From: Laura A. Robinson <larobins(at)bellatlantic.net>
Date: Fri Jan 24 2003 - 09:57:37 EST


An excellent answer, but there is one thing I'd point out- you state: "(Note that "Authenticated Users" can still include Guests - because Guests can be logged in with a valid username and password - but "Users" is a fixed-membership group and DOES NOT include Guests.)"

This is actually not the case. "Users" is a local or domain local group that, by default, contains Domain Users and Authenticated Users in any domain environment (as well as the Interactive account; more on that later). Therefore, if Authenticated Users includes Guests and Users includes Authenticated Users...

For more information (see table 7-12):

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp

or

http://tinyurl.com/4ucv

[There are some ambiguous statements in the above reference (the "tip" sections) that, if read exactly as written, are incorrect, but that aside...where those tips read "Administrator", substitute "Administrator account in the domain/forest root domain" and the statements become correct.]

Additional information:
http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/sag_SEconceptsImpGroups.htm

Also, the IUSR_ and IWAM_ accounts are members of Guests and *Domain Users* by default, not Guests and Authenticated Users, although the act of the account being used would then make it a member of Authenticated Users for the time that the account was active.

Authenticated Users is a system group whose membership is determined by the activities of security principals. You cannot explicitly populate Authenticated Users; you can only use it in ACLs. You'll notice that you don't see it in AD Users and Computers, for example, but you'll see it when you add security principals to an ACL on a file system or AD object. The Interactive and Anonymous Logon accounts are similar to Authenticated Users in that you cannot see them listed in AD, but can see them in ACLs and can assign permissions to them. They are system accounts, and like system groups, are "owned" by NT AUTHORITY, or the operating system itself.

Authenticated Users includes any authenticated security principal from the local domain or any trusted domain. This includes guest accounts.

Domain Users includes any authenticated security principal from only the local domain, not any trusted domains. This includes guest accounts.

Authenticated Users was added around SP4 for NT4 to separate unauthenticated connections (null connections) from authenticated connections.

Everyone, another system group, in Windows 2000 and earlier includes all authenticated security principals, guests *and* Anonymous logon. In Windows Server 2003, Everyone does not include Anonymous logon unless you explicitly configure this to occur. The ADPrep /forestprep process separates Anonymous from Everyone as part of the schema upgrade process.

Users is not a fixed-membership group. On a non-DC, it is a local group, and on DCs, it is a domain local group- both of which can be populated directly. You can edit the membership of Users, Domain Users, Guests and Domain Guests, but not Authenticated Users, Everyone or Anonymous logon.

As you mention, Authenticated Users can (and, in fact, does) include Guest/Guests/Domain Guests. The act of providing identifiable credentials for an account, even a guest account, makes that security principal an Authenticated User.

The Guest account and Anonymous Logon are very different things.

So, to summarize, here is the difference between Everyone and Authenticated Users:

Everyone includes any security principal from the local domain, including guest accounts; any security principal from any trusted domain, including guest accounts, and the Anonymous logon system account.

Authenticated Users includes any security principal from the local domain, including guest accounts; any security principal from any trusted domain, including guest accounts, and does _not_ include the Anonymous logon system account.

As I mentioned before, Windows Server 2003 (and Windows XP, as well) separates the Anonymous Logon system account from the Everyone group.

And one last link, just to make this even wordier. <G>

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsnetserver/proddocs/datacenter/windows_security_differences.asp

So, have I pounded on the whole "difference_between_Everyone_and_Authenticated_Users_is_the_**Anonymous_Logon**_account_and_not_the_guest_account" thing enough yet?

Laura

> -----Original Message-----
> From: Kolde, Jennifer E. [mailto:jkolde@nosc.mil]
Received on Fri Jan 24 10:28:47 2003
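
Added example, not part of the original message: a small Python audit that reads a security descriptor in SDDL form and reports which allow ACEs reach guest accounts or Anonymous Logon under the default memberships the message describes. The sample descriptor is constructed, the function names are hypothetical, and the `everyone_includes_anonymous` switch stands for the Windows 2000 behaviour (True) versus the Windows Server 2003/XP default (False).

```python
import re

# SDDL trustee aliases (real SDDL SID strings) for groups named in the message.
ALIASES = {
    "WD": "Everyone", "AU": "Authenticated Users", "AN": "Anonymous Logon",
    "BU": "Users", "BG": "Guests", "DG": "Domain Guests",
}

def covers(trustee, everyone_includes_anonymous):
    """Return which low-trust subjects ('guest', 'anonymous') an ACE for this
    trustee reaches, using the default memberships described in the message."""
    reach = set()
    # A guest account that presents credentials is an Authenticated User, and
    # Users contains Authenticated Users by default (its membership is editable,
    # so this is an assumption about an unmodified system).
    if trustee in ("WD", "AU", "BU", "BG", "DG"):
        reach.add("guest")
    # Anonymous Logon is reached by name, or through Everyone on Windows 2000
    # and earlier (or a later system configured to include it).
    if trustee == "AN" or (trustee == "WD" and everyone_includes_anonymous):
        reach.add("anonymous")
    return reach

def audit_dacl(sddl, everyone_includes_anonymous=False):
    """List (trustee name, rights, reach) for each allow ACE in the DACL.
    This flags trustees only; it is not an effective-access calculation."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    findings = []
    if not dacl:
        return findings
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A":  # skip deny and malformed ACEs
            continue
        trustee = fields[5]
        reach = covers(trustee, everyone_includes_anonymous)
        if reach:
            findings.append((ALIASES.get(trustee, trustee), fields[2], sorted(reach)))
    return findings

# Constructed sample: Administrators full control, Everyone read/execute,
# Authenticated Users read, Users write (inherited by children).
SAMPLE = "O:BAG:SYD:PAI(A;;FA;;;BA)(A;;0x1200a9;;;WD)(A;;FR;;;AU)(A;OICI;FW;;;BU)"

if __name__ == "__main__":
    for mode in (True, False):
        print("Everyone includes Anonymous Logon:", mode)
        for name, rights, reach in audit_dacl(SAMPLE, mode):
            print(f"  {name:20} {rights:10} reaches {', '.join(reach)}")
```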

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:26 EDT

