Discussion:
Access Based Enumeration and Traversing folders
Phillip McIntosh
2007-01-03 07:00:00 UTC
We have ABE installed on our 2003 R2 member servers - some file/print
clusters, others as single servers.

We have not enabled Bypass traverse Checking in the Default Domain GPO.

I want to be able to grant NTFS permissions to a child folder to a
specific group without giving them rights to the parent folder/s.

If I grant Traverse Folder / Execute File permissions to the child folder
they can't see the parent folder (I assume due to ABE) and can't walk the
tree to the child folder.

If I grant the group Traverse Folder / Execute File, List Folder / Read
Data, Read Attributes, Read Extended Attributes and Read Permissions they can
see the folder/s and walk the tree but they can also read any files in the
parent folder/s. I don't want to allow this.

What am I missing?

This was simple in Netware but we've migrated to Windows and I can't seem to
get my head around how to do it.


I gather this would be straightforward if Bypass traverse Checking was
enabled for Everyone in the Default Domain GPO. Does Bypass Traverse
Checking work with ABE?
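The configuration the question is after, as an added PowerShell example that is not from this thread: each ancestor folder gets a "This folder only" ACE with just the rights ABE needs to show the folder and the user needs to walk through it, so nothing is inherited by the files in those folders, and the child folder gets the real grant. The share root, folder paths and group name are assumed.

```powershell
# Added example, not from the thread. Assumed layout: share root D:\Shares\Dept,
# target child folder D:\Shares\Dept\Projects\Alpha, group CONTOSO\Alpha-Team.
$shareRoot = 'D:\Shares\Dept'
$child     = 'D:\Shares\Dept\Projects\Alpha'
$group     = 'CONTOSO\Alpha-Team'

# Ancestors of the child, up to and including the share root.
$ancestors = @()
$dir = Split-Path -Parent $child
while ($dir.TrimEnd('\') -ne $shareRoot.TrimEnd('\')) {
    $ancestors += $dir
    $dir = Split-Path -Parent $dir
}
$ancestors += $shareRoot

# What ABE needs to show a folder plus what is needed to walk through it.
# On a directory, ReadData is "List Folder" and ExecuteFile is "Traverse Folder".
$walkRights = [System.Security.AccessControl.FileSystemRights]'ReadData, ExecuteFile, ReadAttributes, ReadExtendedAttributes, ReadPermissions'

function Grant-WalkOnly {
    param([string]$Folder, [string]$Identity)
    # InheritanceFlags None + PropagationFlags None = "This folder only": the ACE is
    # never copied to files or subfolders, so it grants no Read Data on the files.
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $walkRights, 'None', 'None', 'Allow')
    $acl = Get-Acl -Path $Folder
    $acl.AddAccessRule($ace)
    Set-Acl -Path $Folder -AclObject $acl
}

foreach ($a in $ancestors) { Grant-WalkOnly -Folder $a -Identity $group }

# The real grant on the child: Modify for this folder, subfolders and files.
$childAce = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $child
$acl.AddAccessRule($childAce)
Set-Acl -Path $child -AclObject $acl

# Check: no file sitting directly in an ancestor may carry an ACE for the group.
foreach ($a in $ancestors) {
    Get-ChildItem -Path $a | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $leak = (Get-Acl -Path $_.FullName).Access |
                Where-Object { $_.IdentityReference.Value -eq $group }
        if ($leak) { Write-Warning "$($_.FullName) has an ACE for $group; review it" }
    }
}
```

The same parent ACE from the command line is `icacls <folder> /grant "CONTOSO\Alpha-Team":(RD,X,RA,REA,RC)` with no (OI)(CI) flags, which is also "This folder only". Whether Bypass traverse checking is at its default or not, ABE still hides any folder on which the group lacks List Folder, so the ancestor ACEs are what makes the path visible.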
Jerold Schulman
2007-01-03 15:35:27 UTC
Post by Phillip McIntosh
We have ABE installed on our 2003 R2 member servers - some file/print
clusters, others as single servers.
We have not enabled Bypass traverse Checking in the Default Domain GPO.
I want to be able to grant NTFS permissions to a child folder to a
specific group without giving them rights to the parent folder/s.
If I grant Traverse Folder / Execute File permissions to the child folder
they can't see the parent folder (I assume due to ABE) and can't walk the
tree to the child folder.
If I grant the group Traverse Folder / Execute File, List Folder / Read
Data, Read Attributes, Read Extended Attributes and Read Permissions they can
see the folder/s and walk the tree but they can also read any files in the
parent folder/s. I don't want to allow this.
What am I missing?
This was simple in Netware but we've migrated to Windows and I can't seem to
get my head around how to do it.
I gather this would be straightforward if Bypass traverse Checking was
enabled for Everyone in the Default Domain GPO. Does Bypass Traverse
Checking work with ABE?
From http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch04n.mspx

Bypass traverse checking
This policy setting determines whether users can pass through folders without being checked
for the special access permission “Traverse Folder” when they navigate an object path
in the NTFS file system or in the registry. This user right does not allow the user to
list the contents of a folder; it only allows the user to traverse folders.

The possible values for the Bypass traverse checking setting are:

• A user-defined list of accounts

• Not Defined


Vulnerability
The default configuration for the Bypass traverse checking setting is to allow anyone to
bypass traverse checking, and experienced Windows system administrators configure file
system access control lists (ACLs) accordingly. The only scenario in which the default
configuration could lead to a mishap would be if the administrator who configures
permissions does not understand how this policy setting works. For example, they might
expect that users who are unable to access a folder will be unable to access the contents
of any child folders. Such a situation is unlikely, and therefore this vulnerability
presents little risk.

Countermeasure
Organizations that are extremely concerned about security may want to remove the
Everyone group, or perhaps even the Users group, from the list of groups with the
Bypass traverse checking user right. Taking explicit control over traversal assignments
can be a very effective way to control access to sensitive information.
(Also, the Access–based Enumeration feature that was added in Windows Server 2003 SP1
can be used. If you use access–based enumeration, users cannot see any folder or file
to which they do not have access. For more information about this feature,
see www.microsoft.com/technet/prodtechnol/windowsserver2003/library/BookofSP1/f04862a9-3e37-4f8c-ba87-917f4fb5b42c.mspx.)

Potential Impact
The Windows operating systems, as well as many applications, were designed with the
expectation that anyone who can legitimately access the computer will have this user right.
Therefore, Microsoft recommends that you thoroughly test any changes to assignments of the
Bypass traverse checking user right before you make such changes to production systems.
In particular, IIS requires this user right to be assigned to the Network Service,
Local Service, IIS_WPG, IUSR_<ComputerName>, and IWAM_<ComputerName> accounts.
(It must also be assigned to the ASPNET account through its membership in the Users group.)
This guide recommends that you leave this policy setting at its default configuration.



Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
http://www.jsifaq.com
