To prevent users from seeing files and folders they cannot access, you can enable the SMB ABE feature. SMB ABE integrates with an Active Directory (AD) domain to provide granular access control for shared resources on NAS file systems that use the SMB protocol.
Background information
Access-based enumeration (ABE) is a feature of the Server Message Block (SMB) protocol and Windows file sharing services that provides more granular access control for shared resources.
If ABE is disabled, users can see all files and folders in a network share, even if they lack permission to access them. This visibility increases the risk of unauthorized access, data breaches, and data tampering.
When ABE is enabled, users can only see the files and folders they have permission to access when browsing shared resources. Content that a user lacks permission to access is hidden, even if it exists in the share. This enhances data security and availability, effectively isolates data, and prevents data breaches and tampering.
How it works
ABE filters the enumeration of files and folders at the file system layer, ensuring that only users with the required NTFS permissions can see the corresponding resources. This method provides granular access control without impacting performance.
Prerequisites
An SMB file system is mounted on a Windows client by an AD domain user.
Enable the ABE feature
-
Log on to the NAS console.
-
In the left-side navigation pane, choose .
In the upper-left corner of the page, select the resource group and region where the target file system is located.

-
Find the target file system and click its file system ID or click Manage.
-
Click the Access Control tab. In the SMB ABE section, click the Disabled switch to enable the ABE feature.
Verification example
This example shows how a host in an AD domain accesses an SMB share.
-
Enable the ABE feature for the target SMB file system. For more information, see Enable the ABE feature.
-
Log on to the AD domain-joined Windows client (for example, smbmock60.com) where the SMB file system is mounted.
-
Navigate to the SMB file system and create a shared file named
alice-only.txtand a folder namedeveryone.Mount the SMB share as the Z: drive using the administrator account and verify the contents of the shared directory:
After mounting the share, you can see the alice-only.txt file and the everyone folder in the Z: drive.net use z: \\nas-mount-target.nas.aliyuncs.com\myshare /user:SMBMOCK60.com\administrator YourPassword The command completed successfully. -
Set access permissions for the
alice-only.txtfile.This topic describes how to configure permissions by using an example in which the domain user alice has full read permissions on the
alice-only.txtfile, and the domain user sam does not have read permissions on thealice-only.txtfile.ImportantYou must also remove the default
Full Controlpermission from the Everyone user group. Otherwise, all users retainFull Controlpermission and can see the file.-
Domain user alice
On the Security tab of the properties for
Z:\alice-only.txt, confirm that the user alice (alice@smbmock60.com) has only the Read & execute and Read permissions selected in the Allow column. -
Domain user sam
On the Security tab of the properties for
Z:\alice-only.txt, view the Permissions for sam section. Confirm that the checkboxes for Full control, Modify, Read & execute, Read, and Special permissions are cleared. Only the checkbox for Write in the Allow column is selected. This indicates that the user sam has only write permissions for the file.
-
-
Set access permissions for the
everyonefolder.Grant the Everyone user group read and write permissions for the
everyonefolder to make it visible to all users.On the Security tab, in the Permissions for Everyone section, select the Read & execute, List folder contents, Read, and Write checkboxes in the Allow column.
-
Access the shared path as the domain users alice and sam to verify the results.
-
Domain user alice
-
Mount the SMB file system as smbmock60\alice.
net use z: \\nas-mount-target.nas.aliyuncs.com\myshare /user:SMBMOCK60.com\alice <Password>Replace
nas-mount-target.nas.aliyuncs.comwith your mount target address. Replace<Password>with the login password for alice. -
View the files in the shared path. Both the
alice-only.txtfile and theeveryonefolder are visible.
-
-
Domain user sam
-
Mount the SMB file system as smbmock60\sam.
net use z: \\nas-mount-target.nas.aliyuncs.com\myshare /user:SMBMOCK60.com\sam <Password>Replace
nas-mount-target.nas.aliyuncs.comwith your mount target address. Replace<Password>with the login password for sam. -
View the files in the shared path. Only the
everyonefolder is visible.
-
The results show that alice can see both the
alice-only.txtfile and theeveryonefolder in the shared directory. However, sam cannot see thealice-only.txtfile and can see only theeveryonefolder. This verifies that the ABE feature is working correctly. -