Scott's Weblog The weblog of an IT pro focusing on cloud computing, Kubernetes, Linux, containers, and networking

Follow Up on Access-Based Enumeration

As a follow-up to this posting on access-based enumeration, I wanted to post information from some testing I performed earlier this week. I installed access-based enumeration (ABE) on a server running Windows Server 2003 SP1 (the only version of Windows on which it is supported). It does what it advertises; when a non-administrative user connects to a shared folder on which ABE is enabled, they see only those folders to which they have permission.

There are some limitations. Administrative users are not affected in any way. ABE only works for network access; users accessing the filesystem locally are not affected. This makes ABE unsuitable for use on terminal servers. Additionally, ABE is enabled or disabled on a share-by-share basis, and while it is possible to turn ABE on or off for all shares at once, there is no provision for setting ABE on by default for new shares. Finally, ABE can negatively impact performance, especially for shared folders with large numbers of files.

I’m kind of split on this one. On the one hand, it’s really good functionality that will dramatically change the way system administrators approach Windows-based file servers. On the other hand, the potential performance drawbacks of ABE are concerning.

If you are running file servers on Windows Server 2003 with Service Pack 1 installed, you owe it to yourself to at least evaluate ABE. You may find that it doesn’t work for your network, but then again you may find that you don’t want to go on without the added functionality that ABE brings to the table.
