跳转到主内容

NetApp_Insight_2020.png 

How does Access Based Enumeration (ABE) work?

Views:
10
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
nas
Last Updated:

Applies to

ONTAP 9

Answer

When creating a (CIFS) share, for example TEST, with the accessbasedenum option, the CIFS share TEST is not hidden.

According to the Access Based Enumeration documentation, when access-based enumeration (ABE) is enabled on a CIFS share, users who do not have permission to access a shared folder or file underneath it (whether through individual or group permission restrictions), do not see that shared resource displayed in their environment.

Local administrators still have unrestricted enumeration. Members of the BUILTIN\Administrators group are granted unrestricted access to the local system. Thus, an account in this group would be able to enumerate the entire directory.By default, ABE is disabled.

7-mode:
  • To enable ABE
    • cifs shares -change sharename -accessbasedenum
  • To disable ABE
    • cifs shares -change sharename -noaccessbasedenum
Clustered ONTAP:

::> cifs share properties add -vserver [vserver name] -share-name [share] -share-properties access-based-enumeration

::> cifs share properties remove -vserver [vserver name] -share-name [share] -share-properties access-based-enumeration

Additional Information

For Example:

If creating a CIFS share TEST with the accessbasedenum option.

The share \FILERTEST is mapped with the user DOMAINuserA. A folder called PROVA is created with the permissions Owner/ Full Control for the DOMAINuserA.

Another user, such as DOMAINuserB, will be able to see the share TEST, but will not see the folder PROVA under the share \FILERTEST. This is the expected behavior.

There are some options to hide the cifs share TEST, such as:

Disabling the CIFS shares browsing with the -nobrowse option
Creating a share and appending the $ symbol to the end of the name.