ABE


Enabling Access-based Enumeration

Would you like your users to be able to see only the files and folders they actually have access to? Then ABE (access-based enumeration) is for you! Before we jump in, however, there are a few things you need to have set up first.

VERY IMPORTANT: “Sharing” is a separate thing from Permissions (commonly called NTFS permissions, after the New Technology File System introduced with Windows NT). Sharing determines who has Read, Change, or Full Control over the contents of a Share. Permissions are far more granular, and can be set on individual files and folders within a Share. Windows applies the idea of “most restrictive permissions”: the effective access is whichever of the two is more restrictive. Without an EXPLICIT Permission set, even users and groups with “Full Control” on the Share will be unable to access it. It is “best practice” to give Full Control on the Share, and then allow specific types of access with Permissions. For example, “Share Full Control” combined with “NTFS Read” will only result in Read.

First, you need to have your users sorted into the proper security groups for your overall organization. In this scenario, we are using five different AD Organizations for our fictional ACME Company, and have a total of 16 Security Groups. Your mileage may vary.


The back-end

Organizations

  • HR
  • Marketing
  • Accounting
  • Engineering
  • Corp


Our Security Groups (group name: description):

  • HR RW: HR read write
  • HR Training: Required training
  • ACCT RW: Accounting Read Write
  • ACCT Corp: Corporate Accounting
  • ACCT HR: HR Accounting
  • ACCT Marketing: Marketing Accounting
  • ACCT ENG: Engineering Accounting
  • ENG: Engineering
  • ENG Managers: Engineering Managers
  • Marketing: Marketing
  • Marketing Managers: Marketing Managers
  • Sales: Marketing Sales
  • PR: Marketing PR
  • Public RW: Public Read Write
  • Public RO: Public Read Only
  • Audit All RO: External auditing read only


Inclusive Security Groups

Certain groups are also made members of other groups. This is so a user, such as a supervisor, doesn’t need to be added into both the base group AND the Manager group:

ACCT Manager

ACCT Corp

ENG Managers

ENG

ACCT ENG

ACCT ENG

ACCT HR

ACCT Marketing

Marketing Managers

Marketing

ACCT RW

ACCT Marketing

PR

Sales


Folder Structure

Next up is the folder structure. Each Organization has their own Share, with folders underneath:

HR

Training

Accounting

Budget

Corporate

Training working

HR

Testing

Marketing

Insurance

Engineering

Statements

Engineering

Visio

Drawings

Marketing

Sales

Finalized

PR

Meetings

Public


Access Permissions

In this scenario, we want specific groups to have access to certain folders:

Share        Folder         Access   Group
HR           (share root)   Full     HR RW
HR           \Training      Read     All domain users
HR           \Insurance     Read     ACCT Corp
Accounting   (share root)   Full     ACCT Managers
Accounting   (share root)   Read     Audit All RO
Accounting   \Budget        (no entry of its own)
Accounting   \Corporate     Full     ACCT Corp
Accounting   \HR            Full     ACCT HR
Accounting   \Marketing     Full     ACCT Marketing
Accounting   \Engineering   Full     ACCT ENG
Accounting   \Statements    Full     ACCT RW
Accounting   \Statements    Read     ACCT Corp
Engineering  (share root)   Full     ENG
Engineering  \Visio         (no entry of its own)
Engineering  \Drawings      (no entry of its own)
Engineering  \Finalized     Read     Sales
Engineering  \Finalized     Read     Marketing
Marketing    (share root)   Full     Marketing Management
Marketing    \Sales         Full     Sales
Marketing    \Sales         Read     PR
Marketing    \Sales         Read     ENG Management
Marketing    \PR            Full     PR
Marketing    \PR            Read     Sales
Marketing    \Meetings      Read     PR
Marketing    \Meetings      Full     Sales

This scenario assumes you already have this set up to something resembling the above. Now, down to the actual ABE implementation:


Implementation:

Per top-level Share

  • In Server Manager, go into ‘File and Storage Services’, select ‘Shares’.
  • Go down to the share, and right-click into Properties.
  • Go to ‘Settings’, ensure ‘Enable access-based enumeration’ is checked.
  • You must do this for EACH SHARE you want ABE on.
  • Now, go into File Explorer.
  • Go to the share’s top directory (like HR) and bring up Properties.
  • Go to the Sharing Tab, and click “Advanced Sharing”.
  • Next click Permissions. Make sure you have “Everyone” with ‘Full Control’. Without this, no one will be able to access anything in the share. You will be further restricting access after this.
  • Click OK until you're back at the ‘Main Properties’ window.
  • Next, click on the ‘Security’ tab, and click “Advanced”. This will bring up the “Advanced Security Settings”, the meat of how we allow users into the folders.
  • First, click “Disable inheritance”, and choose “Convert inherited permissions…”
  • Next, remove any entries that contain ‘Users’ (like Server\Users).
  • Next, click Add.
  • Click the link ‘Select a principal’
  • Enter the name of the Security Group you want to give access to, click ‘Check Names’, select the right group, and click OK.



TO GIVE READ/WRITE:

  • Check-box “Modify”. This will also auto-check “Write”.
  • Click OK.



TO GIVE READ-ONLY:

  • Check-box “Read and execute”, “List folder contents”, and “Read”
  • Normally, these are already checked by default.
  • Click OK.
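The per-share steps above (enable ABE, Everyone Full Control on the share, convert inherited NTFS permissions, drop the broad Users entry, then grant Modify for read/write groups and Read & execute for read-only groups), scripted as an added example that is not part of the original page. It assumes the shares are already created under D:\Shares and that the security groups live in a domain called ACME; both are assumptions.

```powershell
# Added example, not from the original page. Assumptions: shares exist under
# D:\Shares and the security groups are in the ACME domain.
$Domain = 'ACME'
$Shares = @{
    'HR'          = @{ Path = 'D:\Shares\HR';          Modify = @('HR RW');                ReadOnly = @() }
    'Accounting'  = @{ Path = 'D:\Shares\Accounting';  Modify = @('ACCT Managers');        ReadOnly = @('Audit All RO') }
    'Engineering' = @{ Path = 'D:\Shares\Engineering'; Modify = @('ENG');                  ReadOnly = @() }
    'Marketing'   = @{ Path = 'D:\Shares\Marketing';   Modify = @('Marketing Management'); ReadOnly = @() }
}

foreach ($name in $Shares.Keys) {
    $s = $Shares[$name]

    # ABE is a per-share setting: it has to be turned on for EACH share.
    Set-SmbShare -Name $name -FolderEnumerationMode AccessBased -Force

    # Share permission: Everyone / Full Control. The real restriction is done
    # with NTFS permissions, because Windows applies the more restrictive of the two.
    Grant-SmbShareAccess -Name $name -AccountName 'Everyone' -AccessRight Full -Force

    # "Disable inheritance" + "Convert inherited permissions" = /inheritance:d,
    # then remove the broad BUILTIN\Users entry so only the listed groups remain.
    icacls $s.Path /inheritance:d | Out-Null
    icacls $s.Path /remove:g 'BUILTIN\Users' | Out-Null

    # Read/write groups get Modify (M); read-only groups get Read & execute (RX).
    # (OI)(CI) = "This folder, subfolders and files", the GUI default.
    foreach ($g in $s.Modify)   { icacls $s.Path /grant "${Domain}\${g}:(OI)(CI)M"  | Out-Null }
    foreach ($g in $s.ReadOnly) { icacls $s.Path /grant "${Domain}\${g}:(OI)(CI)RX" | Out-Null }
}

# Check: every share should report AccessBased, and each share root should
# list only the intended groups (plus SYSTEM/Administrators from the conversion).
Get-SmbShare -Name @($Shares.Keys) | Select-Object Name, Path, FolderEnumerationMode
foreach ($name in $Shares.Keys) { icacls $Shares[$name].Path }
```

Run it in an elevated PowerShell session on the file server; the final two commands are the check that ABE is actually on for each share and that no stray Users entry survived.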


Sub-subfolder access

Now, here is the fancy trick. If you want a user to be able to get to an underlying folder, but not see ANYTHING but that lower folder, you need to make multiple changes. For example, we are giving all users access to the required training materials that are under HR\Training, but we don’t want them to even see anything else in HR.

In the HR folder:

  • Part I, allow users to see only folders
    • Add HR Training.
    • In ‘Applies to’, choose “This folder only”.
    • Click “Show advanced permissions”
    • Select “List folder / read data”, “Read attributes”, “Read permissions”, and “Read extended attributes”
    • Click OK
  • Part II, remove their ability to see any files:
    • Add another HR Training permission
    • In “Applies to”, choose “Files only”
    • Click “Show advanced permissions”
    • Only select “Read attributes”, “Read permissions”, and “Read extended attributes”
    • Click OK
  • Part III, give permission to see the Training folder
    • Bring up the “Advanced Security Properties” of the Training Folder.
    • Click “Disable inheritance”, and choose “Convert inherited permissions…”
    • Add HR Training.
    • Check-box “Read and execute”, “List folder contents”, and “Read”
    • Click OK
    • Now click apply.


When a non-HR user goes into HR, they will now ONLY see the Training folder. Once in there, they will ONLY be able to read the files in there, not change, save, or make new files.
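Parts I to III above, expressed with icacls as an added example that is not part of the original page. It assumes the HR share is rooted at D:\Shares\HR and the group is ACME\HR Training; both are assumptions.

```powershell
# Added example, not from the original page. Assumptions: HR share at
# D:\Shares\HR, group ACME\HR Training.
$HR       = 'D:\Shares\HR'
$Training = Join-Path $HR 'Training'
$Group    = 'ACME\HR Training'

# Part I: on the HR root only. No inheritance flags = "This folder only".
# RD  = List folder / read data     RA = Read attributes
# REA = Read extended attributes    RC = Read permissions
icacls $HR /grant "${Group}:(RD,RA,REA,RC)"

# Part II: a second entry that applies to "Files only" ((OI)(IO) = object
# inherit, inherit only) and deliberately leaves out RD, so files that sit
# in the HR root are not readable (and, with ABE, are not listed).
icacls $HR /grant "${Group}:(OI)(IO)(RA,REA,RC)"

# Part III: on Training itself, disable inheritance while keeping copies of
# the inherited entries, then grant Read & execute (RX) to the folder, its
# subfolders and files ((OI)(CI)), which covers "Read and execute",
# "List folder contents" and "Read" from the GUI.
icacls $Training /inheritance:d
icacls $Training /grant "${Group}:(OI)(CI)RX"

# Check the result: the root should show the two HR Training entries, and
# Training should show the group with (OI)(CI)(RX). With ABE enabled on the
# share, a member of HR Training who is in no other HR group sees only
# \Training under \\server\HR and can read, but not write, its contents.
icacls $HR
icacls $Training
```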
