RE: Bypass Traverse Checking?

From: dave (dave@netmedic.net)
Date: 01/21/03

    From: "dave" <dave@netmedic.net>
    To: "'Williamson, Scott'" <scott.williamson@htcinc.net>, <focus-ms@securityfocus.com>
    Date: Mon, 20 Jan 2003 22:25:04 -0500
    
    

    Michael,

    Either one will satisfy your needs for your server and IIS. Remember, IIS
    uses the anonymous account IUSR_COMPNAME and is a member of the Guest Group
    (which it really should not be, but that is another subject). Now, since the
    IUSR account "authenticates", it is a member of Authenticated Users;
    therefore it will still work, no problem.

    Now, Bypass Traverse Checking ("SeChangeNotifyPrivilege") simply means the
    user can traverse a directory tree even if the user has no other rights to
    access that directory. Since you should be specifically giving permissions
    (ACLs) to your IUSR account, it should not need this privilege.

    My standard setup of a standalone IIS system is: make a group for your web
    accounts, like Web Users and Web Apps. Make IUSR a member of users and IWAM
    a member of Apps, and remove them from any other group association,
    especially guest.

    For the Bypass Traverse Checking I leave it on Admins and Users.

    The only specific permission your IUSR account needs is "Log on locally".
    It will put itself there.

    Hope this helps,
     

    Dave Kleiman
    dave@netmedic.net
    www.netmedic.net

     

    -----Original Message-----
    From: Williamson, Scott [mailto:scott.williamson@htcinc.net]
    Sent: Wednesday, January 15, 2003 13:11
    To: focus-ms@securityfocus.com
    Subject: Bypass Traverse Checking?

    I'm working on procedures for servers in our organization. I keep coming
    across the recommendation to set the following on a Windows 2000 Server. My
    problem is I have another administrator who believes this could cause
    problems in IIS. What are the list's opinions? Has anyone heard of this
    causing problems?

    User Rights Assignment - Set "Bypass Traverse Checking" - Remove Everyone
    and Replace with Authenticated Users.

    Thanks in advance for your time,

    Michael Scott Williamson
    Systems Administrator
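
An added example, not part of the original thread: one way to check who currently holds "Bypass Traverse Checking" before and after making the change discussed above, by parsing the `[Privilege Rights]` section of a `secedit` export. The sample export, the account name `IUSR_WEB01` and the function names are constructed for illustration, and PowerShell 3.0 or later is assumed.

```powershell
# On a live server, produce the input with:
#   secedit /export /cfg C:\temp\rights.inf /areas USER_RIGHTS
#   $inf = Get-Content C:\temp\rights.inf -Raw

# Constructed sample export (not taken from a real host).
$inf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544,IUSR_WEB01
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Well-known SIDs for the groups named in the thread.
$WellKnown = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-545' = 'Users'
    'S-1-5-32-546' = 'Guests'
}

# Return the principals (SIDs or account names) assigned a given user right.
function Get-RightHolders {
    param([string]$InfText, [string]$Right)
    foreach ($line in $InfText -split "`r?`n") {
        if ($line -match "^\s*$([regex]::Escape($Right))\s*=\s*(.*)$") {
            return @($Matches[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()
}

# List holders of Bypass Traverse Checking and mark Everyone for review,
# per the recommendation to replace it with Authenticated Users.
function Test-TraverseRight {
    param([string]$InfText)
    foreach ($h in Get-RightHolders $InfText 'SeChangeNotifyPrivilege') {
        $name = if ($WellKnown.ContainsKey($h)) { $WellKnown[$h] } else { $h }
        $flag = if ($h -eq 'S-1-1-0') { 'REVIEW' } else { 'ok' }
        [pscustomobject]@{ Principal = $name; Sid = $h; Status = $flag }
    }
}

Test-TraverseRight -InfText $inf | Format-Table -AutoSize
```

Calling `Get-RightHolders $inf 'SeInteractiveLogonRight'` on the same export shows whether the anonymous account holds "Log on locally".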


