From: Tony Mason (Mason_at_osr.com)
Date: Mon Jan 20 2003 - 18:20:46 CST

    "Traverse checking" is comparable to the 'x' bit check on a directory in
    UNIX systems - that is, it grants access to traverse the given directory.
    It does not impart permission to enumerate, add, or delete entries in the
    directory.

    Traverse permission checks are disabled for any thread that has enabled the
    SeChangeNotifyPrivilege. Without this privilege, it requires that NTFS
    actually perform an ACL check to determine if the FILE_TRAVERSE bit is set
    within an ACE that applies to the caller. In addition, NTFS must also
    verify that operations which reveal the structure of the directory hierarchy
    are checked (the notable case here is directory change notification,
    used heavily by IIS and Explorer.) These checks (in particular) are very
    expensive to perform because they require checking ACLs on all directories
    in the path (assuming successful access). Of course, if it only applies to
    unauthenticated users, the cost for the check is immaterial.

    IIS does run under an authenticated (albeit minimally privileged) account.
    So long as that account has SeChangeNotifyPrivilege it seems ridiculous to
    believe that it would make any difference at all. On the other hand, given
    that IIS caches everything in memory, the cost of that check on first load
    of the cache doesn't seem so unreasonable - and then if your IIS server is
    compromised it would not be able to arbitrarily traverse through other
    directories - so perhaps NOT granting it this privilege is a good idea.

    Provided that you understand the potential risk, I'd set up a test server,
    configure it this way and verify that IIS works the way you expect. If it
    does not, you may need to grant it this privilege, or explicitly list it on
    ACLs for those directories to which you wish to grant it traverse access.

    Regards,

    Tony

    Tony Mason
    Consulting Partner
    OSR Open Systems Resources, Inc.
    http://www.osr.com

    -----Original Message-----
    From: Williamson, Scott [mailto:scott.williamson@htcinc.net]
    Sent: Wednesday, January 15, 2003 1:11 PM
    To: focus-ms@securityfocus.com
    Subject: Bypass Traverse Checking?

    I'm working on procedures for servers in our organization. I keep coming
    across the recommendation to set the following on a Windows 2000 Server. My
    problem is I have another administrator who believes this could cause
    problems in IIS. What are the list's opinions? Anyone heard of this causing
    problems?

    User Rights Assignment - Set "Bypass Traverse Checking" - Remove Everyone
    and Replace with Authenticated Users.

    Thanks in advance for your time,

    Michael Scott Williamson
    Systems Administrator
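The procedure discussed in the thread (audit who holds "Bypass traverse checking", replace Everyone with Authenticated Users without dropping the other holders, then verify on a test server that an account lacking the privilege is actually stopped by an intermediate directory) as an added worked example. This is not code from the thread or from OSR; it assumes a current Windows build with PowerShell 5 or later in an elevated session (the thread is about Windows 2000, where the same user right exists but this script was not tested), and the paths `C:\travtest`, the test account name and the temp-file names are placeholders chosen here.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original mailing-list post.
# Audits and adjusts the "Bypass traverse checking" user right (SeChangeNotifyPrivilege)
# through secedit, and builds a directory tree for verifying traversal behaviour as a
# low-privilege account. Paths and account names below are placeholders (assumptions).

$Everyone           = 'S-1-1-0'    # well-known SID the recommendation removes
$AuthenticatedUsers = 'S-1-5-11'   # well-known SID it substitutes

function Resolve-SidName([string]$sid) {
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $sid }    # unresolvable SID (e.g. a deleted account): keep the raw value
}

# Current holders of SeChangeNotifyPrivilege from the local security database.
# secedit writes SIDs with a leading '*'; entries without '*' are account names.
function Get-BypassTraverseAssignment {
    $cfg = Join-Path $env:TEMP 'ur-export.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -like 'SeChangeNotifyPrivilege*' } |
            Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line -or $line -notmatch '^SeChangeNotifyPrivilege\s*=\s*(.*)$') { return @() }
    foreach ($entry in ($Matches[1] -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $sid = $entry.Substring(1)
            [pscustomobject]@{ Sid = $sid; Name = Resolve-SidName $sid }
        } else {
            [pscustomobject]@{ Sid = $null; Name = $entry }
        }
    }
}

# Drops Everyone, adds Authenticated Users and keeps every other holder found
# (Administrators, Backup Operators, Users, service accounts ...) because a secedit
# template REPLACES the whole list; it does not append. Without -Apply it only writes
# the template so you can review it first.
function Set-BypassTraverseAssignment([switch]$Apply) {
    $keep = @(Get-BypassTraverseAssignment | Where-Object { $_.Sid -ne $Everyone } |
              ForEach-Object { if ($_.Sid) { "*$($_.Sid)" } else { $_.Name } })
    if ($keep -notcontains "*$AuthenticatedUsers") { $keep += "*$AuthenticatedUsers" }
    $inf = @(
        '[Unicode]', 'Unicode=yes',
        '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
        '[Privilege Rights]',
        "SeChangeNotifyPrivilege = $($keep -join ',')"
    )
    $path = Join-Path $env:TEMP 'bypass-traverse.inf'
    Set-Content -Path $path -Value $inf -Encoding Unicode
    Write-Host "Template written to $path"
    if ($Apply) {
        $db = Join-Path $env:TEMP 'bypass-traverse.sdb'
        & secedit.exe /configure /db $db /cfg $path /areas USER_RIGHTS /overwrite /quiet | Out-Null
        Remove-Item $db -ErrorAction SilentlyContinue
    }
    return $keep
}

# Builds <Root>\noaccess\leaf.txt where $TestAccount has Read on the file but no ACE at
# all on the 'noaccess' directory (inheritance cut, only SYSTEM and Administrators).
# Logged on as that account (which must not be an administrator), run:
#     cmd /c type C:\travtest\noaccess\leaf.txt
# With SeChangeNotifyPrivilege the read succeeds; without it NTFS checks FILE_TRAVERSE
# on 'noaccess', finds no ACE for the caller, and reports "Access is denied".
# $Root itself must stay traversable by the account (default C:\ ACLs allow this).
function New-TraverseTestTree([string]$TestAccount, [string]$Root = 'C:\travtest') {
    $dir  = Join-Path $Root 'noaccess'
    $leaf = Join-Path $dir 'leaf.txt'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Set-Content -Path $leaf -Value 'reached the leaf'

    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $ci   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $acl  = Get-Acl -Path $dir
    $acl.SetAccessRuleProtection($true, $false)     # stop inheriting; empty DACL to start
    foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($principal, $full, $ci, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $dir -AclObject $acl               # $TestAccount gets no ACE here at all

    $facl = Get-Acl -Path $leaf
    $facl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($TestAccount, 'Read', 'Allow')))
    Set-Acl -Path $leaf -AclObject $facl
    return $leaf
}

# Usage (placeholders): Get-BypassTraverseAssignment
#                       Set-BypassTraverseAssignment            # review template only
#                       Set-BypassTraverseAssignment -Apply     # push it via secedit
#                       New-TraverseTestTree -TestAccount 'WEBSRV\iusr_test'
```

Two caveats when using this on a real server. First, the local setting is only effective where no domain Group Policy assigns the same user right; a GPO-defined assignment replaces the local one at the next refresh, so the change belongs in the GPO for domain members. Second, the verification step is the one that matters for the IIS question: run the `type` command under the exact account IIS will use (the anonymous account or an application-pool identity), since that account is authenticated and so keeps the right under the Authenticated Users substitution, whereas a path that fails the test identifies a directory that needs an explicit traverse ACE if you decide not to grant the privilege at all.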