Wednesday, August 1, 2007

Access-Based Enumeration (ABE)

Access-Based Enumeration (ABE) is a new technology included in Windows Server 2003 R2. (ABE was actually first included in Service Pack 1 for Windows Server 2003, but this service pack forms the basis of the R2 version of the platform.) What ABE does is just what Windows admins have always wished Windows file servers would do: hide files and folders from users who don't have access to them.


First you should download a component that provides a user interface (both graphical and command-line) for enabling and configuring ABE on your server. You can download this component from the Microsoft Download Center, but make sure you download the correct version for your processor platform (x86, AMD64 or IA64). Once you've downloaded the appropriate Windows Installer package, install it on every R2/SP1 file server on which you want to enable ABE.

Limitations of ABE

There are a few limitations of ABE:
- You need Windows Server 2003 R2 or SP1 in order to be able to use it.
- Users who are administrators will be able to see every file and folder in a share even with ABE enabled, and even when they have a Deny ACE on these items.
- ABE does not apply to users who can log on interactively to the server, regardless of whether they are administrators or not. This means ABE isn't really suitable for Terminal Services environments.
- You can't configure ABE so that a newly created share is automatically ABE-enabled.
- Finally, ABE adds a few percentage points of processing overhead to the file server, and this must be taken into account in heavy-load situations.
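Since ABE has to be switched on per share and a newly created share is not ABE-enabled automatically, a periodic audit that finds shares with enumeration still unrestricted and fixes them is the practical way to close that gap. The script below is an added example, not from the original post or from the 2003 R2 component it describes: it uses the Get-SmbShare and Set-SmbShare cmdlets of the SmbShare module, which exist on Windows Server 2012 and later (where ABE is exposed as the FolderEnumerationMode property of a share); the 2003 R2 download uses its own tool, and the cmdlets here do not apply to that platform.

```powershell
# Added example (not from the original post): audit every SMB share on this
# file server and enable Access-Based Enumeration where it is still off.
# Assumption: Windows Server 2012 or later, where the SmbShare module exists.
# Run in an elevated PowerShell session on the file server.

# Skip administrative and special shares (ADMIN$, C$, IPC$ and friends):
# ABE has no effect on administrators anyway, and IPC$ is not a folder.
$shares = Get-SmbShare | Where-Object { -not $_.Special }

foreach ($share in $shares) {
    if ($share.FolderEnumerationMode -ne 'AccessBased') {
        Write-Output "Enabling ABE on share '$($share.Name)' ($($share.Path))"
        # -Force suppresses the confirmation prompt so the script can run unattended.
        Set-SmbShare -Name $share.Name -FolderEnumerationMode AccessBased -Force
    }
    else {
        Write-Output "ABE already enabled on share '$($share.Name)'"
    }
}

# Report the resulting state so the change can be verified or filed with a change record.
Get-SmbShare | Where-Object { -not $_.Special } |
    Select-Object Name, Path, FolderEnumerationMode |
    Format-Table -AutoSize
```

Running this from a scheduled task (for example nightly) means a share created during the day without ABE is corrected before most users would notice the difference, and the table it prints doubles as evidence of the configured state for the server.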

The good news, however, is that ABE is built into the new Windows Vista and Longhorn Server platforms, where it is enabled by default and needs absolutely no configuration. So a folder shared on a Vista machine will only show its contents to users who have permission to access items within it.

Last word on the subject

ABE is a good thing, especially if your company stores sensitive business information on file servers on your network. Remember that a malicious (or merely curious) user can sometimes find out a lot about your business merely by viewing the names of documents stored in shared folders on your file servers. What would an employee do if they nosed around and found a document named OurCEOwillretiretomorrow.doc? Probably sell their shares fast and tell their friends as well, and soon your company will have the SEC or some other regulatory agency breathing down your neck for insider trading!
