asked on

Bypass Traverse Checking Security

Can someone please tell me if Backup Operators and Users groups actually need to be given this right? We follow DISA Stigs and this was a finding. We need to know if they can be removed safely and if not, sound justification. Thanks in advance.

SOLUTION

Mike Kline

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

BrianRB

ASKER

3 I believe. I'll confirm. Do you see why Backup Ops and the users groups need to be added?

Mike Kline

I could see the case for backup ops as accounts used to backup do have to go through the entire directory.

BrianRB

ASKER

V-26475 STIG.DOD.MIL WINUR-000008 Automated CAT III Unauthorized accounts will not have the "Bypass traverse checking" user right "Inappropriate granting of user rights can provide system, administrative, and other high level capabilities.

Accounts with the ""Bypass traverse checking"" right can pass through folders when browsing even if they do not have the Traverse Folder access permission. They could potentially view sensitive file and folder names. They would not have additional access to the files and folders unless it is granted through permissions" "Analyze the system using the Security Configuration and Analysis snap-in.
Expand the Security Configuration and Analysis tree view.
Navigate to Local Policies -> User Rights Assignment.

If any accounts or groups other than the following are granted the “Bypass traverse checking” right, this is a finding:

Administrators
Authenticated Users
Local Service
Network Service"

ASKER CERTIFIED SOLUTION

Adam Brown

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

BrianRB

ASKER

You guys are the best. Thx.