RE: Bypass Traverse Checking?
From: Tony Mason (Mason@osr.com)
Date: 01/21/03
- Previous message: Scott: "RE: Bypass Traverse Checking?"
- Maybe in reply to: Williamson, Scott: "Bypass Traverse Checking?"
- Next in thread: dave: "RE: Bypass Traverse Checking?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Tony Mason <Mason@osr.com>
To: "'Williamson, Scott'" <scott.williamson@htcinc.net>, focus-ms@securityfocus.com
Date: Mon, 20 Jan 2003 19:20:46 -0500
"Traverse checking" is comparable to the 'x' bit check on a directory in
UNIX systems - that is, it grants access to traverse the given directory.
It does not impart permission to enumerate, add, or delete entries to the
directory.
Traverse permission checks are disabled for any thread that has enabled the
SeChangeNotifyPrivilege. Without this privilege, it requires that NTFS
actually perform an ACL check to determine if the FILE_TRAVERSE bit is set
within an ACE that applies to the caller. In addition, NTFS must also
verify that operations which reveal the structure of the directory hierarchy
are checked (the notable case here is directory change notification,
used heavily by IIS and Explorer). These checks (in particular) are very
expensive to perform because they require checking ACLs on all directories
in the path (assuming successful access). Of course, if it only applies to
unauthenticated users, the cost for the check is immaterial.
IIS does run under an authenticated (albeit minimally privileged) account.
So long as that account has SeChangeNotifyPrivilege it seems ridiculous to
believe that it would make any difference at all. On the other hand, given
that IIS caches everything in memory, the cost of that check on first load
of the cache doesn't seem so unreasonable - and then if your IIS server is
compromised it would not be able to arbitrarily traverse through other
directories - so perhaps NOT granting it this privilege is a good idea.
Provided that you understand the potential risk, I'd set up a test server,
configure it this way and verify that IIS works the way you expect. If it
does not, you may need to grant it this privilege, or explicitly list it on
ACLs for those directories to which you wish to grant it traverse access.
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: Williamson, Scott [mailto:scott.williamson@htcinc.net]
Sent: Wednesday, January 15, 2003 1:11 PM
To: focus-ms@securityfocus.com
Subject: Bypass Traverse Checking?
I'm working on procedures for servers in our organization. I keep coming
across the recommendation to set the following on a Windows 2000 Server. My
problem is I have another administrator who believes this could cause
problems in IIS. What are the list's opinions? Anyone heard of this causing
problems?
User Rights Assignment - Set "Bypass Traverse Checking" - Remove Everyone
and Replace with Authenticated Users.
Thanks in advance for your time,
Michael Scott Williamson
Systems Administrator
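As an added example (not code from Tony or from the original poster), the following PowerShell script audits the two things the reply above turns on: which principals hold "Bypass traverse checking" (SeChangeNotifyPrivilege) in the local security policy, and whether a given account has an explicit Traverse ACE on every directory from a web root up to the drive root, which is what "explicitly list it on ACLs for those directories" would require. It is written for a later Windows host with PowerShell (Windows 2000 itself has none); the export file name, the IIS account name and the web root path are placeholder assumptions.

```powershell
# Added example, not code from the original thread. Audits "Bypass traverse
# checking" (SeChangeNotifyPrivilege) holders and explicit Traverse ACEs.
# Assumptions: run from an elevated PowerShell prompt; secedit.exe is present;
# the export file name, IIS account name and web root below are placeholders.

function Get-BypassTraverseHolders {
    param([string]$ExportPath = (Join-Path $env:TEMP 'user-rights-export.inf'))

    # secedit writes an INI-style Unicode file; user rights live under
    # [Privilege Rights] as:  SeChangeNotifyPrivilege = *SID,*SID,...
    secedit /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null
    $line = Get-Content $ExportPath | Where-Object { $_ -match '^SeChangeNotifyPrivilege\s*=' }
    if (-not $line) { return @() }   # nobody holds it in local policy

    $sids = (($line -split '=', 2)[1]).Trim() -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($sid in $sids) {
        # Resolve well-known and local SIDs to names; fall back to the raw SID.
        try {
            $name = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { $name = $sid }
        [pscustomobject]@{ Sid = $sid; Account = $name }
    }
}

function Test-ExplicitTraverse {
    # Walks from $Path up to the drive root and reports, per directory, whether
    # an Allow ACE naming $Account directly carries the Traverse (0x20) bit and
    # applies to the directory itself (i.e. is not InheritOnly). Group
    # membership is deliberately not resolved: the output shows exactly which
    # directories would need an explicit ACE if the privilege is withheld.
    param([string]$Path, [string]$Account)

    $traverse    = [int][System.Security.AccessControl.FileSystemRights]::Traverse
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $dir = Get-Item -LiteralPath $Path
    while ($dir) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        $match = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $Account -and
            (([int]$_.FileSystemRights -band $traverse) -ne 0) -and
            (([int]$_.PropagationFlags -band $inheritOnly) -eq 0)
        }
        [pscustomobject]@{ Directory = $dir.FullName; ExplicitTraverse = [bool]$match }
        $dir = $dir.Parent    # $null once the drive root has been reported
    }
}

# --- usage (placeholder values) ---
$holders = Get-BypassTraverseHolders
"Bypass traverse checking is held by:"
$holders | Format-Table -AutoSize
if (($holders | ForEach-Object { $_.Sid }) -contains 'S-1-1-0') {
    Write-Warning 'Everyone (S-1-1-0) holds it; the thread proposes Authenticated Users (S-1-5-11) instead.'
}

# IIS 5 on Windows 2000 served anonymous requests as IUSR_<machine>; adjust
# the account to whatever identity your IIS worker actually runs under.
$iisAccount = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"
Test-ExplicitTraverse -Path 'C:\Inetpub\wwwroot' -Account $iisAccount | Format-Table -AutoSize
```

Read the second table together with the first: if the IIS identity (directly or via Authenticated Users) still holds the privilege, the per-directory result is moot, because NTFS skips the traverse check entirely for that token; once the privilege is withdrawn, every directory listed with `ExplicitTraverse = False` is one where the web server's access depends on some other ACE or group grant, and that is the set to test on the staging server Tony recommends before changing production.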