Utility Spotlight Access-Based Enumeration
James D. Silliman


As a systems administrator, you've probably had users complain that they can't access certain folders they see in Windows® Explorer. The cause is often simple: the user doesn't have permission to open those resources. That's probably as it should be, but the result is often a frustrated user.
This is a problem that shouldn't exist—you should be able to hide shares the user doesn't have permission to access. Since the release of an add-in called Access-Based Enumeration (ABE) for Windows Server® 2003 (SP1), you can do just that.
ABE also provides better security by preventing users from navigating folders that might contain confidential information and provides increased productivity by directing users to the information they need and filtering out what's irrelevant. Plus you'll receive fewer support calls when users can't try to access files for which they don't have permissions.

How ABE Works
How does ABE perform its magic? Every file share has flags that control its visibility. Windows Server 2003 SP1 includes a new flag called ENFORCE_NAMESPACE_ACCESS, located within the flags of the share's SHARE_INFO_1005 structure. When the flag is set, users see files and folders under a share only if they have proper NTFS rights. (By the way, this process is completely independent of and different from the Hidden File attribute.)
The installation of ABE is straightforward. After downloading and launching the ABEUI.msi file on the target machine running Windows Server 2003 SP1, you'll be presented with a dialog that lets you choose to enable Windows Server 2003 Access-based Enumeration either on all existing shared folders on this computer or manually on individual shared folders. Enabling ABE on individual shared folders is the default during installation. If you choose the default route you'll have to access the server console and enable individual shares one by one. To do so, after the installation completes, navigate to the server shares where filtering is desired. You'll notice a new tab has been added to the properties dialog of a shared folder in Windows Explorer (see Figure 1). You can choose the global or individual ABE setting here and it will be applied to the folder in question.
Figure 1 Choosing ABE Settings 
It would be a good idea to test the server-wide, global setting in a lab environment first, or after hours. At a minimum, make sure all your data is backed up before you start. However, enabling ABE on one network share is really simple.
If you want to enable ABE through Group Policy so you can manage it globally on many servers at once, there are a number of third-party extensions that enable this functionality.
There are three different versions of ABE, for the x86, x64, and ia64 platforms. You can choose either a graphical or command-line interface, plus there is a Windows API for customizing it further. Downloads for all versions of ABE are available at the Microsoft® Download URL that I mentioned earlier. For detailed information on ABE, read abewhitepaper.doc, which is included with the download.
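The following script is an added example, not part of the original article or the ABE download. It audits which file shares on a server still have access-based enumeration turned off and enables it share by share. It assumes Windows Server 2012 or later, where the built-in SmbShare cmdlets expose the per-share setting as FolderEnumerationMode; the function names Get-AbeStatus and Enable-Abe are hypothetical.

```powershell
# Added example: audit and enable Access-Based Enumeration (ABE) per share.
# Assumption: Windows Server 2012 or later with the SmbShare module,
# not the ABEUI.msi add-in for Windows Server 2003 SP1 described above.

function Get-AbeStatus {
    # -Special $false skips built-in shares such as ADMIN$, C$ and IPC$.
    Get-SmbShare -Special $false |
        Where-Object { $_.ShareType -eq 'FileSystemDirectory' } |
        Select-Object Name, Path,
            @{ Name = 'AbeEnabled'
               Expression = { $_.FolderEnumerationMode -eq 'AccessBased' } }
}

function Enable-Abe {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$Name
    )
    process {
        if ($PSCmdlet.ShouldProcess($Name, 'Enable access-based enumeration')) {
            # ABE only filters what is listed; NTFS ACLs still decide access.
            Set-SmbShare -Name $Name -FolderEnumerationMode AccessBased -Force
        }
    }
}

# Report shares that still list every folder to every user.
Get-AbeStatus | Where-Object { -not $_.AbeEnabled } | Format-Table -AutoSize

# Preview the change first; remove -WhatIf to apply it.
Get-AbeStatus | Where-Object { -not $_.AbeEnabled } | Enable-Abe -WhatIf
```

Because ABE changes only what a user sees in a listing, review the NTFS permissions on each share before relying on the AbeEnabled column as a security control.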

James D. Silliman, a Senior Systems Engineer at DirectApps, specializes in terminal server deployments. DirectApps architects .NET solutions for small to medium businesses, and is an Application Service Provider. He holds an MA from Colorado University. All he really needs to know about PCs he learned from Erector sets. You can reach him at jsilliman@ieee.org.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.