[Forgot Password]
Login  Register Subscribe

23631

 
 

115038

 
 

96174

 
 

909

 
 

78077

 
 

109

Paid content will be excluded from the download.


Download | Alert*
OVAL

Specify the list of Users to 'Bypass traverse checking'

ID: oval:org.secpod.oval:def:36489Date: (C)2016-08-05   (M)2017-10-18
Class: COMPLIANCEFamily: windows




This policy setting allows users who do not have the Traverse Folder access permission to pass through folders when they browse an object path in the NTFS file system or the registry. This user right does not allow users to list the contents of a folder. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers. Counter Measure: Organizations that are extremely concerned about security may want to remove the Everyone group, or perhaps even the Users group, from the list of groups with the Bypass traverse checking user right. Taking explicit control over traversal assignments can be an effective way to limit access to sensitive information. (Also, the Access-based Enumeration feature that was added in Windows Server 2003 with SP1 can be used. If you use access-based enumeration, users cannot see any folder or file to which they do not have access. For more information about this feature, see Access-based Enumeration (http://go.microsoft.com/fwlink/?LinkId=100745). Potential Impact: The Windows operating systems, as well as many applications, were designed with the expectation that anyone who can legitimately access the computer will have this user right. Therefore, we recommend that you thoroughly test any changes to assignments of the Bypass traverse checking user right before you make such changes to production systems. In particular, IIS requires this user right to be assigned to the Network Service, Local Service, IIS_WPG, IUSR_, and IWAM_ accounts. (It must also be assigned to the ASPNET account through its membership in the Users group.) We recommend that you leave this policy setting at its default configuration. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Bypass traverse checking (2) REG: ### (3) WMI: root\rsop\computer RSOP_UserPrivilegeRight AccountList UserRight='SeChangeNotifyPrivilege' and precedence=1

Platform:
Microsoft Windows 10
Reference:
CCE-43322-7
CCE    1
CCE-43322-7
XCCDF    4
xccdf_org.secpod_benchmark_NIST_800_53_r4_Windows_10
xccdf_org.secpod_benchmark_PCI_3_2_Windows_10
xccdf_org.secpod_benchmark_NIST_800_171_R1_Windows_10
xccdf_org.secpod_benchmark_general_Windows_10
...

© 2013 SecPod Technologies