Tagged: Access-based Enumeration
September 8, 2017 at 3:15 pm #2183
Applies To: Windows Server 2003 with SP1
Access-based Enumeration is a new feature included with Windows Server 2003 Service Pack 1. This feature allows users of Windows Server 2003–based file servers to list only the files and folders to which they have access when browsing content on the file server. This eliminates user confusion that can be caused when users connect to a file server and encounter a large number of files and folders that they cannot access.
What does Access-based Enumeration do?
Access-based Enumeration filters the list of available files and folders on a server to include only those that the requesting user has access to.
Who does this feature apply to?
This feature applies to:
IT professionals who want to control the user’s experience.
Access-based Enumeration allows users to see only files and folders that they have access to on a file server. This feature is not enabled by default.
To enable this feature, a property must be set on a file share to allow access-based enumeration. To enable this feature on your server, you can download a shell extension that provides both a graphical user interface for enabling access-based enumeration and a command-line interface for managing this feature. When this download is installed, a wizard will run that can automatically enable Access-based Enumeration on the shared folders on your computer. This download includes a white paper that provides further details about the shell extension, command-line interface, and the NetShareSetInfo application programming interface (API). This download is available on the Microsoft Download Center at
If you want to develop a tool yourself, you can use the NetShareSetInfo API. This property is an attribute of the NetShareSetInfo (API). For more information about the NetShareSetInfo API, see the Platform SDK and the MSDN Web site at http://go.microsoft.com/fwlink/?LinkId=46511. To enable Access-based Enumeration, you need to set a flag that points to the SHARE_INFO_1005 structure. For more information about the SHARE_INFO_1005 structure, see the Platform SDK and the MSDN Web site at http://go.microsoft.com/fwlink/?LinkId=45504.
The new flag to enable Access-based Enumeration is
#define SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS 0x0800
This flag is only applicable to Windows Server 2003 Service Pack 1 and will have no effect on other versions of the Windows
After the feature is enabled, a listing of the content in that share will present the content that the user has access to.
Why is this change important?
This change is important because this allows users to see only those files and directories that they have access to and nothing else. This mitigates the scenario where unauthorized users might otherwise be able to see the contents of a directory even though they don’t have access to it.
What settings are added or changed in Windows Server 2003 Service Pack 1?
The SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS flag has been added to the NetShareSetInfo API. The flag enables you to turn on the Access-based Enumeration feature.
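One way to set the flag through NetShareSetInfo, as an added example (not code from the original post or from Microsoft's download): it reads the share's current shi1005_flags with NetShareGetInfo at level 1005 and writes the value back with only the Access-based Enumeration bit changed, so the other share flags in the same DWORD are preserved. The helper names with_abe, abe_enabled and set_share_abe are hypothetical; the Win32 calls run only on Windows and assume administrative rights on the file server.

```python
import ctypes
from ctypes import POINTER, byref, c_uint32, c_void_p, c_wchar_p

SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS = 0x0800  # value given on this page
LEVEL_1005 = 1005  # info level that selects SHARE_INFO_1005


class SHARE_INFO_1005(ctypes.Structure):
    _fields_ = [("shi1005_flags", c_uint32)]  # single DWORD of share flags


def with_abe(flags, enable=True):
    """Return flags with only the ABE bit changed (hypothetical helper)."""
    if enable:
        return flags | SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS
    return flags & ~SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS & 0xFFFFFFFF


def abe_enabled(flags):
    """True if the share flags have Access-based Enumeration turned on."""
    return bool(flags & SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS)


def set_share_abe(share, enable=True, server=None):
    """Read-modify-write the share flags; returns (old_flags, new_flags).

    Windows only. server=None means the local computer.
    """
    netapi = ctypes.WinDLL("netapi32")
    netapi.NetShareGetInfo.argtypes = [c_wchar_p, c_wchar_p, c_uint32, POINTER(c_void_p)]
    netapi.NetShareSetInfo.argtypes = [c_wchar_p, c_wchar_p, c_uint32, c_void_p, POINTER(c_uint32)]
    netapi.NetApiBufferFree.argtypes = [c_void_p]

    buf = c_void_p()
    rc = netapi.NetShareGetInfo(server, share, LEVEL_1005, byref(buf))
    if rc != 0:
        raise OSError(rc, "NetShareGetInfo failed for share %r" % share)
    try:
        old = ctypes.cast(buf, POINTER(SHARE_INFO_1005)).contents.shi1005_flags
    finally:
        netapi.NetApiBufferFree(buf)  # the system allocated this buffer

    info = SHARE_INFO_1005(with_abe(old, enable))
    parm_err = c_uint32(0)
    rc = netapi.NetShareSetInfo(server, share, LEVEL_1005, byref(info), byref(parm_err))
    if rc != 0:
        raise OSError(rc, "NetShareSetInfo failed for share %r" % share)
    return old, info.shi1005_flags
```

Access-based Enumeration changes only what a directory listing returns; the permissions on each file and folder still decide whether it can be opened.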