):
abecmd /enable /all
Or individually for each shared folder:
Set-SmbShare -Name "ShareName" -FolderEnumerationMode AccessBased
I try to use this with a share on a Windows 10 computer. Is this really possible?
You can enable and manage access-based enumeration on a Win 10 shared folder using PowerShell.