All organizations rely on file servers to share information among users. But Windows servers, by default, will display any shared folder to end users, no matter what the folder's permissions are.
To ensure that unauthorized users do not have access to shares they are not permitted to see, Windows administrators often have to perform 'magic' feats to prevent these users from viewing sensitive information, such as partner or customer names.
A good example of a folder where users might see information they should not have access to would be a home directory. A home directory can contain a user's files and programs. Access to the home directory is usually assigned to an individual. Home directories collect user files in one location, and make it easy for an administrator to back up user files and delete user accounts. The home directory becomes the default directory for storing files the user creates, the user's command prompt, and for all applications that do not have a working directory defined.
Many administrators opt to use a template account to automatically generate the home directory using the %username% variable. This is an easier route to go when you have to manage several user accounts, each with its own home directory. Simply use the template to create a new account and the home directory is created "automagically." This process automatically assigns Full Control permissions to the user for the new home directory.
IT administrators have other ways to hide shared content from users. One example is the hidden share, where the dollar sign ($) sign is used at the end of the share name to 'hide' the share from prying eyes. Another is the use of custom scripts to redirect user settings to particular shared folders.
But there's a problem with these techniques: They're not foolproof. If a user knows the name of a hidden share, they can use it to go directly to that share and view whatever IT is trying to hide, as shown in the screen below.
Most of us are curious; users are no different. Once a user gets access to something hidden, they will try to see folders they're not supposed to. The result: at best, an error message (shown below); at worst, an access violation due to security permissions that are improperly set.
Now for the big question: How can you balance security, ease of access and file server integrity while truly hiding unauthorized information from prying eyes? The answer: Through the use of Access-based Enumeration (ABE).
Access-based Enumeration
A feature included in Windows Server 2003 (WS03) Service Pack 1, Access-based Enumeration increases file-sharing security. ABE filters the visibility of shared folders based on the user's access rights. It prevents the display of folders or other shared resources users do not have access to. By enabling ABE, IT administrators ensure that users can only see the files and folders they need for their work instead of spending time looking through a list of multiple files and folders they do not have access to.
 |
| Get the ABE enabler |
| Windows Server 2003 Access-based Enumeration setup files can be found here. |
|
|
|
|
Although it is included in WS03 SP1, ABE is not enabled by default. To do so, you need to download the appropriate ABE engine. Each engine comes in the form of a Windows Installer or MSI file. Three are available: x86 for 32-bit systems, x64 for 64-bit systems and ia64 for Itanium systems.
Once you download the proper ABE enabler, just run the MSI and follow the prompts. ABE enablers should be installed on file servers only since it is a file sharing feature. If you run the MSI interactively, you will be prompted to enable ABE on all existing file shares, as shown in the screen below.
You can also deploy the enabler to your file servers. Since it is an MSI, you can deploy it through Active Directory's Group Policy Software Installation. But if you want to automatically enable ABE at installation, you will need to transform the default installation to set the enabling feature.
If you don't have access to a transform creation tool, you can simply deploy the enabler and then enable it afterwards. Access-based enumeration offers both a GUI and a command-line tool to activate this feature on shared resources. Perhaps the easiest way to do this is to run a script using the command-line abecmd tool once the enabler is installed. Use the appropriate syntax, as shown in the table below.
| Parameter | Description |
|---|
| /enable | Turns ABE on to the specified shared resource or on all shared resources. |
| /disable | Turns ABE off from the specified shared resource or all shared resources. |
| /server | Applies the action (turning ABE on or off) for shared resources on a remote server. |
| /all | Apply the action (turning ABE on or off) for all shared resources. |
| <ShareName> | Identifies the shared resource to which ABE will be turned on or off. |
To access the GUI interactively, simply right-click on the shared folder and select Properties. A new ABE tab will be included in the properties sheet, as shown in the screen below.
Just select the box to enable access-based enumeration on this shared folder. By enabling ABE, users now see only the folders that they have access rights to, as shown in the menu below.
|
| Consider your NTFS permissions |
| You should ensure that the service account you use for backup always has the proper access rights to shared folders; if not, your backups may fail. Also ensure you have administrative access to all shared folders; otherwise you may lose this access once ABE is enabled. |
|
|
|
|
Resolve your file share issues
The best solution is this: Do not show users unauthorized information in the first place. Using ABE meets and exceeds this objective, plus it is really easy to put in place. All you have to do is deploy ABE on each file server using your deployment tool, and enable this option when necessary.
And there you are: Another simple way to secure your network.
About the authors: Danielle Ruest and Nelson Ruest are IT professionals specializing in systems administration, migration planning, software management and architecture design. They have written several books and are currently working on the Definitive Guide to Vista Migration for Realtime Publishers as well as the Complete Reference to Windows Server Codenamed "Longhorn" for McGraw-Hill Osborne. They have extensive experience in systems management and operating system migration projects. For more tips, write to them at info@reso-net.com.
More information on this topic:
