theNetFlow.com

Hidden traverse folder permissions

We all folder permission projects, you’re going to get odd situations where users have access to resources that you hadn’t planned. Usually minor and easy to fix like an active directory grouping error. Or some inheritance that you forgot to force.

One thing that I’ve come across recently from a bit of a odd situation is the Bypass traverse checking group policy object.

Basically, what this allows users to do, is traverse folders that they should have no access to…

This is how it is explained in Microsoft’s technet article about it…

This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories.

This normally would bother anyone, unless during a very sensitive data move that requires you leave the permissions of the underlying data alone. In this case, you have a top level folder with a certain set of permissions but because of an audit rule you have to leave the permissions on the lower level folders alone for a period of time.

You would expect the users not to be able to get to the data below the top level folder – why should they? You’ve set the permissions correctly on the top of the folder and then the Bypass traverse checking group policy object steps in. And ruins your day.

Slight exaggeration, and easily dealt with since we don’t knowingly use this GPO for anything else in the server. This is the default user set that can, by default, gain access via this group policy:

• Administrators
• Backup Operators
• Power Users
• Users
• Everyone

Out comes the “everyone” group, and now we’re nicely audit compliant.

Normally this would not be a problem as most of you will force replication after a folder move, thus inherit the permissions of the top level folder and block the user from traversing the folder as they will have no access to the folder below the top level.