
Use Access Based Enumeration to prevent users from seeing objects they can't access

By Derek Schauland, Special to ZDNet Asia
Tuesday, August 11, 2009 12:10 PM
Windows Server 2008 now includes a feature for administrators to hide files and folders from users who do not have read permissions to these objects.

On a company network, many different departments have their own shares to create folders and store documents. For example, a member of the marketing team may have read permissions to all or most of the folders in the marketing network share, but probably not to folders in the shares for Human Resources or Finance.

In previous versions of Windows Server, even though users didn't have permissions to access the documents in other network shares, they could still see the folders that held them.

Access-based Enumeration (ABE) is a new feature available as part of the file server role in Windows Server 2008 (and as a download for Windows Server 2003). It allows an administrator to hide objects from view on an entire server or on a per-share basis.

When enabled for a file share, users who do not have read access to objects would not be able to see those objects. Hiding these objects would prevent nosy (or worse) users from trying to access confidential files and could clear up some of the confusion caused by a bunch of "access denied" messages when trying to open them.

There are a number of privacy or security reasons why the folder names in Accounts Receivable, for example, shouldn't be viewable by the rest of the company. When the ABE feature is enabled on the file server, a user browsing the file share would not be able to see the Accounts Receivable folder at all.

Making use of the ABE feature can help clean up file shares by hiding the folders that users don't need to see, and it reduces the number of calls to the help desk from users who are trying to gain access to things they do not need, whether out of confusion or mischief. It could also keep unauthorized people out of files that do not have appropriate permissions set due to someone's oversight.

Note: The ABE feature works only on Server Message Block (SMB) shares. If a user has access to a file server via Remote Desktop, the entire contents of the share will be visible.
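Because ABE is set per SMB share, it can be audited share by share. The script below is an added example, not part of the original article: it reports which non-administrative shares have ABE turned on and previews enabling it on the rest. It assumes a server where the SmbShare module is available (Windows Server 2012 and later, not the Windows Server 2008 release the article covers); the function names `Get-AbeStatus` and `Enable-AbeOnShare` are hypothetical.

```powershell
#Requires -Modules SmbShare
# Added example: audit SMB shares for access-based enumeration (ABE).
# Assumption: the SmbShare module is present (Windows Server 2012 and later).

function Get-AbeStatus {
    # Report every ordinary file share and whether ABE is enabled on it.
    # Administrative shares (C$, ADMIN$, IPC$) are flagged Special and skipped,
    # as are print queues and other non-directory share types.
    Get-SmbShare |
        Where-Object {
            -not $_.Special -and
            [string]$_.ShareType -eq 'FileSystemDirectory'
        } |
        Select-Object Name, Path,
            @{ Name       = 'AbeEnabled'
               Expression = { [string]$_.FolderEnumerationMode -eq 'AccessBased' } }
}

function Enable-AbeOnShare {
    # Turn ABE on for one share. Supports -WhatIf and -Confirm so the change
    # can be reviewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$Name
    )
    process {
        if ($PSCmdlet.ShouldProcess($Name, 'Enable access-based enumeration')) {
            Set-SmbShare -Name $Name -FolderEnumerationMode AccessBased -Force
        }
    }
}

# 1. Report the current state of every file share on this server.
Get-AbeStatus | Format-Table -AutoSize

# 2. Preview the change for shares that still list every folder to every user.
#    Remove -WhatIf to apply it.
Get-AbeStatus |
    Where-Object { -not $_.AbeEnabled } |
    Enable-AbeOnShare -WhatIf
```

ABE only changes what is listed over SMB. The NTFS permissions on each folder still decide who can open it, so the report is a complement to a permissions review, not a replacement for one.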

Other network operating systems, such as Novell Netware, have had access enumeration features for many releases, leaving one to wonder why Microsoft has waited so long to introduce it. The argument is that the feature isn't needed if properly configured permissions on objects are already in place, but that doesn't necessarily cover all the reasons one might want to hide the names of certain folders.

ABE for Windows Server 2003 is available as a download named Access-based Enumeration. Windows Server 2003 SP1 is required to install the feature.

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT manager for a manufacturing company in Wisconsin. In 2008, he was awarded a Microsoft MVP in File System Storage.




Talkback 1 comments

Use Access Based Enumeration to prevent users from seeing objects they can't access
In server 2003 we had the abecmd.exe that automated this. How do we do this in server 2008 from a command line / powershell?
Posted by Box293 on Friday, November 06 2009 08:40 AM

