Access Based Enumeration Traverse Folder Service
ABE Traverse Folder
Access Based Enumeration (ABE) by
Microsoft has existed since Windows Server 2003 SP1. On Windows Server
2003 it still had to be installed separately. Operating systems
starting from Windows Server 2008 have it already included - but it
still needs to be activated.
To grant access to a single (deep) subfolder without making the
whole path visible, you can set a Traverse Folder permission. The
permission must be set on all folders from the parent folder to the
Together with ABE and Traverse Folder
Service of FirstAttribute you can
easily build and manage an intuitive folder authorization
Access Based Enumeration (ABE)
ABE is used to hide folders and files from users who do not have
an appropriate access permission. The benefits are:
- improved clarity of the directory trees for
- enhanced data security
- users can't see folders without read permission
- not knowing the name of a folder means not being able to guess
the folder's content
When ABE is enabled, a file system access is registered by the
file server. Whether a user can access or not is based on the
security token of the user and the Access Control List (ACL) of
each file system object. Therefore, the ABE relates exclusively to
the NTFS permissions.
ABE can also be activated for shares and DFS.
In NTFS, it is possible to authorize a user to a subfolder, even
though the user has no access permission to the parent folder.
The user can directly access the desired folder with
the full path name. But there is no chance to
"walk" through the directory tree step by step or to
access a parent folder.
To make that possible, each parent folder needs the Traverse
Folder permission for the user. Maintaining these authorizations
means checking all permissions on the parent folders and adjusting
them manually. This results in considerable effort for the
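The manual maintenance described above, as an added PowerShell example (not FirstAttribute's code and not part of the original page): it adds a "this folder only" Traverse Folder entry on each parent between a share root and a target folder. The paths, the account name and the function names `Get-ParentChain` and `Grant-TraverseOnParents` are assumptions made for illustration.

```powershell
# Added example. All paths and the account name are constructed placeholders.
function Get-ParentChain {
    param([string]$Root, [string]$Target)
    $rootFull   = [IO.Path]::GetFullPath($Root).TrimEnd('\')
    $targetFull = [IO.Path]::GetFullPath($Target).TrimEnd('\')
    if (-not $targetFull.StartsWith("$rootFull\", [StringComparison]::OrdinalIgnoreCase)) {
        throw "Target '$targetFull' is not below root '$rootFull'."
    }
    # Walk upward from the target's parent until the root is reached (inclusive).
    $chain = @()
    $dir = Split-Path -Path $targetFull -Parent
    while ($dir.Length -ge $rootFull.Length) {
        $chain += $dir
        if ($dir -ieq $rootFull) { break }
        $dir = Split-Path -Path $dir -Parent
    }
    [array]::Reverse($chain)   # root first, direct parent last
    return $chain
}

function Grant-TraverseOnParents {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][string]$Identity
    )
    foreach ($folder in Get-ParentChain -Root $Root -Target $Target) {
        $acl = Get-Acl -LiteralPath $folder
        # "This folder only": no inheritance and no propagation, so the entry
        # grants nothing on sibling folders or on files below this parent.
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $Identity,
            [System.Security.AccessControl.FileSystemRights]::Traverse,
            [System.Security.AccessControl.InheritanceFlags]::None,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        if ($PSCmdlet.ShouldProcess($folder, "Grant Traverse to $Identity")) {
            Set-Acl -LiteralPath $folder -AclObject $acl
        }
    }
}

# -WhatIf lists the folders that would be changed without writing any ACL.
Grant-TraverseOnParents -Root 'D:\Shares\Projects' `
    -Target 'D:\Shares\Projects\Dept\TeamA\Plans' -Identity 'CONTOSO\jdoe' -WhatIf
```

The entries are not removed again when the user loses access to the target folder, so every permission change means revisiting the whole parent chain.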
Traverse Folder Service
The Traverse Folder Service is a service by FirstAttribute. It
helps you to manage and monitor access permissions
for single folders but also for full DFS structures.
The service can build an initial Traverse Folder permission
structure in the directory. After that it keeps running in monitor
mode. In the case there is a change of any permission the
Traverse Folder permissions are adjusted
For each directory level, a Traverse Folder group is
automatically created and authorized. The user is then added to the
authorization group. With the withdrawal of permissions the user is
also automatically removed from the group. The service also works
With the Traverse Folder Service, ABE always shows the correct
directory structure for each user. Another great benefit is the
considerable simplification of the permission assignment because
the user (or his role) needs to be assigned to desired folder
FirstAttribute will also support you in creating a permission
and role concept or with the implementation of a DFS structure.
For further information, please feel free to contact us.