Windows Server 2003 Access-based Enumeration
Quote:
ABE is the technology built into Windows Server 2003 Service Pack 1 that provides the administrator of a resource control over who can see shared folders and files. In essence, the goal of ABE is to keep users from seeing the files and folders to which they don't have access.
This is ideal for any organization that wants to hide files or folders under share points. If the user is omitted from the access control list (ACL) or is specifically denied the ability to read or list the resource, the file or folder will not be visible when browsing the shared folder resources in Windows Explorer. For HR-related resources, medical organizations, highly secure organizations or any organization that benefits from denying visible access to resources based on the ACL, ABE is an ideal solution.
How many of you use this?
Re: Windows Server 2003 Access-based Enumeration
I do. We have a shared areas folder for students of all years to access; inside that folder is one for each year group. I set permissions on these folders for the year group and set ABE on the shared areas. When a student accesses the shared areas folder, all they see is the year 7 folder and so on.
I find it useful to tidy up areas for users, as there are so many folders around on the network that they only need to see the ones that they can access. If they can't see them they can't make attempts to access them either by other means.
I like it and use it quite a lot.
Chris
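Added example (not from the thread and not Microsoft's code): a small Python model of the rule in the quoted description, applied to a year-group layout like the one described above. The group names, folder names and the "any matching deny wins" evaluation are assumptions made for illustration; it shows that ABE changes what is listed, while the ACL alone decides what can be opened.

```python
from dataclasses import dataclass

READ = "read"  # stands in for the read/list rights the quoted text refers to

@dataclass(frozen=True)
class Ace:
    principal: str      # user or group name (hypothetical names below)
    allow: bool         # True = allow ACE, False = deny ACE
    right: str = READ

def can_read(acl, user, groups):
    """Read is granted only if some ACE allows it and no ACE denies it.
    Simplification: any matching deny wins, as in a canonically ordered ACL."""
    ids = {user, *groups}
    matching = [a for a in acl if a.principal in ids and a.right == READ]
    if any(not a.allow for a in matching):
        return False                       # specifically denied
    return any(a.allow for a in matching)  # omitted from the ACL -> False

def enumerate_share(folders, user, groups, abe_enabled):
    """Names returned to the client when it lists the share root."""
    if not abe_enabled:
        return sorted(folders)             # every name is listed
    return sorted(n for n, acl in folders.items() if can_read(acl, user, groups))

# Constructed sample data: a "Shared Areas" share with one folder per year group.
SHARED_AREAS = {
    "Year 7": [Ace("Year7-Students", True), Ace("Staff", True)],
    "Year 8": [Ace("Year8-Students", True), Ace("Staff", True)],
    "Staff Only": [Ace("Staff", True), Ace("Students", False)],
}
PUPIL = ("pupil07", {"Students", "Year7-Students"})
TEACHER = ("teacher1", {"Staff"})

def demo():
    """For each user, with ABE off and on: what is listed vs. what can be opened."""
    rows = []
    for user, groups in (PUPIL, TEACHER):
        for abe in (False, True):
            listed = enumerate_share(SHARED_AREAS, user, groups, abe)
            openable = [n for n in listed if can_read(SHARED_AREAS[n], user, groups)]
            rows.append((user, abe, listed, openable))
    return rows

if __name__ == "__main__":
    for user, abe, listed, openable in demo():
        print(f"{user:9} ABE={abe!s:5} listed={listed} openable={openable}")
```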
Re: Windows Server 2003 Access-based Enumeration
I have been using it for some time and it works well. I use it, for example, to hide staff-only folders from pupils on our common shared folder we have. I also use it on our common desktop folders to assign shortcuts to users.
Re: Windows Server 2003 Access-based Enumeration
Heh, I haven't really noticed this, but it is used in SharePoint Server, as the students don't see the tab for the Facility E-portal or the Staff Site or anything they are not allowed to, so those that don't do a subject don't see that subject etc.
Re: Windows Server 2003 Access-based Enumeration
I like the sound of this, a bit of reading to be done I think.
Re: Windows Server 2003 Access-based Enumeration
Did not even realise this existed. Thanks tons :D
I am playing with it all right now.
Any caveats?
Re: Windows Server 2003 Access-based Enumeration
Anyone get any errors installing? I get an error saying it's missing a cabinet file.
Re: Windows Server 2003 Access-based Enumeration
Never mind, it would seem that my first download didn't complete properly, as it installed fine after I downloaded it again.
Re: Windows Server 2003 Access-based Enumeration
We seem to have share problems when the students use the Up key in Explorer to get to the "main server" level share (where all unhidden shares and printers live). Would ABE allow me to restrict them from accessing that main level? This would be fantastic as our current solution is to take it off the image.
Re: Windows Server 2003 Access-based Enumeration
Correct, if they don't have read access to the share and/or folder then it doesn't exist as far as they are concerned.
Re: Windows Server 2003 Access-based Enumeration
I have installed and set up ABE on a test environment, and it doesn't work exactly as I want. It does work slick for making folders within a share invisible; however, the shares themselves, if not hidden with a $, still show up. I suppose I could make every share hidden but that seems like a lot of trouble for the staff when I just want to keep students from hitting up and seeing all shares and printers at the main level. Do I have something misconfigured or missed?
Re: Windows Server 2003 Access-based Enumeration
You could use DFS and use separate DFS trees for staff and pupils?
Re: Windows Server 2003 Access-based Enumeration
DFS doesn't seem to do a whole lot for me that I can't do with permissions and groups on normal shares? I have never used DFS for this reason, so maybe I don't understand how I could better implement it. Here is my situation and my imagined way of stopping it.
Student logs in; using a share they are allowed in they open said share in an explorer window; they then use the up arrow to go to the \\%servername% area where they can see unhidden shares and printers; they can hit up once again to "browse" through all computers on the network to look for some teacher who got a share created and left it wide open.
This is what I want to stop; I want to "corral" students and keep them from browsing around servers or clients not specifically shared to them.
Re: Windows Server 2003 Access-based Enumeration
Quote:
Originally Posted by Bestbett
I have installed and set up ABE on a test environment, and it doesn't work exactly as I want. It does work slick for making folders within a share invisible; however, the shares themselves, if not hidden with a $, still show up. I suppose I could make every share hidden but that seems like a lot of trouble for the staff when I just want to keep students from hitting up and seeing all shares and printers at the main level. Do I have something misconfigured or missed?
Sounds like your permissions are not configured correctly and students have some read access still in place.