Access Based Enumeration: How to Enable ABE for Windows Server

Access-based Enumeration was designed to stop the rumor mill from churning. It ensures that nosy employees do not even see objects they have no permissions for. In this article, we are going to explain how to set up ABE correctly and how it works on different Windows drives.

Every company has different types of data: confidential, secret and top secret. Because this data is usually kept on file servers shared by many people, NTFS permissions are used to ensure that only the right people have access to this information. NTFS, short for New Technology File System, gives you granular options for setting access rights in Windows and Windows Server environments (List folder contents, Read & Execute, Modify etc).

This ensures that your staff’s file server access is limited to intended assets and intended actions. For more information on the topic of NTFS permissions, our article on the subject outlines NTFS Best Practices and common mistakes.

Up until Windows Server 2008, admins had to pay extra attention to how and especially WHERE they set up new folder structures. Users with access to a particular folder were automatically able to see all of its subfolders, even if they did not have the necessary permissions to open those folders. This scenario was quite common and led to all kinds of problems:

The reason why file server structures became so confusing is because admins had to find ways to hide certain objects from unauthorized users. One way of doing this was to move objects to deeper levels on the file server – which meant that shared files might be buried under layers and layers of different folders. Access-based enumeration put an end to this challenge.

Access-based enumeration was introduced with Windows Server 2003 R2. Since Windows Server 2012, ABE is available as an option in the server manager console. It is set up using the file and storage services role in the server manager. When enabled, ABE ensures that any files and folders users do not have privileges for are not shown to them in the directory tree.

ABE must be explicitly enabled. Read this article to find out how to do this on Windows Server 2016. The feature is also available for NetApp, where ABE is activated via the ONTAP Command Line. For access-based enumeration to work correctly, NTFS permissions must also be set correctly.

Since Windows 2008 R2, access-based enumeration also works in the Distributed File System (DFS). It must also be explicitly activated using DFS management. More information on how to enable ABE for a DFS namespace.

Access Based enumeration affects how and whether information on file shares is displayed. For instance, to determine which objects need to be hidden from an employee as they click their way through shared resources, Windows has to check all permissions for all files and folders contained within these folders.

Back in 2003, when ABE was first introduced, this process required considerable amounts of CPU power, which in turn led to a loss in performance and thus to an increase in costs. Learn more about this technical phenomenon here.

Nowadays, performance loss when you enable ABE is no longer an issue. Even for very large environments, Microsoft currently cites that the additional CPU power required is at around 2-3 percent. For shares containing a max. of 15,000 files, no differences in performance could be observed at all.

As indicated above, enabling ABE alone is not enough. In order for access-based enumeration to work, users must also have the correct NTFS permissions needed to navigate to any subfolders they do have permissions for (List Folder Contents).

Example: If a user has the permission “Modify” for a folder located on level 2, this does not automatically give the user the right to browse level 1. To browse level 1, they must be given the List Folder Contents permission for level 1. Ideally, this would be done using a specifically designated list group.

Here is the recommended approach: The security groups that contain the different permissions for a folder on level 2 are added to a different security group that holds the List Folder Contents permission for the superordinate folder (in this case, level 1). This way, any users that are assigned read or write privileges via the corresponding permission groups automatically receive the necessary list rights in order to navigate to the folder in question.

If you want to set permissions on deeper levels, the procedure is the same: there are list groups for levels 1 and 2, so permission groups on level 3 are added to list groups on level 2, which are themselves members of list groups on level 1. See our infographic below for context:

Access Control Lists use the concept of inheritance, which means that access rights are automatically passed on from parent folders or files to subordinate (child) folders/files. To ensure ABE works correctly, it is very important to restrict inheritance when assigning these permissions.

If you enable inheritance for the “list contents” permission, users will be able to browse all folders on the file server because the permission needed to browse level 1 would propagate to all subordinate files and folders. To learn how to deactivate the inheritance function in Windows 10, click here.

Access Based enumeration is an important aspect of data protection. While ABE cannot replace firewalls or virus scanners, it plays a major part in improving data security on the inside. As an admin, your mantra will always be: better safe than sorry. Assume the worst, which is that users will inevitably click their way through file shares in the company network if they can.

A folder named after to its purpose (e.g. “Restructuring_Fall_2022”) may stir up uncertainties and/or questions among users, even if they cannot access to the folder’s contents.

However, employee data theft is not the only issue we must consider; social engineering or other types of information misuse may also lead to significant problems.

In the best-case scenario, Access Based Enumeration works as follows:

As you can see: Access Based Enumeration works – but only if admins configure all settings and properties in accordance with best practices. If a share or its subfolders are not configured correctly or if you accidentally apply the unaltered default settings, users will be able to see the entire directory list, even with ABE active.

Once your company reaches a certain size and you have a large number of users accessing many shared objects on the file server, the time and effort it takes admins to manually manage all these settings and permission groups grows out of control. Managing numerous folders on levels 2, 3 or even deeper within the folder structure, means tracking hundreds or even thousands of nested groups. Not only is this a lot of work, but it also increases the risk of errors significantly.

tenfold creates and manages list groups automatically, sets permissions for folders on the basis of configurable rules and always uses best practice compliant groups. Learn more about file server access management with tenfold.

In businesses that do not yet employ dedicated Identity & Access Management software, you will inevitably come across users who hold outdated and/or superfluous permissions. A common practice that contributes to this kind of privilege creep is the practice of copying existing reference users to create accounts for new hires.

The good news is, not only does tenfold create and manage list groups automatically to ensure the access-based enumeration works smoothly, it also removes any outdated permissions found when it is first installed.

How does it do this? tenfold uses role-based access control through a profile system. The profile system must be configured one time when tenfold is initially installed. Once that is done, tenfold is able to assign default rights automatically, based on certain user attributes (such as department, location or role) and across systems (Active Directory®, SAP ERP, etc.).

Of course, it is not enough to match up and sort permissions just one time upon installation. Users change departments, they go on parental leave, they resign. And with each change, the permissions they need change, too. To stay on top of that, tenfold conducts automatic user access reviews. In this process, data owners are sent periodic reminders to confirm permissions they granted are still in use. With this approach, outdated privileges can be removed with just one click!

Sources:

http://woshub.com/enable-access-based-enumeration-in-windows-server/

https://docs.microsoft.com/en-US/windows-server/storage/dfs-namespaces/enable-access-based-enumeration-on-a-namespace