How to Enable Access-Based Enumeration (ABE) on Windows Server?
Access-based Enumeration (ABE) allows to hide objects (files and folders) from users who don’t have NTFS permissions (Read or List) on a network shared folder in order to access them. Thus you can provide additional confidentiality of data stored in a shared folder (due to hiding the structure and names of folders and files), improve its usability since users won’t see odd data (they don’t have access to) and, what’s more important, save a system administrator from constant questions of users “Why I cannot access this folder. ”. Let’s try to consider this technology, configuration peculiarities and use of ABE in various Windows versions in details.
How does access to shared folders work in Windows?
One of the drawbacks of network shared folders technology in Windows is the fact that by default all users could at least see its structure and the list of all files and directories in such a folder including those that they don’t have NTFS permissions to access (when trying to open such file or folder, a user receives the error “Access Denied”). Why not to hide those files and folders from the users who don’t have permissions to access them? Access-based Enumeration can help doing it. By enabling ABE on a shared folder, you can ensure that different users see a different list of folders and files in the same network share based on the user’s individual access permissions (ACL).
How does the interaction between the client and the server occurs when accessing a shared folder over the SMB?
- A client requests the server to access a directory in the network shared folder;
- The LanmanServer service on the server checks the user permissions to access this folder;
- If access is allowed (NTFS permissions: list content, read or write), the user sees the directory contents;
- Then the user requests access to a file or a subfolder in the same way (you can view who opened a specific file in a network folder like this);
- If the access is denied, the user is notified accordingly.
According to this scheme, it becomes clear that the server firstly shows the entire contents of the folder to the user, and the NTFS permissions are checked only when the user tries to open a specific file or folder.
Access-based Enumeration (ABE) allows to check access permissions on file system objects before the user receives a list of the folder contents. So, the final list includes only those objects a user has NTFS permissions to access (at least read-only permission), and all inaccessible resources are simply not displayed (hidden).
It means that a user from one department (e.g. warehouse) will see one list of files and folders in a shared folder (\\filesrv1\docs). As you can see, only two folders are displayed for the user: Public and Warehouse.
And for a user from another department, e. g., IT department (which is included in another Windows security group), a different list of subfolders is shown. In addition to the Public and Warehouse directories, this user sees 5 more directories in the same network folder.
The main disadvantage of using ABE on the Windows file servers is the extra load on the server. It is especially prominent in high load file servers. The more objects there are in the viewed directory, and the more users open files on it, the longer the delay is. According to Microsoft, if there are 15,000 objects (files and directories) in the displayed folder, a folder is opening 1-3 seconds slower. That’s is why it is recommended to pay much attention to making a clear and hierarchical subfolder structure when designing a shared folder structure in order to make a delay when opening folders less evident.
You can manage ABE from the command prompt (abecmd.exe utility), from the GUI, PowerShell or a special API.
Access-Based Enumeration Restrictions
Access-based Enumeration on Windows doesn’t work in the following cases:
- If you are using Windows XP or Windows Server 2003 without Service Pack 1 as a file server;
- If you are viewing directories locally (directly from the server);
- For members of the local file server administrators group (they always see the full list of files).
Using ABE on Windows Server 2008/ 2008 R2
In Windows Server 2008/R2 to use the Access Based Enumeration functionality no additional components need to be installed, since the ABE management feature is already built into the Windows GUI. To enable Access-based Enumeration for a certain folder in Windows Server 2008/2008 R2, open the MMC management console Share and Storage Management (Start –> Programs –> Administrative Tools -> Share and Storage Management). Go to the properties of the necessary share. Then go to the Advanced settings and check Enable access-based enumeration.
Configuring Access-based Enumeration on Windows Server 2012 R2/ 2016
ABE configuration in the Windows Server 2012 R2 / 2016 is also very simple. To enable ABE in Windows Server 2012, you firstly have to install File and Storage Services role, and then go to the share properties in the Server Manager.
In Settings section check the option Enable access-based enumeration.
Implementing Access-Based Enumeration on Windows Server 2003
In Windows Server 2003 (not supported now), ABE became supported starting from Service Pack 1. To enable Access-based Enumeration in Windows Server 2003 SP1 (or later), you have to download and install a package following this link http://www.microsoft.com/en-us/download/details.aspx?id=17510. During installation you have to specify whether ABE will be enabled for all shared folders on your server or you’ll configure it manually. If you choose the second option, a new tab, Access-based Enumeration, will appear in the network share properties after the installation.
To activate ABE for a certain folder, check the option Enable access-based enumeration on this shared folder in its properties.
It’s important to mention that Windows 2003 supports DFS-based Access Based Enumeration, but it can be configured only from the command prompt using cacls.
Managing ABE from the Command Prompt
You can manage Access-based Enumeration settings from the command prompt using Abecmd.exe utility. This tool is a part of Access-based Enumeration package for Windows Server 2003 SP1 (see the link above).
Abecmd.exe allows to activate ABE for all directories at once or only for some of them. The next command enables Access-Based Enumeration for all shares:
abecmd /enable /all
This one is for a certain folder (e.g., a network shared folder with the name Docs):
abecmd /enable Docs
Managing Access Based Enumeration Using PowerShell
You can use the SMBShare PowerShell module (installed by default in Windows 10/ 8.1 and Windows Server 2016/2012 R2) to manage the settings of Access Based Enumeration for specific folders. Let’s list the properties of a specific shared folder:
Note the value of the FolderEnumerationMode attribute. In our case, its value is Unrestricted. This means that ABE is disabled for this folder.
You can check the status of ABE for all shared folders of the server:
Get-SmbShare | Select-Object Name,FolderEnumerationMode
To enable ABE for a specific folder:
Get-SmbShare Install | Set-SmbShare -FolderEnumerationMode AccessBased
You can enable Access Based Enumeration for all published network folders (including administrative shares ADMIN$, C$, E$, IPC$,…) by running the command:
Get-SmbShare | Set-SmbShare -FolderEnumerationMode AccessBased
To disable ABE use the command:
Get-SmbShare Install | Set-SmbShare -FolderEnumerationMode Unrestricted
Access-Based Enumeration in Windows 10 / 8.1 / 7
Many users, especially in home or SOHO networks, also would like to use Access-Based Enumeration features. The problem is that Microsoft client OSs have neither graphical, nor command interface to manage Access-Based Enumeration.
In Windows 10 (Server 2016) and Windows 8.1 (Server 2012R2), you can use PowerShell to manage Access-based Enumeration (see the section above). In older versions of Windows, you need to install the latest version of PowerShell (>= 5.0) or use the abecmd.exe utility from the Windows Server 2003 package, it works fine on client OSs. Since the Windows Server 2003 Access-based Enumeration package is not installed on Windows 10, 8.1 or 7, you have to install it first on Windows Server 2003, and then copy it from the C:\windows\system32 directory to the same folder on the client. After that, you can enable ABE according with the commands described above.
In addition, you can enable ABE on computers in the AD domain using GPO. This can be done using GPP in the section: Computer Configuration -> Preferences -> Windows Settings -> Network Shares).
In the properties of the network folder there is an Access-Based Enumeration option, if you change the value to Enable, ABE mode will be enabled for all shared folders created using this GPO.
Using inherited permissions with Access-based Enumeration
Applies to: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008
By default, the permissions used for a DFS folder are inherited from the local file system of the namespace server. The permissions are inherited from the root directory of the system drive and grant the DOMAIN\Users group Read permissions. As a result, even after enabling access-based enumeration, all folders in the namespace remain visible to all domain users.
Advantages and limitations of inherited permissions
There are two primary benefits to using inherited permissions to control which users can view folders in a DFS namespace:
- You can quickly apply inherited permissions to many folders without having to use scripts.
- You can apply inherited permissions to namespace roots and folders without targets.
Despite the benefits, inherited permissions in DFS Namespaces have many limitations that make them inappropriate for most environments:
- Modifications to inherited permissions are not replicated to other namespace servers. Therefore, use inherited permissions only on stand-alone namespaces or in environments where you can implement a third-party replication system to keep the Access Control Lists (ACLs) on all namespace servers synchronized.
- DFS Management and Dfsutil cannot view or modify inherited permissions. Therefore, you must use Windows Explorer or the Icacls command in addition to DFS Management or Dfsutil to manage the namespace.
- When using inherited permissions, you cannot modify the permissions of a folder with targets except by using the Dfsutil command. DFS Namespaces automatically removes permissions from folders with targets set using other tools or methods.
- If you set permissions on a folder with targets while you are using inherited permissions, the ACL that you set on the folder with targets combines with inherited permissions from the folder’s parent in the file system. You must examine both sets of permissions to determine what the net permissions are.
When using inherited permissions, it is simplest to set permissions on namespace roots and folders without targets. Then use inherited permissions on folders with targets so that they inherit all permissions from their parents.
Using inherited permissions
To limit which users can view a DFS folder, you must perform one of the following tasks:
- Set explicit permissions for the folder, disabling inheritance. To set explicit permissions on a folder with targets (a link) using DFS Management or the Dfsutil command, see Enable Access-Based Enumeration on a Namespace.
- Modify inherited permissions on the parent in the local file system. To modify the permissions inherited by a folder with targets, if you have already set explicit permissions on the folder, switch to inherited permissions from explicit permissions, as discussed in the following procedure. Then use Windows Explorer or the Icacls command to modify the permissions of the folder from which the folder with targets inherits its permissions.
Access-based enumeration does not prevent users from obtaining a referral to a folder target if they already know the DFS path of the folder with targets. Permissions set using Windows Explorer or the Icacls command on namespace roots or folders without targets control whether users can access the DFS folder or namespace root. However, they do not prevent users from directly accessing a folder with targets. Only the share permissions or the NTFS file system permissions of the shared folder itself can prevent users from accessing folder targets.
To switch from explicit permissions to inherited permissions
In the console tree, under the Namespaces node, locate the folder with targets whose visibility you want to control, right-click the folder and then click Properties.
Click the Advanced tab.
Click Use inherited permissions from the local file system and then click OK in the Confirm Use of Inherited Permissions dialog box. Doing this removes all explicitly set permissions on this folder, restoring inherited NTFS permissions from the local file system of the namespace server.
To change the inherited permissions for folders or namespace roots in a DFS namespace, use Windows Explorer or the ICacls command.