Access-based Enumeration (ABE) allows objects (files, folders) on a shared resource to be hidden from users who do not have permission to access those objects. Access-based Enumeration was designed to cut the grapevine before it can even grow.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related Windows servers queries.
Here, let us see how to configure and use ABE in various Windows versions.
How does access to shared folders work in Windows?
By enabling ABE on a shared folder, we can ensure that different users see a different list of folders and files in the same network share based on the user’s individual access permissions (ACL).
Let us see how the interaction between the client and the server occurs when a shared folder is accessed over SMB:
According to this scheme, the server first shows the entire contents of the folder to the user.
Then, when the user tries to open a specific file or folder, the NTFS permissions are checked.
If we need to hide a shared folder from a user, we have to add a $ symbol at the end of the share name.
We can manage ABE from the command prompt (abecmd.exe utility), from the GUI, from PowerShell, or via a special API.
Access-based Enumeration on Windows does not work in the following cases:
To enable Access-based Enumeration for a certain folder in Windows Server 2008/2008 R2, follow the steps given below:
To enable ABE in Windows Server 2012, follow the steps given below:
In Windows Server 2003 (no longer supported), ABE has been supported since Service Pack 1.
To enable Access-based Enumeration in Windows Server 2003 SP1 (or later), follow the steps given below:
1. Firstly, download and install a package following this link:
https://www.microsoft.com/en-us/download/details.aspx?id=15656
2. Then, during installation, we have to specify whether ABE will be enabled for all shared folders on the server or whether we will configure it manually per share. If we choose the second option, a new tab, Access-based Enumeration, will appear in the network share properties after the installation.
3. Finally, to activate ABE for a certain folder, check the option "Enable access-based enumeration on this shared folder" in its properties.
We can manage Access-based Enumeration settings from the command prompt using the Abecmd.exe utility.
This tool is part of the Access-based Enumeration package for Windows Server 2003 SP1.
Abecmd.exe allows activating ABE for all shares at once or only for selected ones. The next command enables Access-Based Enumeration for all shares:
abecmd /enable /all
This one is for a certain folder (for example, a network shared folder with the name Docs):
abecmd /enable Docs
We can use the SMBShare PowerShell module (installed by default in Windows 10/8.1 and Windows Server 2016/2012 R2) to manage the settings of Access Based Enumeration for specific folders.
To list the properties of a specific shared folder:
Get-SmbShare Install | fl
Note the value of the FolderEnumerationMode attribute. In our case, its value is Unrestricted, which means that ABE is disabled for this folder.
Then, we can check the status of ABE for all shared folders of the server:
Get-SmbShare | Select-Object Name,FolderEnumerationMode
To enable ABE for a specific folder:
Get-SmbShare Install | Set-SmbShare -FolderEnumerationMode AccessBased
We can enable Access Based Enumeration for all published network folders (including administrative shares ADMIN$, C$, E$, IPC$,…) by running the command:
Get-SmbShare | Set-SmbShare -FolderEnumerationMode AccessBased
To disable ABE use the command:
Get-SmbShare Install | Set-SmbShare -FolderEnumerationMode Unrestricted
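The commands above combined into one audit-and-enable script (an added example, not part of the original article): it reports the FolderEnumerationMode of every share, switches only the non-administrative shares to AccessBased, and verifies the result. The $DryRun variable and the use of the Special property to skip ADMIN$, C$, IPC$ and similar shares are my own assumptions about what an administrator would want.

```powershell
# Added example (not from the original article): audit FolderEnumerationMode on every SMB share
# and switch the non-administrative ones to AccessBased.

# 1. Report the current state of every share.
#    Special is True for administrative shares (ADMIN$, C$, IPC$, ...), which we leave untouched.
Get-SmbShare |
    Select-Object Name, Path, Special, FolderEnumerationMode |
    Sort-Object Name |
    Format-Table -AutoSize

# 2. Enable ABE only on user-facing shares that are still Unrestricted.
#    $DryRun = $true passes -WhatIf, so the changes are only displayed; set it to $false to apply them.
$DryRun  = $true
$targets = Get-SmbShare | Where-Object {
    -not $_.Special -and $_.FolderEnumerationMode -ne 'AccessBased'
}

foreach ($share in $targets) {
    # -Force suppresses the per-share confirmation prompt raised by Set-SmbShare
    Set-SmbShare -Name $share.Name -FolderEnumerationMode AccessBased -Force -WhatIf:$DryRun
}

# 3. Verify: every non-administrative share should now report AccessBased.
Get-SmbShare |
    Where-Object { -not $_.Special -and $_.FolderEnumerationMode -ne 'AccessBased' } |
    ForEach-Object { Write-Warning "ABE still disabled on share '$($_.Name)' ($($_.Path))" }
```

ABE only filters the directory listing; whether a user can actually open an entry is still decided by the NTFS permissions on the folder, so those should be reviewed alongside this setting.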
In Windows 10 (Server 2016) and Windows 8.1 (Server 2012R2), we can use PowerShell to manage Access-based Enumeration.
In older versions of Windows, we need to install the latest version of PowerShell (>= 5.0) or use the abecmd.exe utility from the Windows Server 2003 package; it works fine on client OSs.
Since the Windows Server 2003 Access-based Enumeration package cannot be installed on Windows 10, 8.1 or 7, we have to install it on Windows Server 2003 first and then copy the utility from the C:\windows\system32 directory to the same folder on the client. After that, we can enable ABE.
We can enable ABE in DFS using DFS Management or dfsutil.exe:
dfsutil property abde enable \\namespace_root
In addition, we can enable ABE on computers in the AD domain using a GPO. This can be done with Group Policy Preferences (GPP) in the section:
Computer Configuration -> Preferences -> Windows Settings -> Network Shares
In the properties of the network share there is an Access-Based Enumeration option; if we set it to Enable, ABE mode will be enabled for all shared folders created using this GPO.
This article covers how to enable ABE on Windows Server. By default, when a user opens a shared network folder, SMB displays the full list of files and folders in it. Of course, this happens only if the user has permission to access the share. Access Based Enumeration (ABE) allows hiding specific files and folders from a user who does not have access permission to them.
Access Based Enumeration has been available on the Windows platform since Windows Server 2003 SP1, and helps to prevent users from seeing files and folders they cannot access.
ABE is enabled for each folder individually. To configure ABE, open the Server Manager console and select the File and Storage Services role.
Main ABE features:
1. ABE controls only the list of the contents in a shared folder. It does not hide the list of shared folders from users. Therefore, when a user connects to the server, they will see all shared folders. If you need to create a hidden share, you can simply add the character $ to its name, for example, ShareName$;
2. ABE doesn't work when the user is logged on locally or connects via RDP;
3. Members of the local Administrators group always see the full list of the folder contents.