[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Bypass Traverse Checking Security

Posted on 2012-03-27
6
Medium Priority
?
1,349 Views
Last Modified: 2012-06-22
Can someone please tell me if Backup Operators and Users groups actually need to be given this right?  We follow DISA Stigs and this was a finding.  We need to know if they can be removed safely and if not, sound justification.  Thanks in advance.
0
Comment
Question by:BrianRB
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 1000 total points
ID: 37771582
It should give you some performance gains on long/deep folders, because the account can traverse the path.  Having said that I don't have stats to know how noticeable the gain would be.

Is this a CAT I, II, or III finding (for those not familiar with the DISA stigs CAT1 is most critical)

Thanks

Mike
0
 
LVL 2

Author Comment

by:BrianRB
ID: 37771629
3 I believe.  I'll confirm.  Do you see why Backup Ops and the users groups need to be added?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37771637
I could see the case for backup ops as accounts used to backup do have to go through the entire directory.
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 
LVL 2

Author Comment

by:BrianRB
ID: 37771647
V-26475      STIG.DOD.MIL      WINUR-000008      Automated      CAT III      Unauthorized accounts will not have the "Bypass traverse checking" user right      "Inappropriate granting of user rights can provide system, administrative, and other high level capabilities.

Accounts with the ""Bypass traverse checking"" right can pass through folders when browsing even if they do not have the Traverse Folder access permission. They could potentially view sensitive file and folder names. They would not have additional access to the files and folders unless it is granted through permissions"      "Analyze the system using the Security Configuration and Analysis snap-in.
Expand the Security Configuration and Analysis tree view.
Navigate to Local Policies -> User Rights Assignment.

If any accounts or groups other than the following are granted the “Bypass traverse checking” right, this is a finding:

Administrators
Authenticated Users
Local Service
Network Service"
0
 
LVL 43

Accepted Solution

by:
Adam Brown earned 1000 total points
ID: 37772067
Heh. That's hilarious. It's barking about the Backup Operators group having Bypass Traverse checking, but that explanation says it's okay for the Authenticated Users group to have it. That means everyone is going to have it anyway.

Generally it's safe to remove the Bypass right from the Backup Operators group, particularly if it is already assigned to the Authenticated Users group. Again, if you're not using the Backup Operators group, this finding is mostly mitigated by that. The end result of removing the right from that group is that backup processes that use accounts in the Backup Operators group for authentication (not particularly common) will not be able to read the entire file structure if they are not granted permission to do so. This will affect those backups. It's generally a better idea to configure backup services to run using the local service or a highly secured specialized administrative account with no local or remote login rights.
0
 
LVL 2

Author Closing Comment

by:BrianRB
ID: 37772188
You guys are the best.  Thx.
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question