Access Based Enumeration (ABE)
Neither the concept nor the implementation is new, so why blog about it?
Well, it seems that ABE has received a lot less attention than it should have. Most
networked operating systems let you share information, and based on your permissions
you will only be able to "see" the resources that you can actually access. Microsoft
Windows has been (and to some extent still is) different.
With Windows, you can see all objects inside a network share, even if you have no
permissions on the objects themselves. In other words, if a share named "Home Folders"
exists and you open it, you will see all the folders under it (most likely one per user
in your company) even though you only have permission to access the contents of your own
home folder.
ABE changes this. When ABE is enabled on a shared folder, the directory listing returned
to a user is filtered against that user's NTFS permissions, so the user only sees the
objects he actually has permission to access.
There are several advantages to this:
- Even if a user can't access a file, he can still deduce a lot of information from
knowing that a file or directory exists and knowing its name. ABE prevents this.
- Fewer security events in the Security Log caused by curious double-clicks (each one
an access-denied audit entry)…
- It makes sharing a single file (as opposed to a folder) practical; more on this in a
future post.
Keep in mind what ABE is not: it only filters what gets listed. The NTFS permissions are
still what actually protect the data, and a user who already knows a path can still
attempt to open it (and be denied by NTFS). ABE is a hardening and usability measure,
not a substitute for correct ACLs.
As I mentioned in the opening paragraph, neither the concept nor the implementation
is new. The concept has been around for a long time (I remember it from the time
I used to manage Novell-based servers) and the implementation has been available on
Microsoft systems for quite a while: since Windows Server 2003 SP1.
Make ABE Work for You
Let's start with an example. We have a share called 'Files', and our user has permissions
on a folder called 'Test' inside that share. When he accesses the share 'Files', he can
actually see all the other folders and files under it:
Once ABE is enabled, this is what the user sees (the folders and files to which our user
has no permissions are gone):
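The scenario above, reconstructed as an added example (this is not code from the original post): a share 'Files' under which the test user has NTFS rights only on 'Test'. The share is created with net share, the command-line method discussed below, so ABE starts out disabled; the Set-ShareAbe function then switches it on and off so the two listings can be compared. Assumptions: the script runs elevated, a local account named TestUser was created for the demo, and the ABE toggle is either Set-SmbShare (Windows Server 2012 or later) or abecmd.exe from the Windows Server 2003 ABE package mentioned later in this post, which is what a Windows 2008 server would have to use.

```powershell
# Added example: reconstruct the 'Files' share scenario and show where ABE fits.
# Assumptions: run elevated; a local account named TestUser exists (constructed for the demo).
$Root      = 'C:\Files'
$ShareName = 'Files'
$User      = "$env:COMPUTERNAME\TestUser"

# Folder layout: the user should end up seeing only 'Test'.
foreach ($Dir in 'Test', 'Payroll', 'HR') {
    New-Item -ItemType Directory -Path (Join-Path $Root $Dir) -Force | Out-Null
}
Set-Content -Path (Join-Path $Root 'budget.xlsx') -Value 'constructed sample file'

# NTFS permissions are what ABE evaluates, so set them explicitly:
#  - strip the ACEs inherited from C:\ so nothing leaks in from the volume root
#  - Administrators and SYSTEM keep Full control everywhere (OI/CI = inherited by files/folders)
#  - TestUser may list the root itself (RX on this folder only) but inherits nothing below it
#  - TestUser gets Modify on Test, inherited by everything inside Test
icacls $Root /inheritance:r /grant 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' | Out-Null
icacls $Root /grant "${User}:(RX)" | Out-Null
icacls (Join-Path $Root 'Test') /grant "${User}:(OI)(CI)M" | Out-Null

# Share it the 'net share' way: ABE is off by default for this method, exactly as the post
# describes. /GRANT gives Everyone CHANGE at the share level so that the NTFS ACL, not the
# share ACL, decides what TestUser can do inside Test.
net share "$ShareName=$Root" /GRANT:Everyone,CHANGE | Out-Null

function Set-ShareAbe {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [bool]   $Enabled
    )
    if (Get-Command Set-SmbShare -ErrorAction SilentlyContinue) {
        # Windows Server 2012 and later expose ABE as the share's FolderEnumerationMode.
        $Mode = if ($Enabled) { 'AccessBased' } else { 'Unrestricted' }
        Set-SmbShare -Name $Name -FolderEnumerationMode $Mode -Force
    } else {
        # Windows Server 2008: abecmd.exe from the Windows 2003 ABE tools
        # (assumed to be installed and on the PATH).
        $Switch = if ($Enabled) { '/enable' } else { '/disable' }
        & abecmd.exe $Switch $Name | Out-Null
    }
}

# Compare the two views as TestUser (runas prompts for the demo account's password).
# ABE off: Test, Payroll, HR and budget.xlsx are all listed, even though only Test opens.
Set-ShareAbe -Name $ShareName -Enabled $false
runas "/user:$User" "cmd /c dir \\localhost\$ShareName & pause"

# ABE on: only Test is listed. ABE filters the listing only; NTFS still denies
# \\localhost\Files\Payroll to anyone who types the path directly, ABE or not.
Set-ShareAbe -Name $ShareName -Enabled $true
runas "/user:$User" "cmd /c dir \\localhost\$ShareName & pause"
```

The RX grant on the share root is deliberate: a user with no rights on the root cannot open the share at all, so ABE has nothing to filter. The separate grant on Test, with (OI)(CI), is the only inheritable ACE the user has, which is what makes every sibling folder disappear once ABE is on.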
Enabling ABE on Windows 2008
I am still not used to Windows 2008, so it never ceases to surprise me. Windows 2008 has
four methods (that I found) of sharing a folder (we will discuss sharing files in a later post).
Whichever method you use will automatically and seamlessly install the 'File Server' role on your
server, along with the 'File Services' node under 'Roles' in the Server Manager MMC console (as a matter
of fact, the role is just as seamlessly removed when the last user-created shared folder is removed):
This tool is very important, as it (more or less) replaces the old 'Shared Folders' interface found under the
'Computer Management' console, which means that you will be managing and configuring your shares through this
relatively new interface. In my opinion it would have been beneficial to have the old 'Shared Folders'
available here too (it can be added to a custom MMC).
OK, now let's go back and analyze the four methods that can be used to share a folder (bear with me here; it
might sound as if there isn't anything new to learn about folder sharing, since it has been around forever,
but in my opinion you will be surprised).
The first method for sharing a folder is:
- Right click the folder
- Choose ‘Share…’
- Set the Share Permissions you would like to apply
Note that when using this method, ABE is enabled by default.
The second method:
- Right click the folder
- Choose ‘Properties’
- Select the ‘Sharing’ tab
- Press the 'Advanced Sharing' button
- Enable the share
Note that when using this method, the share permissions are set to Everyone:Read and ABE is disabled
by default.
The third method is the command line:
- Open a command prompt
- Run: net share <sharename>=<drive:path>
Note that when using this method, the share permissions are set to Everyone:Read and ABE is disabled
by default.
The fourth and last method (to the best of my knowledge) is relatively new:
- Open 'Server Manager'
- Expand 'Roles'
- Expand 'File Services' and right-click 'Share and Storage Management' (if no user-created shares exist
on the system, you will have to add the role manually or add the snap-in to a custom MMC)
- Choose 'Provision Share' and enter the wizard…
The major advantage of using this wizard is that it walks you through all the tasks involved in
provisioning a share, so you will not forget anything.
The first page of the wizard gives you an overview of the volumes on the system and asks for the
path of the folder to share. If the storage on the system isn't configured to your liking, you can use
'Provision Storage' at the bottom of the screen:
The second window of the wizard gives you the opportunity to change the NTFS permissions on the
chosen folder:
In the third window you choose the sharing protocols you would like to use (SMB, NFS or
both):
The fourth window is the important one. Here you are given the opportunity to change the SMB settings,
such as the user limit, caching options and, finally, Access Based Enumeration. This is done by pressing
the Advanced button (note that by default ABE is disabled):
In the remaining windows you configure the SMB permissions (share permissions) and DFS settings,
and finally create the share:
Managing ABE on Windows 2008
Managing ABE (which is a nicer way of saying enabling it, disabling it and checking its status) can be done
with the 'Share and Storage Management' snap-in. Right-click a share, choose Properties and then press the
Advanced button, and you will be presented with the familiar window that lets you manage ABE on
that share.
An additional option for managing ABE is to install the tools provided for Windows 2003 on the Windows 2008
server. You can do so by downloading the management tools from this link. Installing these tools
extends the standard UI with an additional tab that lets you enable or disable ABE on the share, or
enable/disable ABE on all shares on the system:
The package also installs a command-line tool (abecmd.exe) that provides the same functionality at the command line:
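Because the default depends on how a share was created (see the four methods above), an administrator should audit the ABE state of existing shares rather than trust memory. The following is an added example (not code from the original post) that reports ABE for every user-created SMB share, enforces it where it is off, and shows how to create a share with ABE on from the start. It uses the SmbShare cmdlets, which assumes Windows Server 2012 or later; on Windows 2008 the equivalent is the abecmd.exe tool described above, run per share or with its /all switch.

```powershell
# Added example: audit ABE on every user-created share, optionally enforce it, and create
# new shares with ABE already on. Requires the SmbShare module (Windows Server 2012 or later).
# Administrative shares such as C$, ADMIN$ and IPC$ are marked Special and are skipped,
# because ABE is not meaningful for them.

function Get-AbeReport {
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        [pscustomobject]@{
            Name    = $_.Name
            Path    = $_.Path
            Abe     = $_.FolderEnumerationMode                     # 'AccessBased' or 'Unrestricted'
            Exposed = ($_.FolderEnumerationMode -eq 'Unrestricted')  # listing reveals names to everyone
        }
    }
}

function Enable-AbeEverywhere {
    param([switch] $WhatIf)
    Get-AbeReport | Where-Object Exposed | ForEach-Object {
        if ($WhatIf) {
            "Would enable ABE on $($_.Name) ($($_.Path))"
        } else {
            Set-SmbShare -Name $_.Name -FolderEnumerationMode AccessBased -Force
            "Enabled ABE on $($_.Name)"
        }
    }
}

function New-AbeShare {
    # Creates the share with ABE on and an explicit share ACL, so the result does not
    # depend on which GUI or tool happened to be used.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $ChangeAccess = @('Authenticated Users')   # assumption: adjust to your groups
    )
    New-SmbShare -Name $Name -Path $Path -FolderEnumerationMode AccessBased `
                 -ChangeAccess $ChangeAccess
}

# Usage: report first, preview the change, then enforce.
Get-AbeReport | Format-Table -AutoSize
Enable-AbeEverywhere -WhatIf
# Enable-AbeEverywhere
# New-AbeShare -Name 'Files' -Path 'C:\Files'
```

Run the report before and after a change window: a share that flips back to Unrestricted usually means someone re-created it with Advanced Sharing or net share, the two methods the post notes leave ABE off.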
In Conclusion
Access Based Enumeration is a good feature that provides a streamlined experience for users who
access shares. On the other hand, in my opinion, this feature has received too little attention, and it may
cause confusion in IT departments that are not aware of its existence, due to the radical change it causes
in the way that shares are presented. In addition, I personally find it somewhat odd that the Windows
2003 tools used to manage ABE are not installed by default with Windows 2008 and that different ways of
sharing folders produce different results with regard to ABE.
All in all, once you get the hang of it, it's a great feature that can improve usability.