Windows Server: Access-Based Enumeration

1 Answer


Introduction

Access-based enumeration, also known as ABE, applies to network shares. This Windows Server feature displays, within a network share, only the folders and files for which the user has at least read rights. The other folders and files in the same share, for which the user has no rights, are hidden.

The first question is: why hide some folders or files from users in a network share? The answer is relatively simple: it is above all a question of security.

Indeed, a user who does not see data that does not concern them will not be tempted to go and look at it.

Or, if a ransomware attack takes place on the file server and the attacker uses the session of a user who does not have rights to all of the folders, the attacker will not be able to encrypt all of the data.

Now let's get to the heart of the matter: how to set up ABE!

Access Based Enumeration

Behavior of ABE

We will take the following case: a user from the technical department uses a TSE session in which he has access to a network drive where the Company Documents folder is present.

In this shared Documents folder, our technician can see the following tree structure and can also access the contents of the folders.

We just saw what happens when ABE is not active on the server where the shared folder is present.

Now here is the view that the same technical user will have once access-based enumeration is active.

For access-based enumeration to work correctly, it is imperative that NTFS rights be correctly configured on the shared folder. You will need to disable inheritance and also remove the DOMAIN\Users group from the folder's rights.

Activation of ABE

Now that we have seen the behavior of ABE, we will see how to set it up on our file server.

Go to the server where the shared folder is present. Then, from Server Manager, go to File and Storage Services:

Once in this menu, right-click the shared folder where you want to set up ABE and select Properties:

In the new window that opens, go to Settings and check the Enable access-based enumeration box:

You just have to validate with the OK button.

Congratulations! Access-based enumeration is now active on your shared folder! You will now have to configure your rights on the different folders.

NTFS rights

I'm not going to explain to you how to do NTFS rights management on shared folders and subfolders, because that's not the topic of this article.

Nevertheless, here is an overview of the rights in place on my environment where ABE is active:

Conclusion

Here we are at the end of this article about enabling access-based enumeration in a Windows Server 2019 (or earlier) environment.
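
The steps from the answer above, done from PowerShell on the file server; this is an added example and not part of the original answer. The share name `Documents`, the group `DOMAIN\Users` and the `Technical` subfolder are placeholders, and `Get-AbeFolderReport` and `Protect-AbeFolder` are hypothetical helper names.

```powershell
# Added example. Share name and group are placeholders, not values from a real environment.
$ShareName = 'Documents'       # assumed name of the share from the walkthrough
$Group     = 'DOMAIN\Users'    # placeholder for the broad group named in the answer

# 1. Inventory: which user-facing shares still list every folder to every user?
Get-SmbShare -Special $false |
    Select-Object Name, Path, FolderEnumerationMode |
    Format-Table -AutoSize

# 2. Enable ABE (the same setting as the Server Manager checkbox).
$share = Get-SmbShare -Name $ShareName -ErrorAction Stop
if ($share.FolderEnumerationMode -ne 'AccessBased') {
    Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force
}

# 3. Audit the NTFS side: ABE only hides a folder the user cannot read, so a
#    subfolder that still inherits or still allows the broad group stays visible.
function Get-AbeFolderReport {
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$Identity)
    Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
        $acl   = Get-Acl -LiteralPath $_.FullName
        $broad = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Allow'
        }
        [pscustomobject]@{
            Folder              = $_.FullName
            InheritanceDisabled = $acl.AreAccessRulesProtected
            BroadGroupAllowed   = [bool]$broad
        }
    }
}
Get-AbeFolderReport -Root $share.Path -Identity $Group | Format-Table -AutoSize

# 4. Fix one folder: disable inheritance (keeping current entries as explicit
#    copies), then remove every entry for the broad group.
function Protect-AbeFolder {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Identity)
    if ($PSCmdlet.ShouldProcess($Path, "Disable inheritance and remove $Identity")) {
        $acl = Get-Acl -LiteralPath $Path
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -LiteralPath $Path -AclObject $acl
        $acl = Get-Acl -LiteralPath $Path   # re-read: inherited copies are now explicit
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$Identity)
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}
# Protect-AbeFolder -Path (Join-Path $share.Path 'Technical') -Identity $Group -WhatIf
```

Run it from an elevated session, and confirm that the groups that should keep access are listed on the folder before running step 4 without `-WhatIf`.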
