Invisible Folders
We have a heavily used Windows File Server which acts as the only way to share files within a department and with other departments in the corporate head office. The folders are all secured with NTFS permissions: every user is authorized to access the folders which he/she needs, but is greeted with an “Access Denied” message on trying to access any other folder. Pretty good security by any standards, but we started facing a peculiar problem which was not related to technology at all. Some users started requesting rights for folders which they had no business accessing. We have a proper authorization policy in place which says that the HOD of a particular department needs to authorize a person wanting to access any folder belonging to that department. Still, such requests led to sticky situations when very senior people in the organization requested such rights, as it was difficult to tell them to follow the proper process when it was more than clear that they didn’t want to go the proper way.

This led to a thought: if users couldn’t see the folders which they had no access to, then they wouldn’t ask for them, and this problem could be minimized if not eliminated completely. It sounded very cool, but I had never heard about any particular way to do it in Windows, although I knew that the Novell guys could do it with their OS.
That’s when ABE (Access-Based Enumeration), which was released with Microsoft Windows Server 2003 SP1, came to the rescue. ABE is a feature of the Server service, the Windows service that provides file and printer sharing. It works by modifying a function of the Server service called “enumeration”, which basically means how the Server service answers the question, “What files and folders exist in a given share?” Windows Explorer does the same thing when you open a folder. That flashlight which sometimes shines for a second when you open a share is the way Explorer entertains you while it enumerates the folder contents.
ABE only works on Windows Server 2003 SP1 and higher. It’s not enabled by default and needs another small program to be turned ON or OFF. To be able to see a file/folder when ABE is turned ON, a user needs at least READ permission on it. ABE works on both files and folders, but only when they are accessed through a share; when someone logs on directly to the computer, ABE has no effect on what the user is able to see. Even through a share, all files/folders, irrespective of their NTFS permissions, will be visible to anybody who is a member of the Administrators group on the server hosting the share. This means that if you are an administrator, everything will be visible to you even if you don’t have READ rights on some or any of the files/folders. This can be particularly tricky while you are testing the effects of ABE after enabling it: you might believe that ABE is not working because you can still see all the files/folders. The tool used to enable/disable ABE is called abeui.msi and is downloadable from microsoft.com. Its installation is pretty simple, and once it is installed you can turn ABE ON or OFF for all shares or only for some particular shares. You can also do the same during the installation, when the following dialog box is presented to you.
A new tab named “Access-Based Enumeration” is added to the properties dialog box of every share on the server on which ABEUI is installed, as shown in the image given below.
Checking the first check box enables ABE for that particular share and checking the next one enables ABE for all the shares on that particular server. There is also a CLI for doing the same but since I’m not a big CLI fan, I have never tried that out myself. The installation of ABEUI is necessary even to get the CLI for ABE.
In Windows Server 2008, ABE comes pre-installed and pre-enabled. You can, however, disable it for some or all shares if you need to.
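On later releases the same per-share switch can be checked and set from PowerShell. The script below is an added example, not part of the original post or of the ABEUI tool; it assumes Windows Server 2012 or later (where the SmbShare module exists) and an elevated session on the file server, and the share name in the final comment is made up.

```powershell
# Added example: report which file shares have ABE turned on, and enable it where needed.
# Assumption: Windows Server 2012 or later (SmbShare module), run elevated on the file server.

function Get-AbeShareReport {
    # Skip administrative shares (C$, ADMIN$, IPC$) and printer shares.
    Get-SmbShare -Special $false |
        Where-Object { $_.ShareType -eq 'FileSystemDirectory' } |
        Select-Object Name, Path,
            @{ Name = 'AbeEnabled'; Expression = { $_.FolderEnumerationMode -eq 'AccessBased' } }
}

function Enable-AbeOnShare {
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($share in $Name) {
        # AccessBased hides entries the caller cannot READ; Unrestricted lists everything.
        Set-SmbShare -Name $share -FolderEnumerationMode AccessBased -Force
    }
}

function Test-IsLocalAdministrator {
    # True when the current token carries the local Administrators group of this machine.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$report = @(Get-AbeShareReport)
$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.AbeEnabled })
if ($missing.Count -gt 0) {
    Write-Warning ("ABE is off on: " + ($missing.Name -join ', '))
}

if (Test-IsLocalAdministrator) {
    # Administrators of the server see every entry regardless of NTFS permissions,
    # so browsing the share with this account proves nothing about ABE.
    Write-Warning "Verify the result through the share path with a non-administrator account."
}

# To enable ABE on one share (hypothetical share name):
# Enable-AbeOnShare -Name 'Finance'
```

Because ABE only filters what is listed through the share, confirm the result by browsing the UNC path as an ordinary user, not by logging on to the server itself.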
If nothing else, enabling ABE on your shares will at least reduce the temptation of your users to play internal hacker. And yes, I enabled ABE on my File Server and it resulted in a reduction of the problem that it was intended to reduce, but then, as luck would have it, the management decided to give at least READ access to all the folders on the file server to every user in the office 😉