Everyone includes everyone, from guest to Administrator. The point was that
Authenticated Users don't include Guest and Everyone does. So you should
replace Everyone with Authenticated Users. AFAIK, there is no 'Anonymous'
account, but anonymous access authenticated as IUSR.
Shane
> ----- Original Message -----
> From: "Laura A. Robinson" <larobins (at) bellatlantic (dot) net [email concealed]>
> To: "'Shane Brooks'" <shane (at) floridacomputerservices (dot) com [email concealed]>; "'Williamson,
> Scott'" <scott.williamson (at) htcinc (dot) net [email concealed]>; <focus-ms (at) securityfocus (dot) com [email concealed]>
> Sent: Friday, January 24, 2003 2:35 AM
> Subject: RE: Bypass Traverse Checking?
>
>
> Everyone also affects Anonymous- In Windows 2000 and earlier, Everyone
> includes the Anonymous account. In Windows Server 2003, there is a
> separation of the Anonymous account from the Everyone group. Where there
> would be an effect from this is in establishment of null connections to
> servers- null connection settings relate to what can be done with
> "unidentified" connections.
>
> As a side note, RestrictAnonymous=2 is no longer supported in Windows
Server
> 2003.
>
> Laura
>
> > -----Original Message-----
> > From: Shane Brooks [mailto:shane (at) floridacomputerservices (dot) com [email concealed]]
> > Sent: Monday, January 20, 2003 7:11 PM
> > To: Williamson, Scott; focus-ms (at) securityfocus (dot) com [email concealed]
> > Subject: Re: Bypass Traverse Checking?
> >
> >
> > You should definately make this change. If anything, the
> > other admin is confusing Anonymous access of web-pages by the
> > IUSR_[computername] account. However, IIS manages the
> > password of this account automatically and the account is
> > therefore a member of "Authenticated Users", since IIS
> > authenticates every page as IUSR automatically if Anonymous
> > access is enabled. The only account that is affected by
> > Everyone is the guest account which is disabled by default.
> > Hope this helps, Shane
> > ----- Original Message -----
> > From: "Williamson, Scott" <scott.williamson (at) htcinc (dot) net [email concealed]>
> > To: <focus-ms (at) securityfocus (dot) com [email concealed]>
> > Sent: Wednesday, January 15, 2003 1:10 PM
> > Subject: Bypass Traverse Checking?
> >
> >
> > > I'm working on procedures for servers in our organization. I keep
> > > coming across the recommendation to set the following on a Windows
> > > 2000 Server.
> > My
> > > problem is I have another administrator who believes this
> > could cause
> > > problems in IIS. What are the lists opinions? Anyone heard of this
> > causing
> > > problems?
> > >
> > > User Rights Assignment - Set "Bypass Traverse Checking" - Remove
> > > Everyone and Replace with Authenticated Users.
> > >
> > > Thanks in advance for your time,
> > >
> > > Michael Scott Williamson
> > > Systems Administrator
> >
>
>
Everyone includes everyone, from guest to Administrator. The point was that
Authenticated Users don't include Guest and Everyone does. So you should
replace Everyone with Authenticated Users. AFAIK, there is no 'Anonymous'
account, but anonymous access authenticated as IUSR.
Shane
> ----- Original Message -----
> From: "Laura A. Robinson" <larobins (at) bellatlantic (dot) net [email concealed]>
> To: "'Shane Brooks'" <shane (at) floridacomputerservices (dot) com [email concealed]>; "'Williamson,
> Scott'" <scott.williamson (at) htcinc (dot) net [email concealed]>; <focus-ms (at) securityfocus (dot) com [email concealed]>
> Sent: Friday, January 24, 2003 2:35 AM
> Subject: RE: Bypass Traverse Checking?
>
>
> Everyone also affects Anonymous- In Windows 2000 and earlier, Everyone
> includes the Anonymous account. In Windows Server 2003, there is a
> separation of the Anonymous account from the Everyone group. Where there
> would be an effect from this is in establishment of null connections to
> servers- null connection settings relate to what can be done with
> "unidentified" connections.
>
> As a side note, RestrictAnonymous=2 is no longer supported in Windows
Server
> 2003.
>
> Laura
>
> > -----Original Message-----
> > From: Shane Brooks [mailto:shane (at) floridacomputerservices (dot) com [email concealed]]
> > Sent: Monday, January 20, 2003 7:11 PM
> > To: Williamson, Scott; focus-ms (at) securityfocus (dot) com [email concealed]
> > Subject: Re: Bypass Traverse Checking?
> >
> >
> > You should definately make this change. If anything, the
> > other admin is confusing Anonymous access of web-pages by the
> > IUSR_[computername] account. However, IIS manages the
> > password of this account automatically and the account is
> > therefore a member of "Authenticated Users", since IIS
> > authenticates every page as IUSR automatically if Anonymous
> > access is enabled. The only account that is affected by
> > Everyone is the guest account which is disabled by default.
> > Hope this helps, Shane
> > ----- Original Message -----
> > From: "Williamson, Scott" <scott.williamson (at) htcinc (dot) net [email concealed]>
> > To: <focus-ms (at) securityfocus (dot) com [email concealed]>
> > Sent: Wednesday, January 15, 2003 1:10 PM
> > Subject: Bypass Traverse Checking?
> >
> >
> > > I'm working on procedures for servers in our organization. I keep
> > > coming across the recommendation to set the following on a Windows
> > > 2000 Server.
> > My
> > > problem is I have another administrator who believes this
> > could cause
> > > problems in IIS. What are the lists opinions? Anyone heard of this
> > causing
> > > problems?
> > >
> > > User Rights Assignment - Set "Bypass Traverse Checking" - Remove
> > > Everyone and Replace with Authenticated Users.
> > >
> > > Thanks in advance for your time,
> > >
> > > Michael Scott Williamson
> > > Systems Administrator
> >
>
>
[ reply ]