Evaluating HTTP Commander
This week we evaluated the HTTP Commander product by Element-IT as a solution for a web-based file manager project. Our evaluation found many things to like about this product, including the ability to use Active Directory authentication. Via impersonation, the application also honors NTFS permissions on remote file shares. This item is what really sells HTTP Commander as the right solution in our case.
During our testing, we ran across an interesting problem. When using HTTP Commander as a less privileged user, we could navigate to remote folders that we should not have been able to reach. Now, we were denied access to download files, but being able to navigate folders you don’t have rights to seemed wrong. A quick email to Element-IT support and we began troubleshooting the issue with them.
After a few remote sessions of troubleshooting, we arrived at a point where the application was indeed doing what it was supposed to. The problem was that Windows was granting access when it should not. Thanks be to God for a good night’s sleep and some time to dig. The solution was found.
The Solution – Access-Based Enumeration
When creating file shares on a Windows 2008 R2 Server, you will most likely be doing so via the File Server role. In this file server role, there is a file share management console used for creating and managing file shares. In this tool, there is a setting that is off by default that is labeled “Enable access-based enumeration”.
Access-based enumeration displays only the files and folders that a user has permissions to access. If a user does not have Read (or equivalent) permissions for a folder, Windows hides the folder from the user’s view. This feature is active only when viewing files and folders in a shared folder; it is not active when viewing files and folders in the local file system.
Reading this description makes perfect sense. The funny thing is that this setting is not turned on by default. Is there a reason why administrators would not want to default to this setting so that users don’t see things they do not have access to?
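To find every share on a file server where the setting is still off, the check can be scripted. The following is an added example, not part of the original post or of HTTP Commander; it assumes Windows Server 2012 or later, where the SmbShare PowerShell module is available (the 2008 R2 server described above uses the management console instead), and the function name is hypothetical.

```powershell
# Added example: audit SMB shares for access-based enumeration (ABE).
# Assumption: Windows Server 2012+ (SmbShare module), run from an elevated prompt.
function Get-ShareEnumerationAudit {
    [CmdletBinding()]
    param(
        # File servers to audit; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        # Only open a remote CIM session when the target is not the local machine.
        $cim = @{}
        if ($computer -ne $env:COMPUTERNAME) { $cim['CimSession'] = $computer }
        try {
            # -Special $false skips administrative shares such as C$, ADMIN$ and IPC$.
            $shares = Get-SmbShare @cim -Special $false -ErrorAction Stop
        } catch {
            Write-Warning "Cannot query ${computer}: $($_.Exception.Message)"
            continue
        }
        foreach ($share in $shares) {
            [pscustomobject]@{
                Computer = $computer
                Share    = $share.Name
                Path     = $share.Path
                Mode     = $share.FolderEnumerationMode
                # 'Unrestricted' means users can list folders they cannot open.
                AbeOn    = ($share.FolderEnumerationMode -eq 'AccessBased')
            }
        }
    }
}

# Report the shares that still expose folder names to users without Read access.
$findings = @(Get-ShareEnumerationAudit | Where-Object { -not $_.AbeOn })
$findings | Format-Table Computer, Share, Path, Mode -AutoSize

# Preview enabling ABE on each flagged share; remove -WhatIf to apply the change.
foreach ($f in $findings) {
    $cim = @{}
    if ($f.Computer -ne $env:COMPUTERNAME) { $cim['CimSession'] = $f.Computer }
    Set-SmbShare @cim -Name $f.Share -FolderEnumerationMode AccessBased -WhatIf
}
```

As the description above notes, the setting only filters what is listed through the share; NTFS permissions still decide what a user can actually open.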
Thankfully, for us this allows us to move forward with final evaluation of HTTP Commander and the potential purchase and implementation. As an aside, I was extremely pleased with the remote support offered by Element-IT and Sergey. Twice I ended a remote support session suggesting it was probably something on our end and I would let them know if we found the problem. On both occasions, I arrived at the office with an email in my inbox from Sergey with another idea and offer to do another support session. Keep in mind that this level of support was all offered prior to our purchase of the product. Kudos to Sergey and the team!