NT Gatekeeper: Granting the Bypass Traverse Checking Advanced User Right
Learn the pros and cons of letting users bypass directory traversal access checks.
August 17, 2003
Which privilege does the Windows NT 4.0 Bypass traverse checking advanced user right grant to user accounts?
Bypass traverse checking, also known as the SeChangeNotifyPrivilege, is granted by default to the NT 4.0 Everyone group. Bypass traverse checking causes the Windows security subsystem to bypass directory traversal access checks. Users who have this privilege can access a subdirectory even though they don't have access to its parent directory. When users don't have this privilege (i.e., when Directory traverse checking is enabled), the OS will check not only the ACL of the requested file but also the ACL of each parent directory of that file up to the logical drive's root directory. In this scenario, the OS will deny access to users who don't have List Folder Contents access permissions on every parent directory.
Because granting the Bypass traverse checking user right accelerates access to NTFS-formatted volumes, it also provides an NTFS optimization. Bypass traverse checking also lets users receive notifications of changes to files and directories (Windows Explorer uses this feature).
The downside of giving an account the Bypass traverse checking permission is that locking down a directory might not fully close access to that directory's entire subtree. If you or one of your administrators leaves ACLs open on portions of the subtree, users will be able to access those portions. From a security standpoint, I recommend that you give Bypass traverse checking permissions to members of the Administrators group only.
By default, NT 4.0 doesn't log the use of Bypass traverse checking to the event log. To enable auditing for SeChangeNotifyPrivilege, you must edit the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa registry subkey and set the FullPrivilegeAuditing value of type (REG_DWORD) to 1. Note that enabling this registry subkey might have a significant impact on the system's performance and event-log activity.
About the Author
You May Also Like