Solved

Access Based Enumeration (ABE) Wont Work

Posted on 2010-08-17
11
2,694 Views
Last Modified: 2012-08-14
Hi All,

I'm trying to implement access based enumeration on our server (2008) to make things a little simpler for our users

Basically every user has a shared folder and there is also a public share that is available to all users

i need to get it to the point where each user sees only 2 shares "Their own" and the "public volume"

in "Shares and Storage management" ive enabled ABE on every share (most were enabled by default)

ive also set the "share" permissions but not the "ntfs" permissions (no user will ever access the server from console)

but every user can still see everybodys share, even though they cannot access them

Have i missed something????
0
Comment
Question by:Chrissalter
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 3
11 Comments
 
LVL 4

Expert Comment

by:ericnils
ID: 33455842
I'm not sure about 2008, but under 2003 you had to issue this command every time you made a change to a drive or share.  I have this in a batch file on our file server cluster because it has to run every time we switch nodes:

abecmd /enable /server . /all
pause
0
 
LVL 7

Author Comment

by:Chrissalter
ID: 33455971
its not recognising the command

"'abecmd' is not recognized as an internal or external command"
0
 
LVL 7

Author Comment

by:Chrissalter
ID: 33456518
I'm either really missing something or ABE doesnt work at all

just tried it on a win 2k3 server and it doesnt work on that either, can still see every shared folder

can anybody actually verify that "ABE" can work??? i'm losing faith.....
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 84

Expert Comment

by:oBdA
ID: 33456719
You'll never get this to work with *share* permissions; how could you? If access is controlled by share permissions only, and the user has to have permissions to connect to the share to start with, how could there be folders to which he does NOT have permissions?
Set *share* permissions to Everyone:Full (there is no security gain in using both share and NTFS permissions), and control access with NTFS.
Share permissions are a leftover from OSs and file systems without access control, to provide a bare minimum of access control. Compare the access options you get in share permissions to those available in NTFS.
0
 
LVL 4

Expert Comment

by:ericnils
ID: 33456745
For windows 2003 I can verify it does work, but it is not included with the OS by default.  You have to download it here:
http://www.microsoft.com/downloads/details.aspx?FamilyId=04A563D9-78D9-4342-A485-B030AC442084&displaylang=en

For 2008 it looks like it is included and activated by default, but it doesn't work with DFS without configuration.  If you are using DFS take a look at this article:

http://support.microsoft.com/kb/961658
0
 
LVL 4

Expert Comment

by:ericnils
ID: 33456770
oBdA is right.  ABE filters viewing of folders within shares based on NTFS permissions, not the shares themselves.  Everyone will still see all root shares even if they can't access them unless they are hidden shares.  Then no one will see them by browsing.
0
 
LVL 7

Author Comment

by:Chrissalter
ID: 33457445
Thankyou, will give it a shot and report back
0
 
LVL 7

Author Comment

by:Chrissalter
ID: 33457633
Have tried setting the security permissions to the point where the user is the only account with access and also the owner

but its still showing up in the shared folder list

might sound a little clueless but just to elaborate "NTFS Permissions" are the ones on the tab labeled "Security"?
0
 
LVL 84

Accepted Solution

by:
oBdA earned 500 total points
ID: 33457710
Just in case: you can NOT test ABE with an account that has Administrator permissions on the host server. ABE is not applied to Administrators ever.
That said: what exactly do you mean with "still showing up in shared folder list"?  ABE hides only the directory listings, NOT any shares seen through the network with "net view \\server" or Explorer or whatever.
If you want to hide the shares, you need to add a $ at the end of the share name (and connect accordingly to \\server\share$).
0
 
LVL 7

Author Closing Comment

by:Chrissalter
ID: 33457774
I was under the impression that abe made \\server\share invisible, should have done my homework before tinkering, thankyou for the help
0
 
LVL 84

Expert Comment

by:oBdA
ID: 33457847
Please note that hiding a share by adding a $ is NO SECURITY MEASURE. The "$" tells the CLIENT(!) software, not the server, to "please, if you feel like it," not show this share. The share itself will remain visible for all kinds of tools, it's just hidden in Explorer or "net view".
0

Featured Post

Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How are passwords stored in Active Directory 25 306
rds question 5 58
another domain controller shut down question 2 45
msiexec won't run 4 33
If you migrate a Terminal Server licenses server inside the 2008 server family, you can takte advantage of the build-in migration tool. If you like to migrate an older 2003 Server (and the installed client CALs) to a 2008 R2 server for example, you …
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question