Utility Spotlight Access-Based Enumeration
James D. Silliman


As a systems administrator, you've probably had users complain that they can't access certain folders they see in Windows® Explorer. The cause is often simple: the user doesn't have permission to open those resources. That's probably as it should be, but the result is often a frustrated user.
This is a problem that shouldn't exist—you should be able to hide shares the user doesn't have permission to access. Since the release of an add-in called Access-Based Enumeration (ABE) for Windows Server® 2003 (SP1), you can do just that.
ABE also provides better security by preventing users from navigating folders that might contain confidential information and provides increased productivity by directing users to the information they need and filtering out what's irrelevant. Plus you'll receive fewer support calls when users can't try to access files for which they don't have permissions.

How ABE Works
How does ABE perform its magic? Every file share has flags that control its visibility. Windows Server 2003 SP1 includes a new flag called ENFORCE_NAMESPACE_ACCESS, located within the SHARE_INFO_1005 flag. When the flag is set, users see files and folders under a share only if they have proper NTFS rights. (By the way, this process is completely independent of and different from the Hidden File attribute.)
The installation of ABE is straightforward. After downloading and launching the ABEUI.msi file on the target machine running Windows Server 2003 SP1, you'll be presented with a dialog that lets you choose to enable Windows Server 2003 Access-based Enumeration either on all existing shared folders on this computer or manually on individual shared folders. Enabling ABE on individual shared folders is the default during installation. If you choose the default route you'll have to access the server console and enable individual shares one by one. To do so, after the installation completes, navigate to the server shares where filtering is desired. You'll notice a new tab has been added to the properties dialog of a shared folder in Windows Explorer (see Figure 1). You can choose the global or individual ABE setting here and it will be applied to the folder in question.
Figure 1 Choosing ABE Settings 
It would be a good idea to test the server-wide, global setting in a lab environment first, or after hours. At a minimum, make sure all your data is backed up before you start. However, enabling ABE on one network share is really simple.
If you want to enable ABE through Group Policy so you can manage it globally on many servers at once, there are a number of third-party extensions that enable this functionality.
There are three different versions of ABE, for the x86, x64, and ia64 platforms. You can choose either a graphical or command-line interface, plus there is a Windows API for customizing it further. Downloads for all versions of ABE are available at the Microsoft® Download URL that I mentioned earlier. For detailed information on ABE, read abewhitepaper.doc, which is included with the download.
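The share flag described under "How ABE Works" can be read and set through the Windows API; the following PowerShell is an added example, not code from the article or the ABE download. It assumes the flag is bit 0x0800 of the `shi1005_flags` field (named `SHI1005_FLAGS_ACCESS_BASED_DIRECTORY_ENUM` in the SDK header lmshare.h); the `AbeShare` class and the share name `Projects` are hypothetical.

```powershell
# Added example: audit the level-1005 share flags on local disk shares.
Add-Type -TypeDefinition @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class AbeShare {
    // Assumption: bit 0x0800 of shi1005_flags is the flag the article
    // calls ENFORCE_NAMESPACE_ACCESS.
    public const uint AbeBit = 0x0800;

    [StructLayout(LayoutKind.Sequential)]
    struct SHARE_INFO_1005 { public uint shi1005_flags; }

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    static extern int NetShareGetInfo(string server, string share, int level, out IntPtr buf);
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    static extern int NetShareSetInfo(string server, string share, int level,
                                      ref SHARE_INFO_1005 buf, out int parmErr);
    [DllImport("netapi32.dll")]
    static extern int NetApiBufferFree(IntPtr buf);

    // Read the level-1005 flags of a share on the local server (server = null).
    public static uint GetFlags(string share) {
        IntPtr buf;
        int rc = NetShareGetInfo(null, share, 1005, out buf);
        if (rc != 0) throw new Win32Exception(rc);
        try { return (uint)Marshal.ReadInt32(buf); }
        finally { NetApiBufferFree(buf); }
    }

    // Set the ABE bit while keeping every other flag the share already has.
    public static void Enable(string share) {
        SHARE_INFO_1005 info;
        info.shi1005_flags = GetFlags(share) | AbeBit;
        int parmErr;
        int rc = NetShareSetInfo(null, share, 1005, ref info, out parmErr);
        if (rc != 0) throw new Win32Exception(rc);
    }
}
'@

# Type 0 = ordinary disk share; admin shares (C$, ADMIN$) and IPC$ are skipped.
Get-CimInstance Win32_Share | Where-Object { $_.Type -eq 0 } | ForEach-Object {
    $flags = [AbeShare]::GetFlags($_.Name)
    [pscustomobject]@{ Share = $_.Name; Path = $_.Path
                       ABE = [bool]($flags -band [AbeShare]::AbeBit) }
}
# To turn it on for one share: [AbeShare]::Enable('Projects')   # placeholder name
```

Run it from an elevated prompt on the file server; shares reported with `ABE = False` still list folders the caller cannot open.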

James D. Silliman, a Senior Systems Engineer at DirectApps, specializes in terminal server deployments. DirectApps architects .NET solutions for small to medium businesses, and is an Application Service Provider. He holds an MA from Colorado University. All he really needs to know about PCs he learned from Erector sets. You can reach him at jsilliman@ieee.org.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.