Evaluating HTTP Commander
This week we evaluated the HTTP Commander product by Element-IT as a solution for a web-based file manager project. Our evaluation found many things to like about this product, including the ability to use Active Directory authentication. Via impersonation, the application also honors NTFS permissions on remote file shares. This item was what really sold HTTP Commander as the right solution in our case.
During our testing, we ran across an interesting problem. When using HTTP Commander as a less privileged user, we could navigate into folders on remote shares that we should not have been able to see. We were denied access when we tried to download files, but being able to navigate folders you don’t have rights to seemed wrong. A quick email to Element-IT support and we began troubleshooting the issue with them.
After a few remote troubleshooting sessions, we arrived at the point where the application was indeed doing what it was supposed to do. The problem was that Windows was granting access when it should not. Thanks be to God for a good night’s sleep and some time to dig. The solution was found.
The Solution – Access-Based Enumeration
When creating file shares on a Windows 2008 R2 Server, you will most likely be doing so via the File Server role. In this file server role, there is a file share management console used for creating and managing file shares. In this tool, there is a setting that is off by default that is labeled “Enable access-based enumeration”.
Access-based enumeration displays only the files and folders that a user has permissions to access. If a user does not have Read (or equivalent) permissions for a folder, Windows hides the folder from the user’s view. This feature is active only when viewing files and folders in a shared folder; it is not active when viewing files and folders in the local file system.
Reading this description, it makes perfect sense. The funny thing is that this setting is not turned on by default. Is there a reason why administrators would not want this setting on by default, so that users don’t see things they do not have access to?
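As an added example (not from the post or from Element-IT), here is a PowerShell audit that lists every non-administrative SMB share with its enumeration mode and flags the ones where access-based enumeration is still off. It assumes the SmbShare module (Windows Server 2012 / PowerShell 3.0 or later); on 2008 R2 the same setting is the checkbox in the share management console described above.

```powershell
# Added example, not part of the original post.
# Assumes the SmbShare module (Get-SmbShare / Set-SmbShare), i.e. Windows Server 2012+.

function Get-AbeStatus {
    # One object per non-special share (skips ADMIN$, C$, IPC$ and similar).
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        [pscustomobject]@{
            Name       = $_.Name
            Path       = $_.Path
            AbeEnabled = ($_.FolderEnumerationMode -eq 'AccessBased')
        }
    }
}

function Enable-Abe {
    # Turns on access-based enumeration for the named shares.
    param([Parameter(Mandatory)][string[]]$ShareName)
    foreach ($name in $ShareName) {
        Set-SmbShare -Name $name -FolderEnumerationMode AccessBased -Force
    }
}

$status = Get-AbeStatus
$status | Format-Table -AutoSize

$missing = $status | Where-Object { -not $_.AbeEnabled } | Select-Object -ExpandProperty Name
if ($missing) {
    Write-Warning "Access-based enumeration is disabled on: $($missing -join ', ')"
    # Remediate once you have reviewed the list:
    # Enable-Abe -ShareName $missing
}
```

ABE only hides entries from directory listings over SMB; NTFS ACLs still decide whether a file can actually be read, which is why the download was already denied in the test above.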
Thankfully, for us this allows us to move forward with final evaluation of HTTP Commander and the potential purchase and implementation. As an aside, I was extremely pleased with the remote support offered by Element-IT and Sergey. Twice I ended a remote support session suggesting it was probably something on our end and that I would let them know if we found the problem. On both occasions, I arrived at the office with an email in my inbox from Sergey with another idea and an offer to do another support session. Keep in mind that this level of support was all offered prior to our purchase of the product. Kudos to Sergey and the team!
Jason Davis said:
I’m curious to know how you have your instance of HTTP Commander set up. Are you using Windows authentication or forms with Windows authentication?
Tom said:
Hi there. We were using Windows authentication.
Jason said:
I’ve noticed that when using Windows authentication, especially with Safari, when you select log out, you can hit the back button and regain access without entering a password. Are you experiencing this?
Jason said:
I’m getting the following message. Have you had any experience with this? I feel that it is some permission error or something to do with UAC. I get this error when I try to log on to my IIS application with a non-administrator user account. However, if I log on with an administrative account, I don’t get the message, and for about 15 minutes afterwards a regular user can log on without getting the error. Then after about 15 minutes, a regular user will start getting the error again.
2012-12-16T22:57:54
https://website.com/web/Handlers/Config.ashx
Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
at Microsoft.Win32.Fusion.ReadCache(ArrayList alAssems, String name, UInt32 nFlag)
at System.Reflection.Assembly.EnumerateCache(AssemblyName partialName)
at System.Reflection.Assembly.LoadWithPartialNameInternal(String partialName, Evidence securityEvidence, StackCrawlMark& stackMark)
at System.Reflection.Assembly.LoadWithPartialName(String partialName, Evidence securityEvidence)
at System.Xml.Serialization.TempAssembly.LoadGeneratedAssembly(Type type, String defaultNamespace, XmlSerializerImplementation& contract)
at System.Xml.Serialization.XmlSerializer..ctor(Type type, String defaultNamespace)
at HttpCommander.PropertyManager..ctor(String dataFilePath)
at HttpCommander.Utils.get_PropertiesManager()
at HttpCommander.Config.ProcessRequest(HttpContext context)
Sergey Prunsky said:
Hello Tom, thank you for your review. It was a really strange problem on your server. Our developer, Sergey, said that the same thing happens with NTFS rights when Windows Explorer is used. Yes, the “enable ABE” checkbox helped to hide files. We have many clients, some of them don’t use ABE or haven’t enabled it, but they don’t have a situation where users can download files if NTFS rights prohibit that. It is a really strange situation.
Sergey Prunsky said:
2Jason Davis,
It is great to see you among our customers. I don’t see that you asked us about these problems, so I hope you fixed the problem. Related to logout: yes, this problem was in an old release of HTTP Commander because some browsers like Firefox and Chrome don’t provide a way to clear (terminate) Windows authentication, and users had to close their browser to terminate authentication. Later we found a solution to clear authentication when the user goes to the logout page: we send a wrong user name and password via JavaScript to another page that sends reply 200 OK. After that the browser remembers the wrong authentication info, but the application doesn’t work because the wrong user does not exist on the server OS.
Tom said:
Hi Sergey, Yes indeed it was strange. However, as I said in the article, I was extremely pleased with how you all worked to try to understand the problem and resolve it. My dealings with you and your staff were great. Keep up the great work.
Raoul Teeuwen said:
Hi Tom. Thanks for the review & post. At the end of the post you state “this allows us to move forward with final evaluation of HTTP Commander and the potential purchase and implementation”. Have you already been able to do that or when do you expect to be able? What, if any, other solutions besides HTTP Commander did you consider?