All Configure Access-Based Enumeration (Server2012)

Configure Access-Based Enumeration (Server2012)

| Written by some jerk | Print | Email | Hits: 301

The following is my How-To on Access-Based Enumeration.

The domain: marvel.local 
The server: deadpool

(Shared Folder) - \\deadpool\userdata

\\deadpool\userdata\Beast 
\\deadpool\userdata\Cyclops 
\\deadpool\userdata\Havok

1.

Create a top-level folder that you will share

Create a folder that you will share. 
My example: userdata

 
9a699066caab3f4865970dc14034e97897a664741f63c36fcd15ac98b2f00153_topfolder_big
2.

Create Sub-folders

Create additional folders under the folder that will eventually be shared.

My example folders: Beast, Cyclops, Havok

 
7c010c2f6fa002d70d10c00d72fd2d3e0bb24a4ffc373dedb14828093ed2f660_subfolders_big
3.

Share out userdata folder

Go to the properties of the userdata folder. 
Sharing Tab 
Advanced Sharing... 
Check "Share this folder" 
Give the share a name 
Go to Permissions and set appropriately (I've changed it to Authenticated Users, Full Control) 
Save changes

 
1c748fe45a6eac521c79242c04625f7db60439d979ff6374a4bdd0f7e80f4f88_shareit_big
4.

Disable Inheritance/Remove default permissions

Go to Properties of userdata 
Security Tab 
Advanced 
Under the permissions tab click 'Disable Inheritance' 
Convert to Explicit permissions 
Now remove the 2 entries for "%servername%\Users" 
(leaving those entries will 'break' Access-based enumeration if not removed due to their read permissions being propagated to sub-folders) 
Click "Apply"

 
0110acaf65dc1bd0f0b8ff37147f8bd0a07be7ed6442b2339f2ecaaf13bb9a97_remove_users_big
5.

Add "List folder / Read Data" permission to Shared folder ONLY

While still in the permissions tab click "Add" 
Select Principal (in this case I chose 'Domain Users') 
In the 'Applies to' drop-down select "This Folder Only" 
Click "Show Advanced Permissions" 
ONLY select "List folder / read data" 
Click OK 
Click Apply

 
79242de27d62ff701bdda48d07b707d40b0be55219ddbeb07d80d27e9a365078_listfolder_big
6.

Create Security Groups

At this point create security groups that will be delegated Read/Write access to each folder.

 

 
3e39018d4bcb8b9ad2d096e7f1f96d5ba7e963800cc3987de11cdd7311eeb892_security_groups_big
7.

Delegate access to folders

My example: Cyclops

Go to the properties of the folder 
Security Tab 
Advanced 
Under Permissions Tab 
Click "add" 
Select Principal "Cyclops Share" security group 
Select 'modify permissions' and leave everything else default 
Apply changes and save

 
Cefc31030ea1aac869d088338a85b3da94cd129e0318f6b84ef894d279306b34_sharepermissions_big
8.

Add user to Security Group

At this point add a user to the security group that was granted modify access in previous step.

 
B020472989b663d38cfd8ddf9dd86d64099efc9d69b4100988a3d5f8e17bd03c_usermembership_big
9.

Turn on Access Based Enumeration

Open Server Manager 
Go to File and Storage Services 
Shares 
Right-click on your userdata share and select 'properties' 
Expand 'Settings' and check "Enable access-based enumeration" 
Click OK

 
F2ffe8b5d1cc86ef88b3fa1024877d6add57dc6732f23928a429b8a937c938e5_enableabe_big
10.

Test Access-based enumeration by logging in

Login as account and access the share. You should only see the folders that you have rights to read (through membership to a security group that has been granted rights to that particular folder)

 
2277c7e77aa533abb9137bbcae1a7d6155d967e2b67f31c1e1bd7ccfec13b463_whologgedin_big

Conclusion

Access-based enumeration is about NTFS permissions that the Share actually cares about.