From: dave (dave_at_netmedic.net)
Date: Mon Jan 20 2003 - 21:25:04 CST

    Michael,

    Either one will satisfy your needs for your server, and IIS. Remember IIS
    uses the anonymous account IUSR_COMPNAME and is a member of the Guest Group
    (which it really should not be, but that is another subject). Now since the
    IUSR "authenticates", it is a member of Authenticated Users; therefore it
    will still work, no problem.

    Now Bypass Traverse Checking "SeChangeNotifyPrivilege" simply means the
    user can traverse a directory tree even if the user has no other rights to
    access that directory. Since you should be specifically giving permissions
    (ACLs) to your IUSR account, it should not need this privilege.

    My standard setup of a standalone IIS system is: make a group for your web
    accounts.

    Like Web Users and Web Apps; make IUSR a member of Users and IWAM a member
    of Apps, and remove them from any other group association, especially Guest.

    For the Bypass Traverse Checking I leave it on Admins and Users.

    The only specific permission your IUSR account needs is "Log on locally".
    It will put itself there.

    Hope this helps,
     

    Dave Kleiman
    davenetmedic.net
    www.netmedic.net

     

    -----Original Message-----
    From: Williamson, Scott [mailto:scott.williamsonhtcinc.net]
    Sent: Wednesday, January 15, 2003 13:11
    To: focus-mssecurityfocus.com
    Subject: Bypass Traverse Checking?

    I'm working on procedures for servers in our organization. I keep coming
    across the recommendation to set the following on a Windows 2000 Server. My
    problem is I have another administrator who believes this could cause
    problems in IIS. What are the list's opinions? Anyone heard of this causing
    problems?

    User Rights Assignment - Set "Bypass Traverse Checking" - Remove Everyone
    and Replace with Authenticated Users.

    Thanks in advance for your time,

    Michael Scott Williamson
    Systems Administrator
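
One way to check the user rights discussed in this thread, as an added example that is not part of either message: a Python audit of the `[Privilege Rights]` section of a `secedit /export` security template. The sample template and the account name `IUSR_WEB01` are constructed for illustration; only accounts listed directly on the right are checked, not group membership.

```python
# Added example: audit user rights in a secedit-exported security template.
# Real exports are typically UTF-16; decode the file before passing its text in.
EVERYONE = "S-1-1-0"        # well-known SID: Everyone
AUTH_USERS = "S-1-5-11"     # well-known SID: Authenticated Users
USERS = "S-1-5-32-545"      # well-known SID: BUILTIN\Users

# Constructed sample input; IUSR_WEB01 is a hypothetical anonymous account.
BEFORE = """[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,IUSR_WEB01
[Version]
signature="$CHICAGO$"
"""
# Same template after replacing Everyone with Authenticated Users.
AFTER = BEFORE.replace("*S-1-1-0", "*S-1-5-11")


def privilege_rights(inf_text):
    """Return {right: [holders]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, holders = line.partition("=")
            # SIDs are exported with a leading '*'; account names are bare.
            rights[name.strip()] = [h.strip().lstrip("*")
                                    for h in holders.split(",") if h.strip()]
    return rights


def audit(inf_text, anon_account):
    """Return a list of findings; an empty list means the checks passed."""
    rights = privilege_rights(inf_text)
    traverse = rights.get("SeChangeNotifyPrivilege", [])
    logon = [h.lower() for h in rights.get("SeInteractiveLogonRight", [])]
    findings = []
    if EVERYONE in traverse:
        findings.append("SeChangeNotifyPrivilege is still granted to Everyone")
    if not {AUTH_USERS, USERS} & set(traverse):
        findings.append("SeChangeNotifyPrivilege: neither Authenticated Users nor Users holds it")
    if anon_account.lower() not in logon:
        findings.append(f"{anon_account} is not listed for SeInteractiveLogonRight (Log on locally)")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text, "IUSR_WEB01") or "ok")
```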