Windows Server 2012 Access based enumeration

  • Question

  • I have configured Access based enumeration, but users who are not authorized for the shared folders can still see them. They can't access the folders, but they can see the folders that are not shared with them.
    Monday, July 22, 2019 12:46 PM

All replies

  • Hello,

    The process of accessing a network folder is performed in the following steps:

    1. The user connects to a server and requests access to the shared folder.

    2. The LanmanServer service on the server (responsible for sharing files and folders) checks if the user has NTFS permissions to read or list the folder content. If the user has access, the service returns a list of all the files and folders contained in it.

    3. Next, the user selects a file or folder and tries to open it.

    4. The server will then check if the user has the necessary access rights. If the user has the necessary permissions, the desired items will be returned. If the user has no rights, an access denied error will be returned.

    At first the server will return a list of all the folder contents to the user, and it then checks access rights to individual files and folders only when the user tries to access them.

    By using Access Based Enumeration, the user will be shown only those resources for which he has the necessary rights: List contents for folders or Read for individual files.

    Some of the Access Based Enumeration features:

    • Access Based Enumeration controls only the list of contents in a shared folder; it does not hide the list of shared folders from the users. Therefore, when a user connects to the server, he will see all shared folders. If you need to create a hidden share, you can simply add the character $ to its name, for example ShareName$.
    • Access Based Enumeration doesn’t work when the user is logged on locally or connected via RDP.
    • Members of the local Administrators group always see the full list of the folder contents.


    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com

    Monday, July 22, 2019 1:00 PM
  • Hi,

    Thanks for your question.

    “Access-based enumeration displays only the files and folders that a user has permissions to access. If a user does not have Read (or equivalent) permissions for a folder, Windows hides the folder from the user’s view. This feature is active only when viewing files and folders in a shared folder; it is not active when viewing files and folders in the local file system.”

    Note that ABE has to check the user’s permissions at the time of enumeration and filter out files and folders they don’t have Read permissions to. Also note that this filtering only applies if the user is attempting to access the share via SMB versus simply browsing the same folder structure in the local file system.

    It only filters the response to a Directory Enumeration. The access control is still done through NTFS.

    Meanwhile, as Leon suggested, here are the key points of the ABE feature.

    ABE does not do access control.

    ABE does not do any caching.

    ABE cannot predict the permissions or the result.

    Details:

    https://blogs.technet.microsoft.com/askds/2016/09/01/access-based-enumeration-abe-concepts-part-1-of-2/#comments

    Furthermore, we could monitor ABE with Task Manager / network trace / Performance Monitor.

    Details:

    https://blogs.technet.microsoft.com/askds/2016/09/21/access-based-enumeration-abe-troubleshooting-part-2-of-2/

    Hope this helps.

    Highly appreciate your effort and time. If you have any question or concern, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, July 23, 2019 3:12 AM
    Moderator
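
The checks described in the two replies above, as an added PowerShell example that is not part of the original thread: it reports the ABE state of each share, enables ABE on one share, and lists which identities hold read/list rights on its top-level folders (the rights that decide what ABE shows). `Projects` is a hypothetical share name; run it elevated on the file server.

```powershell
# Added example, not from the thread. 'Projects' is a hypothetical share name.
$shareName = 'Projects'

# 1. ABE state of every user-created share. ABE filters the contents of a
#    share, not the list of shares; only a trailing '$' hides the share name.
Get-SmbShare -Special $false |
    Select-Object Name, Path, FolderEnumerationMode,
        @{ Name = 'HiddenShare'; Expression = { $_.Name.EndsWith('$') } } |
    Format-Table -AutoSize

# 2. Enable ABE on the share if enumeration is still Unrestricted.
$share = Get-SmbShare -Name $shareName
if ($share.FolderEnumerationMode -ne 'AccessBased') {
    Set-SmbShare -Name $shareName -FolderEnumerationMode AccessBased -Force
}

# 3. For each top-level folder, list the Allow entries that grant read/list.
#    ABE hides a folder only from users with no such right, so an inherited
#    entry for a broad group (IsInherited = True) keeps the folder visible.
#    Entries stored as generic rights show as raw numbers and are not matched.
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData
Get-ChildItem -LiteralPath $share.Path -Directory | ForEach-Object {
    $folder = $_
    (Get-Acl -LiteralPath $folder.FullName).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -band $readData) } |
        Select-Object @{ Name = 'Folder'; Expression = { $folder.Name } },
                      IdentityReference, FileSystemRights, IsInherited
} | Format-Table -AutoSize
```

Verify the result from a client over SMB with a non-administrator account, since ABE does not filter local or RDP sessions and members of the local Administrators group always see everything.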
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Michael



    Wednesday, July 24, 2019 10:21 AM
    Moderator
  • Hi,

    Could the above reply be of help? If yes, you may mark it as the answer; if not, feel free to give feedback.

    Best Regards,

    Michael



    Friday, July 26, 2019 6:45 AM
    Moderator
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If not, please reply and tell us the current situation so that we can provide further help.

    Best Regards,

    Michael



    Monday, July 29, 2019 6:49 AM
    Moderator