Re: Bypass Traverse Checking

From: Colin Nash [MVP] (x_at_x)
Date: 10/23/04

• Next message: Colin Nash [MVP]: "Re: Many ANONYMOUS LOGON in Security Event Log"
• Previous message: Carey Frisch [MVP]: "Re: Many ANONYMOUS LOGON in Security Event Log"
• In reply to: biz: "Bypass Traverse Checking"
• Next in thread: biz: "Re: Bypass Traverse Checking"
• Reply: biz: "Re: Bypass Traverse Checking"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Fri, 22 Oct 2004 19:00:11 -0400

"biz" <biz@discussions.microsoft.com> wrote in message
news:3CD9CD9F-DE66-4A83-A5C8-6F5A9B22C92B@microsoft.com...
>I know that bypass traverse checking is granted to Everyone by default.
>
> The odd thing is in my Event log, I see an entry granting it to a specific
> user:
>
> Special privileges assigned to new logon:
> User Name:
> Domain:
> Logon ID: (0x0,0x553939)
> Privileges: SeChangeNotifyPrivilege
>
> It happens several times for the same user - a user that never accesses my
> box. Any ideas?

What kind of security auditing do you have turned on? Do you have anything
special being audited for that user?

(This privilege is being granted to everyone, but as I understand your
question, you are wondering why only this user is causing this to be
logged?)

If you are auditing logon events for Everyone, then you should be seeing
this event happening for a whole bunch of people.

Hmmm .... on a semi-related note, this post (apparently from EricF, a
Microsoft employee) states that there was a small bug in Windows Server 2003
regarding the auditing of this event. Possibly this was in XP as well (??)
http://lists.jammed.com/loganalysis/2004/06/0015.html

---

• Next message: Colin Nash [MVP]: "Re: Many ANONYMOUS LOGON in Security Event Log"
• Previous message: Carey Frisch [MVP]: "Re: Many ANONYMOUS LOGON in Security Event Log"
• In reply to: biz: "Bypass Traverse Checking"
• Next in thread: biz: "Re: Bypass Traverse Checking"
• Reply: biz: "Re: Bypass Traverse Checking"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: GPO Policy Auditing Solution ... within the Domain Controller's OU and enable account logon auditing in the ... enable auditing for logon events. ... (microsoft.public.windows.server.networking) Re: Audit logon and logoff times ... > We are interested in auditing the logon and logoff times for users in our ... > Windows 2000 domain. ... (microsoft.public.win2000.active_directory) Re: Security event logs ... If you are auditing what you want/need, the size is what you get. ... AFAIK there is no way to say "Audit logon success and failure, ... Windows put tens thousand plus entries per day into the security log. ... (microsoft.public.windows.group_policy) RE: audit ... ownership of any and all files and folders. ... See the following URL for the SeChangeNotifyPrivilege: ... > Special privileges assigned to new logon: ... > Privileges: SeChangeNotifyPrivilege ... (microsoft.public.win2000.security) Re: 000,000s of logon/logoff events ... want to audit "logon" events on your server on a continuous basis or only ... enable it for failures for "logon" events. ... auditing of "account logon" events remains enabled. ... Successful Network Logon: ... (microsoft.public.security)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(11)