Bypass traverse checking
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the Bypass traverse checking security policy setting.
This policy setting determines which users (or a process that acts on behalf of the user’s account) have permission to navigate an object path in the NTFS file system or in the registry without being checked for the Traverse Folder special access permission. This user right does not allow the user to list the contents of a folder. It only allows the user to traverse folders to access permitted files or subfolders.
- User-defined list of accounts
- Not Defined
- Use access-based enumeration when you want to prevent users from seeing any folder or file to which they do not have access.
- Use the default settings of this policy in most cases. If you change the settings, verify your intent through testing.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page.
|Server type or GPO|Default value|
|Default Domain Policy|Not Defined|
|Default Domain Controller Policy|Administrators, Pre-Windows 2000 Compatible Access|
|Stand-Alone Server Default Settings|Administrators|
|Domain Controller Effective Default Settings|Administrators, Pre-Windows 2000 Compatible Access|
|Member Server Effective Default Settings|Administrators|
|Client Computer Effective Default Settings|Administrators|
Permissions to files and folders are controlled through the appropriate configuration of file system access control lists (ACLs). The ability to traverse the folder does not provide any Read or Write permissions to the user.
A restart of the computer is not required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
- Local policy settings
- Site policy settings
- Domain policy settings
- OU policy settings
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
The default configuration for the Bypass traverse checking setting is to allow all users to bypass traverse checking. Permissions to files and folders are controlled through the appropriate configuration of file system access control lists (ACLs) because the ability to traverse the folder does not provide any Read or Write permissions to the user. The only scenario in which the default configuration could lead to a mishap would be if the administrator who configures permissions does not understand how this policy setting works. For example, the administrator might expect that users who are unable to access a folder are unable to access the contents of any child folders. Such a situation is unlikely, and, therefore, this vulnerability presents little risk.
Organizations that are extremely concerned about security may want to remove the Everyone group, and perhaps the Users group, from the list of groups that have the Bypass traverse checking user right. Taking explicit control over traversal assignments can be an effective way to limit access to sensitive information. Access-based enumeration can also be used. If you use access-based enumeration, users cannot see any folder or file to which they do not have access. For more info about this feature, see Access-based Enumeration.
The Windows operating systems and many applications were designed with the expectation that anyone who can legitimately access the computer will have this user right. Therefore, we recommend that you thoroughly test any changes to assignments of the Bypass traverse checking user right before you make such changes to production systems. In particular, IIS requires this user right to be assigned to the Network Service, Local Service, IIS_WPG, IUSR_<ComputerName>, and IWAM_<ComputerName> accounts. (It must also be assigned to the ASPNET account through its membership in the Users group.) We recommend that you leave this policy setting at its default configuration.
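Before changing the assignment, it helps to record who holds the right today. The following PowerShell audit is an added example, not part of the original documentation. It assumes an elevated prompt, uses `SeChangeNotifyPrivilege` (the privilege constant for Bypass traverse checking, which this page does not name), a hypothetical scratch file name, and the well-known SIDs for Everyone, Users, Local Service, and Network Service.

```powershell
# Added example: list accounts that hold "Bypass traverse checking".
# Assumption: SeChangeNotifyPrivilege is the constant for this user right.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'   # hypothetical scratch file
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

$match = Select-String -Path $cfg -Pattern '^SeChangeNotifyPrivilege\s*=' |
         Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
if (-not $match) { throw 'SeChangeNotifyPrivilege was not found in the export.' }

# Entries are comma separated. SIDs carry a leading '*'; plain names do not.
$holders = @(($match.Line -split '=', 2)[1].Split(',') | ForEach-Object {
    $entry = $_.Trim()
    if ($entry.StartsWith('*')) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    } else {
        try {
            $acct   = New-Object System.Security.Principal.NTAccount ($entry)
            $sidVal = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { $sidVal = '(unresolved)' }
        [pscustomobject]@{ Sid = $sidVal; Name = $entry }
    }
})
$holders | Format-Table -AutoSize

# Broad groups the countermeasure discusses removing (well-known SIDs).
$broad = [ordered]@{ 'S-1-1-0' = 'Everyone'; 'S-1-5-32-545' = 'Users' }
foreach ($sid in $broad.Keys) {
    if ($holders.Sid -contains $sid) {
        Write-Output "Broad assignment present: $($broad[$sid]) ($sid)"
    }
}

# Service accounts the page says IIS needs. Only direct assignment is checked;
# group membership is not expanded here.
$needed = [ordered]@{ 'S-1-5-19' = 'Local Service'; 'S-1-5-20' = 'Network Service' }
foreach ($sid in $needed.Keys) {
    if ($holders.Sid -notcontains $sid) {
        Write-Warning "$($needed[$sid]) ($sid) is not directly assigned; confirm it holds the right through a group before removing broad groups."
    }
}
```

Running the same audit before and after a test change gives a baseline to compare against and a record to roll back to.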