Solved

Access-Based Enumeration (ABE) with Distributed File System (DFS) 2003 not working

Posted on 2010-08-30
31
1,037 Views
Last Modified: 2012-05-10
Hi all, I have a Windows Server 2003 R2 server with DFS and ABE on it. I installed ABE and set the appropriate rights on the DFS share. But when normal domain users log on they can see all the shares. I checked that the users are not members of Domain Admins. I checked that the security is set the right way.

What could be the problem?

Thank you
Question by:LeonesIT
31 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
Are you sure that the folder does not have the Domain Users group listed?
Did you enable ABE on share?
0
 

Author Comment

by:LeonesIT
Yes: no Domain users are listed on the folder. And ABE is enabled on the share.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
So, check in the advanced options of the security tab, under effective permissions for that user, whether he/she has at least read permissions.
0
 
LVL 82

Expert Comment

by:oBdA
Follow this article to hide the DFS links:
How to implement Windows Server 2003 Access-based Enumeration in a DFS environment
http://support.microsoft.com/kb/907458
0
 

Author Comment

by:LeonesIT
Nope, no read permissions for the users/group in the folder(s).
0
 

Author Comment

by:LeonesIT
It seems that ABE is not working at all.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
OK, please describe to me which steps you did.
0
 

Author Comment

by:LeonesIT
OK. I've got 2 DFS servers: DFS01 and DFS02. DFS01 was the main DFS server, and DFS02 is the DFS server where all data is copied to. Because of performance issues, DFS02 is now the main server. Everything, including ABE, was already installed, configured and working. But all of a sudden it is not anymore.

0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
Try to re-install ABE on DFS02. It should solve your problem. But before that, check the event logs; maybe there is something interesting (hints?).
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
OK, it looks like ABE was installed only on DFS01? Install it also on DFS02.
0
 

Author Comment

by:LeonesIT
It is installed on DFS02; it was installed when the server got installed.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
OK, but where are those folders stored physically (on which server, DFS02)? If so, try to re-install ABE.
0
 

Author Comment

by:LeonesIT
Found something out:

When I access the share on the DFS directly, as follows: \\DFS02\[sharename], it works: I cannot see the folders. But when I access it through the domain-based namespace, as follows: \\[domain]\[DFSnamespace], it is not working.

It seems it is a combination of DFS and ABE.
0
 

Author Comment

by:LeonesIT
Yes, the folders and files are stored physically on DFS02.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
Check folder content. It should be invisible. ABE hides shares and data within it. DFS namespaces are not affected by ABE at all.
0
 

Author Comment

by:LeonesIT
I can see the folders. But I am not able to access them. The problem is that the folders are visible.

0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
Folders are visible or DFS links?
0
 

Author Comment

by:LeonesIT
The DFS links
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
So, that's the problem. You cannot enable ABE on DFS links, only on shares.

I will try to test some configuration and I will let you know about the results in a few minutes :)
0
 

Author Comment

by:LeonesIT
Thanks.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
OK, you cannot use it for DFS links at all. I wanted to check something, but it didn't solve your problem. Only shares can be used with ABE.
0
 
LVL 82

Expert Comment

by:oBdA
You *can* hide the DFS links, provided you follow the instructions in the link I posted in http:#a33556597
You *will* need to set permissions on the (replicated) DFS *links* (not the DFS share), matching the DFS target, using the command line.
0
 

Author Comment

by:LeonesIT
oBdA, your link is not working.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
This link is for home folders, and it works fine there, because it is only one root from one share with many folders. But when you modify permissions on DFS links you will only receive access denied to that link; it won't be hidden :) You need to enable ABE on the virtual folders' shares, but I don't know how that would work :]
0
 
LVL 82

Expert Comment

by:oBdA
I can open the link just fine from this page; what exactly is the error message?
If you can access Google, search for "907458" and "Access Based Enumeration"; should be the first link showing up.
0
 

Author Comment

by:LeonesIT
Sorry, I get it. But which CACLs command should be used then for the links?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
It looks like it works, but a question: is it worth doing this? A lot of work if something changes in the environment :/

Use

cacls <foldername> /t /c /g <user>:<perm> [<user>:<perm> ...]
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
Sorry, by <foldername> I meant <DFS link name>.
0
 
LVL 82

Accepted Solution

by:oBdA (earned 500 total points)
As described in the article: "For example, make the ACL on the link the same as the ACL on the target of the link. Therefore, if \\dfs-share\users\johndoe links to a target named \\server1\share1\johndoe, make the ACL on \\dfs-share\users\johndoe the same as the ACL on \\server1\share1\johndoe."
Try the following: on the DFS root, disable inheritance, remove all non-administrative groups. Then add the group "Users" back with Read permissions, but in the Advanced permissions, change the scope to "Apply to this folder only". This can still be done in the GUI.
Create the links, wait for replication.
Then on each DFS server, run
cacls.exe "T:\he\physical\path\to\the\DFSRoot\SomeDFSLink" /e /g "SomeDomain\SomeGroupWithAccessToTheDFSLink":R
0
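An added example (not from the thread or the KB article) that automates the accepted answer's step and gives you a way to check it afterwards: for each DFS link folder under the physical DFS root, it compares the link folder's explicit ACL with the ACL of its target, and where they differ it breaks inheritance from the root and mirrors the target's entries onto the link folder, so ABE on the root share hides links the user cannot read. The root path and the link-to-target map are hypothetical; run it on each DFS root server as an administrator.

```powershell
# Added example: audit and mirror DFS link folder ACLs against their targets (KB 907458 approach).
$DfsRootPath = 'D:\DFSRoots\Public'      # physical folder backing the DFS root share (assumed)
$LinkTargets = @{                        # DFS link folder name -> its target UNC (assumed)
    'Finance' = '\\FS01\Finance$'
    'HR'      = '\\FS01\HR$'
}

# Identity|rights|allow-or-deny keys; the target's explicit AND inherited entries are what
# must appear as EXPLICIT entries on the link folder for ABE to evaluate them there.
function Get-AceKeys([System.Security.AccessControl.FileSystemSecurity]$Acl, [bool]$IncludeInherited) {
    $Acl.GetAccessRules($true, $IncludeInherited, [System.Security.Principal.NTAccount]) |
        ForEach-Object { '{0}|{1}|{2}' -f $_.IdentityReference, [int]$_.FileSystemRights, $_.AccessControlType }
}

# Returns the differences (empty output means the link already mirrors its target).
function Test-DfsLinkAcl([string]$LinkPath, [string]$TargetPath) {
    $want = Get-AceKeys (Get-Acl -Path $TargetPath) $true
    $have = Get-AceKeys (Get-Acl -Path $LinkPath)   $false
    Compare-Object -ReferenceObject @($want) -DifferenceObject @($have)
}

function Sync-DfsLinkAcl([string]$LinkPath, [string]$TargetPath) {
    $linkAcl = Get-Acl -Path $LinkPath
    # Stop inheriting from the DFS root and do NOT keep copies of the root's entries, so the
    # root's "Users: Read, this folder only" ACE is not what makes the link visible.
    $linkAcl.SetAccessRuleProtection($true, $false)
    foreach ($old in $linkAcl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])) {
        [void]$linkAcl.RemoveAccessRule($old)
    }
    # Rule objects are not bound to a path; adding them here creates explicit ACEs on the link.
    foreach ($rule in (Get-Acl -Path $TargetPath).Access) {
        $linkAcl.AddAccessRule($rule)
    }
    Set-Acl -Path $LinkPath -AclObject $linkAcl
}

foreach ($name in $LinkTargets.Keys) {
    $link   = Join-Path $DfsRootPath $name
    $target = $LinkTargets[$name]
    if (Test-DfsLinkAcl $link $target) {
        Write-Host "$link drifted from $target; mirroring ACL"
        Sync-DfsLinkAcl $link $target
    }
}
```

The root folder still needs the "Users: Read, this folder only" entry from the accepted answer so users can list the root at all; run the audit again after replication to confirm the link folders on every root server report no differences.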
 

Author Closing Comment

by:LeonesIT
Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
Remember to document this action for future troubleshooting. You won't remember in a few months that you did something like that :)
0
