Friday, March 25, 2005

Access-based Enumeration in Windows Server 2003 SP1

Hide folders underneath a share where the user has no permissions

"Now the word is spread, so I can blog that as well: Windows Server 2003 SP1 (and the x64 Version) will finally introduce the feature that folders underneath a share can be hidden when the user browsing the parent folder or share has no read permissions on that folder. It's been requested for years, and finally made its way to Windows Server. This feature is called Access-based Enumeration.

You can switch this on and off for every share with a command-line tool (abetool.exe), and in the final version this is supposed to be supported by the GUI as well. ..."


Very nice. I'm a believer that if you can't access something you shouldn't see it to begin with. And it's bugged me that folder enum/listing didn't support this.

I've written tools that wrapped folder listings with an initial "can this user read+ this folder" check and, if not, did not list it. Mostly done to avoid social engineering ("Why can I access folder XYZ?", "Who is BlaBla and what do they have in their folder...", "I'm So And So and I don't have access to folder ABC" [when the person is really Am Not So And So], etc., etc., etc.). Security by obscurity, but also least privilege. If you don't have access, why should you even see it?

Now it looks like the OS will support this natively, which is pretty cool...
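The "check before you list" idea above, as an added Python model (not the author's tool, not abetool.exe, and not Microsoft's code): a small NTFS-style ACL evaluator with deny-over-allow semantics, and a share enumerator that lists every folder (pre-SP1 behaviour) or only the folders the user can read (access-based enumeration). All principals, groups and folder names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed model of NTFS-style ACLs plus access-based enumeration (ABE).
# Every name here is hypothetical; this is not abetool.exe or any Microsoft code.
READ = "read"

@dataclass
class Ace:
    principal: str     # user or group name
    allow: bool        # True = allow ACE, False = deny ACE
    rights: frozenset  # e.g. frozenset({READ})

@dataclass
class Folder:
    name: str
    acl: list          # ACEs in canonical order (explicit denies first)

def token(user, groups):
    """Access token: the user, Everyone, and the user's group memberships."""
    return {user, "Everyone"} | set(groups.get(user, ()))

def has_right(folder, user, groups, right=READ):
    """Walk the ACL in order; a matching deny ACE wins over any allow."""
    sids = token(user, groups)
    allowed = False
    for ace in folder.acl:
        if ace.principal not in sids or right not in ace.rights:
            continue
        if not ace.allow:
            return False  # explicit deny short-circuits the check
        allowed = True
    return allowed

def enumerate_share(share, user, groups, abe=True):
    """Folder names the user sees when browsing the share. abe=False lists
    everything (access fails only on open); abe=True hides unreadable folders."""
    return [f.name for f in share if not abe or has_right(f, user, groups)]

# Constructed sample share and group memberships.
GROUPS = {"alice": ["finance"], "bob": ["engineering"],
          "carol": ["finance", "contractors"]}
R = frozenset({READ})
SHARE = [
    Folder("Public", [Ace("Everyone", True, R)]),
    Folder("Finance", [Ace("finance", True, R)]),
    Folder("Engineering", [Ace("engineering", True, R)]),
    Folder("Payroll", [Ace("contractors", False, R), Ace("finance", True, R)]),
]

if __name__ == "__main__":
    print({u: enumerate_share(SHARE, u, GROUPS) for u in GROUPS})
```

Carol is in finance but also in contractors, so the deny ACE on Payroll hides that folder from her listing even though a finance allow ACE follows it.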
