
RE: Bypass Traverse Checking?

From: Kolde, Jennifer E. <jkolde(at)nosc.mil>
Date: Tue Jan 21 2003 - 17:48:49 EST


Hello Scott,

"Bypass traverse checking" is a right that allows a user to navigate (traverse, browse) a directory structure, even if they do not have explicit permissions to access that directory.

With IIS 5.0, the IIS accounts (IUSR and IWAM) are part of the Guests standard group by default. IUSR and IWAM are also members of Authenticated Users, which is a special group with a dynamic membership. Its membership consists of anyone who happens to be logged in at the time with a valid userid and password.

So...changing "Bypass traverse checking" from "Everyone" to "Authenticated Users" should NOT affect IUSR and IWAM. (But I admit that I haven't done this in practice, so YMMV.)

In general, changing from "Everyone" to "Authenticated Users" is done to exclude null session (effectively unauthenticated) users from accessing resources. (Note that "Authenticated Users" can still include Guests - because Guests can be logged in with a valid username and password - but "Users" is a fixed-membership group and DOES NOT include Guests.)

Regards,
Jennifer

-----Original Message-----
From: Williamson, Scott [mailto:scott.williamson@htcinc.net]
Sent: Wednesday, January 15, 2003 10:11 AM
To: focus-ms@securityfocus.com
Subject: Bypass Traverse Checking?

I'm working on procedures for servers in our organization. I keep coming across the recommendation to set the following on a Windows 2000 Server. My problem is I have another administrator who believes this could cause problems in IIS. What are the list's opinions? Anyone heard of this causing problems?


User Rights Assignment - Set "Bypass Traverse Checking" - Remove Everyone and Replace with Authenticated Users.

Thanks in advance for your time,

Michael Scott Williamson
Systems Administrator

Received on Thu Jan 23 11:58:56 2003
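
One way to check the setting discussed in this thread, as an added example that is not part of the original messages: the PowerShell below parses the [Privilege Rights] section of a security-template export and reports which principals hold SeChangeNotifyPrivilege, the privilege constant behind "Bypass traverse checking". The INF fragment is constructed sample data, and the function name Get-PrivilegeHolders is hypothetical.

```powershell
# Constructed sample of a user-rights export, in the format written by:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# To audit a real server, replace $inf with: Get-Content rights.inf
$inf = @'
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
'@ -split "`r?`n"

# Well-known SIDs for the groups named in the thread.
$wellKnown = @{
    'S-1-1-0'      = 'Everyone';            'S-1-5-7'      = 'ANONYMOUS LOGON'
    'S-1-5-11'     = 'Authenticated Users'; 'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-545' = 'Users';               'S-1-5-32-546' = 'Guests'
}

# Return the principals (SIDs or account names) assigned a given privilege.
function Get-PrivilegeHolders {
    param([string[]]$Lines, [string]$Privilege)
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match "^\s*$([regex]::Escape($Privilege))\s*=\s*(.*)$") {
            return @($Matches[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return @()
}

$holders = @(Get-PrivilegeHolders -Lines $inf -Privilege 'SeChangeNotifyPrivilege')
foreach ($h in $holders) {
    $name = if ($wellKnown.ContainsKey($h)) { $wellKnown[$h] } else { $h }
    $note = switch ($h) {
        'S-1-1-0'  { 'REVIEW: recommendation is to replace with Authenticated Users' }
        'S-1-5-7'  { 'REVIEW: anonymous (null session) logon' }
        'S-1-5-11' { 'ok: recommended principal' }
        default    { '' }
    }
    '{0,-14} {1,-22} {2}' -f $h, $name, $note
}
if ($holders -notcontains 'S-1-5-11') {
    'Authenticated Users does not hold SeChangeNotifyPrivilege directly.'
}
```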

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:25 EDT

