How to hide folders from local Administrators using Access-based Enumeration?

0

1

We are using now Access-based Enumeration inside our AD server. It is very cool: share ONE folder and set the permissions and "BOOM!" works. But I have noticed that local Administators are seeing the folders that they don't have access to. How can I avoid that?

Local administrators, in our case, are privileges just given to certain people (ordinary users non-IT like managers and our IT trainees). Even they not having access to the contents, the list of folders is big and some users get confused.

I running Windows Server 2012 R2.

msmafra

Posted 2017-04-09T00:08:25.783

Reputation: 231

With ABE enabled, users will only see folders they at least have Read permissions to. Are these users Administrators on the server hosting the share, or on the client computers connecting to the server? – I say Reinstate Monica – 2017-04-09T00:45:30.367

Hi. For those users we give local administrator privileges inserting in the local group. – msmafra – 2017-04-09T00:50:15.277

yes, but on which machine(s)? It makes a huge difference. – I say Reinstate Monica – 2017-04-09T00:52:21.663

Inserted in each user's computer bu GPO or by hand. These users are limited to logon on their sector computers also. – msmafra – 2017-04-09T01:01:39.970

On the server, view the Security properties page of one of the folders, and in the Advanced button look at the Effective Access tab. There, put in one of these users and see what access they have. Post a screen shot please. – I say Reinstate Monica – 2017-04-09T01:03:21.527

Two problems:

  1. I'll only be able to use the server on monday;
  2. Our Windows Server is in portuguese.
    3. < – msmafra – 2017-04-09T01:06:10.207

Is there a merge of privileges? All users limitations summing with the local administrators privileges. – msmafra – 2017-04-09T01:07:32.920

Yes, privileges assigned at the root of a folder will be added to those assigned lower I the folders. Post the information whenever you can. I don't think the language will be a problem. – I say Reinstate Monica – 2017-04-09T01:09:44.500

I find it odd. the users are limited to their groups accesses in other words each sector has its group like finances, accountants, buyers etc. so, the folder finances is only visible and accessible by Domain Admins and the finances group and so on. Local administrators should not see it unless it is considering that the local Administrators group is the same as the local Administrators group inside each AD server. – msmafra – 2017-04-09T01:22:38.090

Viewing the Effective Access screen should clarify what permissions they actually have. – I say Reinstate Monica – 2017-04-09T01:23:46.603

Answers

0

Access-based enumeration works as follows as explained on TechNet:

Access-based enumeration displays only the files and folders that a user has permissions to access. If a user does not have Read (or equivalent) permissions for a folder, Windows hides the folder from the user’s view. This feature is active only when viewing files and folders in a shared folder; it is not active when viewing files and folders in the local file system.

You can view the effective access of those users that you don't want to be able to see certain folders by doing the following on the server hosting the shared folder containing the folders which you want to hide using Access-based enumeration:

  1. Right-click the folder that should not be visible to the user and choose Properties
  2. On the Security tab click Advanced
  3. Go to the Effective Access tab
  4. Click Select a user then type the name of the user in the dialog box and click OK
  5. Click View effective access. If the user has the **List folder / read data ** permission, then they will be able to see the folder even with ABE enabled: enter image description here

If the user(s) in question do have unwanted access to the folder, review their permissions for the folder to determine how the user is getting them.

I say Reinstate Monica

Posted 2017-04-09T00:08:25.783

Reputation: 21 477

HI! Thanks for the answer. I will test it. I totally forgot the Effective Access existed. As soon as I discover what happened with our DFS Replication I will test it. Thanks very much! – msmafra – 2017-04-10T22:57:17.623

@tenshimsm Do you mean to say the share you've got ABE enabled on is actually pointing at a DFS namespace? – I say Reinstate Monica – 2017-04-10T23:09:23.350

Yes, also that. – msmafra – 2017-04-11T02:17:00.577

@tenshimsm Well....DFS-N doesn't play nice with ABE. See what you find but I'm thinking you'll be faced with having to fiddle with the DFS folders if you really want ABE to work. – I say Reinstate Monica – 2017-04-11T02:35:23.327

ABE is working fine, even in DFS. Just the full list of folders to the local administrators is annoying. Just the replication decide that doesn't want to ... replicate. says is running/working/doing its thing but doesn't sync the servers. – msmafra – 2017-04-11T02:39:06.127

@tenshimsm The replication is certainly a separate issue from ABE. – I say Reinstate Monica – 2017-04-11T03:20:21.107

Asked: 2017-04-09T00:08:25.783

Viewed: 1 103 times

Active: 2017-04-09T13:08:56.933