Bypass Traverse Checking

G

Guest

I know that bypass traverse checking is granted to Everyone by default.

The odd thing is in my Event log, I see an entry granting it to a specific
user:

Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x553939)
Privileges: SeChangeNotifyPrivilege

It happens several times for the same user - a user that never accesses my
box. Any ideas?
 
C

Carey Frisch [MVP]

Bypass traverse checking
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/528.mspx

"This user right is defined in the Default Domain Controller Group Policy object (GPO)
and in the local security policy of workstations and servers."

Advanced File and Folder Permissions
http://www.microsoft.com/resources/...Windows/XP/all/reskit/en-us/prdd_sec_letd.asp

Windows XP Security Guide v2
http://www.microsoft.com/downloads/...BC-F434-4CC6-A5A7-09A8A229F118&displaylang=en

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/default.aspx

---------------------------------------------------------------------------------------

:

| I know that bypass traverse checking is granted to Everyone by default.
|
| The odd thing is in my Event log, I see an entry granting it to a specific
| user:
|
| Special privileges assigned to new logon:
| User Name:
| Domain:
| Logon ID: (0x0,0x553939)
| Privileges: SeChangeNotifyPrivilege
|
| It happens several times for the same user - a user that never accesses my
| box. Any ideas?
 
G

Guest

I know what it is... I'm just curious why I would see a specific user
assignment in the event log of my workstation. By default Everyone has this
right... but why would someone who doesn't connect to my box, supposedly,
suddenly have this right assigned and logged in event viewer?

Looking under user rights in Local Policy doesn't show the user's username
as having the direct assignment.

Any ideas?
 
C

Colin Nash [MVP]

biz said:
I know that bypass traverse checking is granted to Everyone by default.

The odd thing is in my Event log, I see an entry granting it to a specific
user:

Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x553939)
Privileges: SeChangeNotifyPrivilege

It happens several times for the same user - a user that never accesses my
box. Any ideas?
Click to expand...

What kind of security auditing do you have turned on? Do you have anything
special being audited for that user?

(This privilege is being granted to everyone, but as I understand your
question, you are wondering why only this user is causing this to be
logged?)

If you are auditing logon events for Everyone, then you should be seeing
this event happening for a whole bunch of people.

Hmmm .... on a semi-related note, this post (apparently from EricF, a
Microsoft employee) states that there was a small bug in Windows Server 2003
regarding the auditing of this event. Possibly this was in XP as well (??)
http://lists.jammed.com/loganalysis/2004/06/0015.html
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

GPO Bypass traverse checking user right 2
Event Viewer/Security 4
Possible Hacking attempt 5
How do I set User Right on Bypass traverse checking to 'Not Defined'? 2
Unexplained 540 Events in Security log on W2K workstation in a dom 0
Survey on Bypass Traverse Checking 1
Bypass Traverse Checking question 1
Event ID 560 (SC_MANAGER OBJECT) 3

Top