List Rights and Access-Based Enumeration

Life Before ABE

Permissions on file servers are necessary because we can use them to control which users have access to which data. To regulate this access granularly, Microsoft distinguishes between different levels of access: List folder contents, Read and Execute, Modify, etc.

Until Windows Server 2008, you had to be very careful about how and where to create a folder structure. If someone had permissions for one folder, they were able to see all of its subfolders as well, even if they did not have explicit permission for them. This meant that, though they were unable to see the contents of the folder on the file server, they were still well aware of its existence. In many cases, this alone may be undesirable because the folder name could reveal confidential information (just think of a folder named “Factory_Hamburg_Restructure”, which could cause unrest even without knowledge of its exact contents). The solution then was to “hide” folders at lower levels from unauthorized users. Of course, this inevitably led to deeply nested and confusing structures.

Advantages of ABE

This is where the so-called ABE (Access Based Enumeration) comes into play. To cut a long story short, ABE simply hides from the directory listing all directories a user does not have access to. To use ABE, it must be explicitly activated. This article describes how to activate it on Windows Server 2016. This function also exists for NetApp – activation is performed via the ONTAP command line. When describing the advantages of ABE, one should also point out a potential disadvantage: access performance can sometimes suffer greatly from ABE, because the server has to evaluate the permissions of every entry each time a directory is listed.
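The following PowerShell script is an added example for a Windows Server 2016 file server; it is not part of the original article and not tenfold's code. It uses the built-in SmbShare module to audit which SMB shares still enumerate every folder for every user and to switch those shares to Access-Based Enumeration. The only assumption is that it runs in an elevated session on the file server itself.

```powershell
# Added example (not from the original article): audit and enable Access-Based
# Enumeration (ABE) on the SMB shares of a Windows Server 2016 file server.
# Requires the built-in SmbShare module; run in an elevated PowerShell session.

# Administrative and special shares (C$, ADMIN$, IPC$) are left untouched.
$dataShares = Get-SmbShare | Where-Object { -not $_.Special }

# 1. Audit: FolderEnumerationMode "Unrestricted" means every user sees every folder name.
$dataShares |
    Select-Object Name, Path, FolderEnumerationMode |
    Format-Table -AutoSize

# 2. Enable ABE per share. -WhatIf only shows the change; remove it to apply.
$dataShares |
    Where-Object { $_.FolderEnumerationMode -ne 'AccessBased' } |
    ForEach-Object {
        Set-SmbShare -Name $_.Name -FolderEnumerationMode AccessBased -Force -WhatIf
    }

# 3. Verify the result after applying.
Get-SmbShare |
    Where-Object { -not $_.Special } |
    Select-Object Name, FolderEnumerationMode
```

ABE is a per-share setting and only affects enumeration over SMB: a user who already knows the full path of a hidden folder can still address it directly, and it is the NTFS permission on that folder, not ABE, that then denies the access. A user logged on locally to the server and browsing the volume directly is not affected by ABE at all. The performance cost mentioned above comes from step 2: once enabled, the server evaluates the ACL of every entry on every directory listing, which is why very large, flat folders are the ones that suffer most.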

ABE and List Rights

ABE unfolds its full potential only in combination with correctly set list rights. Because an NTFS permission (e.g. “Modify”) on a level 2 folder does not automatically allow the user to “browse” through the parent folder, a list permission has to be set explicitly on level 1. The best way to do this is with a list group created specifically for this purpose: the permission group for level 2 becomes a member of the level 1 list group. The same applies if you want to set permissions on lower levels: there is a list group for level 1 and one for level 2, and the permission group on the third level is a member of both list groups.

Notice: It is important to grant the list groups their permissions in such a way that the list permission is not passed on to subordinate folders and files (restriction of the so-called “propagation”, i.e. the permission applies to “This folder only”). Otherwise the list permission granted on level 1 would be inherited down to the last folders and files, and the user would inevitably be able to browse every folder on the file server.

Result

By setting list groups correctly and in combination with the activated ABE, you can ensure that users are only able to browse paths on the file server that lead to folders which they are actually authorized for. By nesting the list groups with the remaining permission groups, assigning folder permissions becomes very simple because all it takes is to add the user to the corresponding permission group. The user “automatically” receives the list rights required to browse through parent folders via indirect membership in all necessary superordinate list groups.
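As an added example of the procedure described in the last three sections (not part of the original article and not tenfold's code), the following PowerShell script creates a list group for a level 1 folder and a permission group for a level 2 folder, nests the permission group into the list group, and applies the NTFS entries so that the list permission is restricted to “This folder only”. Domain name, OU, paths, share name and the group naming convention are constructed placeholders; the share root is assumed to exist already as an SMB share with ABE enabled.

```powershell
# Added example (not from the original article): list group on level 1, permission
# group on level 2, nested membership, and ACEs without propagation of the list right.
# Domain, OU, paths and group names are constructed placeholders. Requires the
# ActiveDirectory module (RSAT) and an elevated session on the file server.
Import-Module ActiveDirectory

$Domain  = 'CORP'                                         # assumed NetBIOS domain name
$GroupOU = 'OU=FileServer,OU=Groups,DC=corp,DC=example'   # assumed OU for the groups
$Root    = 'D:\Shares\Projects'                           # assumed share root (level 0)
$Level1  = Join-Path $Root   'Engineering'                # level 1 folder
$Level2  = Join-Path $Level1 'Factory_Hamburg'            # level 2 folder

# Assumed naming convention: L-<path>-List for list groups, P-<path>-Modify for data access.
$ListGroupL1   = 'L-Projects-Engineering-List'
$ModifyGroupL2 = 'P-Projects-Engineering-FactoryHamburg-Modify'

New-Item -ItemType Directory -Path $Level2 -Force | Out-Null

foreach ($name in $ListGroupL1, $ModifyGroupL2) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU
    }
}

# Nesting: everyone who receives Modify on level 2 indirectly receives the level 1 list right.
Add-ADGroupMember -Identity $ListGroupL1 -Members $ModifyGroupL2

function Add-FolderAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inheritance = 'None',
        [System.Security.AccessControl.PropagationFlags]$Propagation = 'None'
    )
    $acl  = Get-Acl -Path $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $Inheritance, $Propagation,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Level 0 and level 1: list permission ("Read & execute" applied to "This folder only").
# InheritanceFlags None means the ACE is not passed on to subfolders or files.
# Inherited ACEs from the volume root (e.g. BUILTIN\Users read) must be removed separately.
Add-FolderAce -Path $Root   -Identity 'Authenticated Users'    -Rights ReadAndExecute
Add-FolderAce -Path $Level1 -Identity "$Domain\$ListGroupL1"   -Rights ReadAndExecute

# Level 2: Modify for the permission group, inherited by all subfolders and files below it.
Add-FolderAce -Path $Level2 -Identity "$Domain\$ModifyGroupL2" -Rights Modify `
    -Inheritance 'ContainerInherit, ObjectInherit'

# Check: an ACE granted to a list group must never be inheritable, otherwise the
# list right would propagate down the whole tree (the "propagation" problem above).
function Test-ListAcePropagation {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -like '*-List' -and $_.InheritanceFlags -ne 'None' } |
        ForEach-Object {
            Write-Warning "$Path : list ACE for $($_.IdentityReference) propagates ($($_.InheritanceFlags))"
        }
}
Test-ListAcePropagation -Path $Root
Get-ChildItem -Path $Root -Directory -Recurse |
    ForEach-Object { Test-ListAcePropagation -Path $_.FullName }
```

Adding a user to `P-Projects-Engineering-FactoryHamburg-Modify` is then the only manual step: through the nested membership the user receives the level 1 list right, and with ABE enabled on the share, `Engineering` is the only level 1 folder that appears in his or her listing. The `Test-ListAcePropagation` check at the end is worth running periodically, because a single list ACE accidentally set to “This folder, subfolders and files” is enough to make the whole tree browsable again.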

Conclusion

Even though ABE has been around for 10 years or so, there are still many businesses out there who do not use ABE, despite the fact that it brings so many advantages to structuring file servers. Admittedly, the described procedure still requires a lot of manual effort where structuring of authorizations is concerned. If many folders need to be authorized, many of which may be on the second or third folder level, hundreds or sometimes thousands of groups need to be managed.

Our software tenfold can provide some significant relief here because it eliminates all manual activities and instead enables automatic folder authorization according to configurable rules with best-practice-compliant groups. Any required list groups are also created and managed automatically in the process. You can find more details about permission management on file servers using tenfold here: https://www.tenfold-security.com/en/fileserver-access-rights/


By Michael Ugrinovich | 17 / 07 / 2018 | BLOG | Page timestamp: 2019-04-12T16:06:20+00:00

About the Author:

Michael Ugrinovich
Michael Ugrinovich is Senior Products & Services Manager at the software company tenfold. With his extensive technical knowledge, the certified IT expert has continued to set new standards in the fields of user and permissions management, as well as identity and access management. He was strongly involved in the development of the standard software product tenfold.