Improve File Server Security Using Access-Based Enumeration (ABE)

By Russell Smith, 02.22.2017, Data Security


Introduced in Windows Server 2008, Access-Based Enumeration (ABE) gives system administrators an additional tool for protecting sensitive information on file servers. First available as an add-on package for Windows Server 2003 before shipping out-of-the-box in Windows Server 2008, ABE prevents users from seeing files and folders to which they don’t have access. This is useful where folder names themselves contain sensitive information, where the location of specific information needs to be protected, or simply to improve the user experience by presenting a simplified view of the folder structure.

ABE displays only those files and folders on which the currently logged-in user has at least Read permission. It’s also worth noting that ABE only works on shared folders, so it doesn’t apply to the view users get when browsing a file structure locally. Microsoft changed the default behavior of ABE slightly in Windows Server 2008 so that any shares created using the File Sharing feature in Windows Explorer are automatically enabled for ABE. Shares created in any other way have ABE disabled by default. Administrative shares, such as C$, are not enabled for ABE by default, and neither are shared volumes.

ABE filters out the files and folders a user doesn’t have permission to see on each access, so turning it on can increase the CPU load on the server. Before enabling ABE in your environment, you should therefore test the effect it will have on server performance. Because of the potential performance hit, Microsoft recommends enabling ABE only when there is a genuine need. ABE is supported on Distributed File System (DFS) Domain Namespaces, which makes it easier to scale out when extra processing power needs to be added.


Managing ABE

Server Manager can be used to manage ABE. Log in to the server with local administrator permission:

  • Open Server Manager using the icon on the desktop taskbar.
  • Click File and Storage Services in the list of options on the left of Server Manager.
  • Right click the share you want to manage in the list of available shares on the right, and select Properties from the menu.
  • In the Properties dialog, click Settings in the list of options on the left.
  • Enable or disable ABE by toggling Enable access-based enumeration.
  • Click OK to save your changes.
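The same setting can be audited and applied from PowerShell, which is handy when you need to check every share on a server rather than one at a time. This is an added example, not code from the original article or from any Lepide product; it assumes the SmbShare module (Windows Server 2012 or later) and local administrator rights, and the share name 'Finance' in the commented usage line is a placeholder.

```powershell
# Added example (not from the original article): report which SMB shares on this
# server have Access-Based Enumeration enabled, and optionally enable it on
# selected shares. Administrative (Special) shares such as C$ are skipped,
# matching the default described in the article.
# Assumes the SmbShare module (Windows Server 2012+) and local admin rights.

function Get-AbeStatus {
    # One object per non-administrative share, with its current ABE state.
    # FolderEnumerationMode is 'AccessBased' when ABE is on, 'Unrestricted' when off.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        [pscustomobject]@{
            Name       = $_.Name
            Path       = $_.Path
            AbeEnabled = ($_.FolderEnumerationMode -eq 'AccessBased')
        }
    }
}

function Enable-Abe {
    param(
        [Parameter(Mandatory)][string[]]$ShareName
    )
    foreach ($name in $ShareName) {
        $share = Get-SmbShare -Name $name -ErrorAction Stop
        if ($share.Special) {
            Write-Warning "Skipping administrative share $name"
            continue
        }
        # FolderEnumerationMode corresponds to the 'Enable access-based
        # enumeration' checkbox in the Server Manager share properties.
        Set-SmbShare -Name $name -FolderEnumerationMode AccessBased -Force
    }
}

# List the shares that still have ABE off so they can be reviewed (and
# performance-tested, as the article advises) before anything is changed.
Get-AbeStatus | Where-Object { -not $_.AbeEnabled } | Format-Table -AutoSize

# Enable ABE on a specific share once testing is done ('Finance' is a placeholder):
# Enable-Abe -ShareName 'Finance'
```

Remember that this only changes what users can see in the share listing; the NTFS and share ACLs remain what actually controls access.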

While a useful addition to Windows Server, ABE isn’t a security feature because it doesn’t stop users from accessing files and folders; that is the job of access control lists (ACLs), so you shouldn’t rely on ABE alone to protect sensitive information. To get better insight into how your file servers are being used, Lepide File Server Audit provides detailed auditing of Windows file servers, with reports showing how files are being accessed and modified, including permissions, and the ability to set up real-time alerts.


Lepide® is a Registered Trademarks of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All Trademarks Acknowledged.