I also have had this issue and did just as Laura mentioned below that did
provide a fix by
assigning the user the right to bypass traverse checking.

Kevin Wilson
Systems Analyst
WSI-OR/NCI Information Systems Inc.
Phone - (865)574-8017
Pager - 1-877-836-5420
Fax - (865)576-0220

-----Original Message-----
From: Laura A. Robinson [mailto:larobins (at) bellatlantic (dot) net [email concealed]]
Sent: Monday, January 27, 2003 6:55 PM
To: 'matthew patton'; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: Bypass Traverse Checking?

Not a good idea as a rule of thumb. Giving _nobody_ this right will cause
problems. For example:

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B290647
If you want Group Policy to work, this is a big one.

And this, again GP related:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B319808

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B272142
This is pretty significant if you use terminal services.

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B324333
This one affects IIS.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodt
echn
ol/windowsnetserver/proddocs/datacenter/cluad_pr_59.asp
Clusters.

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B243813

So, while you may remove the right for some, removing it across the board
may not be wise.

Laura

> -----Original Message-----
> From: matthew patton [mailto:pattonme (at) yahoo (dot) com [email concealed]]
> Sent: Friday, January 24, 2003 11:01 AM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: Bypass Traverse Checking?
>
>
> Sorry I'm late in on the conversation. "Bypass Traverse
> checking" as a matter of course needs to be unset for
> everybody (ie. nobody is allowed to do it) if you really care
> about file system security. IMO.
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

[ reply ]