Discover Windows Server 2003's access-based enumeration feature

Why can users who don't even have explicit permission to access certain folders still see them? Scott Lowe can tell you how to use Windows Server 2003's access-based enumeration (ABE) to close the door to inadvertent glimpses.

Since the beginning, Windows has had some truly puzzling features that inspire significant head-scratching. For example, how often have you had to respond to a user asking why he is unable to open a particular folder in a share only to find that, while the user does not have appropriate rights to see into the folder, he is still presented with the fact that the folder exists? In theory, if a user has no rights to a folder, he should not be able to see that a particular folder even exists.

Besides being annoying for users (and for the poor help desk tech who has to field potential complaints), the fact that users can sometimes see information that is supposed to be off-limits can present a security concern.

This is where access-based enumeration (ABE) comes in. Included with Windows Server 2003 SP1/R2, access-based enumeration allows you to limit, either server-wide or on a per-share basis, what users can see. In short, users will see only what they are supposed to see.

All your friends are doing it...

If, at this point, you're thinking, "It's about time," you're not alone. This access limitation is a feature of most other operating systems—a fact that played a part in Microsoft's decision to create the feature. According to Microsoft, ABE was created to solve the following problems:

  • Increase security. After all, what users can't see they can't question.
  • Ease up on the help desk. Make it easier for less technically-inclined users to get to their files and folders.
  • Simplify migration. Under other operating systems, users are used to seeing only what you allow. ABE brings this same level of access to Windows.

ABE's base functionality is included in both Windows Server 2003 SP1 and R2; however, in order to use the feature you need to download an installer package that adds a tab to folder properties, allowing you to manage ABE. There are three installer packages available for download, each for a different platform. Specifically, Microsoft provides a general 32-bit version as well as 64-bit versions for AMD/x64 and IA64 (Itanium) versions of Windows.

To enable ABE's management capability, download the installer appropriate for your server and run it. During the installation process, the ABE enabler asks you whether you want to enable ABE on the entire server or on a per-folder basis. For my servers, I've enabled this feature on a per-folder basis for greater control. However, you can also selectively disable the feature on specific folders.

Once installed, visit one of your shared folders and open its properties page. A new tab, appropriately named Access-based Enumeration, should be present. On the tab are two selections: Enable Access-based Enumeration On This Shared Folder and Apply This Folder's Setting To All Existing Shared Folders On This Computer. These options and their use are self-explanatory.
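The per-share setting the tab exposes is the share's folder enumeration mode, and on later Windows Server releases (2012 and newer, which ship the SmbShare module) the same audit and enable steps can be scripted. The following is an added example, not code from the column or from Microsoft; it assumes the SmbShare cmdlets are available and that it runs with local administrator rights on the file server.

```powershell
# Added example: audit which SMB shares on this host have access-based
# enumeration (ABE) on, then enable it on those that do not.
# Requires the SmbShare module (Windows Server 2012+ / Windows 8+); the
# Windows Server 2003 tab described above has no PowerShell equivalent.

function Get-AbeShareReport {
    # One row per non-administrative share; AbeEnabled is $true when the
    # share's FolderEnumerationMode is AccessBased rather than Unrestricted.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        [pscustomobject]@{
            Name       = $_.Name
            Path       = $_.Path
            AbeEnabled = ($_.FolderEnumerationMode -eq 'AccessBased')
        }
    }
}

function Enable-AbeOnShares {
    param(
        # Share names to change; by default every share that still has ABE off.
        [string[]]$Name = (Get-AbeShareReport | Where-Object { -not $_.AbeEnabled }).Name,
        [switch]$WhatIf
    )
    foreach ($share in $Name) {
        # ABE only filters what a directory listing returns; the NTFS ACLs on
        # the folders still do the enforcing, so it complements, not replaces,
        # correct permissions. Use -WhatIf to preview the change first.
        Set-SmbShare -Name $share -FolderEnumerationMode AccessBased -Force -WhatIf:$WhatIf
    }
}

# Report first, then enable ABE on everything that is not yet filtered.
Get-AbeShareReport | Format-Table -AutoSize
Enable-AbeOnShares -WhatIf   # drop -WhatIf to apply the change
```

Re-run Get-AbeShareReport afterwards to confirm every share you intended to cover now reports AbeEnabled as True.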

Summary

After you've implemented ABE, users won't even be able to see resources they don't have explicit permission to use.

Miss a column?

Check out the Windows Server 2003 archive, and catch up on the most recent tips from this newsletter.

5 comments
staylor

This is great news. I met with a Microsoft Account Manager a couple of years ago and put it to him that Novell Netware was a superior product for this very reason. Albeit the only one!

david.hicks

Before implementing ABE, something I've been searching for since we sadly migrated from Novell to 2003, does it work seamlessly on Clusters? I assume I can just install it on one server, then the other, and away we go? Anyone tried it on a 2003 Cluster?

gsimoni

In Novell you can put quotas on folders. This is a great feature if you don't want to deal with user-based quotas that may be several hundred. I resolved this problem like this: created logical drives without a drive letter, and mounted them to the appropriate folders (first created the folders, only afterwards mounted the logical drives under them). This trick solved my problem.

JoelB

We've found that you should install ABE on the cluster itself - installing it on the individual servers did not work. Also be aware that you'll have to rerun it whenever a failover occurs - it doesn't seem to "stick", even if installed on all member servers.

shawnyongfc

Any news if MS will have a patch or fixes for the incomplete solution?