From: Kolde, Jennifer E. (jkolde_at_nosc.mil)
Date: Tue Jan 21 2003 - 16:48:49 CST

    Hello Scott,

    "Bypass traverse checking" is a right that allows a user to navigate
    (traverse, browse) a directory structure, even if they do not have explicit
    permissions to access that directory.

    With IIS 5.0, the IIS accounts (IUSR and IWAM) are part of the Guests
    standard group by default. IUSR and IWAM are also members of Authenticated
    Users, which is a special group with a dynamic membership. Its membership
    consists of anyone who happens to be logged in at the time with a valid
    userid and password.

    So...changing "Bypass traverse checking" from "Everyone" to "Authenticated
    Users" should NOT affect IUSR and IWAM. (But I admit that I haven't done
    this in practice, so YMMV.)

    In general, changing from "Everyone" to "Authenticated Users" is done to
    exclude null session (effectively unauthenticated) users from accessing
    resources. (Note that "Authenticated Users" can still include Guests -
    because Guests can be logged in with a valid username and password - but
    "Users" is a fixed-membership group and DOES NOT include Guests.)

    Regards,
    Jennifer

    -----Original Message-----
    From: Williamson, Scott [mailto:scott.williamsonhtcinc.net]
    Sent: Wednesday, January 15, 2003 10:11 AM
    To: focus-mssecurityfocus.com
    Subject: Bypass Traverse Checking?

    I'm working on procedures for servers in our organization. I keep coming
    across the recommendation to set the following on a Windows 2000 Server. My
    problem is I have another administrator who believes this could cause
    problems in IIS. What are the list's opinions? Anyone heard of this causing
    problems?

    User Rights Assignment - Set "Bypass Traverse Checking" - Remove Everyone
    and Replace with Authenticated Users.

    Thanks in advance for your time,

    Michael Scott Williamson
    Systems Administrator
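
One way to check the setting discussed in this thread, as an added example that is not part of the original messages: the script parses a `secedit` user-rights export and reports whether "Bypass traverse checking" (`SeChangeNotifyPrivilege`) is still granted to Everyone or has been moved to Authenticated Users. It assumes a host with PowerShell; the function names and the sample export are constructed for illustration.

```powershell
# Well-known SIDs for the groups named in the thread.
$WellKnown = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
    'S-1-5-32-546' = 'Guests'
}

# Hypothetical helper: return the holders of SeChangeNotifyPrivilege from the
# lines of a security template. Entries are SIDs prefixed with '*', or plain
# account names when the export recorded a name instead of a SID.
function Get-TraverseHolders {
    param([string[]]$InfLines)
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeChangeNotifyPrivilege\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }          # right not assigned to anyone
    ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }
}

# Hypothetical helper: summarise the state of the right for a hardening review.
function Test-TraverseAssignment {
    param([string[]]$InfLines)
    $holders = @(Get-TraverseHolders -InfLines $InfLines)
    [pscustomobject]@{
        Holders           = $holders | ForEach-Object {
            if ($WellKnown.ContainsKey($_)) { $WellKnown[$_] } else { $_ }
        }
        EveryoneHasRight  = ($holders -contains 'S-1-1-0') -or ($holders -contains 'Everyone')
        AuthUsersHasRight = ($holders -contains 'S-1-5-11') -or ($holders -contains 'Authenticated Users')
    }
}

# Constructed sample of a user-rights export (not taken from a real server).
$sample = @'
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-551
'@ -split "`r?`n"

Test-TraverseAssignment -InfLines $sample   # EveryoneHasRight is True here

# Against a live system, export the current assignments first:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS | Out-Null
#   Test-TraverseAssignment -InfLines (Get-Content "$env:TEMP\rights.inf")
```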