How to Map a Network Drive and Enable Access Based Enumeration
Drive mapping is a technique that is used to simplify the process of accessing shared folders from a local computer. In mapping, a drive letter is assigned to a shared folder, letting the folder be accessed as though it were a local drive.
However, in an organization, users may need to see only the folders to which they have access. For example, if a shared folder consists of folders for every department such as Sales, IT, HR, and so on, an employee belonging to the Sales department does not need to view or access the IT folder. Hiding it is desirable for both security and usability reasons.
This article explains how to map a network drive using Access Based Enumeration, which can be configured using the Server Manager and by using PowerShell scripting.
What is Access Based Enumeration (ABE)?
Access Based Enumeration (ABE) displays only the files and folders to which the user has access permissions. A folder is hidden from the user's view if they do not have Read or equivalent permissions on it. This feature applies only to shared folders and is not available when viewing files and folders on the local drive or file system. The main advantages provided by this feature are increased confidentiality and usability.
As folders can be hidden from users who do not have access to them, there is an additional level of security. Employees are given access to only the folders that are required for work and not any other folders or files. Besides an increase in security, the user experience is also improved. Because files and folders the user cannot access are not displayed, there is no distraction while searching for specific data. This also helps avoid confusion regarding which folders the user has access to. When all the folders on the shared drive are visible, the user tends to get confused as to which folders they can and cannot access, which ultimately has to be resolved by the IT administrators.
Mapping a Network Drive and Enabling Access Based Enumeration
Mapping a Network Drive
The drive mapping can be performed using the following steps and then Access Based Enumeration can be enabled to show only the folders to which the user has access.
- Create a top-level folder that is going to be shared.
- Create sub-folders within the folder which will be shared with different users. For example, sub-folders for each department such as Sales, IT and HR can be created.
- Open the Server Manager and select the Properties of the top-level folder and navigate to the Advanced Sharing tab. Select the Share this folder option and enter the Share name.
- Navigate to Permissions and set the required permissions and save changes.
- In the Permissions tab, click on Add > Select Principal and select This folder only from the Applies to drop-down list. Click on Show Advanced Permissions, select the required options, and click OK > Apply.
- Create security groups that will be delegated the Read/Write access to each folder.
- Delegate access to the folders and add the user to a security group that was granted Modify access.
Enabling Access Based Enumeration
Access Based Enumeration can be enabled by following the instructions given below.
- Open the Server Manager on the server containing the shared folder. This can be done by typing ServerManager on the Command Prompt or by launching it from the Start menu.
- Click on File and Storage Services from the left pane of the Server Manager console.
- Next click on Share from the left pane of the console.
- From the list, choose a network folder for which Access Based Enumeration needs to be enabled.
- Right-click on the chosen folder and select the Properties option.
- In the Share Properties dialog box, switch to the Settings tab.
- Select the Enable Access-based Enumeration option.
Access Based Enumeration using PowerShell
1. Access Based Enumeration can be configured using the following PowerShell command.
Set-SmbShare -Name "Share" -FolderEnumerationMode AccessBased
2. The settings can be verified using the following command.
Get-SmbShare -Name "Share" | Select-Object Name,FolderEnumerationMode
3. All the local shares can be checked using the following command.
Get-SmbShare | Select-Object Name,FolderEnumerationMode
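The folder, permission and ABE steps above can also be scripted end to end. The following is an added example, not part of the original article; the path D:\Shares\Departments, the share name Departments, the CONTOSO domain and the <Dept>-RW group names are assumptions, and the specific permissions chosen are one reasonable layout rather than the article's own.

```powershell
# Added example. Assumed names: $Root, $ShareName, and the CONTOSO\<Dept>-RW
# security groups, which must already exist or AddAccessRule/Set-Acl will throw.
# Run in an elevated session on the file server.
$ErrorActionPreference = 'Stop'
$Root        = 'D:\Shares\Departments'
$ShareName   = 'Departments'
$Domain      = 'CONTOSO'
$Departments = 'Sales', 'IT', 'HR'

$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$ThisDir = [System.Security.AccessControl.InheritanceFlags]::None   # "This folder only"

function New-Rule([string]$Identity, [string]$Rights, $Flags) {
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        $Flags,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# Top-level folder: stop inheriting from the volume, then let every user list
# the root itself. Because that rule is "This folder only", sub-folders do not
# inherit it, which is what allows ABE to hide them from non-members.
New-Item -ItemType Directory -Path $Root -Force | Out-Null
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl' $Inherit))
$acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM' 'FullControl' $Inherit))
$acl.AddAccessRule((New-Rule 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute' $ThisDir))
Set-Acl -Path $Root -AclObject $acl

# One sub-folder per department; only that department's group gets Modify.
foreach ($dept in $Departments) {
    $path = Join-Path $Root $dept
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule((New-Rule "$Domain\$dept-RW" 'Modify' $Inherit))
    Set-Acl -Path $path -AclObject $acl
}

# Create the share with ABE on, or switch it on if the share already exists.
if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force
} else {
    New-SmbShare -Name $ShareName -Path $Root -ChangeAccess 'Authenticated Users' `
        -FolderEnumerationMode AccessBased | Out-Null
}
Get-SmbShare -Name $ShareName | Select-Object Name, Path, FolderEnumerationMode
```

ABE only filters what is listed; the NTFS permissions set in the loop are what actually control access, so a member of CONTOSO\Sales-RW browsing the share should see only the Sales folder.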
In conclusion, Access Based Enumeration can make drive mapping more efficient by showing users only the folders that their access permissions allow. This helps both users and administrators. However, the major drawback of this method is that it creates an additional load on the server, which in turn impacts the performance of the server. Hence, this method must be employed after considering its capabilities and potential limitations.