Access-based Enumeration (ABE) allows objects (files, folders) on local resources to be hidden from users who do not have permission to access them. Why is this important? Take the lady in our header image, for instance. Let’s call her Ms. McNosy. If ABE is not activated, Ms. McNosy might not be able to view the contents of the folder “Facility_NJ_jobcuts” (because she does not have the required permissions to do so), but she can still seethat the folder is there. The result: Even without knowing what’s inside, the name of the folder could be enough to inspire Ms. McNosy to get the rumor mill churning.
Access-based Enumeration was designed to cut the grapevine before it can even grow. The function ensures Ms. McNosy does not even see the objects she has no permissions for in the first place. In this article, we are going to explain how to set up ABE correctly and how it works on different Windows drives.
Every company has different types of data: confidential, secret and top secret. Because this data is usually kept on file servers shared by many people, NTFS permissions are used to ensure that only the right people have access to this information. NTFS, short for New Technology File System, gives you granular options for setting access rights in Microsoft Windows (eg.: List folder contents, Read & Execute, Modify).
This ensures that employees accessing the file server via network are only able to see the information they are supposed to see. More information: Our article on the subject outlines the best practices for setting NTFS permissions.
Why Use Access-Based Enumeration?
Up until Windows Server 2008, admins had to pay extra attention to how and especially WHERE they set up newfolder structures. Users with access to folder X were automatically able to see all of its subfolders, even if they did not have the necessary permissions to access those folders.
Example: While Ms. McNosy can see all subfolders of folder X, she cannot access all of them. This scenario was quite common and led to all kinds of problems:
The folder name itself might contain confidential information (e.g. “Facility_NJ_jobcuts“).
Users might assume there is a mistake and bombard admins with e-mails like, “Why can I not access this folder?!”
File server structures became cluttered and confusing.
The reason why file server structures became so confusing is because admins had to find ways to hide certain objects from unauthorized users. One way of doing this was to move objects to deeper levels on the file server – the result being that nobody really knew what was going on anymore. Access-based enumeration puts an end to this challenge.
What Does Access-Based Enumeration Do?
Access-based enumeration was introduced with Windows Server 2003 R2. Since Windows Server 2012, ABE is available as an option in the server manager console. It is installed using the file and storage services role in the server manager. When enabled, ABE ensures that any files and folders users do not have privileges for are not shown to them in the directory tree.
How to Enable Access-Based Enumeration
ABE must be explicitly enabled. Read this article to find out how to do this on Windows Server 2016. The feature is also available for NetApp, where ABE is activated via the ONTAP Command Line. For access-based enumeration to work correctly, NTFS permissions must also be set correctly.
ABE in DSF
Since Windows 2008 R2, access-based enumeration also works in the Distributed File System (DFS). It must also be explicitly activated using DFS management. Learn more about enabling ABE for DFS namespaces here.
Does ABE Affect Performance?
Access-based Enumeration affects how and whether information on shares is displayed. For instance, to determine which objects need to be hidden from Ms. McNosy as she clicks her way through folder X, Windows has to read allpermissions for all files and folders contained within folder X and then evaluate them.
Back in 2003, when ABE was introduced, this process required considerable amounts of CPU power, which in turn led to a loss in performance and thus to an increase in costs. Learn more about this technical phenomenon here.
Nowadays, performance loss due to ABE is no longer an issue. Even for very larger environments, Microsoft currently cites that the additional CPU power required is at around 2-3 percent. For shares containing a max. of 15,000 files, no differences in performance could be observed at all.
Best Practices: ABE and List Rights
As indicated above, enabling ABE alone is not enough. In order for access-based enumeration to work, list permissions (NTFS permissions) must also be set correctly.
Example: If a user has the permission “Modify” for a folder located on level 2, this does not automatically give the user the right to browse level 1. To browse level 1, the appropriate list right must also explicitly be set on level 1. Ideally, this would be done using a specifically designated list group.
The subordinate permission group for level 2 must become a member of the list group for level 1. If you want to set permissions on deeper levels, the procedure is the same: there are list groups for levels 1 and 2, the permission group level 3 must be a member of the list groups for level 1 and level 2. See image below:
Access Control Listsuse the concept of inheritance, which means that access rights are automatically passed on from parent folders or files to subordinate (child) folders/files. To ensure ABE works correctly, it is very important to control (i.e. limit) inheritance when assigning list rights.
Failing to do so means users will be able to browse all folders on the file server because the list rights on level 1 are propagated to all subordinate files and folders. To learn how to deactivate the inheritance function in Windows 10, click here.
Access-Based Enumeration Increases Data Security
Access-based enumeration is an important aspect ofdata protection. While ABE cannot replace firewalls or virus scanners, it plays a major part in improving data security on the inside. As an admin, your mantra will always be: better safe than sorry. Assume the worst, which is that users will inevitably click their way through shared objects in the company network if they can.
A folder named after to its purpose (e.g. “Restructuring_Fall_2021”) may stir up uncertainties and/or questions among users, even if they cannot access to the folder’s contents.
However, data theft from within is not the only issue we must consider; social engineering or other types of information misuse may also lead to significant problems.
ABE Not Entirely Automated
In the best-case scenario, access-based enumeration works as follows:
With a combination of appropriate list groups and ABE enabled, you can ensure that users are only able to browse folders on the file server which they have the necessary permissions for.
Nesting list groups with other permission groups makes the process of assigning folder permissions quite straightforward because the user simply has to be added to the relevant permission group to receive access.
The user automatically receives the list rights needed to browse any superior folders simply by being a member of the necessary parent list groups.
As you can see: Access-based enumeration works – but only if the admin configures all settings in accordance with best practices. If a share or its subfolders are not configured correctly or if you accidentally apply the unaltered default settings, the domain user will be able to see the entire directory list, even with ABE active.
[FREE WHITE PAPER]
Best practices for access management in Microsoft® environments.
Read our white paper to learn how to best handle access rights in Microsoft® environments.
Apply an Access Management Strategy to Put Things Right
Once your company reaches a certain size and you have a large number of users accessing many shared objects on the file server, the time and effort required by admins in order to stay on top of permissions virtually explode. Managing numerous folders on levels 2, 3 or even deeper within the folder structure, means hundreds or even thousands of groups need to be kept track of and managed. Not only is this a lot of work, but it also increases the risk of errors significantly.
For businesses with 100 users or more, it is therefore recommended to invest in an access management solution to simplify these processes.
tenfold creates and manages list groups automatically, sets permissions for folders on the basis of configurable rules and always uses best practice compliant groups. Learn more about file server access management with tenfold.
Automated Access Management
In businesses that do not yet employ dedicated Identity & Access Management software, you will inevitably come across users who hold outdated and/or superfluous permissions. A common practice that contributes to this kind of Privilege Creep is the use of reference users.
The good news is, not only does tenfold create and manage list groups automatically to ensure the access-based enumerationworks smoothly, it also removes any outdated permissions found when it is first installed.
How does it do this? tenfold uses role-based access control through a profile system. The profile system must be configured one time when tenfold is initially installed. Once that is done, tenfold is able to assign default rightsautomatically, based on certain userattributes (such as department, location or role) and across systems (Active Directory®, SAP ERP, etc.).
Of course, it is not enough to match up and sort permissions just one time upon installation. Users change departments, they go on parental leave, they resign. And with each change, the permissions they need change, too. To stay on top of that, tenfold conducts automatic user access reviews. In this process, data owners are sent periodic reminders to confirm permissions they granted are still in use. With this approach, outdated privileges can be removed with just one click!