Lepide Blog: A Guide to IT Security, Compliance and IT Operations

What is Access Based Enumeration (ABE) & How to Enable It?


What is Access Based Enumeration (ABE)?

ABE was first provided as a separate add-on for Windows Server 2003 and became a standard, integrated feature named ‘Access Based Enumeration’ in Windows Server 2008; it extends the set of tools system administrators can use to secure data on file servers. It is especially helpful where folder names themselves reveal information, or where you need to keep the location of certain data hidden. It can also improve the user experience by presenting a cleaner view of the folder hierarchy.

It is worth noting that ABE applies only to shared folders; it does not operate on local file browsing. Shares created using the File Sharing feature in Windows Explorer are ABE-enabled by default, whereas shares created by other means are not. By design, most administrative shares, such as C$ and shared volumes, are not ABE-enabled.

Because ABE filters out the files and folders a user is not authorized to see every time a directory is enumerated, it can add CPU load on the server, so Microsoft advises enabling ABE only where necessary. ABE can also be enabled on Distributed File System (DFS) domain namespaces, which helps with scalability when additional computational capacity is needed.

What is the Use of Access-Based Enumeration (ABE)?

Access-based enumeration (ABE) is best suited to cases where a folder or file name itself contains sensitive information, or where the location of a file should be kept confidential. It also improves usability: the view of a folder structure is cleaner and shows only what is accessible to the current user. However, ABE is not a security control in itself; it does not deny users access to files and folders, it only hides them from end users. To protect information classified as restricted, use ABE together with access control lists (ACLs).

How to Enable Access-Based Enumeration

Access-based enumeration (ABE) can be enabled using:

  1. Server Manager
  2. PowerShell
  3. Group Policy Object (GPO)

1. Using Server Manager

Follow the steps below:

  • Log in to the server with local administrator permissions.
  • Open Server Manager using the icon on the desktop taskbar.
  • Click File and Storage Services in the list of options on the left of Server Manager.
  • Right click the share you want to manage in the list of available shares on the right, and select Properties from the menu.
  • In the Properties dialog, click Settings in the list of options on the left.
  • Enable or disable ABE by toggling Enable access-based enumeration.
  • Click OK to save your changes.

2. Using PowerShell

You can also enable ABE using PowerShell with the following command:

Set-SmbShare -Name "YourShareName" -FolderEnumerationMode AccessBased

Replace ‘YourShareName’ with the name of your shared folder.
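The following script is an added example for this article, not code from the Lepide post. It builds on the Set-SmbShare command above and on the earlier point that ABE only hides entries while ACLs do the actual access control: it reports the enumeration mode of every non-administrative share together with any broad share-level grants (Everyone, Authenticated Users), enables ABE on one share, and then shows that share's NTFS ACL so the two controls are reviewed together. It assumes a Windows Server with the SmbShare module (Server 2012 or later), a local administrator session, and that $ShareName is replaced with your own share; the function name Get-AbeShareReport is this example's own.

```powershell
# Added example for this article; not part of the Lepide post.
# Assumes: Windows Server 2012 or later with the SmbShare module, run as a local
# administrator. $ShareName is a placeholder for your own share name.
param([string]$ShareName = "YourShareName")

function Get-AbeShareReport {
    # One row per non-administrative share ($_.Special is $true for C$, IPC$ etc.):
    # the enumeration mode plus any share-level Allow grants to broad principals,
    # so that ABE is never mistaken for access control.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        $broad = Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccountName -match 'Everyone|Authenticated Users' -and
                           $_.AccessControlType -eq 'Allow' }
        [pscustomobject]@{
            Name            = $share.Name
            Path            = $share.Path
            AbeEnabled      = ($share.FolderEnumerationMode -eq 'AccessBased')
            BroadShareGrant = ($broad | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join ', '
        }
    }
}

# Before the change: shares still reporting "Unrestricted" enumerate every entry
# for every user, regardless of what the ACL allows them to open.
Get-AbeShareReport | Format-Table -AutoSize

# Enable ABE on one share (the same cmdlet the article uses) and confirm it took effect.
Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force
(Get-SmbShare -Name $ShareName).FolderEnumerationMode

# ABE hides entries; the NTFS ACL on the underlying folder is what actually denies
# access, so review it alongside the share-level grants listed above.
(Get-Acl -Path (Get-SmbShare -Name $ShareName).Path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Run it once before and once after enabling ABE: a share that shows AbeEnabled as True but still carries a broad share grant and a permissive NTFS ACL is hiding names, not protecting data, which is the situation the article warns against.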

3. Using Group Policy Object (GPO)

Steps to enable ABE via GPO:

  1. Open the Group Policy Management Console (GPMC).
  2. Create a new GPO or edit an existing one that targets the necessary computers.
  3. Navigate to Computer Configuration > Policies > Administrative Templates > Network > Offline Files.
  4. Enable the policy named ‘Configure Offline Files (ABE)’.
  5. Apply the GPO to the necessary organizational unit (OU) or domain.

Conclusion

While a useful addition to Windows Server, ABE isn’t a security feature because it doesn’t stop users from accessing files and folders; that is the job of access control lists (ACLs), so you shouldn’t rely on ABE alone to protect sensitive information. To get a better insight into how your file servers are being used, Lepide File Server Auditor provides detailed auditing of Windows file servers, with reports showing how files are being accessed and modified, including permissions, and the ability to set up real-time alerts.