Enabling Access Based Enumeration (ABE) on a DFS Namespace - Part II

Nov 20th, 2011

In my previous post on Access Based Enumeration, I outlined procedures for enabling ABE. With Windows Server 2008 and 2008 R2, there is an added option to enable ABE on a DFS namespace. I will show how to accomplish this in this post.

1- Create a DFS namespace. In my case, I created a domain namespace called DFS, which can be accessed through \\mydomain.com\dfs

2- Open the DFS Management console, expand Namespaces, right-click the namespace and choose Properties

3- Select the Advanced tab and mark the check box “Enable Access Based Enumeration for this namespace”

This will enable ABE for the root namespace. If you have sub namespaces that need ABE applied, you will need to set explicit permissions at that namespace level. For example, by default, my namespace “DFS” has all users as Read. But I also have a sub namespace called “DFS Test”, which I don’t want all domain users to see.

I have to go to the properties of that namespace, select the Advanced tab and select “Set explicit view permissions on the DFS folder”.

By default, “Use inherited permissions from the local file system” is selected. Now click Configure view permissions and add the user or security group that needs to view this folder.

NB: During my testing only Domain Local and Universal groups worked.
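The same configuration can be scripted with dfsutil.exe from PowerShell. This is an added example, not part of the original post; the group name `MYDOMAIN\DFS-Test-Viewers` is hypothetical, and the paths follow the namespace and folder used above.

```powershell
# Added example; not from the original post. Run from an elevated PowerShell
# session on a server with the DFS management tools (dfsutil.exe) installed.
# ABE on a domain-based namespace requires Windows Server 2008 mode.
$Root   = '\\mydomain.com\dfs'            # namespace root from step 1
$Folder = '\\mydomain.com\dfs\DFS Test'   # DFS folder that should be hidden
$Group  = 'MYDOMAIN\DFS-Test-Viewers'     # hypothetical group allowed to see it

function Invoke-DfsUtil {
    param([string[]]$Arguments)
    # Each array element is passed to dfsutil as a separate argument,
    # so the space in "DFS Test" is preserved.
    & dfsutil.exe $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "dfsutil $($Arguments -join ' ') failed (exit code $LASTEXITCODE)"
    }
}

# Optional pre-check (needs the ActiveDirectory module): the post reports that
# only Domain Local and Universal groups worked in the author's testing.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $scope = (Get-ADGroup -Identity ($Group -split '\\')[-1]).GroupScope
    if ($scope -eq 'Global') {
        Write-Warning "$Group is a Global group; it may not be honoured for view permissions."
    }
}

# Equivalent of step 3: enable ABE on the namespace root.
Invoke-DfsUtil 'property', 'abe', 'enable', $Root

# Equivalent of "Set explicit view permissions on the DFS folder":
# grant Read to the group. Protect blocks inherited permissions and Replace
# replaces the existing entries, so accounts that are not listed here will
# no longer see the folder.
Invoke-DfsUtil 'property', 'sd', 'grant', $Folder, "${Group}:R", 'Protect', 'Replace'

# Run this line as a user outside the group to confirm "DFS Test" is not listed.
Get-ChildItem -Path $Root | Select-Object -ExpandProperty Name
```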

Final Results:

Before ABE is enabled:

After ABE is enabled:

