- 1 Enable access-based enumeration on a namespace
- 2 To enable access-based enumeration by using the Windows interface
- 3 To enable access-based enumeration by using a command line
- 4 To control folder visibility by using the Windows interface
- 5 To control folder visibility by using a command line
- 6 How to Enable Access-Based Enumeration (ABE) on Windows Server?
- 7 How does access to shared folders work in Windows?
- 8 Access-Based Enumeration Restrictions
- 9 Using ABE on Windows Server 2008/ 2008 R2
- 10 Configuring Access-based Enumeration on Windows Server 2012 R2/ 2016
- 11 Implementing Access-Based Enumeration on Windows Server 2003
- 12 Managing ABE from the Command Prompt
- 13 Managing Access Based Enumeration Using PowerShell
- 14 Access-Based Enumeration in Windows 10 / 8.1 / 7
Enable access-based enumeration on a namespace
Applies to: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008
Access-based enumeration hides files and folders that users do not have permissions to access. By default, this feature is not enabled for DFS namespaces. You can enable access-based enumeration of DFS folders by using DFS Management. To control access-based enumeration of files and folders in folder targets, you must enable access-based enumeration on each shared folder by using Share and Storage Management.
To enable access-based enumeration on a namespace, all namespace servers must be running Windows Server 2008 or newer. Additionally, domain-based namespaces must use the Windows Server 2008 mode. For information about the requirements of the Windows Server 2008 mode, see Choose a Namespace Type.
In some environments, enabling access-based enumeration can cause high CPU utilization on the server and slow response times for users.
If you upgrade the domain functional level to Windows Server 2008 while there are existing domain-based namespaces, DFS Management will allow you to enable access-based enumeration on these namespaces. However, you will not be able to edit permissions to hide folders from any groups or users unless you migrate the namespaces to the Windows Server 2008 mode. For more information, see Migrate a Domain-based Namespace to Windows Server 2008 Mode.
To use access-based enumeration with DFS Namespaces, you must follow these steps:
- Enable access-based enumeration on a namespace
- Control which users and groups can view individual DFS folders
Access-based enumeration does not prevent users from getting a referral to a folder target if they already know the DFS path. Only the share permissions or the NTFS file system permissions of the folder target (shared folder) itself can prevent users from accessing a folder target. DFS folder permissions are used only for displaying or hiding DFS folders, not for controlling access, making Read access the only relevant permission at the DFS folder level. For more information, see Using Inherited Permissions with Access-Based Enumeration.
To enable access-based enumeration by using the Windows interface
In the console tree, under the Namespaces node, right-click the appropriate namespace and then click Properties.
Click the Advanced tab and then select the Enable access-based enumeration for this namespace check box.
To enable access-based enumeration by using a command line
Open a command prompt window on a server that has the Distributed File System role service or Distributed File System Tools feature installed.
Type the following command, where is the root of the namespace:
To manage access-based enumeration on a namespace by using Windows PowerShell, use the Set-DfsnRoot, Grant-DfsnAccess, and Revoke-DfsnAccess cmdlets. The DFSN Windows PowerShell module was introduced in Windows Server 2012.
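The three cmdlets named above, used together as an added example (not part of the original documentation). The namespace and folder paths reuse this page's sample values, and `CONTOSO\Interns` is a hypothetical group.

```powershell
# Added example. $root and $folder reuse the sample namespace from this page;
# substitute your own namespace and accounts.
$root   = '\\contoso.office\public'
$folder = '\\contoso.office\public\training'

# 1. Turn on access-based enumeration for the whole namespace.
Set-DfsnRoot -Path $root -EnableAccessBasedEnumeration $true

# 2. Confirm the setting: review Flags for access-based enumeration and
#    Type for the namespace mode (domain-based namespaces need 2008 mode).
Get-DfsnRoot -Path $root | Format-List Path, Type, State, Flags

# 3. Set explicit view permissions on one DFS folder.
foreach ($account in 'CONTOSO\Domain Admins', 'CONTOSO\Trainers') {
    Grant-DfsnAccess -Path $folder -AccountName $account | Out-Null
}

# 4. Remove the view right from an account that should no longer see the folder.
#    'CONTOSO\Interns' is a hypothetical group used only for illustration.
Revoke-DfsnAccess -Path $folder -AccountName 'CONTOSO\Interns' | Out-Null

# 5. Review the resulting view permissions on the DFS folder.
Get-DfsnAccess -Path $folder | Format-Table Path, AccountName, AccessType

# These permissions only show or hide the DFS folder. Access to the data is
# still decided by the share and NTFS permissions on the folder target.
```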
You can control which users and groups can view individual DFS folders either by using the Windows interface or by using a command line.
To control folder visibility by using the Windows interface
In the console tree, under the Namespaces node, locate the folder with targets for which you want to control visibility, right-click it and then click Properties.
Click the Advanced tab.
Click Set explicit view permissions on the DFS folder and then Configure view permissions.
Add or remove groups or users by clicking Add or Remove.
To allow users to see the DFS folder, select the group or user, and then select the Allow check box.
To hide the folder from a group or user, select the group or user, and then select the Deny check box.
To control folder visibility by using a command line
Open a Command Prompt window on a server that has the Distributed File System role service or Distributed File System Tools feature installed.
Type the following command, where is the path of the DFS folder (link), is the name of the group or user account, and (. ) is replaced with additional Access Control Entries (ACEs):
For example, to replace existing permissions with permissions that allows the Domain Admins and CONTOSO\Trainers groups Read (R) access to the \contoso.office\public\training folder, type the following command:
To perform additional tasks from the command prompt, use the following commands:
How to Enable Access-Based Enumeration (ABE) on Windows Server?
Access-based Enumeration (ABE) lets you hide objects (files and folders) in a network shared folder from users who don’t have NTFS permissions (Read or List) to access them. This provides additional confidentiality for data stored in a shared folder (by hiding the structure and names of folders and files), improves usability since users won’t see extraneous data they have no access to and, more importantly, saves the system administrator from constant user questions such as “Why can’t I access this folder?”. Let’s look at this technology, its configuration specifics and the use of ABE in various Windows versions in detail.
One of the drawbacks of network shared folders in Windows is that, by default, all users can at least see the folder structure and the list of all files and directories in a share, including those they don’t have NTFS permissions to access (when trying to open such a file or folder, a user receives the error “Access Denied”). Why not hide those files and folders from the users who don’t have permissions to access them? Access-based Enumeration does exactly that. By enabling ABE on a shared folder, you ensure that different users see a different list of folders and files in the same network share, based on each user’s individual access permissions (ACL).
How does the interaction between the client and the server occur when a shared folder is accessed over SMB?
- A client requests the server to access a directory in the network shared folder;
- The LanmanServer service on the server checks the user permissions to access this folder;
- If access is allowed (NTFS permissions: list content, read or write), the user sees the directory contents;
- Then the user requests access to a file or a subfolder in the same way (you can view who opened a specific file in a network folder like this);
- If the access is denied, the user is notified accordingly.
This scheme makes it clear that the server first shows the entire contents of the folder to the user, and the NTFS permissions are checked only when the user tries to open a specific file or folder.
Access-based Enumeration (ABE) checks access permissions on file system objects before the user receives the list of the folder contents. The final list therefore includes only those objects the user has NTFS permissions to access (at least read-only permission), and all inaccessible resources are simply not displayed (hidden).
This means that a user from one department (e.g., warehouse) sees one list of files and folders in a shared folder (\\filesrv1\docs). In this example, only two folders are displayed for that user: Public and Warehouse.
For a user from another department, e.g., the IT department (which is included in another Windows security group), a different list of subfolders is shown. In addition to the Public and Warehouse directories, this user sees 5 more directories in the same network folder.
The main disadvantage of using ABE on Windows file servers is the extra load on the server. It is especially noticeable on heavily loaded file servers. The more objects there are in the viewed directory, and the more users open files on it, the longer the delay. According to Microsoft, if there are 15,000 objects (files and directories) in the displayed folder, the folder opens 1-3 seconds slower. That is why it is recommended to design a clear, hierarchical subfolder structure for a shared folder, so that the delay when opening folders is less evident.
You can manage ABE from the command prompt (abecmd.exe utility), from the GUI, PowerShell or a special API.
Access-Based Enumeration Restrictions
Access-based Enumeration on Windows doesn’t work in the following cases:
- If you are using Windows XP or Windows Server 2003 without Service Pack 1 as a file server;
- If you are viewing directories locally (directly from the server);
- For members of the local file server administrators group (they always see the full list of files).
Using ABE on Windows Server 2008/ 2008 R2
In Windows Server 2008/R2, no additional components need to be installed to use Access Based Enumeration, since the ABE management feature is already built into the Windows GUI. To enable Access-based Enumeration for a certain folder in Windows Server 2008/2008 R2, open the MMC management console Share and Storage Management (Start -> Programs -> Administrative Tools -> Share and Storage Management). Go to the properties of the necessary share. Then go to the Advanced settings and check Enable access-based enumeration.
Configuring Access-based Enumeration on Windows Server 2012 R2/ 2016
ABE configuration in Windows Server 2012 R2 / 2016 is also very simple. To enable ABE in Windows Server 2012, first install the File and Storage Services role, and then go to the share properties in Server Manager.
In the Settings section, check the option Enable access-based enumeration.
Implementing Access-Based Enumeration on Windows Server 2003
In Windows Server 2003 (no longer supported), ABE is supported starting with Service Pack 1. To enable Access-based Enumeration in Windows Server 2003 SP1 (or later), you have to download and install a package from this link: http://www.microsoft.com/en-us/download/details.aspx?id=17510. During installation you have to specify whether ABE will be enabled for all shared folders on your server or whether you’ll configure it manually. If you choose the second option, a new tab, Access-based Enumeration, will appear in the network share properties after the installation.
To activate ABE for a certain folder, check the option Enable access-based enumeration on this shared folder in its properties.
It’s important to mention that Windows 2003 supports DFS-based Access Based Enumeration, but it can be configured only from the command prompt using cacls.
Managing ABE from the Command Prompt
You can manage Access-based Enumeration settings from the command prompt using the Abecmd.exe utility. This tool is part of the Access-based Enumeration package for Windows Server 2003 SP1 (see the link above).
Abecmd.exe lets you activate ABE for all shares at once or only for some of them. The next command enables Access-Based Enumeration for all shares:
This one is for a certain folder (e.g., a network shared folder with the name Docs):
Managing Access Based Enumeration Using PowerShell
You can use the SMBShare PowerShell module (installed by default in Windows 10/ 8.1 and Windows Server 2016/2012 R2) to manage the settings of Access Based Enumeration for specific folders. Let’s list the properties of a specific shared folder:
Note the value of the FolderEnumerationMode attribute. In our case, its value is Unrestricted. This means that ABE is disabled for this folder.
You can check the status of ABE for all shared folders of the server:
Get-SmbShare | Select-Object Name,FolderEnumerationMode
To enable ABE for a specific folder:
Get-SmbShare Install | Set-SmbShare -FolderEnumerationMode AccessBased
You can enable Access Based Enumeration for all published network folders (including administrative shares ADMIN$, C$, E$, IPC$,…) by running the command:
Get-SmbShare | Set-SmbShare -FolderEnumerationMode AccessBased
To disable ABE use the command:
Get-SmbShare Install | Set-SmbShare -FolderEnumerationMode Unrestricted
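Because the all-shares pipeline above also touches the administrative shares, the following narrower variant reports shares with ABE off and enables it only on non-special shares. It is an added example, not from the original article, and assumes an elevated PowerShell session on the file server.

```powershell
# Added example: audit and enable ABE on regular shares only.
# -Special $false skips the administrative/special shares (ADMIN$, C$, IPC$ ...).
$targets = Get-SmbShare -Special $false |
    Where-Object { $_.FolderEnumerationMode -eq 'Unrestricted' }

# Report which shares currently list their full contents to every user.
$targets | Select-Object Name, Path, FolderEnumerationMode

# Dry run: show what would change without changing anything.
$targets | Set-SmbShare -FolderEnumerationMode AccessBased -WhatIf

# Apply the change; -Force suppresses the per-share confirmation prompt.
$targets | Set-SmbShare -FolderEnumerationMode AccessBased -Force

# Verify the result for all regular shares.
Get-SmbShare -Special $false | Select-Object Name, FolderEnumerationMode
```

ABE only filters the listing. Members of the local administrators group on the file server still see everything, and NTFS and share permissions remain the actual access control.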
Access-Based Enumeration in Windows 10 / 8.1 / 7
Many users, especially in home or SOHO networks, would also like to use Access-Based Enumeration features. The problem is that Microsoft client OSs have neither a graphical nor a command-line interface to manage Access-Based Enumeration.
In Windows 10 (Server 2016) and Windows 8.1 (Server 2012R2), you can use PowerShell to manage Access-based Enumeration (see the section above). In older versions of Windows, you need to install the latest version of PowerShell (>= 5.0) or use the abecmd.exe utility from the Windows Server 2003 package, which works fine on client OSs. Since the Windows Server 2003 Access-based Enumeration package cannot be installed on Windows 10, 8.1 or 7, you have to install it first on Windows Server 2003, and then copy it from the C:\windows\system32 directory to the same folder on the client. After that, you can enable ABE using the commands described above.
In addition, you can enable ABE on computers in the AD domain using GPO. This can be done using GPP in the section Computer Configuration -> Preferences -> Windows Settings -> Network Shares.
In the properties of the network folder there is an Access-Based Enumeration option. If you change the value to Enable, ABE mode will be enabled for all shared folders created using this GPO.
Article source: http://woshub.com/enable-access-based-enumeration-in-windows-server/