ABE (Access Based Enumeration) WSE2012

Posted on 2014-08-21
Last Modified: 2014-08-23

I have turned on the ABE on a shared folder.
Unfortunately, despite removing the selected user for the security & sharing permissions, the share is still visible to those who shouldn t see it?

Any ideas why?

Question by:defrey
    LVL 23

    Expert Comment

    As far as my understanding goes ABE only works on NTFS permissions not on share permissions. If you don't want users to see a specific share share it hidden (using the $ sign at the end of the share name).

    Also, normally, in basic NTFS security setting, the everyone group has full control on share level (or read/write) and permissions are set on NTFS level, meaning they are able to see the share.
    LVL 8

    Accepted Solution

    Hi defrey,
    ABE is not belonging to the sharing permissions. Only to the NTFS Security.

    Here an example:

    We have a share on a server : \\srv-file01\SHARE
    This share contains some folders

    I apply ABE on \\srv-file01\SHARE and set NTFS permission on each subfolder (USER1 for FOLDER1, USER2 for FOLDER2, ...)

    I log in a client with USER1 and browse \\srv-file01\
    I see  \\srv-file01\SHARE. I enter it and I see only FOLDER1

    Now I share FOLDER3 with everyone full control on share permission.
    I log with USER1 and browse \\srv-file01\
    Now I see 2 shares : \\srv-file01\SHARE and \\srv-file01\FOLDER3
    If I enter in SHARE, I always see only FOLDER1
    If I try to enter in FOLDER3, I have an access denied.

    Now I share FOLDER3 with only administrator full control on share permission.
    I log with USER1 and its the same as previous.

    So we can conclude that Share Permission doesn't have any effects on ABE.
    You can hide a share with ABE if you apply ABE on a top share but the share can still been viewed when browsing the server.
    If you want to hide this sub-share from browsing the server, use SUBSHARE$

    Hope this makes it clear what to do to solve
    LVL 1

    Author Comment

    Wow, thank you so much!

    What do you mean by subshare$?
    LVL 8

    Expert Comment

    That means you should share the subfolders with the $. With that you can remove them from browsing the server view.
    LVL 1

    Author Comment

    Hmmmm not sure if I understand that correctly. Could you please show me an example? Thanks
    LVL 1

    Author Comment

    got it! : - )

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Better Security Awareness With Threat Intelligence

    See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

    My GPO's made for 2008 R2 servers were not allowing me to RDP into a new 2012 server by default.  That’s why I tried to allow RDP via Powershell, because I could log into a remote shell without further configuration. Below I will describe how I wen…
    Recently, I was assigned the task of performing a hardware refresh in the datacenter. The previous Windows 2008 systems were connected to the SAN via fiber channel HBA’s and among other thing, had PowerPath installed in order to provide sufficient f…
    In this Micro Tutorial viewers will learn how to use Windows Server Backup to create full image of their system. Tutorial shows how to install Windows Server Backup Feature on Windows 2012R2 and how to configure scheduled Bare Metal Recovery backup.…
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

    758 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    10 Experts available now in Live!

    Get 1:1 Help Now