DFS and Access Based Enumeration (how to hide folders from prying eyes)

I was chatting online the other week with Brian - an IT Pro friend of mine here in Ottawa. Brian is the president of TechDelta - a consulting company that has been delivering Microsoft solutions (technical architectures, implementations, migrations, etc.) for the past 15 years. He was working for a large government agency that wanted the abstraction of DFS for shares while also enabling the Access Based Enumeration featureset of Windows Server 2003 Service Pack 1.  He was complaining to me about the lack of clear and concise directions on the Internet on how to implement such a beast - so I challenged him to write up a post on the subject. 

While I was in Ottawa earlier in the week - this Guest Blog Post came in. Have a Read...

----------

There seems to be a lot of confusion about how this actually works. Rest assured, it does work. Hopefully, these steps will guide you through the whole process. If you want the short version, skip to the end. The steps below will take you from file share creation, to DFS Configuration, and finally ABE Configuration.

*** Create Your File Shares ***

First of all, you must set up your regular file shares as you normally would. You must set the share permissions and the NTFS permissions on the file system. Take note of the NTFS permissions; you will need them later, because they are what you will mirror onto the DFS namespace folders, and they determine who gets to see each link once ABE is turned on.

Let's assume you make a folder called D:\Users. Underneath D:\Users, you create a few home directories: johndoe and janedoe.
D:\Users\johndoe is shared as "johndoe", and D:\Users\janedoe is shared as "janedoe". Set NTFS permissions on each to grant the user's own account Full Control over that folder (plus Administrators: Full, CREATOR OWNER: Full and SYSTEM: Full; this is the ACL you would get anyway if the home directory was created when you set up the user account).

At this point, you should have the following shares:
\\server-name\johndoe ( = D:\Users\johndoe )
\\server-name\janedoe ( = D:\Users\janedoe )

*** DFS Configuration ***

Next, set up your DFS environment. For now, work with one target per link. Let's assume you want a domain-based DFS root. Create your root share (for redundancy, you will want another root target server on your network so that the DFS root is still accessible if this server is unavailable). In this case we will call it Users. As you create it, you are asked for a folder to share. This is a placeholder folder in which the namespace is materialized on this server; it defaults to something like C:\DFSRoot\[new root name]. The DFS root in this example is now:
\\Domain.com\Users

Now create your DFS Link. This is going to be the share name that your users actually map to. This share is then re-directed to the most appropriate target on the network. Create a link for each share you want to appear under Users (in our example, create one for janedoe, and one for johndoe). The DFS tool will prompt you for the server and share that exists on the network that this DFS link points to. The redundancy factor in DFS begins when you have multiple copies of the share on various servers that this DFS link can point to.

DFS is now configured and the shares should be reachable through their DFS paths. At this point every user sees every link under the root regardless of permissions; they can only open the ones they have been granted access to.

If you look at the placeholder structure, you will see that the folders janedoe and johndoe have been created under C:\DFSRoot\Users but if you try to access these folders, you will get a message indicating that the network location cannot be reached. These folders exist on your file system, but are not accessible. I call these folders "Ghost folders".

*** ABE Configuration ***

So this is where it gets interesting. Now we want to hide those links from users who have not been granted permissions on them. The following steps implement Access Based Enumeration on the namespace.

1) Download the ABEGUI add-on.
https://www.microsoft.com/downloads/details.aspx?FamilyId=04A563D9-78D9-4342-A485-B030AC442084&displaylang=en

Install this ABEGUI on ALL servers that host shares in the DFS.

2) Using Windows Explorer, view the properties of the DFS root folder (i.e. C:\DFSRoot\Users). You will now have an extra tab, Access Based Enumeration. This tab appears only on folders that are shared, and the DFS root folder was shared when you created the root. Fill the top checkbox to turn on ABE for this share. Alternatively, the bottom checkbox turns on ABE for all shares on this server. To enable ABE on DFS you only need to turn it on at the DFS root(s) you have created, because it is the listing of the root share that gets filtered.

Now, in order for users to open \\Domain-name\Users at all, they need NTFS permission to list the DFS root folder. While you are still in Windows Explorer viewing the properties of the DFS root folder (i.e. C:\DFSRoot\Users), view the NTFS permissions on the Security tab. Click Advanced, then Add, and enter a group name (for example, Domain Users). Click OK. Be sure to use the drop-down list at the top so that the permissions apply to "This Folder Only"; if they were allowed to inherit, every ghost folder underneath would grant the whole group list access and ABE would show everyone every link. Fill the check boxes for the following permissions:

  • List Folder / Read Data
  • Read Attributes
  • Read Extended Attributes

Click OK, and close the properties for the DFS Root folder.

3) Now you need to set ACLs on the DFS structure itself. Remember those ghost folders (C:\DFSRoot\Users\johndoe)? They are where the ACL needs to be set: ABE decides whether johndoe sees a link by checking his access to the ghost folder on the root server, not to the share target. Open a command prompt and, using CACLS, read the ACL of the target folder:

i.e. CACLS D:\Users\johndoe

Now apply the equivalent ACL to the ghost folder. For home drives it is usually an individual account that needs the entry; group shares will usually have a group. Whatever the target folder grants is what the ghost folder needs to grant.

To apply the ACL to the ghost folder use CACLS again and grant the permission to the necessary AD object(s).

i.e. CACLS C:\DFSRoot\Users\johndoe /E /G DOMAIN-NAME\johndoe:C   (/E edits the existing ACL instead of replacing it; :C is Change, or use :F for Full Control. Any entry that grants at least read access is enough for ABE to show the link. See CACLS /? for the syntax.)

Do the same for all of those ghost folders, and apply the necessary ACL.

And now ABE for DFS should be configured. Test it: log in as johndoe and view the share \\Domain-Name\Users. Only the johndoe link should be visible. To confirm that it is ABE doing the hiding, go back to the root server and turn off ABE at C:\DFSRoot\Users; a refresh by johndoe should make the janedoe link visible as well. Keep in mind that ABE only filters the directory listing; it is not an access control. A user who knows the link name can still type \\Domain-Name\Users\janedoe directly, and it is the share and NTFS permissions on D:\Users\janedoe that stop them, not ABE. Conversely, if the ghost folder ACLs drift from the target ACLs, users will either see links they cannot open or miss links they could.

As you add more root targets and link targets, repeat the above three steps on each root target server once the namespace has replicated to it. The ghost folders are created locally on every root server, and their NTFS ACLs are not replicated with the namespace, so each server must be fixed up individually.
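Steps 2 and 3 above, done from one script instead of by hand, as an added example that is not part of Brian's post. It assumes PowerShell with Get-Acl/Set-Acl is available on the root server and that you run it elevated; the root path C:\DFSRoot\Users, the link-to-target mapping and the group DOMAIN-NAME\Domain Users are placeholders for your own values. It does not turn ABE itself on (that is still the root share's ABE tab), and it goes a little beyond the text by printing, per link, which principals will be able to see it. Run it on every root target server after the namespace has replicated there.

```powershell
# Added example, not from the original post. Mirrors each link target's NTFS
# DACL onto its "ghost folder" under the DFS root placeholder, and grants a
# browse group list-only rights on the root folder ("This folder only").
# Assumptions: run elevated on a DFS root target server; paths, link names
# and the group below are hypothetical and must match your own namespace.
param(
    [string]$DfsRootPath = 'C:\DFSRoot\Users',
    [hashtable]$LinkTargets = @{
        'johndoe' = 'D:\Users\johndoe'   # DFS link name -> local path of its share target
        'janedoe' = 'D:\Users\janedoe'
    },
    [string]$BrowseGroup = 'DOMAIN-NAME\Domain Users'   # who may list the root at all
)

# --- Step 2: List Folder / Read Attributes / Read Extended Attributes on the
# root, with InheritanceFlags None ("This folder only"). If this entry were
# allowed to inherit, every ghost folder would grant the group list access and
# ABE would show everyone every link.
$browseRights = [System.Security.AccessControl.FileSystemRights]'ListDirectory, ReadAttributes, ReadExtendedAttributes'
$browseRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $BrowseGroup, $browseRights, 'None', 'None', 'Allow')
$rootAcl = Get-Acl -Path $DfsRootPath
$rootAcl.AddAccessRule($browseRule)
Set-Acl -Path $DfsRootPath -AclObject $rootAcl

# --- Step 3: copy each target's DACL onto the matching ghost folder. Every
# entry is written as an explicit ACE so the ghost folder carries the same
# principals and rights the target has (including what the target inherited
# from D:\Users) without depending on inheritance from C:\DFSRoot\Users.
foreach ($link in $LinkTargets.Keys) {
    $ghost  = Join-Path -Path $DfsRootPath -ChildPath $link
    $target = $LinkTargets[$link]

    if (-not (Test-Path -Path $ghost -PathType Container)) {
        # The ghost folder only appears after the DFS link exists and this
        # root server has picked up the namespace.
        Write-Warning "Ghost folder $ghost not found; create the DFS link (and wait for replication) first."
        continue
    }

    $targetAcl = Get-Acl -Path $target
    $ghostAcl  = Get-Acl -Path $ghost

    # Stop inheriting from the root folder and drop any old explicit entries,
    # so the ghost folder's DACL becomes exactly what is copied in below.
    $ghostAcl.SetAccessRuleProtection($true, $false)
    foreach ($old in @($ghostAcl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$ghostAcl.RemoveAccessRule($old)
    }

    foreach ($ace in $targetAcl.Access) {
        # Inherit-only entries (typically CREATOR OWNER) govern children, not the
        # folder itself; ABE evaluates the folder, so they are skipped. This also
        # avoids the generic-rights values such entries often carry, which the
        # FileSystemAccessRule constructor rejects.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        try {
            $copy = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $ace.IdentityReference, $ace.FileSystemRights,
                $ace.InheritanceFlags, $ace.PropagationFlags, $ace.AccessControlType)
            $ghostAcl.AddAccessRule($copy)
        } catch {
            Write-Warning "Could not copy entry for $($ace.IdentityReference) on $target : $_"
        }
    }
    Set-Acl -Path $ghost -AclObject $ghostAcl
}

# --- Verify: list who holds an Allow entry with at least ListDirectory on each
# ghost folder. Those are the accounts that will see the link once ABE is on.
foreach ($link in $LinkTargets.Keys) {
    $ghost = Join-Path -Path $DfsRootPath -ChildPath $link
    if (-not (Test-Path -Path $ghost -PathType Container)) { continue }
    $readers = (Get-Acl -Path $ghost).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ListDirectory) } |
        ForEach-Object { $_.IdentityReference.Value }
    '{0}: visible to {1}' -f $link, ($readers -join ', ')
}
```

The verification pass is also a quick drift check: if a principal shows up here but has no access to the real share target (or the reverse), the ghost folder and target have diverged, and ABE will either advertise a link the user cannot open or hide one they could. Re-run the script whenever target permissions change.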

Let's recap the steps.

SUMMARY OF CONFIGURING ABE FOR DFS:

  1. Create Server Shares. Set share and NTFS permissions as per your environment.
  2. Create DFS Root and DFS Links
  3. Install ABEGUI on all target servers in the DFS
  4. Use CACLS to obtain the ACL on the share target (the actual shared folder)
  5. Use CACLS to apply the ACL on the ghost folder (typically under C:\DFSRoot\[Root-name]\[Link-name] )
  6. Apply the necessary NTFS permissions on the DFSRoot folder (typically C:\DFSRoot\[Root-name] )
  7. Turn on ABE on the DFS Root folder (typically C:\DFSRoot\[Root-name] )
  8. Map your users to \\DFS-Share-Name\Root-Name and they will only see the links that they have been granted permissions to access.
  9. Repeat steps 4-7 on other DFS target servers in your environment. (Let replication complete after additional link targets have been added)

Brian Bowering, MCSE, MCNE
brian @ techdelta.com
TechDelta (www.techdelta.com)

Some of the technologies that Brian has deployed for his customer base include:
* Microsoft Windows 2000/2003
* Microsoft Exchange 2000/2003
* Microsoft SQL
* Microsoft Clustering
* Storage Area Networks (EMC, HP)
* Multi-site DFS
* Automated Desktop Deployment
* Global Address List Synchronization between Email systems
* Backup/Restore solutions