
RE: Bypass Traverse Checking?

From: Tony Mason <Mason(at)osr.com>
Date: Mon Jan 20 2003 - 19:20:46 EST


"Traverse checking" is comparable to the 'x' bit check on a directory in UNIX systems - that is, it grants access to traverse the given directory. It does not impart permission to enumerate, add, or delete entries to the directory.

Traverse permission checks are disabled for any thread that has enabled the SeChangeNotifyPrivilege. Without this privilege, it requires that NTFS actually perform an ACL check to determine if the FILE_TRAVERSE bit is set within an ACE that applies to the caller. In addition, NTFS must also verify that operations which reveal the structure of the directory hierarchy are checked (the notable case here is directory change notification, used heavily by IIS and Explorer). These checks (in particular) are very expensive to perform because they require checking ACLs on all directories in the path (assuming successful access). Of course, if it only applies to unauthenticated users, the cost for the check is immaterial.

IIS does run under an authenticated (albeit minimally privileged) account. So long as that account has SeChangeNotifyPrivilege it seems ridiculous to believe that it would make any difference at all. On the other hand, given that IIS caches everything in memory, the cost of that check on first load of the cache doesn't seem so unreasonable - and then if your IIS server is compromised it would not be able to arbitrarily traverse through other directories - so perhaps NOT granting it this privilege is a good idea.

Provided that you understand the potential risk, I'd set up a test server, configure it this way and verify that IIS works the way you expect. If it does not, you may need to grant it this privilege, or explicitly list it on ACLs for those directories to which you wish to grant it traverse access.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: Williamson, Scott [mailto:scott.williamson@htcinc.net]
Sent: Wednesday, January 15, 2003 1:11 PM
To: focus-ms@securityfocus.com
Subject: Bypass Traverse Checking?


I'm working on procedures for servers in our organization. I keep coming across the recommendation to set the following on a Windows 2000 Server. My problem is I have another administrator who believes this could cause problems in IIS. What are the list's opinions? Anyone heard of this causing problems?

User Rights Assignment - Set "Bypass Traverse Checking" - Remove Everyone and Replace with Authenticated Users.

Thanks in advance for your time,

Michael Scott Williamson
Systems Administrator

Received on Wed Jan 22 14:18:06 2003
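As an added example (not from either message in the thread), here is a PowerShell audit of who currently holds the "Bypass traverse checking" right (SeChangeNotifyPrivilege) on the local server, evaluated against the recommendation quoted above: Everyone removed, Authenticated Users present. It assumes `secedit.exe` is available and the prompt is elevated; the well-known SIDs S-1-1-0 (Everyone) and S-1-5-11 (Authenticated Users) are standard Windows values.

```powershell
# Added example, not code from the thread. Audits the local
# "Bypass traverse checking" user right via a secedit policy export.

function Get-BypassTraverseHolders {
    param([string[]]$InfLines)   # lines of a 'secedit /export' INF file
    # The [Privilege Rights] section lists each right as, e.g.
    #   SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-11
    # SIDs are prefixed with '*'; the value may also be empty.
    $line = $InfLines | Where-Object { $_ -match '^\s*SeChangeNotifyPrivilege\s*=' } |
            Select-Object -First 1
    if (-not $line) { return @() }
    $value = ($line -split '=', 2)[1].Trim()
    if ($value -eq '') { return @() }
    return @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
}

function Test-BypassTraversePolicy {
    param([string[]]$Holders)
    $everyone      = 'S-1-1-0'    # well-known SID: Everyone
    $authenticated = 'S-1-5-11'   # well-known SID: Authenticated Users
    [pscustomobject]@{
        Holders               = $Holders
        EveryoneHasRight      = ($Holders -contains $everyone)
        AuthUsersHaveRight    = ($Holders -contains $authenticated)
        MatchesRecommendation = ($Holders -notcontains $everyone) -and
                                ($Holders -contains $authenticated)
    }
}

# Export the effective local user-rights policy and evaluate it.
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$holders = Get-BypassTraverseHolders -InfLines (Get-Content $inf)
Remove-Item $inf -ErrorAction SilentlyContinue

$result = Test-BypassTraversePolicy -Holders $holders

# Resolve SIDs to account names for readability; unknown SIDs are shown as-is.
$result.Holders | ForEach-Object {
    try {
        (New-Object System.Security.Principal.SecurityIdentifier $_).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch { $_ }
}
$result | Format-List
```

If `MatchesRecommendation` is `$false` on an IIS host, test the change on a staging server first, as the reply above advises, since the IIS worker account loses the ability to skip per-directory traverse checks once it is no longer covered by the right.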

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:25 EDT

