Access-based Enumeration (ABE) and DFS: How to hide folders from unauthorized users

Apr 13th, 2009

Access-based enumeration (ABE) allows users to view or list only the files and folders that they have access to. This feature hides other files and folders from prying eyes. It was introduced with Windows Server 2003 and is not enabled by default. I have put together some detailed instructions on how to configure ABE.

1-Create a share on your file server. For this demo, we will create a share named "DomainUsers" with the following permissions: Folder Share permission <Authenticated Users>:Read. See image below:

NTFS (security) permissions: <Administrator>:Full, <System>:Full, <Creator Owner>:Full; then click the Advanced tab and set <Authenticated Users (*This Folder Only*)>:List Folder/Read Data, Read Attributes, Read Extended Attributes. See image below.

2-Create the individual user- or group-specific folders that you want to hide from others. In this demo I will create UserA, UserB and UserC folders respectively. Set NTFS permissions so that only the respective user, administrators, creator owner and system have full control on each folder. See image below:


3-Assuming you already have DFS set up, add a link "DomainUsers" with the target pointing to \\ServerName\DomainUsers. If any user browses to the DFS share above, they will see all three users' folders, but due to the NTFS permissions they can only access their own folder.


4-We will apply ACLs on the ghost folders (UserA, UserB, UserC) using CACLS to grant the necessary permissions to the Active Directory objects, in our case UserA, UserB and UserC respectively. Here is the command syntax: CACLS C:\DomainUsers\UserA /E /G MyDomainName\UserA:C (/E edits the existing ACL instead of replacing it; :C grants Change. We will do this for all users/groups.) Now we need to make sure UserA is restricted to seeing only the folders that he/she has access to. That is where ABE comes in handy. To configure ABE, download and install the ABE GUI from the Microsoft website.

5-With the ABE GUI installed, we are ready to configure our DomainUsers share. Right-click the share and select Properties, select the Access-based Enumeration tab, and check the box "Enable access-based enumeration on this shared folder". See image below:
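The same setup, scripted end to end as an added example that is not from the original post: it builds the DomainUsers root and per-user folders with the NTFS permissions from steps 1, 2 and 4 and then enables ABE on the share. It goes beyond the post in that it assumes a current Windows Server where ABE is a built-in SMB share setting (SmbShare module, no ABE GUI download needed) and runs elevated; MyDomainName and UserA/UserB/UserC are placeholders matching the post.

```powershell
# Added example, not the original post's commands. Assumes an elevated session on
# a current Windows Server; "MyDomainName" and the UserA/B/C accounts are placeholders.
$Root   = 'C:\DomainUsers'
$Domain = 'MyDomainName'
$Users  = 'UserA', 'UserB', 'UserC'

New-Item -Path $Root -ItemType Directory -Force | Out-Null

# Step 1 NTFS permissions on the root: stop inheritance and drop inherited ACEs,
# grant Administrators/SYSTEM full control (inherited by subfolders), CREATOR OWNER
# full control on subfolders and files only, and Authenticated Users the three
# list/read-attribute rights on "This folder only" (no inheritance flags at all).
$acl  = Get-Acl $Root
$acl.SetAccessRuleProtection($true, $false)
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
$inheritAll = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, $full, $inheritAll, 'None', 'Allow')))
}
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CREATOR OWNER', $full, $inheritAll, 'InheritOnly', 'Allow')))
$listOnly = [System.Security.AccessControl.FileSystemRights]'ListDirectory, ReadAttributes, ReadExtendedAttributes'
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\Authenticated Users', $listOnly, 'None', 'None', 'Allow')))
Set-Acl -Path $Root -AclObject $acl

# Steps 2 and 4: one folder per user. Each inherits only the admin/SYSTEM/owner ACEs
# from the root (Authenticated Users was "This folder only"), and gets a single
# extra ACE for its owner, equivalent to the post's CACLS <dir> /E /G <user>:C.
foreach ($u in $Users) {
    $dir = Join-Path $Root $u
    New-Item -Path $dir -ItemType Directory -Force | Out-Null
    $acl = Get-Acl $dir
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$Domain\$u", 'Modify', $inheritAll, 'None', 'Allow')))
    Set-Acl -Path $dir -AclObject $acl
}

# Step 1 share permission (Authenticated Users: Read), then step 5: enable ABE.
# ABE is a property of the share, so it also applies when users reach the share
# through a DFS link that targets \\ServerName\DomainUsers.
New-SmbShare -Name 'DomainUsers' -Path $Root -ReadAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
Set-SmbShare -Name 'DomainUsers' -FolderEnumerationMode AccessBased -Force

# Check: FolderEnumerationMode must read AccessBased, otherwise every user still
# sees all three folders in the listing (even though NTFS denies them entry).
Get-SmbShare -Name 'DomainUsers' | Select-Object Name, Path, FolderEnumerationMode
```

To confirm the effect, run `Get-ChildItem \\ServerName\DomainUsers` as UserA: only the UserA folder should be listed.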


