Dang, you are right. The "Bypass Traverse by Checking" user right, which everyone has, does override. I do stand corrected.
Yep, and never remove the bypass traverse by checking, it definitely breaks things (tried it before and not much worked afterwards).

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:[email protected]
Cell:401-639-3505

-----Original Message-----
From: Ben Scott [mailto:[email protected]]
Sent: Tuesday, August 10, 2010 8:14 AM
To: NT System Admin Issues
Subject: Re: File server structure and perms

On Tue, Aug 10, 2010 at 8:03 AM, Ziots, Edward <[email protected]> wrote:
> If they don't have at least read on the directory, they aren't getting
> access to it, which means they aren't going to have write, unless you
> explicitly add that accordingly, which I believe also adds read.

Incorrect. With NTFS, objects can have Read but not Write. Yes, in the basic "Security tab" GUI, when you check "Write" it adds "Read" automatically, but that's a feature of the GUI. You can then uncheck "Read" if you want. If you're using API calls or various command-line tools, adding "Write" does not explicitly add "Read".

This has real-world uses. For example, a "drop box" folder, where users can copy files in, but cannot access other stuff in there.

Also, if a user has the "Bypass traverse checking" right, if they have no permission to a directory but they have permission to objects within that directory, and they know the names of those objects, they can still access those objects. "Bypass traverse checking" is assigned to all users by default, and removing it breaks things.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
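The "drop box" arrangement described in the quoted message, as an added PowerShell example that is not part of the original thread: it builds a folder whose ACL grants Write without Read through the API rather than the GUI, then lists the ACEs on a path that allow writing but not reading. The demo path, the BUILTIN principals and the function name Find-WriteWithoutRead are assumptions, and the check looks at individual allow ACEs only, not at effective access across group memberships or deny entries.

```powershell
# Added example. The folder path, the BUILTIN principals and the function name
# Find-WriteWithoutRead are assumptions, not taken from the thread. Run elevated.
$dropBox = Join-Path $env:TEMP 'DropBoxDemo'   # constructed demo path
New-Item -ItemType Directory -Path $dropBox -Force | Out-Null

$acl = Get-Acl -Path $dropBox
# Stop inheriting from the parent and drop inherited ACEs so only the rules below apply.
$acl.SetAccessRuleProtection($true, $false)

$thisFolderOnly = [System.Security.AccessControl.InheritanceFlags]::None
$inheritAll     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noPropagation  = [System.Security.AccessControl.PropagationFlags]::None
$allow          = [System.Security.AccessControl.AccessControlType]::Allow

# Administrators keep full control of the folder and everything created in it.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', $inheritAll, $noPropagation, $allow)))
# Users get Write on this folder only. Unlike the Security tab, the API adds no Read.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users', 'Write', $thisFolderOnly, $noPropagation, $allow)))
Set-Acl -Path $dropBox -AclObject $acl

function Find-WriteWithoutRead {
    # Returns the allow ACEs on $Path that grant write/append but not read/list.
    # Generic rights stored as raw bits on inherit-only ACEs are not decoded here.
    param([Parameter(Mandatory)][string]$Path)
    $read  = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $write = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'
    (Get-Acl -Path $Path).Access | Where-Object {
        $rights = [int]$_.FileSystemRights
        $_.AccessControlType -eq 'Allow' -and
        ($rights -band $write) -ne 0 -and
        ($rights -band $read) -eq 0
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Report the write-only entries on the demo folder.
Find-WriteWithoutRead -Path $dropBox
```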
