Controlling Access-based Enumeration with Group Policy


Derek Melber, Contributor
12.20.2005


The last article I wrote was on Access-based Enumeration (ABE). This is a revolutionary new feature that Microsoft has added to the latest Windows Server 2003 service pack. Although not that revolutionary for network operating systems, this feature shows that Microsoft finally has jumped on the security bandwagon. In this article, I will quickly review what ABE is and why it is so important. I also will go into detail about how you can control ABE -- and the shares it controls -- centrally with Group Policy.

Recap of ABE

ABE is the technology built into Windows Server 2003 Service Pack 1 that lets the administrator of a resource control who can see shared folders and files. In essence, the goal of ABE is to keep users from seeing the files and folders to which they don't have access.

This is ideal for any organization that wants to hide files or folders under share points. If the user is omitted from the access control list (ACL) or is specifically denied the ability to read or list the resource, the file or folder will not be visible when browsing the shared folder resources in Windows Explorer. For HR-related resources, medical organizations, highly secure organizations or any organization that benefits from denying visible access to resources based on the ACL, ABE is an ideal solution.
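The visibility rule described above, as an added Python model (not code from the original article, and not Windows or PolicyMaker code). The `Ace`, `can_read` and `browse` names, the simplified single-right ACL walk, and the sample share are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny" for the read/list right
    trustee: str   # user or group the entry applies to

def can_read(acl, user, groups):
    """Walk the ACL in order; the first entry naming the user or one of
    their groups decides. No matching entry means no access (omitted)."""
    principals = {user, *groups}
    for ace in acl:
        if ace.trustee in principals:
            return ace.kind == "allow"
    return False

def browse(share, user, groups, abe_enabled):
    """Names the user sees when listing the top level of the share."""
    if not abe_enabled:
        return sorted(share)  # without ABE every entry is listed
    return sorted(name for name, acl in share.items()
                  if can_read(acl, user, groups))

# Constructed sample share: folder name -> ACL, deny entries listed first.
SHARE = {
    "Public":      [Ace("allow", "Everyone")],
    "HR-Salaries": [Ace("allow", "HR")],                     # others omitted
    "Legal-Hold":  [Ace("deny", "Contractors"), Ace("allow", "Everyone")],
}

if __name__ == "__main__":
    users = {
        "alice": {"Everyone"},
        "bob":   {"Everyone", "Contractors"},
        "carol": {"Everyone", "HR"},
    }
    for user, groups in users.items():
        print(user, "ABE off:", browse(SHARE, user, groups, False))
        print(user, "ABE on: ", browse(SHARE, user, groups, True))
```

With ABE off, every user is shown all three folder names even though `can_read` still refuses the ones they have no rights to; ABE changes only what is listed, not what the ACL permits.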

Centralizing shares and ABE with Group Policy

For years, the Active Directory community has wondered when there would be additional breakthroughs for controlling server environments using Group Policy. The ability to control User Rights, Services and Local Groups with Group Policy has always been there, but it seemed like other features were missing.

Thanks to DesktopStandard Corp.'s new PolicyMaker Share Manager, the wait is over. Share Manager provides a centralized and easy-to-configure policy to control both shared folders and whether or not those shares will be configured with ABE.

PolicyMaker simply adds nodes to the Group Policy Object Editor (GPOE); the share settings appear under the new Server Settings | Network Shares node.

The policy is very simple, offering you all of the required settings to control shares on a server, including:

  • Share name
  • Folder path
  • Hidden shares control
  • Administrative shares control
  • User limits

The creation and control of shares through this policy is very easy to configure. The ABE settings are just as easy.

Remember that ABE must be configured on a computer running Windows Server 2003 Service Pack 1 -- this is the only operating system that can provide this access and control. The client or system viewing the share does not matter; ABE depends only on the target server.

Summary

ABE seems like a revolutionary technology for Microsoft IT professionals. It has been a long-awaited and needed feature. It is simple to configure on the share itself, and it is just as simple to configure using Group Policy. With PolicyMaker's Share Manager, you are given control over shares and share properties such as ABE. With a good Active Directory design, deployment and management of shares has become more than just routine; it has become nearly obsolete. Group Policy is a perfect mechanism to control shares and the shared folder options.


Derek Melber, MCSE, MVP, and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore. He also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at derekm@desktopstandard.com.
