Windows Tip Sheet
Welcome to Win2003 SP1, Part 3
Share and share alike? Configure ABE so not everyone has access to everything.
This week’s tip is the third in a four-part series of
Win2003 Service Pack 1 tips.
If you ever worked on a NetWare server—and I mean going way back to NetWare
2.x or 3.x—you know that users who didn’t have access to volumes
or folders couldn’t see them when browsing the
network. Third-party tools such as ScriptLogic’s Cloak provide similar
capabilities on Windows, but it wasn’t until Win2003 SP1 that Microsoft
finally provided it built-in. Called ABE, or Access-Based
Enumeration, the feature allows users browsing network shares to only
see those shares they have access to. If they have access to the share but not
one of its sub-folders, they won’t be able to see that sub-folder.
Of course, ABE isn’t turned on by default so you might not even be aware
of its presence. Irritatingly, you have to configure it on a per-share basis.
Even more irritatingly, there’s no GUI-based way to enable it. Jeez, guys.
I recommend grabbing a command-line utility called Shrflgs.exe
from JoeWare.net.
Run Shrflgs \\Server\Share /abe true /forreal to enable
ABE on the share \\Server\Share.
My recommendation? Write a batch file that runs this puppy against every share
you’ve got. Sure, security through obscurity is no security at all, but
if you’ve already got permissions in place, then hiding things users shouldn’t
access will help prevent them from even trying.
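One way to script that recommendation, as an added PowerShell example that is not part of the original column or of Shrflgs itself. The `-Server` and `-Apply` parameters are hypothetical names chosen here; the script assumes Shrflgs.exe is on the PATH, that it exits non-zero on failure, and that Windows PowerShell (which provides `Get-WmiObject`) is installed. Without `-Apply` it only lists the shares it would change.

```powershell
# Added example: enable ABE on every ordinary disk share of one server.
# Assumes Shrflgs.exe is on the PATH and takes the arguments shown in the article.
param(
    [string]$Server = $env:COMPUTERNAME,   # hypothetical parameter: server to process
    [switch]$Apply                         # hypothetical switch: without it, nothing is changed
)

# Win32_Share Type 0 = ordinary disk share. This skips administrative
# shares (C$, ADMIN$), IPC$ and printer shares.
$shares = Get-WmiObject -Class Win32_Share -ComputerName $Server |
    Where-Object { $_.Type -eq 0 } | Sort-Object Name

$results = foreach ($share in $shares) {
    $unc = "\\$Server\$($share.Name)"
    $status = 'planned'
    if ($Apply) {
        # Same command line as in the article, one share at a time.
        & Shrflgs.exe $unc /abe true /forreal | Out-Null
        # Assumption: a non-zero exit code means the tool reported a failure.
        $status = if ($LASTEXITCODE -eq 0) { 'enabled' } else { "failed ($LASTEXITCODE)" }
    }
    New-Object PSObject -Property @{ Share = $unc; LocalPath = $share.Path; Status = $status }
}

# One row per share, so failures are easy to spot and the output can be kept as a record.
$results | Select-Object Share, LocalPath, Status | Format-Table -AutoSize
```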
About the Author
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.