
RE: Bypass Traverse Checking?

From: dave <dave(at)netmedic.net>
Date: Wed Jan 29 2003 - 00:01:43 EST


Even though Laura hates me I have to agree with her. Although you can take that permission away if you give absolute permissions to everything that particular account (whatever the account may be) needs access to. You decide which is easier for the said account.

In the case of the IUSR_ account you can remove that permission as long as you give the explicit permissions to the needed files for it to operate. An easy tool to do that with is the IISlockdown.

It 1. Removes the IUSR from the guest group. 2. puts it in its own group. 3. Goes through and gives and denies permissions from that group.

Sample:
IUSER=501,5000000,15,1a028a35,70294ee,5fc894f0,3f7,
IWAM=501,5000000,15,1a028a35,70294ee,5fc894f0,3f8,
Backed up metabase
DenyACE<0(0 20),,>C:\WINNT\System32\inetsrv\httpext.dll
ACE C:\WINNT\System32\inetsrv\httpext.dll
DenyACE<0(0 20),,>C:\WINNT\System32\idq.dll
ACE C:\WINNT\System32\idq.dll
Disabled Internet Printing
/LM/W3SVC/
/LM/W3SVC/6/Root/
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\$NtServicePackUninstall$\command.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\$NtServicePackUninstall$\diskcomp.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\$NtServicePackUninstall$\diskcopy.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\$NtServicePackUninstall$\format.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\$NtServicePackUninstall$\ntdetect.com

DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\ServicePackFiles\i386\command.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\ServicePackFiles\i386\diskcomp.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\ServicePackFiles\i386\diskcopy.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\ServicePackFiles\i386\format.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\ServicePackFiles\i386\ntdetect.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\ServicePackFiles\i386\startrom.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\system32\chcp.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\system32\command.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\system32\DISKCOMP.COM
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\system32\DISKCOPY.COM
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\system32\edit.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\system32\FORMAT.COM
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\system32\graftabl.com

Etc....

Does a lot more as well.

Once again the answer to the original question. If I actually remember the original question.

No you do not have to leave "everyone" in "Bypass Traverse Checking" for IIS to work.  


Dave Kleiman
dave@netmedic.net
www.netmedic.net  

-----Original Message-----
From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
Sent: Monday, January 27, 2003 18:55
To: 'matthew patton'; focus-ms@securityfocus.com
Subject: RE: Bypass Traverse Checking?

Not a good idea as a rule of thumb. Giving _nobody_ this right will cause problems. For example:

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B290647
If you want Group Policy to work, this is a big one.

And this, again GP related:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B319808

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B272142
This is pretty significant if you use terminal services.

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B324333
This one affects IIS.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsnetserver/proddocs/datacenter/cluad_pr_59.asp
Clusters.


http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B243813

So, while you may remove the right for some, removing it across the board may not be wise.

Laura

> -----Original Message-----
http://mailplus.yahoo.com

Received on Wed Jan 29 10:27:25 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:26 EDT
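
An added example (not part of the original post, and not IISLockdown's own code): a small parser for the DenyACE lines of the sample log quoted in the message above, decoding the hex values into standard Windows file access rights. The post does not document the log format, so treating the second number in each parenthesised pair as an access mask is an assumption, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Standard Windows file access-mask bits (values from winnt.h).
FILE_RIGHTS = {
    0x000001: "FILE_READ_DATA", 0x000002: "FILE_WRITE_DATA",
    0x000004: "FILE_APPEND_DATA", 0x000008: "FILE_READ_EA",
    0x000010: "FILE_WRITE_EA",
    0x000020: "FILE_EXECUTE",  # same bit as FILE_TRAVERSE on a directory
    0x000040: "FILE_DELETE_CHILD", 0x000080: "FILE_READ_ATTRIBUTES",
    0x000100: "FILE_WRITE_ATTRIBUTES", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
FILE_ALL_ACCESS = 0x1F01FF

# Assumption: each "(a b)" pair inside DenyACE<...> ends in a hex access mask.
ENTRY = re.compile(r"^DenyACE<(?P<body>[^>]*)>(?P<path>.+)$")
PAIR = re.compile(r"\((?P<flags>[0-9a-fA-F]+) (?P<mask>[0-9a-fA-F]+)\)")

def decode_mask(mask):
    """Translate a numeric access mask into a list of right names."""
    if mask == FILE_ALL_ACCESS:
        return ["FILE_ALL_ACCESS"]
    names = [name for bit, name in FILE_RIGHTS.items() if mask & bit]
    unknown = mask & ~sum(FILE_RIGHTS)  # bits this table does not name
    return names + ([hex(unknown)] if unknown else [])

def parse_deny_entries(log_text):
    """Return {path: sorted denied rights} for every DenyACE line."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        for pair in PAIR.finditer(m.group("body")) if m else ():
            mask = int(pair.group("mask"), 16)
            denied[m.group("path")].update(decode_mask(mask))
    return {path: sorted(rights) for path, rights in denied.items()}

# Lines taken from the sample log in the message above.
SAMPLE = r"""DenyACE<0(0 20),,>C:\WINNT\System32\inetsrv\httpext.dll
ACE C:\WINNT\System32\inetsrv\httpext.dll
Disabled Internet Printing
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\system32\command.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\system32\FORMAT.COM
"""

if __name__ == "__main__":
    for path, rights in parse_deny_entries(SAMPLE).items():
        print(path, "->", ", ".join(rights))
```

Under that assumption, the two ISAPI DLLs are denied only the execute bit, while the .com utilities are denied full access for the web accounts' group.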

