Disappearing data after a migration – Access-based Enumeration

One thing I love about Windows is the fact that there is still a whole lot left for me to learn about it. Not just the big infrastructure services that Windows provides, but the little additions that have come about in recent Windows versions. Now, I know what I am about to talk about is not exactly new; it was first introduced in Windows 2003 SP1. But this was something that fell off my radar, and I didn't really notice it until recently. So I will try to publicize it in case it fell off your radar too.

So let's say you have a share that users access. The share resides on a file server that runs Windows 2003. The share has 50 folders, and not all users have access to all folders. When a user tries to access a folder to which access is denied, an access denied message appears. Awesome! Now you decide to take advantage of a newer OS, and we will use Windows 2008 R2 as the example. So you migrate the data over to the 2008 R2 file server and enable the share. Suddenly pigs start flying, your wife starts agreeing with you and the Patriots start beating the Giants in the Super Bowl. What happened?

So you start hearing things like, "Hey, I can only see 20 folders; before I was able to see 50". People throw out all kinds of different numbers, and your initial reaction is: what in the world! Of course the folders are all there, and you can confirm that when you log in to the server yourself with your administrative access. So what happened? Why are users not able to view all the folders in the share? Well, your Windows server just got a little more secure.

What you will start noticing is that users are only able to see the folders they have access to. So if a user only has access to the "Finance" folder in the share, the only folder that will appear out of the 50 folders in this share is "Finance". Pretty nifty, aye! So if one doesn't have access to a folder, the folder is invisible. This happens because of a feature called "Access-based Enumeration". You can read more about it in this article. And yes, this is enabled by default.

So the obvious question is: can this be disabled? Well, without getting into why you would want to do this, the simple answer is YES. On the 2008 R2 file server, go to the properties of the share using the "Share and Storage Management" console.

Once there, click the "Advanced" button in the "Sharing" tab and there it is. Unchecking the checkbox will disable this feature, and your environment will be vulnerable once again: your users will start seeing folders they don't have access to. My advice: leave it enabled. Why tease them when they can't access it? :)
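The console walk-through above is fine for one share, but after a migration you usually want to confirm the setting on every share at once. The following PowerShell is an added example, not part of the original post: it uses the SmbShare cmdlets (Get-SmbShare / Set-SmbShare with the FolderEnumerationMode property), which assumes Windows Server 2012 or later; Windows Server 2008 R2 does not ship these cmdlets and exposes the setting only through the Share and Storage Management console described above. The function names Get-AbeStatus and Enable-Abe are my own.

```powershell
# Added example (not from the original post). Assumes the SmbShare module
# (Windows Server 2012 / Windows 8 and later). Function names are invented.

function Get-AbeStatus {
    # Report each user share and whether Access-based Enumeration is on.
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Skip the built-in administrative shares (C$, ADMIN$, IPC$); ABE is not
    # meaningful there and they are never what migrated users complain about.
    Get-SmbShare -CimSession $ComputerName |
        Where-Object { -not $_.Special } |
        Select-Object Name, Path,
            @{ Name       = 'AccessBasedEnumeration'
               Expression = { $_.FolderEnumerationMode -eq 'AccessBased' } }
}

function Enable-Abe {
    # Turn ABE on for one share. Supports -WhatIf so you can preview first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$ShareName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    if ($PSCmdlet.ShouldProcess("\\$ComputerName\$ShareName",
                                'Set FolderEnumerationMode = AccessBased')) {
        Set-SmbShare -Name $ShareName -CimSession $ComputerName `
            -FolderEnumerationMode AccessBased -Force
    }
}

# Usage: list every user share where ABE is off, then (preview only) turn it on.
# Drop -WhatIf once the list looks right.
Get-AbeStatus |
    Where-Object { -not $_.AccessBasedEnumeration } |
    ForEach-Object { Enable-Abe -ShareName $_.Name -WhatIf }
```

The audit half is the part worth keeping around: running Get-AbeStatus against the old and the new file server side by side explains the "I used to see 50 folders" tickets immediately, and a share that shows AccessBasedEnumeration = False on a server where everything else is True is the one somebody unchecked.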

