I’ve had that a few times (maybe I need to get out more?), and one of those times was a few years ago with a tool from Microsoft, named as only MS can: Windows Server 2003 Access Based Enumeration or ABE. I took it for granted that everyone knew about this great tool, and was using it. That was until I suggested to a client that it may help his corporate share restructering project, and he looked at me blankly. In fact the more people I’ve mentioned this to, the more blank looks I’ve got. So, if you’ve not heard of it you’re probably asking what the damned thing does?

ABE, is a very small download from Microsoft, that provides a piece of functionality everyone has been wishing for since, well NT4 in my case. Basically when you have a user connect to a shared folder, and they are browsing within that folder structure, if they don’t have permission to a folder/file then they just don’t see it. Gone are the previous issues of getting access denied messages, followed by helpdesk calls to clarify if they should be allowed in to Folder Y. Great huh?

As part of installing ABEUI.msiyou have the following options:

Configuration choice during installation

Post installation changes can be made through CLI using abecmd.exe or through a tab on the share’s property dialog:

Options for configuration ABE on the Property sheet of the share folder

Acess Based Enumeration requires Windows Server 2003 with Service Pack 1. It’s not required on Windows Server 2008, because the behaviour is already included, but is not configurable. Finally ;)

Now it appears that there’s a much easier work around, leveraging what seems to be a design choice in activation for some of the large OEM’s.

The article explaining this issue can be found on the Australian PC Mag website.

In short, it would appear Microsoft provided an offline activation mechanism dependent on:

It allows the “Royalty OEMs” to embed specific licensing information into the operating system which Vista can activate without having to go back to Microsoft for verification. The licensing components include the OEM’s hardware-embedded BIOS ACPI_SLIC (which has been signed by Microsoft), an XML certificate file which corresponds to this ACPI_SLIC and a specific OEM product key.

I agree with the author of the article, in that I really thought MS might have made some serious inroads into halting the widespread Windows piracy. However, by providing an offline solution, have they opened the stable door?

As usual it goes to show, that your security is only as strong as your weakest link ….

As Microsoft’s 3rd Law of security states, if you have physical access, then it’s not your box anymore. And this is just another good reason why physical security is one layer in your security policy. You do have a multi-layered security policy don’t you?

Really, this comes down to, why MS:

1. Give an anonymous console user the ability to kick of a SYSTEM level process. DOH!
2. Not having the GINA validate what it is launching.
3. Having this as the default and not an option. DOH! Again!
4. SYSTEM Full Control over the Active Directory – Priceless!

Windows Server 2008 is moving in the right direction, they are reducing attack surfaces out-of-the-box and producing a more secure, leaner OS, which is great. I guess they missed this one ….

The post is well worth a read, cheers Dean :)