By default, when a user opens a shared network folder, SMB displays the full list of files and folders in it. Of course, this happens only if the user has permission to access the share itself. Access Based Enumeration (ABE) allows hiding specific files and folders from users who don't have permission to access them.
Access Based Enumeration has been available on the Windows platform since Windows Server 2003 SP1 and helps to prevent users from seeing files and folders they cannot access.
Access Based Enumeration on Server 2016
By default, access to a network folder is performed as follows:
- The user connects to the server and requests access to the shared folder;
- The LanmanServer service on the server (responsible for sharing files and folders) checks whether the user has NTFS permissions to read/list the folder contents. If the user has access, the service returns a list of all files and folders contained in it;
- Next, the user selects a file or folder and tries to open it;
- The server checks whether the user has the necessary access rights. If so, it returns the requested item; if not, an "Access denied" error is returned.
According to this algorithm, the server first returns the full list of folder contents to the user. The server checks access rights to individual files and folders only when the user tries to access them.
With ABE enabled, the user is shown only the resources for which they hold the necessary rights: List folder contents for folders, or Read for individual files.
Some ABE features:
- ABE controls only the listing of the contents of a shared folder. It does not hide the list of shared folders from users. Therefore, when a user connects to the server, they will see all shared folders. If you need to create a hidden share, you can simply add the $ character to its name, for example, ShareName$;
- ABE doesn't work when the user is logged on locally or connected via RDP;
- Members of the local Administrators group always see the full list of the folder contents.
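The rule above (List folder contents for folders, Read for files) can be checked against the NTFS ACLs before a user complains that "the folder is empty". The following PowerShell script is an added example, not part of the original article: it walks the children of a shared folder and reports which items a given principal would see under ABE. It is deliberately simplified, matching only ACEs that name the principal directly (rights inherited via group membership are not resolved), and the $SharePath and $Principal values are placeholders. Members of the local Administrators group see everything regardless, as the article notes.

```powershell
# Added example (not from the original article): preview what ABE would show a given
# principal inside a shared folder by inspecting each child's NTFS ACL for an ACE that
# grants the right ABE looks at (List folder contents for folders, Read for files).
# Simplification: only ACEs that name the principal directly are matched; rights granted
# through group membership are not resolved. Placeholders: $SharePath, $Principal.
param(
    [string]$SharePath = 'D:\Shares\Projects',   # placeholder: local path of the share
    [string]$Principal = 'CONTOSO\jdoe'          # placeholder: user or group to preview
)

# ListDirectory (folders) and ReadData (files) share the same access-mask bit.
$listFolder = [System.Security.AccessControl.FileSystemRights]::ListDirectory
$readFile   = [System.Security.AccessControl.FileSystemRights]::ReadData

Get-ChildItem -LiteralPath $SharePath -Force | ForEach-Object {
    $item   = $_
    $needed = if ($item.PSIsContainer) { $listFolder } else { $readFile }

    $acl   = Get-Acl -LiteralPath $item.FullName
    $allow = $false
    $deny  = $false
    foreach ($ace in $acl.Access) {
        # Only ACEs that name the principal directly (see simplification above).
        if ($ace.IdentityReference.Value -ne $Principal) { continue }
        if (($ace.FileSystemRights -band $needed) -eq $needed) {
            if ($ace.AccessControlType -eq 'Allow') { $allow = $true } else { $deny = $true }
        }
    }

    [pscustomobject]@{
        Name    = $item.Name
        Type    = if ($item.PSIsContainer) { 'Folder' } else { 'File' }
        # A matching Deny ACE wins over Allow, as in normal NTFS evaluation.
        Visible = ($allow -and -not $deny)
    }
}
```

Run it in an elevated PowerShell session on the file server, passing the share's local path and the account or group you want to preview. Items reported as Visible = False are the ones ABE will hide from that principal once it is enabled on the share.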
ABE is enabled for each shared folder individually. To configure ABE, open the Server Manager console and select the File and Storage Services role.
Note. To enable Access Based Enumeration, the File and Storage Services role must be installed on the server.
Then go to the Shares section and choose from the list the network folder for which you want to enable ABE. Right-click it and select Properties.
In the share properties, switch to the Settings tab and check the Enable access-based enumeration option.
Also, you can enable the access-based enumeration on a network share using PowerShell cmdlet Set-SmbShare. Use a simple command:
Set-SmbShare -Name "Share" -FolderEnumerationMode AccessBased
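Because ABE is a per-share setting, it is easy to miss a share on a server with many of them. The following PowerShell script is an added example, not part of the original article: it reports the FolderEnumerationMode of every non-administrative share on the server and, only when run with -Enable, switches the remaining ones to AccessBased using the same Set-SmbShare cmdlet shown above. Run it in an elevated PowerShell session on Windows Server 2016.

```powershell
# Added example (not from the original article): audit every non-administrative SMB share
# on this server, report which ones still use the default Unrestricted enumeration mode,
# and switch them to AccessBased when -Enable is given. Requires an elevated session.
param(
    [switch]$Enable   # report only unless this switch is present
)

# Skip the built-in administrative shares (ADMIN$, C$, IPC$, ...): ABE does not apply there.
$shares = Get-SmbShare | Where-Object { -not $_.Special }

foreach ($share in $shares) {
    $status = [pscustomobject]@{
        Name    = $share.Name
        Path    = $share.Path
        ABE     = $share.FolderEnumerationMode   # 'Unrestricted' (default) or 'AccessBased'
        Changed = $false
    }

    if ($Enable -and $share.FolderEnumerationMode -ne 'AccessBased') {
        # Same cmdlet as in the article; -Confirm:$false suppresses the per-share prompt.
        Set-SmbShare -Name $share.Name -FolderEnumerationMode AccessBased -Confirm:$false
        # Re-read the share so the report shows the value the server actually stored.
        $status.ABE     = (Get-SmbShare -Name $share.Name).FolderEnumerationMode
        $status.Changed = $true
    }

    $status
}
```

Without -Enable the script changes nothing and just prints the table, which is a convenient check after configuring shares through Server Manager. New shares can be created with ABE already on, since New-SmbShare accepts the same -FolderEnumerationMode AccessBased parameter.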
If you manage shared folder settings centrally through Group Policy (Computer Configuration > Preferences > Windows Settings > Network Shares), you can enable ABE in the share properties there.
For example, here is the content of a network folder with ABE enabled, as seen by the server administrator:
And this is how it looks for an ordinary user:
Thus, ABE makes life easier for both users and administrators. Redundant information in network folders is not displayed to users, and the administrator no longer has to answer questions about missing access.
However, Access Based Enumeration has a serious drawback: additional server load. The load depends on the number of users per server and the number of objects in the shares. Under heavy load, opening a folder may become noticeably slower.
Thank you for the interesting article, Cyril!