Another access based enumeration mention.....

  • Article

WS2003 Service Pack 1 brings with it all sorts of goodies. I’ll try and mention many of the AD ones over the next few weeks, but one I can’t help but mention sooner rather than later is access based enumeration.

Rather than digging in to the feature, let’s instead start with a scenario.

Assume you have some server, and on that folder you have a share named ‘Users’. In the Users folder is a subfolder for each user that uses this particular server. Each user’s folder is ACL’d such that no one can get in to it but the user in question. From a security perspective, this is pretty safe.

That said, some customers wanted more. They wanted to be able to actually prevent one user from seeing another user’s folder. This way, you wouldn’t even know what other users had a folder on the given server. Enter access based enumeration.

From an implementation perspective, what access based enumeration does is pretty simple: when a user enumerates the parent folder (as the case may be, \\MyServer\Users) it will do an extra check for each subfolder before returning that folder to the user. Before access based enumeration, we would see if you had the appropriate perms on the Users folder, and if so return all contents. With access based enumeration enabled, we further check each folder in the share, to ensure you have the required perms on that folder itself, and only for those folders that you have permissions to do we return the folder in the list.

Simple, yet we didn’t do it in the past. We’ll, you have it now. :)
That said, there are a few things to keep in mind here.

First, it is independent of the client. This is entirely server-side. This is nice, as who knows what OS / SP your client is running. So don’t worry, it’s just a server side service pack you need to apply.

Second, there is a performance hit here. Perhaps not huge, but some. We used to have to check one ACL (the parent folder, aka the \Users share) before returning the list. Now we have to actually walk each subfolder as well, and check those ACLs too. Probably not terrible, but it is worth keeping in mind, especially on heavily loaded servers where you plan to do this on some folder with many thousands of folders in a given parent folder. One thing that helps from a performance perspective, though, is that once we talk the list once, you do have the file system cache to help you.

Third, this is unfortunately not manageable from the UI. There are tools around that let you set this special ACL, but the object picker UI (object picker is the name of the ACL UI you see when you decide to set an ACL on a folder) itself won’t let you do this. Perhaps one day. :)

That’s all on that. While written about here and there, I thought I’d raise further awareness as to the presence of this new feature. It’s a good one.

Update (4/19/05) - We have a tool that controls ABE on the web: https://www.microsoft.com/downloads/details.aspx?FamilyID=04A563D9-78D9-4342-A485-B030AC442084&displaylang=en