Title: RE: [ActiveDir] Access Based Enumeration in W2K3 SP1
Absolutely, that is what I mean. Very disappointing that the functionality isn't in the OS to enable it but at least the functionality is there. MS has always been poor with tools though, this isn't any new stellar news. It is why joeware exists at all, it all goes back to two main apps, an app to allow net send message receiving functionality on Windows 9x that didn't allow sending messages (this is a nightmare in large orgs) and local group enumeration on member machines without having to use the GUI or log on to the console of the remote machine to do so. The net localgroup and other net commands should have had the ability to specify remote machine forever ago since the API allowed it, not sure why MS never exposed it other than the MS internal folks really don't use much command line either.
 
On the positive side they give lots of interfaces to do things that they don't allow you to do in the GUI and through their command line tools.
 
Another couple of benefits of shrflgs:
 
1. Lets you view current flag settings
2. Lets you set/clear the flags for all shares at once on a machine. So if you have 50 shares, instead of running the MS tool 50 times, you run shrflgs once.
3. I think the parameter system is more intuitive
4. As Jorge mentioned, sets flags other than the ABE flag.
5. Some built-in protections for some key shares like sysvol, netlogon, and admin shares.
6. Enumerates the SDDL of the SD of the share.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, April 04, 2005 5:40 AM
To: joe; [email protected]
Subject: RE: [ActiveDir] Access Based Enumeration in W2K3 SP1

IN THE OS I can't find any way (GUI or tool) to enable/disable it. I searched the internet and ended up in some blogs. You'll have to download the util separately. This is what I have found so far:

####### (http://blogs.technet.com/windowsserver/archive/2005/03/24/401840.aspx)
SP1 and x64 address these concerns by making inaccessible files and folders invisible to users through a neat little feature called Access-Based Enumeration (ABE).  ABE in SP1/x64 can be used with the command-line (abetool.exe) and through a fairly robust API (NetShareSetInfo).  FYI - There is a GUI on the way.

Command Line Syntax:  abetool [ShareName] [1=on/0=off] [ServerName]

Command Line Example: abetool "Personal Folders" 1 FileSrvr1

There is a whitepaper on ABE that should hit the streets fairly soon
#######

I also found the following (funny that a MS tool to enable a certain functionality in the OS is unsupported):
####### (http://blogs.technet.com/jhoward/archive/2005/02/22/378033.aspx)
Access Based Directory Enumeration - markshareforABDE.exe utility download (http://itpro.members.winisp.net/download/markshareforabde.exe)

Following the myriad of emails I received, here's a link to markshareforABDE.exe as used in my blogcast about Access Based Directory Enumeration a few days ago. Many thanks to DuWayne Harrison at Microsoft in the US, the author of this tool for giving his permission to make this available. Please be aware that there is absolutely no support from PSS and all standard disclaimers apply as per resource kit tools. In other words, any use you make of this utility is entirely at your own risk.

Usage is straightforward: markshareforABDE <sharename> 0|1 [servername] where 0=off and 1=on
#######

I still prefer to use the JOEWARE tool as it provides the possibility to configure OTHER share flags, which the above-mentioned tool can't do.

Jorge

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 4, 2005 3:17
To: 'Jorge de Almeida Pinto'; [email protected]
Subject: RE: [ActiveDir] Access Based Enumeration in W2K3 SP1

It should be available with the OS. 

I am glad they finally did this. I could have used it 10 years ago when moving a company from OS/2 servers to NT4 Servers.


-----Original Message-----
From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 03, 2005 5:15 PM
To: 'joe '; '[EMAIL PROTECTED] '; '[email protected] '
Subject: RE: [ActiveDir] Access Based Enumeration in W2K3 SP1

 Joe,

What do you mean by "That tool shouldn't even be necessary"?

Jorge

-----Original Message-----
From: [EMAIL PROTECTED]
To: [email protected]
Sent: 4/3/2005 10:29 PM
Subject: RE: [ActiveDir] Access Based Enumeration in W2K3 SP1

LOL. That tool shouldn't even be necessary. But in the meanwhile, it is available for use. Enjoy!
 
   joe

  _____ 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Jorge de Almeida Pinto
Sent: Friday, April 01, 2005 6:11 AM
To: [email protected]
Subject: [ActiveDir] Access Based Enumeration in W2K3 SP1



Hi,

I installed it today on a VM guest (DC) and it installed OK.
However, configuring the ABE feature is not possible through the GUI. I wonder why they don't provide some checkbox to configure this as I think this is one of the features people have been waiting for!

However you can use the SHAREFLGS tool from JOEWARE to configure ABE

Joe: like the other tools, the SHAREFLGS tool will be famous for its possibilities! ;-))

Cheers
Jorge


This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
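
The thread refers to viewing share flags for every share on a machine and to the NetShareSetInfo API. The following read-only audit is an added example, not code from any poster, from joeware or from Microsoft: it reads each disk share's flags with NetShareGetInfo level 1005 and reports whether the ABE bit is set. The names `Get-ShareFlags` and `Audit.NetApi` are hypothetical, and marking SYSVOL and NETLOGON as key shares is an assumption taken from the list in the first message.

```powershell
# Added example: read-only audit of share flags (nothing is modified).
Add-Type -Namespace Audit -Name NetApi -MemberDefinition @'
[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern int NetShareGetInfo(string server, string share, int level, out IntPtr buf);
[DllImport("netapi32.dll")]
public static extern int NetApiBufferFree(IntPtr buf);
'@

# SHI1005_FLAGS_* bit values from lmshare.h (the CSC caching field, mask 0x0030, is not decoded).
$FlagNames = [ordered]@{
    0x0001 = 'DFS'
    0x0002 = 'DFS_ROOT'
    0x0100 = 'RESTRICT_EXCLUSIVE_OPENS'
    0x0200 = 'FORCE_SHARED_DELETE'
    0x0400 = 'ALLOW_NAMESPACE_CACHING'
    0x0800 = 'ACCESS_BASED_DIRECTORY_ENUM'   # the ABE flag discussed in the thread
}

function Get-ShareFlags {
    param([string]$Server = $env:COMPUTERNAME)
    # Only go through remote CIM when auditing another machine.
    $cim = @{ ClassName = 'Win32_Share' }
    if ($Server -ne $env:COMPUTERNAME) { $cim.ComputerName = $Server }
    # Type 0 = ordinary disk share; admin shares (C$, ADMIN$, IPC$) have other Type values and are skipped.
    Get-CimInstance @cim | Where-Object { $_.Type -eq 0 } | ForEach-Object {
        $share = $_.Name
        $buf = [IntPtr]::Zero
        $rc = [Audit.NetApi]::NetShareGetInfo("\\$Server", $share, 1005, [ref]$buf)
        if ($rc -ne 0) { Write-Warning "${share}: NetShareGetInfo returned $rc"; return }
        # The buffer is a SHARE_INFO_1005 whose only member is the DWORD shi1005_flags.
        try     { $flags = [Runtime.InteropServices.Marshal]::ReadInt32($buf) }
        finally { [void][Audit.NetApi]::NetApiBufferFree($buf) }
        $set = $FlagNames.GetEnumerator() | Where-Object { $flags -band $_.Key } |
               ForEach-Object { $_.Value }
        [pscustomobject]@{
            Share    = $share
            Flags    = '0x{0:X4}' -f $flags
            ABE      = [bool]($flags -band 0x0800)
            FlagsSet = $set -join ','
            KeyShare = $share -in 'SYSVOL', 'NETLOGON'   # assumption: review these separately
        }
    }
}

# Shares without ABE sort first.
Get-ShareFlags | Sort-Object ABE, Share | Format-Table -AutoSize
```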


