ExtremeZ-IP and Access Based Enumeration

  • Product:
    ExtremeZ-IP
  • Version:
    3.2.2-current
  • Document Type:
    Info
  • Revised:
    3/17/2009
  • Reviewed:
    11/21/2006

Summary:

Access Based Enumeration (ABE) is a new feature in Windows Server 2003 SP1 (and above) that filters the shared folders that are visible to a user based on the user’s access rights. This prevents the display of folders or other shared resources that the user does not have the right to access.

ABE is designed for SMB connections and will not apply to users connecting to the server with any other method. However, Group Logic added an equivalent feature to ExtremeZ-IP long ago. These settings are located in the ExtremeZ-IP administrator or in the registry.

Description:

The two keys below are DWORDs and can be added in the following registry location for ExtremeZ-IP 4:
\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ExtremeZ-IP\Parameters4\NonRefreshable

ShowInaccessibleFiles
This controls whether users are able to see files for which they do not have at least “read attributes”. The “read attributes” property does not imply the ability to read a file, but only to be able to see what the permissions and other attributes of the file are.
"ShowInaccessibleFiles"=dword:00000001
Default: On (1)
Refreshable: No

ShowInaccessibleFolders
This controls whether users are able to see folders for which they have neither read nor write access.
"ShowInaccessibleFolders"=dword:00000001
Default: On (1)
Refreshable: No

To hide folders and files that the user does not have permission to access, save the following 5 lines as a text file with an extension of .reg to create a registry import file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExtremeZ-IP\Parameters4\NonRefreshable]
"ShowInaccessibleFiles"=dword:00000000
"ShowInaccessibleFolders"=dword:00000000

**ExtremeZ-IP must be restarted from the Services Control Panel for the changes to take effect (Start > Administrative Tools > Services).
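
The same check and change can be scripted from an elevated PowerShell prompt. This is an added example, not Group Logic's code: the key path and value names are the ones given in this article, the function names and output fields are illustrative, and a missing value is reported as the documented default of 1.

```powershell
# Key path and value names are taken from the article; everything else is illustrative.
$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\ExtremeZ-IP\Parameters4\NonRefreshable'
$Settings = 'ShowInaccessibleFiles', 'ShowInaccessibleFolders'

function Get-EzipEnumerationSetting {
    param([string]$Path = $KeyPath)
    # Returns $null if the key does not exist yet.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $Settings) {
        $present = ($null -ne $props) -and ($props.PSObject.Properties.Name -contains $name)
        # Per the article, both values default to On (1) when they are not set.
        $value = if ($present) { [int]$props.$name } else { 1 }
        [pscustomobject]@{
            Setting           = $name
            ExplicitlySet     = $present
            EffectiveValue    = $value
            HidesInaccessible = ($value -eq 0)
        }
    }
}

function Set-EzipHideInaccessible {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $KeyPath)
    if (-not (Test-Path -Path $Path)) {
        if ($PSCmdlet.ShouldProcess($Path, 'Create registry key')) {
            New-Item -Path $Path -Force | Out-Null
        }
    }
    foreach ($name in $Settings) {
        if ($PSCmdlet.ShouldProcess("$Path\$name", 'Set DWORD to 0')) {
            # -Force overwrites an existing value of the same name.
            New-ItemProperty -Path $Path -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }
    Write-Warning 'These values are not refreshable: restart ExtremeZ-IP from the Services Control Panel.'
}

# Report the current state; any row with HidesInaccessible = False still lists
# items the connecting user cannot open.
Get-EzipEnumerationSetting | Format-Table -AutoSize

# Preview the change first, then run without -WhatIf to apply it.
# Set-EzipHideInaccessible -WhatIf
```

Run the report again after restarting the service to confirm both rows show HidesInaccessible = True.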

A similar feature can be enabled within the ExtremeZ-IP administrator to control access for volumes:

Show Only Accessible Volumes
To enable this setting, go to ExtremeZ-IP Administrator > Settings > Security.

Home Directory Filtering
Finally, there is also a home directory feature in ExtremeZ-IP that can be enabled on a volume-by-volume basis, which will only show the client a directory if it matches their username or if it matches the path defined in their Active Directory profile for their home directory. More information on home directory filtering can be found in the Knowledge Base article below.
