Access Based Enumeration: How to Enable ABE for Windows Server
Access Based Enumeration (ABE) allows you to hide objects (files, folders) on local resources from users who do not have the permissions needed to access them. Limiting visibility makes it easier for employees to navigate the file server, while also preventing speculation about the contents of folders with evocative names. Even if they can’t get inside, just seeing a folder labelled “2023_Restructuring” could get people spreading rumors.
Access-based Enumeration was designed to stop the rumor mill from churning. It ensures that nosy employees do not even see objects they have no permissions for. In this article, we are going to explain how to set up ABE correctly and how it works on different Windows drives.
What Is Access Based Enumeration?
Every company has different types of data: confidential, secret and top secret. Because this data is usually kept on file servers shared by many people, NTFS permissions are used to ensure that only the right people have access to this information. NTFS, short for New Technology File System, gives you granular options for setting access rights in Windows and Windows Server environments (List folder contents, Read & Execute, Modify, etc.).
This ensures that your staff’s file server access is limited to intended assets and intended actions. For more information on the topic of NTFS permissions, our article on the subject outlines NTFS Best Practices and common mistakes.
Why Use Access Based Enumeration?
Up until Windows Server 2008, admins had to pay extra attention to how and especially WHERE they set up new folder structures. Users with access to a particular folder were automatically able to see all of its subfolders, even if they did not have the necessary permissions to open those folders. This scenario was quite common and led to all kinds of problems:
The folder name itself might contain confidential information (e.g. “Facility_NJ_jobcuts“).
Users might assume there is a mistake and bombard admins with e-mails like, “Why can’t I open this folder?!”
File server structures became cluttered and confusing.
File server structures became so confusing because admins had to find ways to hide certain objects from unauthorized users. One way of doing this was to move objects to deeper levels on the file server, which meant that shared files might be buried under layers and layers of different folders. Access-based enumeration put an end to this challenge.
What Does Access Based Enumeration Do?
Access-based enumeration was introduced with Windows Server 2003 R2. Since Windows Server 2012, ABE is available as an option in the server manager console. It is set up using the file and storage services role in the server manager. When enabled, ABE ensures that any files and folders users do not have privileges for are not shown to them in the directory tree.
How to Enable Access Based Enumeration
ABE must be explicitly enabled. Read this article to find out how to do this on Windows Server 2016. The feature is also available for NetApp, where ABE is activated via the ONTAP Command Line. For access-based enumeration to work correctly, NTFS permissions must also be set correctly.
ABE in DFS
Since Windows 2008 R2, access-based enumeration also works in the Distributed File System (DFS). It must also be explicitly activated using DFS management. Microsoft's documentation on DFS namespaces describes how to enable ABE for a namespace.
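The following PowerShell sketch is an added example, not taken from the article or from Microsoft's documentation. It inventories the folder shares on a file server, enables ABE where it is still off, and then does the same for a DFS namespace. The namespace path is a constructed placeholder, and the `-WhatIf` switches keep the run read-only until you remove them.

```powershell
# Constructed placeholder (assumption): replace with your own DFS namespace root.
$namespace = '\\contoso.com\Public'

# 1. Inventory: user-facing folder shares and their enumeration mode.
#    Administrative shares (C$, ADMIN$, IPC$) are flagged Special and skipped.
$shares = Get-SmbShare |
    Where-Object { -not $_.Special -and $_.ShareType -eq 'FileSystemDirectory' }

$shares | Sort-Object Name |
    Format-Table Name, Path, FolderEnumerationMode -AutoSize

# 2. Enable ABE on every share that is not yet in AccessBased mode.
#    -WhatIf only prints what would change; remove it to apply.
$shares |
    Where-Object { $_.FolderEnumerationMode -ne 'AccessBased' } |
    ForEach-Object {
        Set-SmbShare -Name $_.Name -FolderEnumerationMode AccessBased -Force -WhatIf
    }

# 3. DFS namespaces carry their own ABE switch, independent of the share
#    setting above (requires the DFSN module from the DFS management tools).
Set-DfsnRoot -Path $namespace -EnableAccessBasedEnumeration $true -WhatIf

# Review the namespace settings after the change.
Get-DfsnRoot -Path $namespace | Format-List
```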
Does ABE Affect Performance?
Access Based enumeration affects how and whether information on file shares is displayed. For instance, to determine which objects need to be hidden from an employee as they click their way through shared resources, Windows has to check all permissions for all files and folders contained within these folders.
Back in 2003, when ABE was first introduced, this process required considerable amounts of CPU power, which in turn led to a loss in performance and thus to an increase in costs.
Nowadays, the performance loss from enabling ABE is no longer an issue. Even for very large environments, Microsoft currently puts the additional CPU power required at around 2-3 percent. For shares containing a maximum of 15,000 files, no differences in performance could be observed at all.
Best Practices: ABE and NTFS Permissions
As indicated above, enabling ABE alone is not enough. In order for access-based enumeration to work, users must also have the correct NTFS permissions needed to navigate to any subfolders they do have permissions for (List Folder Contents).
Example: If a user has the permission “Modify” for a folder located on level 2, this does not automatically give the user the right to browse level 1. To browse level 1, they must be given the List Folder Contents permission for level 1. Ideally, this would be done using a specifically designated list group.
Here is the recommended approach: The security groups that contain the different permissions for a folder on level 2 are added to a different security group that holds the List Folder Contents permission for the superordinate folder (in this case, level 1). This way, any users that are assigned read or write privileges via the corresponding permission groups automatically receive the necessary list rights in order to navigate to the folder in question.
If you want to set permissions on deeper levels, the procedure is the same: there are list groups for levels 1 and 2, so permission groups on level 3 are added to list groups on level 2, which are themselves members of list groups on level 1. See our infographic below for context:
This approach is an extension of the AGDLP principle, Microsoft’s recommended approach for implementing role-based access control in Windows environments, which relies on nested groups.
Deactivate Inheritance
Access Control Lists use the concept of inheritance, which means that access rights are automatically passed on from parent folders or files to subordinate (child) folders/files. To ensure ABE works correctly, it is very important to restrict inheritance when assigning these permissions.
If you enable inheritance for the “list contents” permission, users will be able to browse all folders on the file server because the permission needed to browse level 1 would propagate to all subordinate files and folders.
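The list-group approach and the inheritance restriction described above can be combined in one PowerShell sketch. This is an added example, not code from the article or from tenfold; every folder path, group name and the domain name is a constructed placeholder, and the groups are assumed to exist already.

```powershell
# All names below are constructed placeholders (assumptions).
$level1    = 'D:\Shares\Departments'      # level 1 folder
$level2    = Join-Path $level1 'HR'       # level 2 folder
$listGroup = 'FS_Departments_List'        # list group for level 1
$permGroup = 'FS_Departments_HR_Modify'   # permission group for level 2
$domain    = 'CONTOSO'                    # NetBIOS domain name

Import-Module ActiveDirectory

# Step 1: nest the level 2 permission group in the level 1 list group, so
# members of the permission group receive the list right automatically.
Add-ADGroupMember -Identity $listGroup -Members $permGroup

# Helper (hypothetical name): build an Allow ACE with the given inheritance.
function New-FolderRule {
    param([string]$Group, [string]$Rights, [string]$Inherit)
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        "$domain\$Group",
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# Step 2: list right on level 1, applied to "This folder only".
# InheritanceFlags None is what stops it from propagating to subfolders.
$acl = Get-Acl -Path $level1
$acl.AddAccessRule((New-FolderRule $listGroup 'ReadAndExecute' 'None'))
Set-Acl -Path $level1 -AclObject $acl

# Step 3: the actual access right on level 2, inherited by its contents.
$acl = Get-Acl -Path $level2
$acl.AddAccessRule((New-FolderRule $permGroup 'Modify' 'ContainerInherit, ObjectInherit'))
Set-Acl -Path $level2 -AclObject $acl

# Step 4: check for the failure mode. Any list-group ACE on level 1 that
# still inherits downwards would expose every subfolder despite ABE.
(Get-Acl -Path $level1).Access |
    Where-Object { $_.IdentityReference -like "*\$listGroup" -and
                   $_.InheritanceFlags -ne 'None' }
```

Step 4 should return nothing; any output is a list-group entry whose scope must be reduced to "This folder only".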
Access Based Enumeration Increases Data Security
Access Based enumeration is an important aspect of data protection. While ABE cannot replace firewalls or virus scanners, it plays a major part in improving data security on the inside. As an admin, your mantra will always be: better safe than sorry. Assume the worst, which is that users will inevitably click their way through file shares in the company network if they can.
A folder named after its purpose (e.g. “Restructuring_Fall_2022”) may stir up uncertainties and/or questions among users, even if they cannot access the folder’s contents.
However, employee data theft is not the only issue we must consider; social engineering or other types of information misuse may also lead to significant problems.
You can find more tips and best practices for protecting critical data in our guide to Active Directory security.
ABE: Not Entirely Automated
In the best-case scenario, Access Based Enumeration works as follows:
With a combination of appropriate list groups and ABE enabled, you can ensure that users are only able to browse folders on the file server which they have the necessary permissions for.
Nesting list groups with other permission groups makes the process of assigning folder permissions quite straightforward because the user simply has to be added to the relevant permission group to receive access.
The user automatically receives the list rights needed to browse any superior folders simply by being a member of the necessary parent list groups.
As you can see: Access Based Enumeration works – but only if admins configure all settings and properties in accordance with best practices. If a share or its subfolders are not configured correctly or if you accidentally apply the unaltered default settings, users will be able to see the entire directory list, even with ABE active.
Apply an Access Management Strategy to Put Things Right
Once your company reaches a certain size and you have a large number of users accessing many shared objects on the file server, the time and effort it takes admins to manually manage all these settings and permission groups grows out of control. Managing numerous folders on levels 2, 3 or even deeper within the folder structure, means tracking hundreds or even thousands of nested groups. Not only is this a lot of work, but it also increases the risk of errors significantly.
For businesses with 100 users or more, it is therefore recommended to invest in an access management solution to simplify these processes.
tenfold creates and manages list groups automatically, sets permissions for folders on the basis of configurable rules and always uses best practice compliant groups. Learn more about file server access management with tenfold.
Automated Access Management
In businesses that do not yet employ dedicated Identity & Access Management software, you will inevitably come across users who hold outdated and/or superfluous permissions. A common practice that contributes to this kind of privilege creep is copying existing reference users to create accounts for new hires.
The good news is, not only does tenfold create and manage list groups automatically to ensure that access-based enumeration works smoothly, it also removes any outdated permissions found when it is first installed.
How does it do this? tenfold uses role-based access control through a profile system. The profile system must be configured one time when tenfold is initially installed. Once that is done, tenfold is able to assign default rights automatically, based on certain user attributes (such as department, location or role) and across systems (Active Directory®, SAP ERP, etc.).
Of course, it is not enough to match up and sort permissions just one time upon installation. Users change departments, they go on parental leave, they resign. And with each change, the permissions they need change, too. To stay on top of that, tenfold conducts automatic user access reviews. In this process, data owners are sent periodic reminders to confirm permissions they granted are still in use. With this approach, outdated privileges can be removed with just one click!
Sources:
http://woshub.com/enable-access-based-enumeration-in-windows-server/
https://docs.microsoft.com/en-US/windows-server/storage/dfs-namespaces/enable-access-based-enumeration-on-a-namespace