By default, when a user opens a shared network folder over SMB, the server returns the full list of files and folders in it. Of course, this only happens if the user has access to the share itself. Access Based Enumeration (ABE) hides files and directories from users who are not authorized to access them.
Access Based Enumeration has been available on Windows since Windows Server 2003 SP1 to keep users from seeing files and directories they cannot access.
Access Based Enumeration on Server 2016
Without ABE, the default procedure for accessing a network folder is as follows:
- The user establishes a connection with the server and asks for access to the shared folder;
- The server's LanmanServer service (which is in charge of sharing files and folders) checks whether the user has NTFS permissions to read/list the folder content. If so, the service returns a list of all files and folders within it;
- The user then selects a file or folder and attempts to open it;
- The server verifies that the user has the required permissions. If the user has the necessary rights, it returns the requested item; if not, an Access Denied error is returned.
In this procedure, the server first gives the user the complete list of the folder contents, and it checks access rights only when the user attempts to open a file or folder.
With ABE enabled, the user is shown only the resources for which they have the required permissions: the right to list the contents of a folder, or to read an individual file.
Some ABE characteristics include:
ABE applies only to the contents of a shared folder. The list of shared folders itself is not hidden from users, so when a user connects to the server, all shared folders are visible. If you want to make a hidden share, add the $ character to the end of its name, for example ShareName$.
ABE does not work when a user logs on locally or over RDP, and members of the local Administrators group always see the complete list of the folder contents.
ABE is enabled for each folder separately. To set up ABE, open the Server Manager console and select the File and Storage Services role.
Then go to the Shares section, choose from the list the network folder for which you want to enable ABE, right-click it, and select Properties.
In the share properties, switch to the Settings tab and check the Enable access-based enumeration option.
You can also enable access-based enumeration on a network share with the PowerShell cmdlet Set-SmbShare:
Set-SmbShare -Name "Share" -FolderEnumerationMode AccessBased
If you manage shared folder settings centrally through Group Policy (Computer Configuration > Preferences > Windows Settings > Network Shares), you can enable ABE in the share properties there as well.
For example, here is the content of a network folder with ABE enabled, as seen by the server administrator:
As a result, ABE simplifies life for both users and administrators: users do not see irrelevant entries in network folders, and administrators no longer have to answer questions about why access is missing.
Access Based Enumeration does, however, have a significant disadvantage: it increases the load on the server. The size of this overhead depends on the number of users connected to each server and the number of objects in the shared folders. Under heavy load, opening a folder may become noticeably slower.
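Setting one share by hand is fine, but on a file server with many shares an administrator usually wants to see which ones still use the default unrestricted enumeration. The following script is an added example (not code from the original article): it reports the enumeration mode of every SMB share on the local server and, through a second function, turns on ABE for the ones that lack it. It assumes the SmbShare module (Windows Server 2012 / Windows 8 and later) and an elevated PowerShell session; the function names Get-AbeShareReport and Enable-AbeOnShares are chosen here, and no share names are hard-coded.

```powershell
# Added example, not part of the original article.
# Assumes: local run on the file server, elevated session, SmbShare module present.

function Get-AbeShareReport {
    [CmdletBinding()]
    param(
        # Include built-in administrative shares (C$, ADMIN$, IPC$). Off by default,
        # since ABE is not meaningful for them.
        [switch]$IncludeSpecial
    )

    Get-SmbShare | Where-Object { $IncludeSpecial -or -not $_.Special } | ForEach-Object {
        [pscustomobject]@{
            Name         = $_.Name
            Path         = $_.Path
            # A trailing '$' only hides the share from browse lists; it is not an ACL.
            Hidden       = $_.Name.EndsWith('$')
            # FolderEnumerationMode is Unrestricted (default) or AccessBased (ABE on).
            AbeEnabled   = ($_.FolderEnumerationMode -eq 'AccessBased')
            # Number of share-level permission entries (these are not the NTFS ACEs
            # that ABE actually evaluates, but a large share ACL is worth a second look).
            ShareAclSize = @(Get-SmbShareAccess -Name $_.Name).Count
        }
    }
}

function Enable-AbeOnShares {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$Name
    )
    process {
        foreach ($shareName in $Name) {
            # ShouldProcess honours -WhatIf / -Confirm so the change can be previewed first.
            if ($PSCmdlet.ShouldProcess($shareName, 'Set FolderEnumerationMode to AccessBased')) {
                Set-SmbShare -Name $shareName -FolderEnumerationMode AccessBased -Force
            }
        }
    }
}

# Usage: show the current state, then preview enabling ABE on every share that lacks it.
$report = Get-AbeShareReport
$report | Format-Table -AutoSize

$report |
    Where-Object { -not $_.AbeEnabled } |
    Select-Object -ExpandProperty Name |
    Enable-AbeOnShares -WhatIf    # remove -WhatIf to apply the change
```

The report keeps ABE status and the hidden-name convention separate on purpose: a share named Reports$ is merely absent from browse lists, and only FolderEnumerationMode AccessBased hides entries inside it from users without NTFS rights. New-SmbShare also accepts -FolderEnumerationMode AccessBased, so new shares can be created with ABE on from the start instead of being fixed up afterwards.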