Access Based Enumeration Traverse Folder Service
Access Based Enumeration (ABE) by Microsoft has existed since Windows Server 2003 SP1. On Windows Server 2003 it still had to be installed separately. Operating systems from Windows Server 2008 onward already include it, but it still needs to be activated.
To grant access to a single (deep) subfolder without making the whole path visible, you can set a Traverse Folder permission. The permission must be set on all folders from the parent folder to the target folder.
Together, ABE and the Traverse Folder Service by FirstAttribute let you easily build and manage an intuitive folder authorization structure.
ABE is used to hide folders and files from users who do not have an appropriate access permission. The benefits are:
- improved clarity of the directory trees for the user
- enhanced data security
- users can’t see folders without read permission
- not knowing the name of a folder means not being able to guess the folder’s content
When ABE is enabled, each file system access is registered by the file server. Whether a user can access an object or not is based on the user's security token and the Access Control List (ACL) of each file system object. Therefore, ABE relates exclusively to the NTFS permissions.
ABE can also be activated for shares and DFS.
In NTFS, it is possible to authorize a user for a subfolder even though the user has no access permission for the parent folder.
The user can directly access the desired folder with the full path name. But there is no chance to “walk” through the directory tree step by step or to access a parent folder.
To make that possible, each parent folder needs the Traverse Folder permission for the user. Maintaining these authorizations means checking all permissions on the parent folders and adjusting them manually. This results in considerable effort for the admin.
The Traverse Folder Service is a service by FirstAttribute. It helps you to manage and monitor access permissions for single folders as well as for full DFS structures.
The service can build an initial Traverse Folder permission structure in the directory. After that, it keeps running in monitor mode. If any permission changes, the Traverse Folder permissions are adjusted automatically.
For each directory level, a Traverse Folder group is automatically created and authorized. The user is then added to the authorization group. With the withdrawal of permissions the user is also automatically removed from the group. The service also works for DFS.
With the Traverse Folder Service, ABE always shows the correct directory structure for each user. Another great benefit is the considerable simplification of the permission assignment, because the user (or his role) needs to be assigned to the desired folder only.
FirstAttribute will also support you in creating a permission and role concept or with the implementation of a DFS structure.
For further information, please feel free to contact us.