Bypass traverse checking
ID: oval:org.secpod.oval:def:36489 | Date: (C)2016-08-05 (M)2023-07-14
Class: COMPLIANCE | Family: windows
This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories.
This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.
Default on workstations and servers:
Administrators
Backup Operators
Users
Everyone
Local Service
Network Service
Default on domain controllers:
Administrators
Authenticated Users
Everyone
Local Service
Network Service
Pre-Windows 2000 Compatible Access
Counter Measure:
Organizations that are extremely concerned about security may want to remove the Everyone group, or perhaps even the Users group, from the list of groups with the Bypass traverse checking user right. Taking explicit control over traversal assignments can be an effective way to limit access to sensitive information. (Also, the Access-based Enumeration feature that was added in Windows Server 2003 with SP1 can be used. If you use access-based enumeration, users cannot see any folder or file to which they do not have access. For more information about this feature, see Access-based Enumeration (http://go.microsoft.com/fwlink/?LinkId=100745).)
Potential Impact:
The Windows operating systems, as well as many applications, were designed with the expectation that anyone who can legitimately access the computer will have this user right. Therefore, we recommend that you thoroughly test any changes to assignments of the Bypass traverse checking user right before you make such changes to production systems. In particular, IIS requires this user right to be assigned to the Network Service, Local Service, IIS_WPG, IUSR_<ComputerName>, and IWAM_<ComputerName> accounts. (It must also be assigned to the ASPNET account through its membership in the Users group.) We recommend that you leave this policy setting at its default configuration.
Fix:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Bypass traverse checking
(2) REG: ###
(3) WMI: root\rsop\computer#RSOP_UserPrivilegeRight#AccountList#UserRight='SeChangeNotifyPrivilege' and precedence=1
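An added audit script (not part of the SecPod definition or Microsoft's guidance) that reads the current holders of SeChangeNotifyPrivilege, first from the RSoP class named in (3) and, where no Group Policy result data exists, from a secedit export, and flags the Everyone and Users groups that the countermeasure suggests reviewing. The function names and the temporary file path are assumptions; the secedit fallback needs an elevated prompt.

```powershell
function Get-BypassTraverseHolders {
    # Prefer the RSoP class from the Fix section; it is only populated where Group
    # Policy has been applied, so fall back to the effective local policy via secedit.
    $rsop = Get-CimInstance -Namespace 'root\rsop\computer' -ClassName 'RSOP_UserPrivilegeRight' `
        -Filter "UserRight='SeChangeNotifyPrivilege' AND precedence=1" -ErrorAction SilentlyContinue
    if ($rsop -and $rsop.AccountList) { return @($rsop.AccountList) }

    $inf = Join-Path $env:TEMP 'bypass-traverse-audit.inf'   # assumed scratch path
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $inf | Where-Object { $_ -match '^SeChangeNotifyPrivilege\s*=' } |
        Select-Object -First 1
    Remove-Item -Path $inf -Force -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Export line looks like: SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-545,...
    $entries = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() }
    foreach ($e in $entries) {
        if ($e.StartsWith('*')) {
            # Resolve the SID to an account name; keep the raw SID if it cannot be resolved
            $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $e }
        } else { $e }
    }
}

function Find-BroadTraverseHolders {
    param([string[]]$Holders)
    # Well-known SIDs: Everyone = S-1-1-0, Users = S-1-5-32-545 (names may be localized)
    $broad = @('S-1-1-0', 'S-1-5-32-545')
    foreach ($h in $Holders) {
        try {
            $sid = (New-Object System.Security.Principal.NTAccount($h)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { $sid = $h.TrimStart('*') }
        if ($sid -in $broad) { $h }
    }
}

$holders = Get-BypassTraverseHolders
"SeChangeNotifyPrivilege holders: $($holders -join ', ')"
$flagged = Find-BroadTraverseHolders -Holders $holders
if ($flagged) { "Everyone/Users still hold the right; review per the countermeasure: $($flagged -join ', ')" }
else { "No Everyone/Users assignment found." }
```

Before removing either group, compare the holder list against the account requirements in the Potential Impact section (Network Service, Local Service, IIS accounts) so a hardening change does not break services that rely on the default.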
Platform: Microsoft Windows 10