SP1 and X64 little known feature - Access-Based Enumeration (ABE)

Have you ever attempted to access a folder that you didn't have permission to?

Are you an administrator who is concerned about security principals without the proper permissions seeing the names of files and folders they don't have permissions to?

SP1 and x64 address these concerns by making inaccessible files and folders invisible to users through a neat little feature called Access-Based Enumeration (ABE).  ABE in SP1/x64 can be used from the command line (abetool.exe) and through a fairly robust API (NetShareSetInfo).  FYI - There is a GUI on the way.

Command Line Syntax:  abetool [ShareName] [1=on/0=off] [ServerName]

Command Line Example: abetool "Personal Folders" 1 FileSrvr1

As an IT Pro for many many years, I was personally surprised that this feature didn't get more attention.  I remember back in my early Novell days thinking how cool it was.  I suppose that leads to a neat little trick with ABE - file shares that are migrated from other operating systems will behave the same way they did on the previous OS. (Cool!)

There is a whitepaper on ABE that should hit the streets fairly soon, I'll post a link to it when I hear it is live.

 

- Ward Ralston
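
The API route mentioned in the post, as an added example that is not code from the original post or from abetool.exe: it reads a share's level-1005 flags and writes them back with only the ABE bit changed, so other share flags are preserved. The helper names `abe_apply` and `set_abe` are ours, `ABE_FLAG` is assumed to match `SHI1005_FLAGS_ACCESS_BASED_DIRECTORY_ENUM` from lmshare.h, and the argument order copies the abetool syntax above.

```c
/* Added example. Build on Windows: cl abe.c netapi32.lib */
#include <stdio.h>
#include <stdint.h>

/* Same value as SHI1005_FLAGS_ACCESS_BASED_DIRECTORY_ENUM in lmshare.h */
#define ABE_FLAG 0x0800u

/* Return the share flag word with only the ABE bit changed. */
uint32_t abe_apply(uint32_t flags, int enable) {
    return enable ? (flags | ABE_FLAG) : (flags & ~ABE_FLAG);
}

#ifdef _WIN32
#include <windows.h>
#include <lm.h>

/* Level 1005 overwrites the whole flag word (caching, DFS, ...),
   so read the current value first and change only the ABE bit. */
static int set_abe(wchar_t *server, wchar_t *share, int enable) {
    SHARE_INFO_1005 *cur = NULL, upd;
    NET_API_STATUS rc = NetShareGetInfo(server, share, 1005, (LPBYTE *)&cur);
    if (rc != NERR_Success) return (int)rc;
    upd.shi1005_flags = abe_apply(cur->shi1005_flags, enable);
    NetApiBufferFree(cur);
    return (int)NetShareSetInfo(server, share, 1005, (LPBYTE)&upd, NULL);
}

/* Usage: abe ShareName 1|0 [ServerName]  (NULL server = local machine) */
int wmain(int argc, wchar_t **argv) {
    int rc;
    if (argc < 3) {
        fputs("usage: abe ShareName 1|0 [ServerName]\n", stderr);
        return 2;
    }
    rc = set_abe(argc > 3 ? argv[3] : NULL, argv[1], argv[2][0] == L'1');
    if (rc) fprintf(stderr, "failed, NET_API_STATUS %d\n", rc);
    return rc ? 1 : 0;
}
#else
int main(void) {
    puts("NetShareSetInfo is a Windows API; only abe_apply() is built here.");
    return 0;
}
#endif
```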

 

 

  • possible security concerns? hidden trojan folders?

  • Is this feature only for x64 versions of Windows 2003 or is SP1 for Windows 2003 x32 also going to have this feature?

  • Joe - can you expand on that a little more? People can hide folders now if they have proper permissions to the folder/file.

    Chris - This will be in both SP1(x86) and x64

  • I can't find abetool.exe in RC2 of either the x86 or x64 version of SP1. Where's it hidden? I've been using the Joeware ABE tool.

  • I am not the joe above who asked about security concerns and hidden trojan folders. These aren't hidden folders, they are folders that people don't have access to at all. It is similar to the Novell mechanism so you can have a single shared folder with hundreds or thousands of subfolders and users only seeing the folders they have access to read.

    BTW, check out http://www.joeware.net/win/free/tools/shrflgs.htm

  • Sorry I didn't make that a little clearer about ABE and the tools.

    ABE is enabled and ready to go in SP1 via the API. The tool - abetool.exe will be a web download at the same time the whitepaper is released.

    I will post again when the tool and whitepaper are live on the web.....soon.

    -Ward

  • As mentioned in previous posts, the Access-Based Enumeration GUI and Command-Line tools and whitepaper...