Access-Based Enumeration (ABE, перечисление на основе доступа) это опция файлового сервера Windows, которая позволяет скрыть от пользователя файлы и папки, к которым у него доступа. Это позволяет скрыть структуру каталогов и имена папок и файлов в общей сетевой папке.
Содержание:
- Как включить Access Based Enumeration в Windows Server
- Управление Access Based Enumeration из командной строки (PowerShell)
Как включить Access Based Enumeration в Windows Server
Рассмотрим сценарий, когда на файловом сервере Windows есть некая общая сетевая папка с каталогами нескольких отделов. Все пользователи могут просматривать список директорий в этой папке (для этого на корневую папку даны права List folder или Traverse folder для группы Users). Но пользователи могут зайти только в каталоги, в списки доступа NTFS которых они добавлены.
Предположим, пользователь добавлен в группы доступа AD, назначенные на 2 каталога Public и Salary.
Группы безопасности AD добавлены в NTFS разрешения соответствующих подкаталогов в общей папки. Из ACL убраны разрешения, дающие доступ к подпапкам для групп Domain Users или Builtin\Users.
Чтобы включить ABE, откройте консоль Server Manager -> выберите роль File and Storage Services -> Shares. Отройте свойства общей папки и на вкладке Settings включите опцию Enable access-based enumeration.
Обновите содержимое общей папки у пользователя. Теперь пользователеь видит только два каталога, к которым ему предоставлен доступ. Оставшиеся папки скрыты от пользователя.
Кроме того, вы можете включать ABE на компьютерах домена AD с помощью групповых политик. Для этого используется GPP в секции: Computer Configuration -> Preferences -> Windows Settings -> Network Shares).
Если включить опцию Access-Based Enumeration, то для сетевой папки, опубликованной с помощью данной GPO, будет включен режим ABE.
Управление Access Based Enumeration из командной строки (PowerShell)
Можно включить ABE для сетевой папки из командной строки PowerShell.
Это в том числе позволяет включить Access-Based enumeration для сетевых папок, опубликованных на обычных рабочих станциях с десктопными версиями Windows 10 и 11.
Например, чтобы включить режим перечисления для общей папка с именем Docs, выполните команду:
Get-SmbShare Docs | Set-SmbShare -FolderEnumerationMode AccessBased
Вывести список опубликованных сетевых папок (включая общие административные папки Windows) и статус опции ABE:
Get-SmbShare | Select-Object Name,FolderEnumerationMode
Значение FolderEnumerationMode =
AccessBased
указывает, что Access Based-enumeration для них включен.
Отключить ABE для папки:
Get-SmbShare Docs | Set-SmbShare -FolderEnumerationMode Unrestricted
В Samba сервере на Linux для включения Access-based Enumeration нужно добавить в конфигурационный файл
smb.conf
опции:
hide unreadable = Yes access based share enum = Yes
В корпоративной среде ABE часто применяется для папок DFS, скрывая от пользователей «ненужные» папки и предоставляя более удобную структуру дерева общих папок. Включить ABE на пространстве имен DFS можно с помощью консоли DFS Management или утилиты dfsutil.exe:
dfsutil property abde enable \\<namespace root>
Другие особенности и ограничений Access-based Enumeration в Windows
- Включение ABE на файловых серверах может увеличить нагрузку на сервер. Особенно заметна будет задержка отображения списка файлов в каталогах, которые содержат тысячи файлов (например, при наличии 15000 объектов в общей папке, скорость ее открытия замедлится на 1-3 секунды).
- ABE не работает при локальном просмотре каталогов на сервере.
- Члены локальной группы администраторов файлового сервера всегда видят полный список объектов в сетевой папке.
Access-based Enumeration (ABE) is a shared folder option in Windows that allows to hide files and folders that users don’t have permission to access. ABE is used to hide the directory structure and the names of folders and files, and to limit the number of items in a particular user folder view for a shared network folder.
Contents:
- Using Access-based Enumeration on Windows Server
- Managing Access-based Enumeration from the Command Prompt (PowerShell)
Using Access-based Enumeration on Windows Server
Let’s say there is a shared network folder on a Windows file server containing the public directories of several departments. All users can see the list of directories in this share. This is done by assigning the List Folders or Browse Folders permissions for the built-in Users group to the root of the folder only. The user will only be able to open the subdirectory if their account is added to the NTFS access list.
Let’s assume that a user is added to the AD security groups that allow two sub-directories to be opened (Public and Salary).
These AD security groups are added to the NTFS permissions of the corresponding sub-directories in a share. Permissions that grant access to sub-folders for the Domain Users group or the Builtin\Users group have been removed from the ACLs.
To enable ABE on a shared folder, open the Server Manager console -> select the File and Storage Services role -> Shares. Open the share properties and enable the Enable access-based enumeration option on the Settings tab.
Refresh shared folder contents in a user session (press F5 in the File Explorer). Now the user sees only two directories that he can access. The rest of the sub-folders are not visible to the user.
In addition, you can enable ABE on computers in the AD domain using Group Policies. This can be done using the GPP option under Computer Configuration -> Preferences -> Windows Settings -> Network Shares.
Enabling Access-based Enumeration will enable ABE mode for the shared folder published by this GPO.
Managing Access-based Enumeration from the Command Prompt (PowerShell)
You can also enable ABE for a shared network folder from the PowerShell command prompt.
This allows enabling Access-based Enumeration for shared folders on workstations running desktop OS versions (Windows 10 or 11).
For example, to enable access base enumeration mode for a shared folder named DOCS, run the command:
Get-SmbShare DOCS | Set-SmbShare -FolderEnumerationMode AccessBased
List all shared folders (including Windows administrative shares) and the status of the ABE option:
Get-SmbShare | Select-Object Name,FolderEnumerationMode
The value FolderEnumerationMode = AccessBased indicates that access-based enumeration is enabled.
Disable ABE for a share:
Get-SmbShare DOCS | Set-SmbShare -FolderEnumerationMode Unrestricted
To enable Access-based enumeration on a Linux Samba server, add the following options to the smb.conf configuration file
hide unreadable = Yes
The shared folders themselves, to which the user doesn’t have access permissions, can be hidden from the network environment using another Samba option.
access based share enum = Yes
In a corporate environment, ABE works perfectly with DFS folders by hiding unused folders from users and providing a more convenient public folder tree structure. You can enable ABE in DFS using the DFS Management snap-in or dfsutil.exe command:
dfsutil property abde enable \\namespace_root
Other features and limitations of Access-based enumeration on Windows
- Enabling ABE on a file server may increase the load on the host. There may be a slight delay when refreshing a list of files in an ABE-enabled folder containing thousands of items. For example, folder access will slow down by 1-3 seconds if there are 15,000 objects in a shared folder.
- When browsing a directory locally on the file server, ABE is not used.
- Members of the local Administrators group on the file server will always see a full list of the items in a shared folder.
Access-based Enumeration (ABE) allows objects (files, folders) on local resources to be hidden from users who do not have permission for those objects. Access-based Enumeration was designed to cut the grapevine before it can even grow.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related Windows servers queries.
Enable ABE on Windows Server
Here, let us see how to configure and use of ABE in various Windows versions.
How does access to shared folders work in Windows ?
By enabling ABE on a shared folder, we can ensure that different users see a different list of folders and files in the same network share based on the user’s individual access permissions (ACL).
Let us see how the interaction between the client and the server occurs when accessing a shared folder over the SMB:
- Firstly, a client requests the server to access a directory in the network shared folder.
- Then, the LanmanServer service on the server checks the user permissions to access this folder.
- Next, if access is allowed (NTFS permissions: list content, read or write), the user sees the directory contents.
- Then, the user requests access to a file or a subfolder in the same way (we can view who opened a specific file in a network folder like this).
- Finally, if the access is denied, the user is notified accordingly.
According to this scheme, the server firstly shows the entire contents of the folder to the user.
Then, when the user tries to open a specific file or folder the NTFS permissions are checked.
If we need to hide a shared folder from a user, we have to add a $ symbol at the end of the share name.
We can manage ABE from the command prompt (abecmd.exe utility), from the GUI, PowerShell or a special API.
Access-Based Enumeration Restrictions
Access-based Enumeration on Windows does not work in the following cases:
- If we are using Windows XP or Windows Server 2003 without Service Pack 1 as a file server.
- Then, if we are viewing directories locally (directly from the server) or connecting via RDP.
- For members of the local file server administrators group (they always see the full list of files).
How to use ABE on Windows Server 2008/2008 R2 ?
To enable Access-based Enumeration for a certain folder in Windows Server 2008/2008 R2, follow the steps given below:
- Open the MMC management console Share and Storage Management (Start –> Programs –> Administrative Tools -> Share and Storage Management).
- Go to the properties of the necessary share.
- Then go to the Advanced settings and check Enable access-based enumeration.
How to Configure Access-based Enumeration on Windows Server 2012 R2/2016 ?
To enable ABE in Windows Server 2012, follow the steps given below:
- Firstly, we have to install File and Storage Services role.
- Then go to the share properties in the Server Manager.
- In Settings section, check the option Enable access-based enumeration.
How to Implement Access-Based Enumeration on Windows Server 2003 ?
In Windows Server 2003 (not supported now), ABE became supported starting from Service Pack 1.
To enable Access-based Enumeration in Windows Server 2003 SP1 (or later), follow the steps given below:
1. Firstly, download and install a package following this link:
https://www.microsoft.com/en-us/download/details.aspx?id=15656
2. Then during installation, we have to specify whether ABE will be enabled for all shared folders on the server or we will configure it manually. If we choose the second option, a new tab, Access-based Enumeration, will appear in the network share properties after the installation.
3. Finally, to activate ABE for a certain folder, check the option «Enable access-based enumeration on this shared folder» in its properties.
How to Manage ABE from the Command Prompt ?
We can manage Access-based Enumeration settings from the command prompt using Abecmd.exe utility.
This tool is a part of Access-based Enumeration package for Windows Server 2003 SP1.
Abecmd.exe allows to activate ABE for all directories at once or only for some of them. The next command enables Access-Based Enumeration for all shares:
abecmd /enable /all
This one is for a certain folder (for example, a network shared folder with the name Docs):
abecmd /enable Docs
How to Manage Access Based Enumeration Using PowerShell ?
We can use the SMBShare PowerShell module (installed by default in Windows 10/8.1 and Windows Server 2016/2012 R2) to manage the settings of Access Based Enumeration for specific folders.
To list the properties of a specific shared folder:
Get-SmbShare Install|fl
Note the value of the FolderEnumerationMode attribute. In our case, its value is Unrestricted. This means that ABE is disabled for this folder.
Then, we can check the status of ABE for all shared folders of the server:
Get-SmbShare | Select-Object Name,FolderEnumerationMode
To enable ABE for a specific folder:
Get-SmbShare Install | Set-SmbShare -FolderEnumerationMode AccessBased
We can enable Access Based Enumeration for all published network folders (including administrative shares ADMIN$, C$, E$, IPC$,…) by running the command:
Get-SmbShare | Set-SmbShare -FolderEnumerationMode AccessBased
To disable ABE use the command:
Get-SmbShare Install | Set-SmbShare -FolderEnumerationMode Unrestricted
Access-Based Enumeration in Windows 10/8.1/7
In Windows 10 (Server 2016) and Windows 8.1 (Server 2012R2), we can use PowerShell to manage Access-based Enumeration.
In older versions of Windows, we need to install the latest version of PowerShell (>= 5.0) or use the abecmd.exe utility from the Windows Server 2003 package, it works fine on client OSs.
Since the Windows Server 2003 Access-based Enumeration package is not installed on Windows 10, 8.1 or 7, we have to install it first on Windows Server 2003 and then copy it from the C:\windows\system32 directory to the same folder on the client. After that, we can enable ABE.
We can enable ABE in DFS using DFS Management or dfsutil.exe:
dfsutil property abde enable \\namespace_root
In addition, we can enable ABE on computers in the AD domain using GPO. This can be done using GPP in the section:
Computer Configuration -> Preferences -> Windows Settings -> Network Shares
In the properties of the network folder there is an Access-Based Enumeration option, if we change the value to Enable, ABE mode will be enabled for all shared folders created using this GPO.
[Need assistance in fixing Windows Server errors? We can help you. ]
Discus and support ABE (access based enumeration) on a Windows 10 Share? in Windows 10 Ask Insider to solve the problem; Does anyone know if its possible to enable ABE (Access Based Enumeration) on a Windows 10 (Enterprise) share?
thanks…
submitted by /u/Prog44…
Discussion in ‘Windows 10 Ask Insider’ started by /u/Prog44, Feb 21, 2021.
-
ABE (access based enumeration) on a Windows 10 Share?
Does anyone know if its possible to enable ABE (Access Based Enumeration) on a Windows 10 (Enterprise) share?
thanks…
submitted by /u/Prog44
[link] [comments]
-
Access Based Enumeration on Windows Server 2016 Essentials does not hide folders in shared folders
Hello Everyone.
I’ve just installed Windows Server 2016 Essentials for our home office, and currently playing around with it before deploying in real office.
I enabled the Access Based Enumeration (ABE) to hide the folders in Shared Folders so the staffs here only see the folders they have access to.
However all the folders still appear there, even though they don’t have access to it. True though they cannot open the folders, just to avoid confusion with lots of folders they don’t have access to.
I checked on effective access on each folders, it shows that normal users does not have access ion «List folders/ read data».
Just wondering if anyone have solution to this.
Thank you in advance.
-
Windows 10 Tweaks
Pressing “Windows+Pause Break” (it’s up there next to scroll lock) opens the “System” Window.
Windows 10: In the new version of Windows, Explorer has a section called Quick Access. This includes your frequent folders and recent files. Explorer defaults to opening this page when you open a new window. If you’d rather open the usual This PC, with links to your drives and library folders, follow these steps:
- Open a new Explorer window.
- Click View in the ribbon.
- Click Options.
- Under General, next to “Open File Explorer to:” choose “This PC.”
- Click OK
credit to Lifehacker.
-
ABE (access based enumeration) on a Windows 10 Share?
Cannot access shared network drive
Personally, I wouldnt use Everyone. If anyone hacks into you, they have full access to everything and can demolish everything on your raid. I would rather set up accounts and access separately for each person. That way, I know who did all that damage. In the end with a little extra work, I feel more secure by using Authenticated Users.
If this helps.
step 1 create non-microsoft account and without email and address without admin rights
step 2 share a drive or folder to specific user account (if Everyone is listed, remove it)
step 3 set security > add Authenticated Users (if more than 1 account) or add specific users
step 3a remove Everyone from list
step 3b uncheck full control and write for all items listed except SYSTEM and Admin account.
step 4 right click Start > Computer Management > System Tools > Shared Folders > Shares … to verify settings and change anything else. You can also see the number of connections to each share here.
ABE (access based enumeration) on a Windows 10 Share?
-
ABE (access based enumeration) on a Windows 10 Share? — Similar Threads — ABE access based
-
Failed to enumerate objects in the container. Access is denied
in AntiVirus, Firewalls and System Security
Failed to enumerate objects in the container. Access is denied: File serverThe main shared does not allow Full Control as this would allow any users creating a folder to manage their own security because of the access granted from being an owner….and we obviously don’t want thatSo, i’ve created specific Shared folders on the server with… -
Failed to enumerate objects in the container. Access is denied
in Windows 10 Gaming
Failed to enumerate objects in the container. Access is denied: File serverThe main shared does not allow Full Control as this would allow any users creating a folder to manage their own security because of the access granted from being an owner….and we obviously don’t want thatSo, i’ve created specific Shared folders on the server with… -
Failed to enumerate objects in the container. Access is denied
in Windows 10 Software and Apps
Failed to enumerate objects in the container. Access is denied: File serverThe main shared does not allow Full Control as this would allow any users creating a folder to manage their own security because of the access granted from being an owner….and we obviously don’t want thatSo, i’ve created specific Shared folders on the server with… -
Failed to enumerate objects in the container. Access is denied.
in AntiVirus, Firewalls and System Security
Failed to enumerate objects in the container. Access is denied.: Apparently this is long-lasting issue. Ive watched multiple videos on the topic and followed every step going through properties, securitiy, changing the owner and so on the error always remains. Ive read that theres a possibility that the “guest” account on my computer is… -
Windows Defender Could not abe to Turn on
in AntiVirus, Firewalls and System Security
Windows Defender Could not abe to Turn on: I have been trying from past 8 days to turn on windows defender turn on. But I couldn’t do it. I tried all ways to resolve and no one method worked out for me. Kindly help to resolve it… -
Windows 10 share access denied
in Windows 10 Network and Sharing
Windows 10 share access denied: windows 10 1904 in workgroupaccess denied to admin$
Have turned off WFW not service but actual setting in Advanced Firewall
Have ensured Sharing is set to Private and available
Have started service remote registry
What else shall i look at so i can connect from…
-
Failed to enumerate objects in the container. Access is denied.
in Windows 10 Installation and Upgrade
Failed to enumerate objects in the container. Access is denied.: So I did a full «reset» of Windows 10, wiping all data, and I should have thought about this, but was like, «what the heck!» and now my original user account was wiped and my permissions on my internal RAID array has been destroyed. I’ve re-assigned my new account as the… -
failed to enumerate objects in container, access is denied
in User Accounts and Family Safety
failed to enumerate objects in container, access is denied: I’ve gone through the steps that are supposed to allow me to delete a folder but when I get to this step:[img]
The box at the top does not appear on my screen just the one at the bottom. Clicking the bottom box and continuing does not give me the permission I need to…
-
Windows 10 shared drives access
in Windows 10 Network and Sharing
Windows 10 shared drives access: I’m in the early stages of a clean build of Windows 10 x64 on my desktop which has 11 drives that I have shared out however on two of my three laptops I cannot access some of the drives. I’ve tried numerous suggestions and so far none have resolved the issue. My desktop is…
Users found this page by searching for:
-
windows 10 enable access based enumeration
Last Updated on December 11, 2024 by Satyendra
What is Access Based Enumeration (ABE)?
Initially developed for and available in Windows Server 2008, ABE enhances the set of tools that system administrators can use to secure data on file servers. Earlier, it was provided in Windows Server 2003 as a separate add-on, and in Windows Server 2008, it has been integrated as a standard feature called ‘Access Based Enumeration’. This is especially helpful where folder names contain information or if you require to safely keep the location of certain information. Also, it can enhance the quality of the user interface by enriching the options of the view of the folder hierarchy.
It would be pertinent to mention here that ABE is only applicable to shared folders but does not operate with local file browsing. It is important to note that shares created using the File Sharing feature in Windows Explorer are said to be ABE-enabled by default whereas those shares created otherwise are not. By design, most of the administrative shares like the C$ and shared volumes are not enabled by ABE.
While ABE prevents any unauthorized files and folders from being accessed by a user each time and may add to the CPU load on the server, Microsoft advises that ABE should only be enabled where necessary. Occasionally, ABE is also used in the Distributed File System (DFS) domain Namespace to enhance scalability in the event of a need for additional computational capabilities.
What is the Use of Access-Based Enumeration (ABE)
The Access-based enumeration (ABE) is best suited where you want to secure a folder or file name that contains sensitive information or the location of the file. It also assists in enhancing the usability, in that its view of a folder structure is cleaner and only shows, what accessible to the current user is within the folder. However, ABE is not secure, and it does not deny users any access to the files and folders; it only conceals them from the end users. Both ABE and ACL should be incorporated, to protect the information that is categorized as restricted access.
How to Enable Access-Based Enumeration
Access-based enumeration (ABE) can be enabled using:
- Server Manager
- PowerShell
- Group Policy Object (GPO)
1. Using Server Manager
Follow below steps:
- Log in to the server with local administrator permission
- Open Server Manager using the icon on the desktop taskbar.
- Click File and Storage Services in the list of options on the left of Server Manager.
- Right click the share you want to manage in the list of available shares on the right, and select Properties from the menu.
- In the Properties dialog, click Settings in the list of options on the left.
- Enable or disable ABE by toggling Enable access-based enumeration.
- Click OK to save your changes.
2. Using PowerShell
You can also enable ABE using PowerShell with the following command:
Set-SmbShare -Name "YourShareName" -FolderEnumerationMode AccessBased
Replace ‘YourShareName’ with the name of your shared folder.
3. Using Group Policy Object (GPO)
Steps to enable ABE via GPO:
- Open the Group Policy Management Console (GPMC).
- Create a new GPO or edit an existing one that targets the necessary computers.
- Navigate to Computer Configuration > Policies > Administrative Templates > Network > Offline Files.
- Enable the policy named ‘Configure Offline Files (ABE)’.
- Apply the GPO to the necessary organizational unit (OU) or domain.
Conclusion
While a useful addition to Windows Server, ABE isn’t a security feature because it doesn’t stop users from accessing files and folders; that is the job of access control lists (ACLs), so you shouldn’t rely on ABE alone to protect sensitive information. To get a better insight into how your file servers a being used, Lepide File Server Auditor provides detailed auditing of Windows file servers, with reports showing how files are being accessed and modified, including permissions, with the ability to set up real-time alerts.
- GPOGroup PolicyWindows File Server