From: Laura A. Robinson (larobins_at_bellatlantic.net)
Date: Fri Jan 24 2003 - 08:57:37 CST


    An excellent answer, but there is one thing I'd point out. You state:
    "(Note that "Authenticated Users" can still include Guests - because Guests
    can be logged in with a valid username and password - but "Users" is a
    fixed-membership group and DOES NOT include Guests.)"

    This is actually not the case. "Users" is a local or domain local group
    that, by default, contains Domain Users and Authenticated Users in any
    domain environment (as well as the Interactive account; more on that later).
    Therefore, if Authenticated Users includes Guests and Users includes
    Authenticated Users...

    For more information (see table 7-12):

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp

    or

    http://tinyurl.com/4ucv

    [There are some ambiguous statements in the above reference (the "tip"
    sections) that, if read exactly as written, are incorrect, but that
    aside...where those tips read "Administrator", substitute "Administrator
    account in the domain/forest root domain" and the statements become
    correct.]

    Additional information:
    http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/sag_SEconceptsImpGroups.htm

    Also, the IUSR_ and IWAM_ accounts are members of Guests and *Domain Users*
    by default, not Guests and Authenticated Users, although the act of the
    account being used would then make it a member of Authenticated Users for
    the time that the account was active.

    Authenticated Users is a system group whose membership is determined by the
    activities of security principals. You cannot explicitly populate
    Authenticated Users; you can only use it in ACLs. You'll notice that you
    don't see it in AD Users and Computers, for example, but you'll see it when
    you add security principals to an ACL on a file system or AD object. The
    Interactive and Anonymous Logon accounts are similar to Authenticated Users
    in that you cannot see them listed in AD, but can see them in ACLs and can
    assign permissions to them. They are system accounts, and like system
    groups, are "owned" by NT AUTHORITY, or the operating system itself.

    Authenticated Users includes any authenticated security principal from the
    local domain or any trusted domain. This includes guest accounts.

    Domain Users includes any authenticated security principal from only the
    local domain, not any trusted domains. This includes guest accounts.

    Authenticated Users was added around SP4 for NT4 to separate unauthenticated
    connections (null connections) from authenticated connections.

    Everyone, another system group, in Windows 2000 and earlier includes all
    authenticated security principals, guests *and* Anonymous logon. In Windows
    Server 2003, Everyone does not include Anonymous logon unless you explicitly
    configure this to occur. The ADPrep /forestprep process separates Anonymous
    from Everyone as part of the schema upgrade process.

    Users is not a fixed-membership group. On a non-DC, it is a local group, and
    on DCs, it is a domain local group, both of which can be populated directly.
    You can edit the membership of Users, Domain Users, Guests and Domain
    Guests, but not Authenticated Users, Everyone or Anonymous logon.

    As you mention, Authenticated Users can (and, in fact, does) include
    Guest/Guests/Domain Guests. The act of providing identifiable credentials
    for an account, even a guest account, makes that security principal an
    Authenticated User.

    The Guest account and Anonymous Logon are very different things.

    So, to summarize, here is the difference between Everyone and Authenticated
    Users:

    Everyone includes any security principal from the local domain, including
    guest accounts; any security principal from any trusted domain, including
    guest accounts, and the Anonymous logon system account.

    Authenticated Users includes any security principal from the local domain,
    including guest accounts; any security principal from any trusted domain,
    including guest accounts, and does _not_ include the Anonymous logon system
    account.

    As I mentioned before, Windows Server 2003 (and Windows XP, as well)
    separates the Anonymous Logon system account from the Everyone group.

    And one last link, just to make this even wordier. <G>

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsnetserver/proddocs/datacenter/windows_security_differences.asp

    So, have I pounded on the whole
    "difference_between_Everyone_and_Authenticated_Users_is_the_**Anonymous_Logon**_account_and_not_the_guest_account"
    thing enough yet?

    Laura

    > -----Original Message-----
    > From: Kolde, Jennifer E. [mailto:jkoldenosc.mil]
    > Sent: Tuesday, January 21, 2003 5:49 PM
    > To: 'Williamson, Scott'; focus-mssecurityfocus.com
    > Subject: RE: Bypass Traverse Checking?
    >
    >
    > Hello Scott,
    >
    > "Bypass traverse checking" is a right that allows a user to
    > navigate (traverse, browse) a directory structure, even if
    > they do not have explicit permissions to access that directory.
    >
    > With IIS 5.0, the IIS accounts (IUSR and IWAM) are part of
    > the Guests standard group by default. IUSR and IWAM are also
    > members of Authenticated Users, which is a special group with
    > a dynamic membership. Its membership consists of anyone who
    > happens to be logged in at the time with a valid userid and password.
    >
    > So...changing "Bypass traverse checking" from "Everyone" to
    > "Authenticated Uses" should NOT affect IUSR and IWAM. (But I
    > admit that I haven't done this in practice, so YMMV.)
    >
    > In general, changing from "Everyone" to "Authenticated Users"
    > is done to exclude null session (effectively unauthenticated)
    > users from accessing resources. (Note that "Authenticated
    > Users" can still include Guests - because Guests can be
    > logged in with a valid username and password - but "Users" is
    > a fixed-membership group and DOES NOT include Guests.)
    >
    > Regards,
    > Jennifer
    >
    > -----Original Message-----
    > From: Williamson, Scott [mailto:scott.williamsonhtcinc.net]
    > Sent: Wednesday, January 15, 2003 10:11 AM
    > To: focus-mssecurityfocus.com
    > Subject: Bypass Traverse Checking?
    >
    >
    > I'm working on procedures for servers in our organization. I
    > keep coming across the recommendation to set the following on
    > a Windows 2000 Server. My problem is I have another
    > administrator who believes this could cause problems in IIS.
    > What are the list's opinions? Anyone heard of this causing
    > problems?
    >
    > User Rights Assignment - Set "Bypass Traverse Checking" -
    > Remove Everyone and Replace with Authenticated Users.
    >
    > Thanks in advance for your time,
    >
    > Michael Scott Williamson
    > Systems Administrator
    >
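The thread turns on which well-known principals hold "Bypass traverse checking" (the SeChangeNotifyPrivilege user right) and which of them a given logon token actually carries. The PowerShell below is an added example, not code from any of the posters: it parses the `SeChangeNotifyPrivilege` line of a `secedit /export` file (a constructed sample line is embedded), resolves the SIDs to the groups Laura discusses, and reports whether the current logon holds the right through any of them. The function name `Get-PrivilegeHolders` and the sample line are assumptions of this example.

```powershell
# Added example (not from the thread): which principals hold
# SeChangeNotifyPrivilege in a secedit export, and whether the current
# logon token carries any of them.

# Well-known SIDs for the system groups and built-in groups discussed above.
$WellKnown = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-7'      = 'ANONYMOUS LOGON'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-546' = 'BUILTIN\Guests'
}

function Get-PrivilegeHolders {
    param([string[]]$InfLines, [string]$Privilege = 'SeChangeNotifyPrivilege')
    # secedit writes "SePrivilege = *SID,*SID,..." under [Privilege Rights].
    $line = $InfLines | Where-Object { $_ -match "^\s*$Privilege\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    $sids = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($sid in $sids) {
        $name = $WellKnown[$sid]
        if (-not $name) {
            # Anything else (Administrators, domain groups) is resolved locally if possible.
            try { $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '(unresolved)' }
        }
        [pscustomobject]@{ Sid = $sid; Name = $name }
    }
}

# Constructed sample of the relevant line from a secedit export. On a real host,
# run: secedit /export /cfg rights.inf /areas USER_RIGHTS
# and pass (Get-Content rights.inf) instead of $sample.
$sample = @('[Privilege Rights]',
            'SeChangeNotifyPrivilege = *S-1-5-11,*S-1-5-32-545,*S-1-5-32-544')

$holders = Get-PrivilegeHolders -InfLines $sample
$holders | Format-Table -AutoSize

# A Guest logon is in Authenticated Users (S-1-5-11) but never in
# ANONYMOUS LOGON (S-1-5-7), which is the distinction the thread makes.
$tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object { $_.Value }
$matched = $holders | Where-Object { $tokenSids -contains $_.Sid }
if ($matched) { 'Current logon holds SeChangeNotifyPrivilege via: ' + (($matched.Name) -join ', ') }
else { 'Current logon holds SeChangeNotifyPrivilege through none of the listed principals' }
```

With the sample line, Everyone (S-1-1-0) is absent and Authenticated Users (S-1-5-11) is present, so an interactive Guest or IUSR_ logon would still match while a null session would not.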