RE: Bypass Traverse Checking?

From: Wilson, Kevin W. (WIL) (wilsonkw@y12.doe.gov)
Date: 01/29/03

Next message: jklemenc@fnal.gov: "Re: Problems with Pwdump3e"

Previous message: Dan Uscatu: "uh, oh (was:Re: w2k server compromised)"
Maybe in reply to: Williamson, Scott: "Bypass Traverse Checking?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "Wilson, Kevin W. (WIL) " <wilsonkw@y12.doe.gov>
To: "'larobins@bellatlantic.net'" <larobins@bellatlantic.net>, 'matthew patton' <pattonme@yahoo.com>, focus-ms@securityfocus.com
Date: Wed, 29 Jan 2003 11:19:36 -0500

I also have had this issue and did just as Laura mentioned below that did
provide a fix by
assigning the user the right to bypass traverse checking.

Kevin Wilson
Systems Analyst
WSI-OR/NCI Information Systems Inc.
Phone - (865)574-8017
Pager - 1-877-836-5420
Fax - (865)576-0220

-----Original Message-----
From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
Sent: Monday, January 27, 2003 6:55 PM
To: 'matthew patton'; focus-ms@securityfocus.com
Subject: RE: Bypass Traverse Checking?

Not a good idea as a rule of thumb. Giving _nobody_ this right will cause
problems. For example:

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B290647
If you want Group Policy to work, this is a big one.

And this, again GP related:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B319808

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B272142
This is pretty significant if you use terminal services.

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B324333
This one affects IIS.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechn
ol/windowsnetserver/proddocs/datacenter/cluad_pr_59.asp
Clusters.

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B243813

So, while you may remove the right for some, removing it across the board
may not be wise.

Laura

> -----Original Message-----
> From: matthew patton [mailto:pattonme@yahoo.com]
> Sent: Friday, January 24, 2003 11:01 AM
> To: focus-ms@securityfocus.com
> Subject: RE: Bypass Traverse Checking?
>
>
> Sorry I'm late in on the conversation. "Bypass Traverse
> checking" as a matter of course needs to be unset for
> everybody (ie. nobody is allowed to do it) if you really care
> about file system security. IMO.
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

Next message: jklemenc@fnal.gov: "Re: Problems with Pwdump3e"
Previous message: Dan Uscatu: "uh, oh (was:Re: w2k server compromised)"
Maybe in reply to: Williamson, Scott: "Bypass Traverse Checking?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

RE: Bypass Traverse Checking?
... Giving _nobody_ this right will cause ... If you want Group Policy to work, ... "Bypass Traverse ... > Do you Yahoo!? ...
(Focus-Microsoft)
RE: Bypass Traverse Checking?
... if you do not allow the Administrator and System accounts Bypass ... you could wind up with errors out the wazoo propagating ... Subject: Bypass Traverse Checking? ... Do you Yahoo!? ...
(Focus-Microsoft)