October 6, 2016
Use nested traversal groups to allow access to ABE-enabled grandchild folders.
Say you have the following structure:
- \\DOMAIN\DFS\Folder1\ <- UserA can access this folder.
- \\DOMAIN\DFS\Folder1\Folder2 <- UserA has no privileges on this folder.
- \\DOMAIN\DFS\Folder1\Folder2\Folder3 <- UserA has modify access to this folder, subfolders and files.
- \\DOMAIN\DFS\Folder1\Folder2\Folder4 <- UserA has no privileges on this folder.
With ABE enabled, UserA will not see Folder2 at all, even though they do have access to Folder3 beneath it. The usual reaction is to grant UserA permissions on Folder2, but when that is done incorrectly (for example by letting the new Read permission inherit to subfolders), UserA can now also enumerate Folder4, a folder they should not even have known existed.
This comes up a lot, and there is a good way to handle it:
- Create the ACL Group: ACL_Folder1-Folder2_TRAVERSE and make UserA a member.
- Add the (Advanced) ACL on Folder2: ACL_Folder1-Folder2_TRAVERSE -> Read -> This Folder Only
Now, let’s extend the scenario a level deeper:
- \\DOMAIN\DFS\Folder1\ <- UserA can access this folder.
- \\DOMAIN\DFS\Folder1\Folder2 <- UserA has no privileges on this folder.
- \\DOMAIN\DFS\Folder1\Folder2\Folder3 <- UserA has no privileges on this folder.
- \\DOMAIN\DFS\Folder1\Folder2\Folder4 <- UserA has no privileges on this folder.
- \\DOMAIN\DFS\Folder1\Folder2\Folder3\Folder5 <- UserA has modify rights on this folder, subfolders and files.
This is handled in much the same way, but in this case it is smarter to nest the traversal groups so the user only needs membership in the deepest one.
- Create the ACL Group: ACL_Folder1-Folder2_TRAVERSE.
- Create the ACL Group: ACL_Folder1-Folder2-Folder3_TRAVERSE.
- Make the Folder3 traverse group a member of the Folder2 group.
- Make UserA a member of the Folder3 traverse group.
- Add the (Advanced) ACL on Folder2: ACL_Folder1-Folder2_TRAVERSE -> Read -> This Folder Only
- Add the (Advanced) ACL on Folder3: ACL_Folder1-Folder2-Folder3_TRAVERSE -> Read -> This Folder Only
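The six steps above, scripted in PowerShell as an added example (this is not code from the original post). It assumes the ActiveDirectory RSAT module on a domain-joined admin host, an OU for ACL groups at the made-up distinguished name below, that the DFS paths resolve and are writable by the account running the script, and that "This Folder Only" in the advanced ACL editor corresponds to an ACE with no inheritance and no propagation flags.

```powershell
#Requires -Modules ActiveDirectory
# Added example: nested traversal groups plus "Read -> This Folder Only" ACEs
# so an ABE user can reach Folder5 without being able to enumerate Folder4.

$Domain  = 'DOMAIN'                            # NetBIOS domain name (assumed)
$GroupOU = 'OU=ACL Groups,DC=domain,DC=local'  # OU for ACL groups (assumed placeholder)
$UserA   = 'UserA'                             # sAMAccountName of the user

# Traversal groups and the folder each one protects, outermost folder first.
$Traverse = @(
    @{ Name = 'ACL_Folder1-Folder2_TRAVERSE';         Path = '\\DOMAIN\DFS\Folder1\Folder2' },
    @{ Name = 'ACL_Folder1-Folder2-Folder3_TRAVERSE'; Path = '\\DOMAIN\DFS\Folder1\Folder2\Folder3' }
)

# 1-2. Create the groups if they do not exist (domain-local is the usual scope for resource ACL groups).
foreach ($g in $Traverse) {
    if (-not (Get-ADGroup -Filter "Name -eq '$($g.Name)'")) {
        New-ADGroup -Name $g.Name -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU
    }
}

# 3-4. Nest: the Folder3 traverse group is a member of the Folder2 traverse group,
#      and UserA is a member of the Folder3 traverse group only.
Add-ADGroupMember -Identity $Traverse[0].Name -Members $Traverse[1].Name
Add-ADGroupMember -Identity $Traverse[1].Name -Members $UserA

# 5-6. Add "Read -> This Folder Only" for each group on its folder.
#      FileSystemRights.Read = ListDirectory + ReadAttributes + ReadExtendedAttributes + ReadPermissions.
#      InheritanceFlags.None and PropagationFlags.None = "This folder only" in the advanced editor.
foreach ($g in $Traverse) {
    $acl = Get-Acl -Path $g.Path
    $ace = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList "$Domain\$($g.Name)", 'Read', 'None', 'None', 'Allow'
    $acl.AddAccessRule($ace)
    Set-Acl -Path $g.Path -AclObject $acl
}

# Verify: each traversal ACE should be explicit (IsInherited False) and carry no inheritance
# or propagation flags, i.e. it must not flow down to Folder4 or other siblings.
foreach ($g in $Traverse) {
    (Get-Acl -Path $g.Path).Access |
        Where-Object { $_.IdentityReference -like "*\$($g.Name)" } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
}
```

The verification loop is the check worth keeping: if an ACE for a TRAVERSE group ever shows `ContainerInherit` or `ObjectInherit`, the subfolders (including Folder4) become visible under ABE again. Note that `Read` deliberately omits Traverse Folder / Execute File; the scheme still works because Windows grants the "Bypass traverse checking" privilege to Everyone by default, so the Read ACE is only there to make Folder2 and Folder3 visible to the user.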
This keeps the ACLs clean and lets you attach the most explicit permission needed to the user.