How does Access Based Enumeration (ABE) work?
Applies to
- ONTAP 9
- Data ONTAP 8 7-Mode
Answer
- When access-based enumeration (ABE) is enabled on a CIFS share, users who do not have permission to access a shared folder or file underneath it (whether through individual or group permission restrictions), do not see that shared resource displayed in their environment.
- There is no global option per-SVM, each share must have ABE enabled on it if required
| ABE does not hide the share, it only hides the folders/files created under it, based on the access permissions. |
- Local administrators still have unrestricted enumeration
- Members of the BUILTIN\Administrators group are granted unrestricted access to the local system
- Thus, an account in this group would be able to enumerate the entire directory
- By default, ABE is disabled
- Enabling ABE
- For Data ONTAP 8 7-Mode
cifs shares -change sharename -accessbasedenum
- For Data ONTAP 9
::> cifs share properties add -vserver <vserver> -share-name <share> -share-properties access-based-enumeration
- For Data ONTAP 8 7-Mode
- Disabling ABE
- For Data ONTAP 8 7-Mode
cifs shares -change sharename -noaccessbasedenum
- For Data ONTAP 9
::> cifs share properties remove -vserver <vserver> -share-name <share> -share-properties access-based-enumeration
- For Data ONTAP 8 7-Mode
Additional Information
- If creating a CIFS share TEST with the
accessbasedenumoption - The share
\FILERTESTis mapped with the user DOMAINuserA- A folder called PROVA is created with the permissions Owner/ Full Control for the DOMAINuserA.
- Another user, such as DOMAINuserB, will be able to see the share TEST, but will not see the folder PROVA under the share
\FILERTEST. This is the expected behavior - There are some options to hide the cifs share TEST, such as:
- Disabling the CIFS shares browsing with the
-nobrowseoption- Creating a share and appending the $ symbol to the end of the name.
- Disabling the CIFS shares browsing with the
- Starting ONTAP 9.9.1 a cifs option was introduced that enumerates shared based on share-level permissions
-is-share-enum-permission-check-enabled(privilege: advanced)- If this parameter is set to true, the NetShareEnum call will only respond with the shares the user has access to. The default value is false which means it will respond with all shares.
- Enabling or disabling access-based enumeration on SMB shares (ONTAP 9+)
- Providing folder security on shares with access-based enumeration (Clustered ONTAP 8.3.1)
- Data ONTAP 7.3 File Access and Protocols
- na_cifs_shares Man page
- Provide folder security on shares with access-based enumeration overview (netapp.com)