Configure Access Based Enumeration on Windows Server 2016

By default, when a user opens a shared network folder, SMB displays the full list of files and folders in it. Of course, this happens only if the user has permission to access the share itself. Access Based Enumeration (ABE) allows hiding the specific files and folders from a user who does not have permission to access them.

Access Based Enumeration has been available on the Windows platform since Windows Server 2003 SP1, and helps prevent users from seeing files and folders they are not permitted to access.

Access Based Enumeration on Server 2016

By default, the process of accessing a network folder is performed as follows:

  1. The user connects to the server and requests access to the shared folder;
  2. The LanmanServer service on the server (responsible for sharing files and folders) checks whether the user has NTFS permissions to read/list the folder contents. If access is allowed, the service returns a list of all files and folders contained in it;
  3. Next, the user selects a file or folder and tries to open it;
  4. The server checks whether the user has the necessary access rights. If the user has the necessary permissions, it returns the requested item. If the user has no rights, an Access Denied error is returned.

According to this algorithm, the server first returns the list of the entire folder contents to the user. The server checks access rights to individual files and folders only when the user tries to access them.


With ABE enabled, the user is shown only the resources for which he has the necessary rights: List Folder Contents for folders, or Read for individual files.

Some ABE features:

  • ABE controls only the list of contents inside a shared folder. It does not hide the list of shared folders from users. Therefore, when a user connects to the server, he will see all shared folders. If you need to create a hidden share, you can simply add the character $ to its name, for example, ShareName$;
  • ABE doesn't work when the user is logged on locally or when connecting via RDP;
  • Members of the local Administrators group always see the full list of the folder contents.

ABE is enabled for each shared folder individually. To configure ABE, open the Server Manager console and select the File and Storage Services role.

Note. To enable Access Based Enumeration, File and Storage Services role must be installed on the server.


Then, go to the Shares section and choose a network folder from the list for which to enable the ABE. Right-click on it, and select its Properties.


Then, in the properties of the share, switch to the Settings tab and check the Enable access-based enumeration option.


You can also enable access-based enumeration on a network share using the PowerShell cmdlet Set-SmbShare. Use a simple command:

Set-SmbShare -Name "Share" -FolderEnumerationMode AccessBased
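Because ABE is a per-share setting, it is easy to end up with a mix of shares that have it enabled and shares still using the default Unrestricted mode. The script below is an added example (not from the original article) that audits every non-administrative share on the server with Get-SmbShare, switches any share still in Unrestricted mode to AccessBased with Set-SmbShare, and prints a before/after report; run it in an elevated PowerShell session on the file server, and pass -ReportOnly to see the current state without changing anything. The -ReportOnly switch and the report layout are this example's own design.

```powershell
# Added example: audit and enable Access Based Enumeration on all regular shares.
# Run elevated on the file server. Share names come from Get-SmbShare, nothing
# is hard-coded. -ReportOnly (this script's own switch) only lists the state.

param(
    [switch]$ReportOnly
)

# Administrative shares (C$, ADMIN$, IPC$) carry Special = $true;
# ABE is not meaningful for them, so they are excluded from the audit.
$shares = Get-SmbShare | Where-Object { -not $_.Special }

$report = foreach ($share in $shares) {
    $needsChange = ($share.FolderEnumerationMode -ne 'AccessBased')

    if ($needsChange -and -not $ReportOnly) {
        # -Force suppresses the confirmation prompt. The new mode applies to
        # subsequent directory listings; no LanmanServer restart is required.
        Set-SmbShare -Name $share.Name -FolderEnumerationMode AccessBased -Force
    }

    # Re-read the share so the report reflects the state after the change.
    $after = Get-SmbShare -Name $share.Name
    [pscustomobject]@{
        Name       = $share.Name
        Path       = $share.Path
        ModeBefore = $share.FolderEnumerationMode
        ModeAfter  = $after.FolderEnumerationMode
        Changed    = ($needsChange -and -not $ReportOnly)
    }
}

$report | Format-Table -AutoSize
```

Run the script with -ReportOnly first; any share whose ModeBefore column reads Unrestricted still exposes its full listing to every user who can open it. Hidden shares (names ending in $ that are not administrative shares) are included, since ABE applies to their contents just like any other share.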


If you manage shared folder settings centrally through Group Policy (Computer Configuration > Preferences > Windows Settings > Network Shares), you can enable ABE in the properties of the share item.


For example, here is the content of a network folder with ABE enabled, as seen by the server administrator: the full list of files and folders is displayed.

And this is how the same folder looks for an average user: only the items he has rights to are shown.

Thus, ABE technology makes life easier for both users and administrators. Redundant information in network folders is not displayed to users, and the administrator no longer has to answer questions about why access to a visible folder is denied.

However, Access Based Enumeration has a serious drawback: additional server load. The load depends on the number of users per server and the number of objects in the shares. Under heavy load, the time it takes to open a folder may increase significantly.
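Rather than guessing at that overhead, it can be measured on the server itself. The script below is an added example (not from the original article) that times a recursive listing of one share over its UNC path in both enumeration modes using Measure-Command, then restores the mode the share had before the test. The share name is a placeholder to replace with a test share, and the Measure-Listing function is this example's own helper. Because members of the local Administrators group always see the full listing, the numbers from an elevated session show the cost of the extra access checks but not any filtering; for representative figures, run the listing part under an ordinary user account from a client while an administrator toggles the mode.

```powershell
# Added example: measure directory-listing time with and without ABE.
# Run elevated on the file server against a test share, not a busy production
# share, since the mode is toggled during the test.

$ShareName = 'Share'   # placeholder: the share to measure
$Rounds    = 5         # listings averaged per mode

$share        = Get-SmbShare -Name $ShareName
$originalMode = $share.FolderEnumerationMode
# Enumerate via the UNC path so the request goes through the SMB server and
# its ABE filtering, not straight through the local NTFS volume.
$uncPath      = "\\$env:COMPUTERNAME\$ShareName"

function Measure-Listing {
    param([string]$Path, [int]$Count)
    $samples = 1..$Count | ForEach-Object {
        (Measure-Command {
            Get-ChildItem -LiteralPath $Path -Recurse -Force `
                -ErrorAction SilentlyContinue | Out-Null
        }).TotalMilliseconds
    }
    ($samples | Measure-Object -Average).Average
}

$results = foreach ($mode in 'Unrestricted', 'AccessBased') {
    Set-SmbShare -Name $ShareName -FolderEnumerationMode $mode -Force
    [pscustomobject]@{
        Mode  = $mode
        AvgMs = [math]::Round((Measure-Listing -Path $uncPath -Count $Rounds), 1)
    }
}

# Put the share back into whatever mode it had before the test.
Set-SmbShare -Name $ShareName -FolderEnumerationMode $originalMode -Force

$results | Format-Table -AutoSize
```

The difference between the two AvgMs values is the per-listing cost of ABE for that share's object count; repeating the test on the largest shares gives a realistic picture of the load the article warns about before enabling ABE everywhere.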

Cyril Kardashevsky
