By default, when a user opens a shared network folder, SMB displays the full list of files and folders in it (provided, of course, that the user has permission to access the share). Access Based Enumeration (ABE) allows you to hide specific files and folders from users who don't have permission to access them.
Access Based Enumeration has been available on the Windows platform since Windows Server 2003 SP1 and helps prevent users from seeing files and folders they cannot access.
Access Based Enumeration on Server 2016
By default, access to a network folder proceeds as follows:
- The user connects to the server and requests access to the shared folder.
- The LanmanServer service on the server (responsible for sharing files and folders) checks whether the user has NTFS permissions to read/list the folder contents. If so, the service returns a list of all the files and folders the folder contains.
- The user then selects a file or folder and tries to open it.
- The server checks whether the user has the necessary access rights. If the user has the required permissions, the requested item is returned; if not, an access denied error is returned.
According to this algorithm, the server first returns to the user a list of the entire folder contents, and checks access rights to individual files and folders only when the user tries to open them.
With ABE enabled, the user is shown only those resources for which he has the necessary rights: List folder contents for folders or Read for individual files.
Some ABE features:
- ABE controls only the listing of a shared folder's contents; it does not hide the list of shared folders themselves from users. So when a user connects to the server, he still sees all shared folders. If you need a hidden share, simply append the $ character to its name, for example ShareName$.
- ABE doesn't work when the user is logged on locally or is connected via RDP.
- Members of the local Administrators group always see the full folder contents.
ABE is enabled for each shared folder individually. To configure ABE, open the Server Manager console and select the File and Storage Services role.
Note. To enable Access Based Enumeration, the File and Storage Services role must be installed on the server.
Then go to the Shares section, choose from the list the network folder for which ABE needs to be enabled, right-click it and select Properties.
In the share properties, switch to the Settings tab and tick the Enable access-based enumeration checkbox.
You can also enable access-based enumeration on a network share with the Set-SmbShare PowerShell cmdlet using a simple command:
Set-SmbShare -Name "Share" -FolderEnumerationMode AccessBased
If you manage shared folder settings centrally through Group Policy (Computer Configuration -> Preferences -> Windows Settings -> Network Shares), you can enable ABE in the share properties there.
For example, here are the contents of a network folder with ABE enabled, as seen by the server administrator:
And this is how it looks for an ordinary user.
Thus, ABE makes life easier for both users and administrators: redundant information in network folders is no longer shown to users, and administrators no longer have to answer questions about missing access.
However, Access Based Enumeration has a small drawback: additional server load. The load depends on the number of users per server and the number of objects in the shares. Under heavy load, the time to open a folder may increase significantly.
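When a server has many shares, enabling ABE one by one is error-prone; the following script is an added example (not from the original article) that audits every non-administrative SMB share on the local server, enables access-based enumeration where it is still Unrestricted, and reports the resulting state. It uses only the Get-SmbShare and Set-SmbShare cmdlets shown above; the function name Enable-AbeOnAllShares and the -Exclude parameter are assumptions for this example.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the file server (SmbShare module, Windows Server 2012 or later).
function Enable-AbeOnAllShares {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Share names to leave alone, e.g. shares that must stay fully listed.
        [string[]]$Exclude = @()
    )

    # Special = $true marks the built-in ADMIN$, C$, IPC$ shares; leave those as they are.
    $shares = Get-SmbShare | Where-Object { -not $_.Special -and $_.Name -notin $Exclude }

    foreach ($share in $shares) {
        if ($share.FolderEnumerationMode -eq 'AccessBased') {
            Write-Verbose "$($share.Name): ABE already enabled"
            continue
        }
        if ($PSCmdlet.ShouldProcess($share.Name, 'Enable access-based enumeration')) {
            # -Force suppresses the confirmation prompt Set-SmbShare shows by default.
            Set-SmbShare -Name $share.Name -FolderEnumerationMode AccessBased -Force
        }
    }

    # Report the resulting state so the change can be verified.
    Get-SmbShare | Where-Object { -not $_.Special } |
        Select-Object Name, Path, FolderEnumerationMode
}

# Preview the changes first, then apply them (keeping the 'Public' share unrestricted).
Enable-AbeOnAllShares -WhatIf
Enable-AbeOnAllShares -Exclude 'Public' -Verbose
```

Remember that the listing reported here is what a regular network user sees; administrators and users connected locally or via RDP still get the full listing regardless of the FolderEnumerationMode value.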