By default, when a user opens a shared network folder, SMB displays the full list of files and folders in it. Of course, this happens only if the user has permission to access the share. Access Based Enumeration (ABE) allows hiding specific files and folders from a user who does not have access permission to them on a file server.
Access Based Enumeration has been available on the Windows platform since Windows Server 2003 SP1, and helps prevent users from seeing files and folders they cannot access; it is managed through the share and storage management features of Windows Server.
Access Based Enumeration on Server 2016
By default, the process of accessing a network folder is performed as follows:
- The user connects to the server and requests access to the shared folder;
- The LanmanServer service on the server (responsible for sharing files and folders) checks whether the user has NTFS permissions to read/list the folder contents. If access is allowed, the service returns a list of all files and folders contained in it;
- Next, the user selects a file or folder and tries to open it;
- The server checks whether the user has the necessary access rights. If so, it returns the requested item; if not, an access denied error is returned.
According to this algorithm, the server first returns a list of all the folder contents to the user. The server checks access rights to individual files and folders only when the user tries to access them.
With ABE enabled, the user is shown only the resources for which they have the necessary rights: List folder contents for folders, or Read for individual files.
Some ABE features in Windows Server
- ABE controls only the list of contents inside a shared folder. It does not hide the list of shared folders from users, so when a user connects to the server, they will see all shared folders. If you need to create a hidden share, simply add the $ character to its name, for example, ShareName$;
- ABE doesn’t work when the user is logged on locally or connects via RDP;
- Members of the local Administrators group always see the full list of the folder contents.
Configure access based enumeration on Windows Server
ABE is enabled for each shared folder individually. To configure and manage access based enumeration (ABE), open the Server Manager console and select the File and Storage Services role.
Note. To enable Access Based Enumeration, the File and Storage Services role must be installed on the server.
Then go to the Shares section and choose the network folder from the list for which you want to enable ABE. Right-click it and select Properties.
In the share properties, switch to the Settings tab. Enabling access based enumeration is as simple as checking the Enable access-based enumeration option.
Enable access based enumeration using PowerShell
You can also enable access-based enumeration on a network share using the PowerShell cmdlet Set-SmbShare. Use a simple command:
Set-SmbShare -Name "Share" -FolderEnumerationMode AccessBased
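As an added example (not code from the original article), the following PowerShell session enables ABE on one share, confirms that the setting took effect, and then audits every non-administrative share on the server that still enumerates everything. The share name "Share" is a placeholder; run it in an elevated PowerShell session on the file server.

```powershell
# Added example, not from the original article.
# Assumption: "Share" is a placeholder for an existing share name on this server.

# 1. Enable access-based enumeration on a single share (-Force skips the confirmation prompt)
Set-SmbShare -Name "Share" -FolderEnumerationMode AccessBased -Force

# 2. Verify the change: FolderEnumerationMode should now read "AccessBased"
Get-SmbShare -Name "Share" | Select-Object Name, Path, FolderEnumerationMode

# 3. Audit: list every share that is not a special/administrative share (C$, ADMIN$, IPC$)
#    and still uses the default "Unrestricted" enumeration mode
$unrestricted = Get-SmbShare |
    Where-Object { -not $_.Special -and $_.FolderEnumerationMode -ne 'AccessBased' }

$unrestricted | Select-Object Name, Path, FolderEnumerationMode | Format-Table -AutoSize

# 4. Optionally switch all of them to ABE in one go (pipeline input to Set-SmbShare)
#    Uncomment after reviewing the audit list above.
# $unrestricted | Set-SmbShare -FolderEnumerationMode AccessBased -Force

# 5. Review who can reach each share at the SMB level; ABE only filters what is
#    listed, the share and NTFS permissions still decide what can be opened
Get-SmbShare | Where-Object { -not $_.Special } |
    ForEach-Object { Get-SmbShareAccess -Name $_.Name } |
    Select-Object Name, AccountName, AccessControlType, AccessRight | Format-Table -AutoSize
```

Step 5 is worth keeping next to the ABE audit: as the article notes, ABE hides entries only in the listing, so a share whose permissions are too broad stays too broad regardless of its enumeration mode.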
Enable access based enumeration using Group Policy
If you manage shared folder settings centrally through Group Policy (Computer Configuration > Preferences > Windows Settings > Network Shares), you can enable ABE in the share properties.
For example, here is the content of a network folder with ABE enabled, as seen by the server administrator:
And this is how it looks for an average user whose account does not have permissions on all the folders:
Thus, ABE makes life easier for both users and administrators. Redundant information in network folders is not displayed to users, and the administrator no longer has to answer questions about the lack of access.
However, Access Based Enumeration has a serious drawback: additional server load. The load depends on the number of users per server and the number of objects in the shares. Under heavy load, opening a folder may become significantly slower.
Frequently Asked Questions about Access Based Enumeration
1. What is the historical evolution of Access Based Enumeration?
Access Based Enumeration, often referred to as ABE, has been an integral part of the Windows platform since its introduction with Windows Server 2003 Service Pack 1. Over the years, Microsoft has enhanced and fine-tuned its functionality to ensure that it keeps pace with evolving user needs and security requirements.
2. How does ABE contribute to maintaining data privacy on a network?
ABE plays a critical role in maintaining data privacy by ensuring that users only see the files and folders for which they have access rights. This reduces the chances of unauthorized access to sensitive data and prevents potential information breaches within shared network environments.
3. Are there any alternatives to using the Server Manager console for enabling ABE?
In addition to the Server Manager console, you can enable ABE using PowerShell or Group Policy. The PowerShell cmdlet Set-SmbShare is a useful tool that can be utilized for this purpose. Group Policy can also be leveraged if you’re managing public folder settings centrally.
4. How does Access Based Enumeration affect server performance?
While ABE significantly enhances data privacy and user experience, it can add an extra load on your server. This is because the server has to verify access rights for individual files and folders each time they’re accessed. In environments with a high number of users or objects in the shares, this can potentially slow down the speed of opening folders.
ABE’s main function is to control the visibility of the contents in a shared folder, not the shared folders themselves. So, a user connecting to the server will see all shared folders. However, if you need to create a hidden share, you can add a $ character to the share name, which will make it invisible in the list of shared resources.
6. What’s the relationship between ABE and NTFS permissions?
ABE and NTFS (New Technology File System) permissions work hand in hand to manage data access in a network. While ABE controls which files and folders are visible to a user based on their access rights, NTFS permissions determine what actions a user can perform on those files and folders, like reading, writing, or executing.
7. Does ABE work for users who are logged in locally or through RDP?
ABE is designed to control the visibility of shared network resources. Therefore, it does not come into play when a user is logged in locally or connecting via Remote Desktop Protocol (RDP). Members of the local Administrators group will also always see the full list of folder contents, regardless of ABE settings.
Wrapping Up
Implementing Access Based Enumeration (ABE) on Windows Server 2016 is an excellent approach to enhance data privacy and user experience in shared network environments. By presenting users only with the files and folders they have access rights to, ABE keeps your data secure and prevents unnecessary clutter in shared directories. It’s vital to remember that while ABE brings significant benefits, it can also increase server load, potentially affecting performance.
In addition to the traditional method of enabling ABE via the Server Manager console, alternatives like PowerShell cmdlets and Group Policy provide more flexibility for IT infrastructure setups.
1 comment
Thank you for the interesting article, Cyril!