I am in the process of creating a new Windows 2008R2 file server and have some issues with Access Based Enumeration.

I don't just want to migrate all data and permissions as our structure has grown over the course of the past ~15 years and to be honest it's a mess. So I am trying to put as much effort into this as possible.

I set up a domain based DFS-N (Data) where shares for each department (dept1 to dept4) are published. While testing (yes, we have a test environment! Lucky us!) I stumbled across a bug(?) regarding Access Based Enumeration. Permissions will be handled through nesting of different permissive groups. My problem is that adding a user to a specific group for a subdirectory does not enable him to see/traverse the parent directories.

ABE is enabled on both the fileshare and DFS-N.


I have created the following directory structure:

\\DFSRoot\Data\
+---dept1
|   +---dir1
|   |   +---sub1
|   |   \---sub2
|   +---dir2
|   +---dir3
|   |   +---sub1
|   |   \---sub2
|   \---dir4
+---dept2
|   +---dir1
|   +---dir2
|   +---dir3
|   \---dir4
+---dept3
|   +---dir1
|   +---dir2
|   +---dir3
|   \---dir4
+---dept4
|   +---dir1
|   +---dir2
|   +---dir3
|   \---dir4
\---dept5
    +---dir1
    |   +---sub1
    |   \---sub2
    +---dir2
    +---dir3
    \---dir4
        +---sub1
        \---sub2

For each directory I created 3 groups:

So for \\DFSroot\Data\dept1 this would be

dl-dept1-list
dl-dept1-ro
dl-dept1-rw

For \\DFSroot\Data\dept1\dir1

dl-dept1-dir1-list
dl-dept1-dir1-ro
dl-dept1-dir1-rw

And for \\DFSroot\Data\dept1\dir1\sub1

dl-dept1-dir1-sub1-list
dl-dept1-dir1-sub1-ro
dl-dept1-dir1-sub1-rw

For everything else this scheme applies, too.

For each directory the corresponding groups are members of the list group of the next upper-level directory. So

dl-dept1-dir1-sub1-list
dl-dept1-dir1-sub1-ro
dl-dept1-dir1-sub1-rw

are members of dl-dept1-dir1-list

Inheritance is not broken. Those RO/RW groups have their respective permissions on their folder and every subdirectory within.

List groups have special permissions --> ListDirectory,ReadAttributes,ReadPermissions,Traverse --> This folder only

If I add $User to dl-dept1-dir1-sub1-rw to grant R/W permission to \\DFSroot\Data\dept1\dir1\sub1 the user is able to access the share dept1 (members of dl-dept1-list) but does not see any directories. $User cannot access dir1 via UNC path. $User can access sub1 via UNC path.

If ABE is disabled on the share $User can traverse directories without problems.

At this point I'm stuck and don't see what I am missing.

Maybe one of you can help. Thanks in advance.


I figured it out. My problem was a missing special permission. The LIST groups need read extended attributes for ABE to work.
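As an added example (not code from the original post), the following PowerShell shows the corrected "This folder only" ACE for a list group, with ReadExtendedAttributes included alongside ListDirectory, ReadAttributes, ReadPermissions and Traverse, plus an audit function that walks a share and flags list-group ACEs that still lack it. It assumes the dl-<path>-list naming scheme from the post; $Domain and $ShareRoot are placeholders for your NetBIOS domain and the folder the DFS-N link points to. ACLs are applied on the file server folder, not through the DFS namespace path.

```powershell
# Assumptions (replace with your own values): NetBIOS domain and the DFS link target folder
$Domain    = 'EXAMPLE'
$ShareRoot = 'D:\Data'

# Rights a list group needs on its own folder for ABE to show that folder:
# the four from the original scheme plus ReadExtendedAttributes.
$FSR = [System.Security.AccessControl.FileSystemRights]
$ListRights = $FSR::ListDirectory -bor $FSR::ReadAttributes -bor
              $FSR::ReadExtendedAttributes -bor $FSR::ReadPermissions -bor $FSR::Traverse

function Set-ListGroupAce {
    # Grants the list rights to $Group on $Folder only (no inheritance to children).
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][string]$Group     # e.g. 'dl-dept1-dir1-list'
    )
    $acl  = Get-Acl -LiteralPath $Folder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$Domain\$Group",
        $ListRights,
        [System.Security.AccessControl.InheritanceFlags]::None,   # "This folder only"
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    # Drop any existing explicit ACE for this group first so the rights are replaced, not stacked
    $acl.RemoveAccessRuleAll($rule)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Folder -AclObject $acl
}

function Test-ListGroupAce {
    # Reports every explicit dl-*-list ACE on $Folder and whether it carries ReadExtendedAttributes.
    param([Parameter(Mandatory)][string]$Folder)
    $acl = Get-Acl -LiteralPath $Folder
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }
        if ($ace.IdentityReference.Value -notlike '*\dl-*-list') { continue }
        [pscustomobject]@{
            Folder                    = $Folder
            Group                     = $ace.IdentityReference.Value
            ThisFolderOnly            = ($ace.InheritanceFlags -eq [System.Security.AccessControl.InheritanceFlags]::None)
            HasReadExtendedAttributes = (($ace.FileSystemRights -band $FSR::ReadExtendedAttributes) -ne 0)
        }
    }
}

# Usage: fix one folder from the post's layout, then audit the whole share for stragglers
Set-ListGroupAce -Folder (Join-Path $ShareRoot 'dept1\dir1') -Group 'dl-dept1-dir1-list'

Get-ChildItem -LiteralPath $ShareRoot -Directory -Recurse |
    ForEach-Object { Test-ListGroupAce -Folder $_.FullName } |
    Where-Object { -not $_.HasReadExtendedAttributes -or -not $_.ThisFolderOnly } |
    Format-Table -AutoSize
```

The audit deliberately skips inherited ACEs: the list-group entry must be an explicit, non-inheriting ACE on the folder itself, so an inherited copy showing up on a child would itself be a sign that "This folder only" was not applied. Note that ListDirectory, ReadAttributes, ReadExtendedAttributes, ReadPermissions and Traverse together are what the GUI presents as "Read & execute" (minus Synchronize), which is a quick way to spot-check a folder in the Security tab.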