RE: Bypass Traverse Checking?
From: dave (dave@netmedic.net)
Date: 01/29/03
From: "dave" <dave@netmedic.net>
To: <larobins@bellatlantic.net>, "'matthew patton'" <pattonme@yahoo.com>, <focus-ms@securityfocus.com>
Date: Wed, 29 Jan 2003 00:01:43 -0500
Even though Laura hates me I have to agree with her. Although you can take
that permission away if you give absolute permissions to everything that
particular account (whatever the account may be) needs access to. You
decide which is easier for the said account.
In the case of the IUSR_ account you can remove that permission as long as
you give the explicit permissions to the needed files for it to operate. An
easy tool to do that with is the IISlockdown.
It:
1. Removes the IUSR from the guest group.
2. Puts it in its own group.
3. Goes through and gives and denies permissions from that group.
Sample:
IUSER=501,5000000,15,1a028a35,70294ee,5fc894f0,3f7,
IWAM=501,5000000,15,1a028a35,70294ee,5fc894f0,3f8,
Backed up metabase
DenyACE<0(0 20),,>C:\WINNT\System32\inetsrv\httpext.dll
ACE C:\WINNT\System32\inetsrv\httpext.dll
DenyACE<0(0 20),,>C:\WINNT\System32\idq.dll
ACE C:\WINNT\System32\idq.dll
Disabled Internet Printing
/LM/W3SVC/
/LM/W3SVC/6/Root/
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\$NtServicePackUninstall$\command.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\$NtServicePackUninstall$\diskcomp.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\$NtServicePackUninstall$\diskcopy.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\$NtServicePackUninstall$\format.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\$NtServicePackUninstall$\ntdetect.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\ServicePackFiles\i386\command.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\ServicePackFiles\i386\diskcomp.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\ServicePackFiles\i386\diskcopy.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\ServicePackFiles\i386\format.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\ServicePackFiles\i386\ntdetect.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\ServicePackFiles\i386\startrom.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\system32\chcp.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\system32\command.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\system32\DISKCOMP.COM
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\system32\DISKCOPY.COM
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\system32\edit.com
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\system32\FORMAT.COM
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\system32\graftabl.com
Etc....
Does a lot more as well.
Once again the answer to the original question. If I actually remember the
original question.
No, you do not have to leave "everyone" in "Bypass Traverse Checking" for IIS
to work.
Dave Kleiman
dave@netmedic.net
www.netmedic.net
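
Added example (not part of the original message and not IISLockdown's own code): a small reader for the DenyACE lines in the log sample above. It assumes that each parenthesised pair is "(flags mask)" with the second number a hexadecimal NTFS access mask; the page does not document the log format, so that reading and the function names are assumptions.

```python
import re

# Windows file access-right bits (values from winnt.h).
FILE_RIGHTS = [
    (0x000001, "READ_DATA/LIST_DIRECTORY"), (0x000002, "WRITE_DATA/ADD_FILE"),
    (0x000004, "APPEND_DATA/ADD_SUBDIRECTORY"), (0x000008, "READ_EA"),
    (0x000010, "WRITE_EA"), (0x000020, "EXECUTE/TRAVERSE"),
    (0x000040, "DELETE_CHILD"), (0x000080, "READ_ATTRIBUTES"),
    (0x000100, "WRITE_ATTRIBUTES"), (0x010000, "DELETE"),
    (0x020000, "READ_CONTROL"), (0x040000, "WRITE_DAC"),
    (0x080000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
]
FILE_ALL_ACCESS = 0x1F01FF  # every bit above, i.e. "Full Control"

# Constructed sample: lines copied from the log excerpt in the message.
SAMPLE_LOG = r"""Backed up metabase
DenyACE<0(0 20),,>C:\WINNT\System32\inetsrv\httpext.dll
ACE C:\WINNT\System32\inetsrv\httpext.dll
DenyACE<0,(0 1f01ff),(0 1f01ff)>C:\WINNT\system32\command.com
"""

DENY_RE = re.compile(r"^DenyACE<([^>]*)>(.+)$")
# Assumption: "(a b)" holds two hex numbers and b is the access mask.
PAIR_RE = re.compile(r"\(\s*[0-9a-fA-F]+\s+([0-9a-fA-F]+)\s*\)")

def decode_mask(mask):
    """Turn an access mask into a list of right names."""
    if mask == FILE_ALL_ACCESS:
        return ["FILE_ALL_ACCESS"]
    names = [name for bit, name in FILE_RIGHTS if mask & bit]
    leftover = mask & ~sum(bit for bit, _ in FILE_RIGHTS)
    if leftover:  # generic or reserved bits this table does not name
        names.append("UNKNOWN(0x%x)" % leftover)
    return names

def parse_deny_lines(text):
    """Return [(path, [rights per distinct mask])] for each DenyACE line."""
    out = []
    for line in text.splitlines():
        m = DENY_RE.match(line.strip())
        if not m:
            continue  # metabase notes, plain "ACE" lines, etc.
        masks = sorted({int(h, 16) for h in PAIR_RE.findall(m.group(1))})
        out.append((m.group(2), [decode_mask(x) for x in masks]))
    return out

if __name__ == "__main__":
    for path, rights in parse_deny_lines(SAMPLE_LOG):
        print(path, rights)
```

Under that assumption, the 20 on httpext.dll and idq.dll is a deny of execute only, while 1f01ff on the .com utilities is a deny of full control.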
-----Original Message-----
From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
Sent: Monday, January 27, 2003 18:55
To: 'matthew patton'; focus-ms@securityfocus.com
Subject: RE: Bypass Traverse Checking?
Not a good idea as a rule of thumb. Giving _nobody_ this right will cause
problems. For example:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B290647
If you want Group Policy to work, this is a big one.
And this, again GP related:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B319808
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B272142
This is pretty significant if you use terminal services.
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B324333
This one affects IIS.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsnetserver/proddocs/datacenter/cluad_pr_59.asp
Clusters.
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B243813
So, while you may remove the right for some, removing it across the board
may not be wise.
Laura
> -----Original Message-----
> From: matthew patton [mailto:pattonme@yahoo.com]
> Sent: Friday, January 24, 2003 11:01 AM
> To: focus-ms@securityfocus.com
> Subject: RE: Bypass Traverse Checking?
>
>
> Sorry I'm late in on the conversation. "Bypass Traverse
> checking" as a matter of course needs to be unset for
> everybody (ie. nobody is allowed to do it) if you really care
> about file system security. IMO.