How does Access Based Enumeration (ABE) work?

Last updated

Jan 23, 2025
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 14,555

Visibility:: Public

Votes:: 9

Category:: ontap-9

Specialty:: nas

Last Updated:: 1/23/2025, 3:41:15 PM

Applies to

ONTAP 9
Data ONTAP 8 7-Mode

Answer

When access-based enumeration (ABE) is enabled on a CIFS share, users who do not have permission to access a folder or file underneath it do not see these displayed in their environment.
- The actual permissions on files and folders do not change, only visibility does.
- ABE does not hide the share itself, it only hides the folders/files created under it, based on the access permissions.
- If users or automated systems rely on the visibility of all files and folders for indexing or management purposes, ABE could disrupt these operations.

Note: There is no global option per-SVM, each share must have ABE enabled on it if required

Local administrators still have unrestricted enumeration
- Members of the BUILTIN\Administrators group are granted unrestricted access to the local system
- Thus, an account in this group would be able to enumerate the entire directory
By default, ABE is disabled
Enabling ABE
- For Data ONTAP 8 7-Mode
  - cifs shares -change sharename -accessbasedenum
- For ONTAP 9
  - ::> cifs share properties add -vserver <vserver> -share-name <share> -share-properties access-based-enumeration
    Copied
Disabling ABE
- For Data ONTAP 8 7-Mode
  - cifs shares -change sharename -noaccessbasedenum
- For ONTAP 9
  - ::> cifs share properties remove -vserver <vserver> -share-name <share> -share-properties access-based-enumeration
    Copied

Additional Information

If creating a CIFS share TEST with the accessbasedenum option
- The share \FILERTEST is mapped with the user DOMAINuserA
  - A folder called PROVA is created with the permissions Owner/ Full Control for the DOMAINuserA.
- Another user, such as DOMAINuserB, will be able to see the share TEST, but will not see the folder PROVA under the share \FILERTEST. This is the expected behavior
- There are some options to hide the cifs share TEST, such as:
  - Disabling the CIFS shares browsing with the -nobrowse option
    - Creating a share and appending the $ symbol to the end of the name.
Starting ONTAP 9.9.1 a cifs option was introduced that enumerates shared based on share-level permissions
- -is-share-enum-permission-check-enabled (privilege: advanced)
- If this parameter is set to true, the NetShareEnum call will only respond with the shares the user has access to. The default value is false which means it will respond with all shares.
Enabling or disabling access-based enumeration on SMB shares (ONTAP 9+)
Providing folder security on shares with access-based enumeration (Clustered ONTAP 8.3.1)
Data ONTAP 7.3 File Access and Protocols
na_cifs_shares Man page
Provide folder security on shares with access-based enumeration overview (netapp.com)
There is no need to have client reconnect to see impact of ABE, on next query dir, if ABE was enabled, the files\folders user does not have access to will no longer be returned in results.
If user is a member of local admin (on SVM) then they will be able to see the shares.