- ONTAP 9
- Data ONTAP 8 7-Mode
- When creating a (CIFS) share, for example TEST, with the accessbasedenum option, the CIFS share TEST is not hidden.
- According to the Access Based Enumeration documentation, when access-based enumeration (ABE) is enabled on a CIFS share, users who do not have permission to access a shared folder or file underneath it (whether through individual or group permission restrictions) do not see that shared resource displayed in their environment.
- Local administrators still have unrestricted enumeration. Members of the BUILTIN\Administrators group are granted unrestricted access to the local system. Thus, an account in this group would be able to enumerate the entire directory. By default, ABE is disabled.
Data ONTAP 8 7-Mode:
- To enable ABE
cifs shares -change sharename -accessbasedenum
- To disable ABE
cifs shares -change sharename -noaccessbasedenum
ONTAP 9:
- To enable ABE
::> cifs share properties add -vserver [vserver name] -share-name [share] -share-properties access-based-enumeration
- To disable ABE
::> cifs share properties remove -vserver [vserver name] -share-name [share] -share-properties access-based-enumeration
- If creating a CIFS share TEST with the
- The share \\FILER\TEST is mapped with the user DOMAIN\userA. A folder called PROVA is created with the permissions Owner / Full Control for DOMAIN\userA.
- Another user, such as DOMAIN\userB, will be able to see the share TEST, but will not see the folder PROVA under the share \\FILER\TEST. This is the expected behavior.
- There are some options to hide the CIFS share TEST, such as:
- Disabling the CIFS shares browsing with the
- Creating a share and appending the $ symbol to the end of the name.
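The TEST / PROVA scenario above, as an added example that is not NetApp code: a simplified Python model of what ABE filters and what it leaves alone. The folder COMMON, the account DOMAIN\admin1 and all function names are constructed for illustration.

```python
# Simplified model of access-based enumeration (ABE); not ONTAP code.
ADMINS = "BUILTIN\\Administrators"

# Constructed sample data: share TEST with the folder PROVA from the example
# (ACL grants only userA) plus a constructed folder COMMON open to both users.
SHARES = {
    "TEST": {
        "abe": True,
        "folders": {
            "PROVA": {"DOMAIN\\userA"},
            "COMMON": {"DOMAIN\\userA", "DOMAIN\\userB"},
        },
    },
}
# Constructed group memberships; admin1 is a hypothetical local administrator.
GROUPS = {"DOMAIN\\admin1": {ADMINS}}


def principals(user):
    """The user plus every group the user belongs to."""
    return {user} | GROUPS.get(user, set())


def can_open(user, share, folder, shares=SHARES):
    """Access check: ACL match or administrator; ABE plays no part here."""
    who = principals(user)
    return ADMINS in who or bool(shares[share]["folders"][folder] & who)


def visible_shares(user, shares=SHARES):
    """Share listing: ABE is never consulted, so every share is returned."""
    return sorted(shares)


def visible_folders(user, share, shares=SHARES):
    """Folder listing: with ABE on, entries the user cannot open are dropped."""
    folders = sorted(shares[share]["folders"])
    if not shares[share]["abe"]:
        return folders
    return [f for f in folders if can_open(user, share, f, shares)]


if __name__ == "__main__":
    for u in ("DOMAIN\\userA", "DOMAIN\\userB", "DOMAIN\\admin1"):
        print(u, visible_shares(u), visible_folders(u, "TEST"))
```

With ABE turned off in the model, DOMAIN\userB sees the name PROVA in the listing but still cannot open it: ABE changes what is displayed, while the folder permissions decide access.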
- Enabling or disabling access-based enumeration on SMB shares (ONTAP 9+)
- Providing folder security on shares with access-based enumeration (Clustered ONTAP 8.3.1)
- Data ONTAP 7.3 File Access and Protocols
- na_cifs_shares Man page