Access Based Enumeration with Parks Authorization Manager
by Ute Schwietering
Access to protected resources can easily be controlled with folder and file permissions. In some cases, however, this is not enough: the name of a folder alone can reveal unwanted information without anyone accessing the files at all. This problem can be solved with access based enumeration, which has been available and supported since Windows 2003. A user only sees the folders for which he has access; all other folders remain invisible.
A user opens a departmental folder via a network share and sees the subfolder “Dismissal Mueller” there. Even though he cannot access any of the files in that folder, the folder name alone is enough to start rumours. Had access based enumeration been activated, he would not have seen the folder at all.
The corresponding network share property can easily be administered with Parks Authorization Manager (PAM) as from Version 2011.II. In this blog article I describe an example that explains the function.
We first create three organisational units "Apples", "Pears" and "Cherries" in the "General" category, e.g. in the PAM example company "Acme Inc.". We additionally need an Active Directory test user who is a member of the "Domain Users" group only.
Configuration of Access Based Enumeration
We first create a PAM base folder (fig. 1). This represents a folder on the hard disk in which the subfolders for the individual organisational units will later be created and which PAM will equip with separate access rights.
To simplify matters, the folder should not yet exist on the hard disk.
When the base folder is saved, PAM creates the specified folders, sets up the permissions, creates the network share and activates access based enumeration.
Now we need a folder template containing the folder structure and the permissions to be generated for each organisational unit (fig. 2).
For each organisation folder, Active Directory groups with read and write rights are generated.
Fig. 3 shows the group settings for write permission; the placeholder "$(OrgUnit)" in the name is replaced by the name of the organisational unit.
Now we set up the three organisation folders with PAM (for the new organisational units "Apple", "Pear" and "Cherry", fig. 4).
To do so we select the previously defined organisational units, the base folder and the matching folder template.
PAM has now set up three new subfolders on the hard disk, generated the new user groups in Active Directory and configured the access control lists of the folders (fig. 5).
Six new groups are now available in Active Directory to be granted to users (chart 1).
| Name of the group | Description |
| --- | --- |
| Apple_R | read access in directory "Apple" |
| Apple_W | write access in directory "Apple" |
| Pear_R | read access in directory "Pear" |
| Pear_W | write access in directory "Pear" |
| Cherry_R | read access in directory "Cherry" |
| Cherry_W | write access in directory "Cherry" |
Two groups are available for each of the newly set up organisation folders to be granted to users (fig. 6).
We now log on as the test user and open the folder generated by PAM via the network share (fig. 7).
Even though three subfolders exist on the server hard disk (fig. 5), they are not displayed because we have no permissions for them. A folder is only displayed when we have at least read rights.
Had access based enumeration not been active, we would have seen all folders but would have received the error message “access denied” when trying to open them.
Now we log on again as domain administrator and assign one of the new groups to the test user (fig. 8).
If we now log on again as the test user and open the base folder via the network share, we can see and access the subfolder “Apple”.
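The base folder, the three organisation folders, the _R/_W groups and the share with access based enumeration described above can also be produced with built-in Windows cmdlets; the following is an added example, not PAM's own code, and the base path D:\Shares\Acme, the share name "Acme", the domain NetBIOS name ACME and the group container OU=FileGroups,DC=acme,DC=local are assumptions. It ends with the check that the share really enumerates access based.

```powershell
# Added example (not PAM code): the PAM steps above with built-in cmdlets.
# Assumed, not from the article: base path, share name, domain name ACME,
# group OU; run elevated on the file server with RSAT (ActiveDirectory) present.
Import-Module ActiveDirectory
Import-Module SmbShare
$BasePath  = 'D:\Shares\Acme'
$ShareName = 'Acme'
$GroupOU   = 'OU=FileGroups,DC=acme,DC=local'
$OrgUnits  = 'Apple', 'Pear', 'Cherry'
$Access    = @{ R = 'ReadAndExecute'; W = 'Modify' }   # suffix -> NTFS right
$Wording   = @{ R = 'read'; W = 'write' }              # suffix -> description

function New-Ace($Identity, $Rights, $Inherit = 'ContainerInherit,ObjectInherit') {
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $Inherit, 'None', 'Allow')
}

# 1. Base folder: break inheritance; Administrators and SYSTEM get full control.
#    Authenticated Users may list the base folder only (ACE does not propagate),
#    so ABE hides every subfolder whose own ACL grants them nothing.
New-Item -ItemType Directory -Path $BasePath -Force | Out-Null
$acl = Get-Acl $BasePath
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl'))
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute' 'None'))
Set-Acl -Path $BasePath -AclObject $acl

# 2. Per organisation unit: subfolder, <OU>_R and <OU>_W groups, matching ACEs.
foreach ($ou in $OrgUnits) {
    $folder = Join-Path $BasePath $ou
    New-Item -ItemType Directory -Path $folder -Force | Out-Null
    $facl = Get-Acl $folder
    foreach ($suffix in 'R', 'W') {
        $name = "${ou}_$suffix"
        if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
            New-ADGroup -Name $name -Path $GroupOU -GroupScope DomainLocal `
                -GroupCategory Security -Description "$($Wording[$suffix]) access in directory $ou"
        }
        $facl.AddAccessRule((New-Ace "ACME\$name" $Access[$suffix]))
    }
    Set-Acl -Path $folder -AclObject $facl
}

# 3. Share with access based enumeration; the NTFS ACLs above decide visibility.
New-SmbShare -Name $ShareName -Path $BasePath -FolderEnumerationMode AccessBased `
    -FullAccess 'BUILTIN\Administrators' -ChangeAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
# 4. Check: FolderEnumerationMode must read AccessBased, otherwise folder names leak.
Get-SmbShare -Name $ShareName | Select-Object Name, Path, FolderEnumerationMode
```

Set-Acl must be able to resolve the freshly created groups on the file server; in a domain with several domain controllers, wait for replication (or create the groups against the same DC with -Server) before the ACEs are applied.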
Access based enumeration of folders and files is a useful function for enforcing the need-to-know principle in file systems and thereby improving security. It should be activated for all departmental and project base folders. The necessary settings can be administered easily and securely with Parks Authorization Manager (PAM).