Re: Bypass Traverse Checking?

From: Shane Brooks (shane@floridacomputerservices.com)
Date: 01/21/03

  • Next message: Dozal, Tim: "Has this been exploited in a known virus yet?" 
    From: "Shane Brooks" <shane@floridacomputerservices.com>
To: "Williamson, Scott" <scott.williamson@htcinc.net>, <focus-ms@securityfocus.com>
Date: Mon, 20 Jan 2003 19:10:32 -0500

    You should definately make this change. If anything, the other admin is
    confusing Anonymous access of web-pages by the IUSR_[computername] account.
    However, IIS manages the password of this account automatically and the
    account is therefore a member of "Authenticated Users", since IIS
    authenticates every page as IUSR automatically if Anonymous access is
    enabled. The only account that is affected by Everyone is the guest account
    which is disabled by default.
    Hope this helps,
    Shane
    ----- Original Message -----
    From: "Williamson, Scott" <scott.williamson@htcinc.net>
    To: <focus-ms@securityfocus.com>
    Sent: Wednesday, January 15, 2003 1:10 PM
    Subject: Bypass Traverse Checking?

    > I'm working on procedures for servers in our organization. I keep coming
    > across the recommendation to set the following on a Windows 2000 Server.
    My
    > problem is I have another administrator who believes this could cause
    > problems in IIS. What are the lists opinions? Anyone heard of this
    causing
    > problems?
    >
    > User Rights Assignment - Set "Bypass Traverse Checking" - Remove Everyone
    > and Replace with Authenticated Users.
    >
    > Thanks in advance for your time,
    >
    > Michael Scott Williamson
    > Systems Administrator

    Relevant Pages

    • RE: Bypass Traverse Checking?
      ... For anonymous access to be available for Internet users, ... note that Authenticated users does _not_ include anonymous. ... > IUSR_account. ... However, IIS manages the ...
      (Focus-Microsoft)
    • Re: iis 6.0
      ... How IIS Authenticates Browser Clients ... >>An IIS account for anonymous access to IIS. ... >>will be the process identity, ...
      (microsoft.public.inetserver.iis.security)
    • Re: 401.1 Error w/ Anonymous Access
      ... > - I've set up a local account on the machine (Win2000 Professional, ... > - In the local machine's Local Security Policy I've allowed SiteUser to ... I am under the impression that if Anonymous Access is ... IIS will treat the request as if it is coming from the user ...
      (microsoft.public.inetserver.iis.security)
    • Re: HTTP/1.1 401 Access Denied - when trying to access a .jsp page
      ... local system account which has full priviledges. ... If your upgrade was to IIS ... The jsp page fails now because of some tightened security that happened ... Even though it is 'configured for anonymous access' ...
      (microsoft.public.inetserver.iis.security)
    • Re: Cant make a domain user the "anonymous access" user
      ... I do not think this is an IIS issue. ... IIS just uses the username/password you set and call LogonUser with it -- ... domain user account is used for anonymous access, ...
      (microsoft.public.inetserver.iis.security)