Bypass traverse checking

This policy setting allows users who do not have the Traverse Folder access permission to pass through folders when they browse an object path in the NTFS file system or the registry. This user right does not allow users to list the contents of a folder.

When configuring a user right in the SCM, enter a comma-delimited list of accounts. Accounts can be either local or located in Active Directory, and they can be groups, users, or computers.

Counter Measure: Organizations that are extremely concerned about security may want to remove the Everyone group, or perhaps even the Users group, from the list of groups with the Bypass traverse checking user right. Taking explicit control over traversal assignments can be an effective way to limit access to sensitive information. (Also, the Access-based Enumeration feature that was added in Windows Server 2003 with SP1 can be used. If you use access-based enumeration, users cannot see any folder or file to which they do not have access. For more information about this feature, see Access-based Enumeration (http://go.microsoft.com/fwlink/?LinkId=100745).)

Potential Impact: The Windows operating systems, as well as many applications, were designed with the expectation that anyone who can legitimately access the computer will have this user right. Therefore, we recommend that you thoroughly test any changes to assignments of the Bypass traverse checking user right before you make such changes to production systems. In particular, IIS requires this user right to be assigned to the Network Service, Local Service, IIS_WPG, IUSR_<ComputerName>, and IWAM_<ComputerName> accounts. (It must also be assigned to the ASPNET account through its membership in the Users group.) We recommend that you leave this policy setting at its default configuration.
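An added example (not part of the original page or of the OVAL definition): a Python check that reads the [Privilege Rights] section of a `secedit /export /areas USER_RIGHTS /cfg rights.inf` export and reports who holds SeChangeNotifyPrivilege, the privilege constant behind Bypass traverse checking. It flags the Everyone and Users groups named in the countermeasure and the Local Service and Network Service accounts that IIS needs. Both samples, the `CONTOSO\svc-web` account and the function names are constructed for illustration; IIS_WPG, IUSR_<ComputerName> and IWAM_<ComputerName> have machine-specific SIDs and are not checked here.

```python
import configparser

# Well-known SIDs (fixed values on every Windows installation).
BROAD = {"S-1-1-0": "Everyone", "S-1-5-32-545": "Users"}
IIS_NEEDED = {"S-1-5-19": "Local Service", "S-1-5-20": "Network Service"}

# Constructed samples in the format secedit writes. Real exports are
# normally UTF-16, so read the file with open(path, encoding="utf-16").
SAMPLE_DEFAULT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544
"""
SAMPLE_HARDENED = """\
[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-5-32-544,*S-1-5-32-551,CONTOSO\\svc-web
"""


def holders(inf_text, right="SeChangeNotifyPrivilege"):
    """Return the SIDs/account names assigned a user right in an export."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # privilege names are mixed case; keep them as-is
    cp.read_string(inf_text)
    if not cp.has_option("Privilege Rights", right):
        return []  # right absent from the export: no account holds it
    raw = cp.get("Privilege Rights", right)
    # SIDs are prefixed with '*'; unresolved entries appear as plain names.
    return [a.strip().lstrip("*") for a in raw.split(",") if a.strip()]


def review(inf_text):
    """Flag broad groups still assigned and IIS service SIDs that are missing."""
    held = set(holders(inf_text))
    return {
        "broad_groups": sorted(n for s, n in BROAD.items() if s in held),
        "missing_for_iis": sorted(n for s, n in IIS_NEEDED.items() if s not in held),
    }


if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, review(text))
```

The hardened sample shows the trade-off described under Potential Impact: removing the broad groups without re-adding the service accounts leaves both IIS-required SIDs without the right.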
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Bypass traverse checking
(2) REG: ###
(3) WMI: root\rsop\computer RSOP_UserPrivilegeRight AccountList UserRight='SeChangeNotifyPrivilege' and precedence=1

oval:org.secpod.oval:def:36489
SCAP Repo OVAL Definition 2016-08-05