Bypass Traverse Checking

What is the difference between the Bypass Traverse Checking privilege and the Traverse Folder permission?

If I understand correctly, Bypass Traverse allows a user to "move through" folders he doesn't have access to.

Comments

  • 12thlevelwarrior Member Posts: 302
    This is a user right assignment: Info from MS:

    Bypass traverse checking
    a. Background

    The Bypass traverse checking user right allows the user to browse through folders in the NTFS file system or in the registry without checking for the Traverse Folder special access permission. The Bypass traverse checking user right does not allow the user to list the contents of a folder; it allows the user to traverse its folders only.
    b. Risky Configurations

    The following are risky configurations:
    • Removing non-administrative accounts that log on to Windows 2000-based or Windows Server 2003-based Terminal Services computers that lack permissions to access files and folders in the file system.
    • Removing the Everyone group from the list of security principals who, by default, have this user right. The Windows operating systems, and also many programs, have been designed with the expectation that anyone who can legitimately access the computer will have the Bypass traverse checking user right. Therefore, removing the Everyone group from the list of security principals who, by default, have this user right could lead to operating system instability or to program failure. It is better that you leave this setting at its default.
    c. Reasons to Grant This User Right

    The default setting for the Bypass traverse checking user right is to allow anyone to bypass traverse checking. For experienced Windows system administrators, this is the expected behavior, and they configure file system access control lists (SACLs) accordingly. The only scenario where the default configuration may lead to a mishap is if the administrator who configures permissions does not understand the behavior and expects that users who cannot access a parent folder will not be able to access the contents of any child folders.
    d. Reasons to Remove This User Right

    Organizations that are extremely concerned about security may be tempted to remove the Everyone group, or even perhaps to remove the Users group, from the list of groups that have the Bypass traverse checking user right to try to prevent access to the files or the folders in the file system.
    Every man dies, not every man really lives.
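
The difference asked about above, as an added example that is not part of the original thread: a simplified Python model of a path access check, showing that the user right skips the Traverse Folder check on ancestor folders while the target's own ACL is always evaluated. The `Node`, `Token`, `check_access` and `build_sample_tree` names and the sample tree are hypothetical, and the model is an illustration, not the Windows implementation.

```python
# Simplified model (an assumption for illustration, not the Windows implementation).
from dataclasses import dataclass, field

TRAVERSE, LIST, READ = "traverse", "list_folder", "read_data"
BYPASS = "SeChangeNotifyPrivilege"  # privilege constant behind "Bypass traverse checking"

@dataclass
class Node:
    allow: dict = field(default_factory=dict)     # user -> set of granted permissions
    children: dict = field(default_factory=dict)  # name -> Node

@dataclass
class Token:
    user: str
    privileges: frozenset = frozenset()

def check_access(root, path, token, wanted):
    """Return (granted, reason) for opening `path` with the `wanted` permission."""
    parts = [p for p in path.strip("\\").split("\\") if p]
    node, walked = root, ""
    for name in parts:
        # Ancestor folders are checked for Traverse Folder only when the
        # token lacks the bypass privilege.
        if BYPASS not in token.privileges and TRAVERSE not in node.allow.get(token.user, set()):
            return False, f"no Traverse Folder on '{walked or chr(92)}'"
        if name not in node.children:
            return False, f"'{name}' not found"
        node = node.children[name]
        walked += "\\" + name
    # The target's own ACL is always evaluated; the privilege never substitutes for it.
    if wanted not in node.allow.get(token.user, set()):
        return False, f"no {wanted} on '{walked or chr(92)}'"
    return True, "granted"

def build_sample_tree():
    # Constructed sample: alice has no rights on \Finance, only on the file beneath it.
    report = Node(allow={"alice": {READ}})
    finance = Node(allow={}, children={"q3.xlsx": report})
    return Node(allow={"alice": {TRAVERSE, LIST}}, children={"Finance": finance})
```

With the default token, alice can open `\Finance\q3.xlsx` by full path but cannot list `\Finance`; without the privilege, the same open fails at `\Finance` unless Traverse Folder is granted there.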