Access-based enumeration on Windows Server

Access-Based Enumeration (ABE) is a Windows file server option that hides files and folders from users who have no access to them. It conceals the directory structure and the names of folders and files in a shared network folder.

Contents:

  • How to enable Access Based Enumeration in Windows Server
  • Managing Access Based Enumeration from the command line (PowerShell)

How to enable Access Based Enumeration in Windows Server

Consider a scenario where a Windows file server hosts a shared network folder containing the directories of several departments. All users can list the directories in this folder (the Users group has been granted List folder or Traverse folder rights on the root folder), but a user can enter only those directories whose NTFS access lists include him.

Suppose a user is a member of the AD access groups assigned to two directories, Public and Salary.

The AD security groups are added to the NTFS permissions of the corresponding subdirectories in the shared folder. The permissions granting the Domain Users or Builtin\Users groups access to the subfolders are removed from the ACL.

To enable ABE, open the Server Manager console -> select the File and Storage Services role -> Shares. Open the properties of the shared folder and, on the Settings tab, enable the Enable access-based enumeration option.

Enabling access-based enumeration for a network share on Windows Server through Server Manager

Refresh the contents of the shared folder on the user's side. The user now sees only the two directories he has been granted access to; the remaining folders are hidden from him.

Hiding folders from a user with access-based enumeration

You can also enable ABE on AD domain computers using Group Policy. Use Group Policy Preferences (GPP) in the section Computer Configuration -> Preferences -> Windows Settings -> Network Shares.

Enabling Access-Based Enumeration with Group Policy

If you enable the Access-Based Enumeration option, ABE mode is turned on for the network share published through this GPO.

Managing Access Based Enumeration from the command line (PowerShell)

ABE can also be enabled for a network share from the PowerShell command line.

Among other things, this lets you enable Access-Based Enumeration for network shares published on ordinary workstations running desktop editions of Windows 10 and 11.

For example, to enable access-based enumeration for the shared folder named Docs, run:

Get-SmbShare Docs | Set-SmbShare -FolderEnumerationMode AccessBased

To list the published network shares (including the Windows administrative shares) and the status of the ABE option:

Get-SmbShare | Select-Object Name,FolderEnumerationMode

A FolderEnumerationMode value of AccessBased indicates that Access-Based Enumeration is enabled for the share.

Enabling FolderEnumerationMode AccessBased for a network share with PowerShell

To disable ABE for a share:

Get-SmbShare Docs | Set-SmbShare -FolderEnumerationMode Unrestricted

On a Samba server on Linux, enable access-based enumeration by adding the following options to the smb.conf configuration file:

hide unreadable = Yes
access based share enum = Yes

In corporate environments, ABE is often used for DFS folders, hiding "unneeded" folders from users and presenting a tidier shared folder tree. You can enable ABE on a DFS namespace using the DFS Management console or the dfsutil.exe utility:

dfsutil property abde enable \\<namespace root>

Other features and limitations of Access-based Enumeration in Windows

  • Enabling ABE on file servers can increase the load on the server. The delay in displaying the file list is most noticeable in directories that contain thousands of files (for example, with 15000 objects in a shared folder, opening it becomes 1-3 seconds slower).
  • ABE does not work when directories are browsed locally on the server.
  • Members of the file server's local Administrators group always see the full list of objects in the network share.

By default, when a user opens a shared network folder on a server (assuming the user has the right to access the share), SMB shows him the full list of directories and files it contains. The Windows Access Based Enumeration (ABE) feature hides from the user the files and folders in a network share for which he has no NTFS permissions.

Access Based Enumeration first appeared in Windows Server 2003 SP1 and helps prevent users from browsing lists of other people's files and folders.

Access to a network share in a Windows environment proceeds as follows:

  1. The user contacts the server and requests access to the shared network folder.
  2. The LanmanServer service on the server (the service responsible for serving files over SMB) checks whether the user has the permissions required to access this network share. If access is granted, the service returns the list of the folder's contents to the user.
  3. The user can then select and attempt to open the file or folder he needs.
  4. The server checks whether the user has the NTFS rights required to access that item. If the user has the necessary permissions, the object is opened; if not, an access denied error is returned.

Under this algorithm, the server first returns the entire contents of the folder to the user, and access rights to individual files and folders are checked only when they are accessed. With ABE enabled, the LanmanServer service returns not the full contents of the folder but only those file system objects to which the user has rights (Read or List contents).

Some characteristics of ABE:

  • ABE controls only the listing of a shared folder's contents; it does not hide the shares themselves from users. So when a user connects to the server (\\server-name), he sees all the shares on it. To create a hidden share, append a $ sign to its name, for example SecretFolder$.
  • ABE does not work when the user logs on to the server locally or via RDP.
  • Members of the local Administrators group always see the full contents of the network share.

ABE is enabled for each network share individually. To configure ABE, open the Server Manager console and select the File and Storage Services role (the role must already be installed).

Server Manager console

Then go to the Shares section and select the network share for which ABE should be enabled. Right-click the share and select Properties.

Network share properties

In the share properties window, switch to the Settings tab and enable the Enable access-based enumeration option.

Enabling access-based enumeration

You can also enable access-based enumeration on a network share with the Set-SmbShare PowerShell cmdlet:

Set-SmbShare -Name "Share" -FolderEnumerationMode AccessBased

If you manage shared folders centrally via GPO (Computer Configuration -> Preferences -> Windows Settings -> Network Shares), you can enable ABE in the share's properties.

Network Shares item under Computer Configuration in the Group Policy editor

A small illustration of how ABE works: the screenshot below shows the contents of a network share with ABE enabled, as seen by the server's system administrator.

Contents of the network share

And this is how the same folder looks in Explorer for a manager from the asset management department.

How access-based enumeration works for a file server network share

Thus, ABE makes life easier for both users and administrators. Users do not see superfluous information in Explorer, and administrators no longer have to answer users' questions about why they cannot access this or that folder.

However, Access Based Enumeration has a small drawback: additional load on the server. The load depends on the number of users, the number of objects in the shared folders and the complexity of the ACLs. Under heavy server load, opening folders on the file server can become noticeably slower.

Access-based Enumeration (ABE) allows objects (files, folders) on local resources to be hidden from users who do not have permission for those objects. Access-based Enumeration was designed to cut the grapevine before it can even grow.

Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related Windows servers queries.

Enable ABE on Windows Server

Here, let us see how to configure and use ABE in various Windows versions.

How does access to shared folders work in Windows?

By enabling ABE on a shared folder, we can ensure that different users see a different list of folders and files in the same network share based on the user’s individual access permissions (ACL).

Let us see how the interaction between the client and the server occurs when accessing a shared folder over the SMB:

  • Firstly, a client requests the server to access a directory in the network shared folder.
  • Then, the LanmanServer service on the server checks the user permissions to access this folder.
  • Next, if access is allowed (NTFS permissions: list content, read or write), the user sees the directory contents.
  • Then, the user requests access to a file or a subfolder in the same way (we can view who opened a specific file in a network folder like this).
  • Finally, if the access is denied, the user is notified accordingly.

According to this scheme, the server firstly shows the entire contents of the folder to the user.

Then, when the user tries to open a specific file or folder the NTFS permissions are checked.

If we need to hide a shared folder from a user, we have to add a $ symbol at the end of the share name.

We can manage ABE from the command prompt (abecmd.exe utility), from the GUI, PowerShell or a special API.

Access-Based Enumeration Restrictions

Access-based Enumeration on Windows does not work in the following cases:

  • If we are using Windows XP or Windows Server 2003 without Service Pack 1 as a file server.
  • Then, if we are viewing directories locally (directly from the server) or connecting via RDP.
  • For members of the local file server administrators group (they always see the full list of files).

How to use ABE on Windows Server 2008/2008 R2?

To enable Access-based Enumeration for a certain folder in Windows Server 2008/2008 R2, follow the steps given below:

  • Open the MMC management console Share and Storage Management (Start -> Programs -> Administrative Tools -> Share and Storage Management).
  • Go to the properties of the necessary share.
  • Then go to the Advanced settings and check Enable access-based enumeration.

How to Configure Access-based Enumeration on Windows Server 2012 R2/2016?

To enable ABE in Windows Server 2012, follow the steps given below:

  • Firstly, we have to install File and Storage Services role.
  • Then go to the share properties in the Server Manager.
  • In Settings section, check the option Enable access-based enumeration.

How to Implement Access-Based Enumeration on Windows Server 2003?

In Windows Server 2003 (not supported now), ABE became supported starting from Service Pack 1.

To enable Access-based Enumeration in Windows Server 2003 SP1 (or later), follow the steps given below:

1. Firstly, download and install a package following this link:

https://www.microsoft.com/en-us/download/details.aspx?id=15656

2. Then during installation, we have to specify whether ABE will be enabled for all shared folders on the server or we will configure it manually. If we choose the second option, a new tab, Access-based Enumeration, will appear in the network share properties after the installation.

3. Finally, to activate ABE for a certain folder, check the option «Enable access-based enumeration on this shared folder» in its properties.

How to Manage ABE from the Command Prompt?

We can manage Access-based Enumeration settings from the command prompt using Abecmd.exe utility.

This tool is a part of Access-based Enumeration package for Windows Server 2003 SP1.

Abecmd.exe allows you to activate ABE for all directories at once or only for some of them. The following command enables Access-Based Enumeration for all shares:

abecmd /enable /all

This one is for a certain folder (for example, a network shared folder with the name Docs):

abecmd /enable Docs

How to Manage Access Based Enumeration Using PowerShell?

We can use the SMBShare PowerShell module (installed by default in Windows 10/8.1 and Windows Server 2016/2012 R2) to manage the settings of Access Based Enumeration for specific folders.

To list the properties of a specific shared folder:

Get-SmbShare Install | fl

Note the value of the FolderEnumerationMode attribute. In our case, its value is Unrestricted. This means that ABE is disabled for this folder.

Then, we can check the status of ABE for all shared folders of the server:

Get-SmbShare | Select-Object Name,FolderEnumerationMode

To enable ABE for a specific folder:

Get-SmbShare Install | Set-SmbShare -FolderEnumerationMode AccessBased

We can enable Access Based Enumeration for all published network folders (including administrative shares ADMIN$, C$, E$, IPC$,…) by running the command:

Get-SmbShare | Set-SmbShare -FolderEnumerationMode AccessBased

To disable ABE use the command:

Get-SmbShare Install | Set-SmbShare -FolderEnumerationMode Unrestricted
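
Putting the Get-SmbShare / Set-SmbShare commands from this section and the earlier PowerShell section together, here is an added example (not from the original articles) that reports the ABE state of every share on the server and switches the ordinary, non-administrative shares to AccessBased while leaving ADMIN$, C$, IPC$ and other special shares untouched. It assumes the SmbShare module and an elevated session; the function names Get-AbeReport and Enable-AbeOnUserShares are mine.

```powershell
# Added example, not part of the original article: audit and enable access-based
# enumeration on all user-facing SMB shares of the local server.
#Requires -RunAsAdministrator
#Requires -Modules SmbShare

function Get-AbeReport {
    <#
      One object per share with its current FolderEnumerationMode and a flag saying
      whether it is an administrative/special share (ADMIN$, C$, IPC$, ...). Special
      shares are reported but not changed: IPC$ has no folder contents to filter, and
      hidden ($-suffixed) shares are normally reserved for administrators anyway.
    #>
    Get-SmbShare | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            Path            = $_.Path
            EnumerationMode = $_.FolderEnumerationMode
            IsSpecial       = ($_.Special -or $_.Name.EndsWith('$'))
        }
    }
}

function Enable-AbeOnUserShares {
    # SupportsShouldProcess gives the function -WhatIf / -Confirm for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $changed = @()
    foreach ($share in Get-AbeReport) {
        if ($share.IsSpecial) { continue }                        # leave admin shares alone
        if ($share.EnumerationMode -eq 'AccessBased') { continue } # already enabled
        if ($PSCmdlet.ShouldProcess($share.Name, 'Set FolderEnumerationMode to AccessBased')) {
            # -Force suppresses the per-share confirmation prompt of Set-SmbShare.
            Set-SmbShare -Name $share.Name -FolderEnumerationMode AccessBased -Force
            $changed += $share.Name
        }
    }
    return $changed
}

# Before: show every share and its mode.
Get-AbeReport | Format-Table Name, EnumerationMode, IsSpecial -AutoSize

# Apply the change (use "Enable-AbeOnUserShares -WhatIf" first to preview it).
$enabled = Enable-AbeOnUserShares
if ($enabled) {
    "Enabled ABE on: $($enabled -join ', ')"
    # After: re-read the shares so the report reflects the server's actual state,
    # not what the script believes it did.
    Get-SmbShare -Name $enabled | Select-Object Name, FolderEnumerationMode
}
```

Remember the caveat from the articles: the share list itself (\\server) is still visible to everyone, so hiding a share entirely still needs the $ suffix.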

Access-Based Enumeration in Windows 10/8.1/7

In Windows 10 (Server 2016) and Windows 8.1 (Server 2012 R2), we can use PowerShell to manage Access-based Enumeration.

In older versions of Windows, we need to install the latest version of PowerShell (>= 5.0) or use the abecmd.exe utility from the Windows Server 2003 package; it works fine on client OSs.

Since the Windows Server 2003 Access-based Enumeration package is not installed on Windows 10, 8.1 or 7, we have to install it first on Windows Server 2003 and then copy it from the C:\windows\system32 directory to the same folder on the client. After that, we can enable ABE.

We can enable ABE in DFS using DFS Management or dfsutil.exe:

dfsutil property abde enable \\namespace_root

In addition, we can enable ABE on computers in the AD domain using GPO. This can be done using GPP in the section:

Computer Configuration -> Preferences -> Windows Settings -> Network Shares

In the properties of the network folder there is an Access-Based Enumeration option; if we change its value to Enable, ABE mode will be enabled for all shared folders created using this GPO.

Access Based Enumeration (ABE) allows you to hide files and folders from users who do not have the permissions needed to access them. Limiting visibility makes it easier for employees to navigate the file server, while also preventing speculation about the contents of folders with evocative names. Even if they can’t get inside, just seeing a folder labelled “2023_Restructuring” could get people spreading rumors.

Access-based Enumeration was designed to stop the rumor mill from churning. It ensures that nosy employees do not even see objects they have no permissions for. In this article, we are going to explain how to set up ABE correctly and how it works on different Windows drives.

What Is Access Based Enumeration?

Every company has different types of data that different employees need access to based on their business role. Because this data is usually kept on a central file server shared by many people, admins have to set NTFS permissions and share permissions in such a way that each user can only access files and folders they need for their job. Restricting IT privileges to only what is strictly necessary, a.k.a. least privilege access, helps prevent employee data theft and lowers the risk of cyberattacks. It is an essential part of cybersecurity.

However, if you properly restrict permissions in Windows namespaces, you run into a problem: by default, users can still see folders they are not allowed to open, which exposes sensitive directories, makes it confusing to navigate the file server and leads to a lot of support calls from frustrated employees. Access based enumeration allows you to stop these issues by limiting what users can see to what they can actually interact with.

Why use Access Based Enumeration?

Up until Windows Server 2008, admins had to pay extra attention to how and especially where they set up new folder structures. Users with access to a particular folder were automatically able to see all of its subfolders, even if they did not have the necessary permissions to open those folders. This scenario was quite common and led to all kinds of problems:

  • The folder name itself might give away confidential information (for example, “Facility_NJ_jobcuts”).

  • Users might assume there is a mistake and bombard admins with emails to request access, like “Why can’t I open this folder?!”.

  • Showing users all these dead ends makes file server navigation unnecessarily confusing.

Trying to avoid these issues often led to complicated folder structures, because admins had to rely on moving folders to deeper levels or new branches of the directory tree to hide them from unauthorized users. This meant that for employees who did need that data, it was buried under layer after layer of folders. Access based enumeration put an end to this challenge.

Young woman at the office with unintentional access to top secret file shares because someone forgot to check the properties and enable access-based enumeration.

“Hey, you’ll never guess what I just saw!” With Access Based Enumeration, you can stop rumors before they start. (c) Михаил Решетников

How to Enable Access Based Enumeration

Access based enumeration was introduced with Windows Server 2003 R2. Since it is not active by default, ABE must be explicitly enabled if you want to use the feature. ABE is also available for other data storage systems such as NetApp, where the feature must be activated through the ONTAP Command Line.

Depending on which version of Windows Server you use, there are different ways to enable ABE both through admin consoles and command lines.

  1. Server Manager Console

    In Windows Server 2012 or newer versions, you can enable ABE under the File and Storage Services role by right-clicking on a share and going to Properties -> Settings -> Enable access based enumeration.

  2. PowerShell

    If the SMBShare module is installed, you can enable access based enumeration through the cmdlet Set-SmbShare and the parameter -FolderEnumerationMode, which can be set to AccessBased or Unrestricted. To enable ABE for an entire share, use a command like Set-SmbShare -Name "Example" -FolderEnumerationMode AccessBased.

  3. Group Policy Object

    Access based enumeration can also be enabled through a GPO. You can find this setting under Computer Configuration -> Preferences -> Windows Settings -> Network Shares.

ABE in DFS

Since Windows Server 2008 R2, access-based enumeration also works in Distributed File System Namespaces (DFS). As with regular shares, ABE must be actively enabled for DFS namespaces since the setting is not in effect by default. Again, there are multiple ways to enable ABE in a DFS namespace:

  • DFS Management: ABE can be enabled through the server manager under Tools -> DFS Management. Right-click on the namespace you want to edit and select Properties -> Advanced -> Enable access based enumeration.

  • Command Line: Open the command prompt on a server that has the DFS role or DFS tools installed and enter the command dfsutil property abde enable \\NamespaceRoot.

  • PowerShell: Instead of the command line, you can also enable ABE on DFS namespaces through PowerShell using the Set-DfsnRoot cmdlet to set the -EnableAccessBasedEnumeration parameter, for example by entering Set-DfsnRoot -Path "NamespaceRoot" -EnableAccessBasedEnumeration $true.

Office building with people using access-based enumeration to control the visibility of file shares.

ABE helps users navigate the file server and protects sensitive data. Adobe Stock, (c) Hero Images

Does ABE Affect Performance?

With ABE enabled, your file server needs to show different information to each user depending on their permissions. This requires checking which folders a user has access to the moment they open a directory, and then filtering out objects they cannot read, open or edit. Checking each object’s access control list to determine if it can be displayed adds extra steps to file server navigation and can affect performance and response times.

At least, ABE did have an effect on performance in the past. Back in 2003, when ABE was first introduced, this process required considerable amounts of CPU power, which in turn led to a loss in performance and thus to an increase in costs. You can learn more about the technical background of this phenomenon in this Microsoft blogpost.

Nowadays, however, performance loss when you enable ABE is no longer an issue. Even for very large environments, Microsoft currently puts the additional CPU power required at around 2-3 percent. For shares containing a maximum of 15,000 files, no differences in performance could be observed at all.

Best Practices: ABE and NTFS Permissions

Access based enumeration allows you to hide directories a user cannot access. To allow users to navigate to subfolders they have explicit permissions for, you need to make sure they receive the List Folder Contents permission for all directories between root and their target folder. Otherwise, they either cannot see or cannot open directories on the way to their destination.

Example: If a user has the permission “Modify” for a folder located on level 2, this does not automatically give them the right to browse level 1 and reach this folder. They must be given the List Folder Contents permission for level 1. You can automate this process by setting up nested list groups.

Here is the recommended approach: The permission group that grants a user access to a folder on level 2 is itself a member of a list group which holds the List Folder Contents permission for the superordinate folder. This way, any users that are assigned read or write privileges for subfolders automatically receive the necessary list rights to navigate to the folder in question.

For permissions on deeper levels, the procedure is the same, except multiple nested list groups are required: the permission group for level 3 is a member of the list group for level 2, which is itself a member of the list group for level 1. Because the number of required groups grows with each additional level and Windows puts a hard limit on group membership for SIDs, you should avoid setting explicit permissions on deeper levels (max. 2 or 3 levels deep).

Diagram picturing best practices for enabled access-based enumeration

Best practices for enabling access-based enumeration in Microsoft Windows, (c) tenfold Software

Deactivate Inheritance

Access Control Lists use the concept of inheritance, which means that access rights are automatically passed on from parent folders or files to subordinate (child) folders/files. To ensure ABE works correctly, it is very important to restrict inheritance when assigning these permissions.

If you enable inheritance for the “list contents” permission, users will be able to browse all folders on the file server because the permission needed to browse level 1 would propagate to all subordinate files and folders. To learn how to deactivate the inheritance function in Windows 10, click here.
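
The list-group pattern from the best-practices section and the inheritance rule from this one, as an added PowerShell example that is not part of the original article. The share path D:\Shares\Finance, the folder names and the groups CONTOSO\LST_Finance_Reporting and CONTOSO\PRM_Finance_Salary_Modify are hypothetical; the share root is assumed to already grant Users the List/Traverse right, and the group-nesting step needs the ActiveDirectory RSAT module.

```powershell
# Added example, not part of the original article. Builds a two-level tree where the
# list group may browse level 1 (this folder only) and the permission group has Modify
# on level 2, with inheritance cut at both levels so the list right never propagates.
#Requires -RunAsAdministrator

$Root   = 'D:\Shares\Finance'               # level 0: share root (hypothetical path)
$Level1 = Join-Path $Root   'Reporting'     # level 1: navigation folder
$Level2 = Join-Path $Level1 'Salary'        # level 2: folder carrying the explicit permission

$ListGroup = 'CONTOSO\LST_Finance_Reporting'     # hypothetical list group for level 1
$PermGroup = 'CONTOSO\PRM_Finance_Salary_Modify' # hypothetical permission group for level 2

New-Item -ItemType Directory -Path $Level2 -Force | Out-Null

function New-ExplicitAcl {
    param([string] $Path)
    # Read the DACL, then protect it: $true disables inheritance, $false discards the
    # inherited ACEs instead of copying them. Nothing from the parent flows in any more.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    # Re-add SYSTEM and Administrators so the folder stays manageable (admins see the
    # full listing regardless of ABE, as the articles note).
    foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $principal, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'))
    }
    return $acl
}

# Level 1: the list group gets "List Folder Contents" (the ReadAndExecute right set) on
# this folder only. InheritanceFlags = None is the GUI's "This folder only", so the ACE
# never reaches Salary or its sibling folders; with ABE on, members therefore see
# Reporting but only those subfolders they hold their own permission for.
$acl1 = New-ExplicitAcl -Path $Level1
$acl1.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $ListGroup, 'ReadAndExecute', 'None', 'None', 'Allow'))
Set-Acl -Path $Level1 -AclObject $acl1

# Level 2: the permission group gets Modify on the folder and everything beneath it.
$acl2 = New-ExplicitAcl -Path $Level2
$acl2.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $PermGroup, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'))
Set-Acl -Path $Level2 -AclObject $acl2

# Nest the permission group inside the list group: anyone granted Modify on Salary
# automatically receives the list right needed to walk through Reporting to reach it.
Import-Module ActiveDirectory
Add-ADGroupMember -Identity $ListGroup.Split('\')[1] -Members $PermGroup.Split('\')[1]

# Verify: the list ACE on level 1 must be "this folder only" and explicit, and level 2
# must not inherit anything from level 1.
(Get-Acl -Path $Level1).Access |
    Where-Object { $_.IdentityReference.Value -eq $ListGroup } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, IsInherited
(Get-Acl -Path $Level2).AreAccessRulesProtected   # True: inheritance disabled on Salary
```

For a third level, repeat the same pair of steps and nest the level-3 permission group into a level-2 list group, keeping in mind the article's advice to stop at two or three levels.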

ABE: Not Entirely Automated

In the best-case scenario, Access Based Enumeration works as follows:

  • With a combination of appropriate list groups and ABE enabled, you can ensure that users are only able to browse folders on the file server which they have the necessary permissions for.

  • Nesting list groups with permission groups makes assigning explicit permissions on deeper levels easy because the user simply has to be added to the relevant permission group to receive access.

  • The user automatically receives the list rights needed to browse any superordinate folders simply by being a member of the necessary parent list groups.

As you can see: Access Based Enumeration works – but only if admins configure all settings and properties in accordance with best practices. If a share or its subfolders are not configured correctly or if you accidentally apply the unaltered default settings, users will be able to see the entire directory list, even with ABE active.

Automate Group Creation and Permission Management

When you are managing hundreds of users and countless directories, the time and effort needed to create and manage the permission/list groups that govern file server access quickly grows out of control. Not only does manual group management waste a lot of valuable time for your IT staff, it also increases the risk of errors that could lead to chaotic structures, overprivileged users and data leaks. This is the sort of chaos that leads many organizations to see a file server migration as their only escape.

With tenfold, you won’t have to worry about group creation or user management any longer: Our innovative IAM platform automatically creates all groups and structures required to implement ABE and follow best practices like the AGDLP principle. Thanks to our user lifecycle management, users receive the exact permissions they need for their current role and lose outdated privileges whenever their position changes.

Identity & Access Management: Your Central Solution

Identity access management solutions like tenfold do more than just help you manage file server permissions: Your IAM software acts as your central hub for user and permission management across all connected systems, from local Windows systems to the cloud services of Microsoft 365 and various third-party applications.

Not only does this central platform allow you to automate user provisioning and deprovisioning, its reporting tools also provide you with a clear overview of effective permissions on a user and item level. To make your admins’ lives even easier, tenfold additionally provides a self-service interface for access requests and password resets and can even help you automate user access reviews – the regular permission audits required by many IT security standards. You can learn more about the advantages of tenfold by watching our video overview or signing up for a free trial today!

About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into all things Identity & Access Governance. With the help of tenfold’s experienced team of IAM developers, Joe creates helpful and well-researched articles highlighting the security and productivity benefits of IAM. From hands-on guides to compliance breakdowns, his goal is to make complex topics approachable for all.

By default, when a user opens a shared network folder, SMB displays the full list of files and folders in it. Of course, this happens only if the user has permission to access the share. Access Based Enumeration (ABE) allows hiding specific files and folders from a user who doesn't have access permission on a file server.

Access Based Enumeration is available on the Windows platform since Windows Server 2003 SP1, and helps to prevent users from seeing files and folders using the share and storage management features of Windows Server.

Configure access based enumeration on Windows Server

ABE is enabled for each folder individually. To configure and manage access based enumeration (ABE), open the Server Manager console and select the File and Storage Services role.

Note. To enable Access Based Enumeration, File and Storage Services role must be installed on the server.

Then, go to the Shares section and choose the network folder from the list for which to enable ABE. Right-click on it and select Properties.

Then, in the properties of the share, switch to the Settings tab. Enabling access-based enumeration is as simple as ticking the Enable access-based enumeration check box.

Enable access based enumeration using PowerShell

You can also enable access-based enumeration on a network share using the PowerShell cmdlet Set-SmbShare. Use a simple command:

Set-SmbShare -Name "Share" -FolderEnumerationMode AccessBased

How does ABE contribute to maintaining data privacy on a network?

ABE plays a critical role in maintaining data privacy by ensuring that users only see the files and folders for which they have access rights. This reduces the chances of unauthorized access to sensitive data and prevents potential information breaches within shared network environments.
