NTFS
I am running the Sysinternals tool AccessEnum. By default, it lists only files that have less restrictive permissions than their parent folder.
The parent folder is A:\admin, and it is granted access to GroupA and GroupB.
AccessEnum lists a file, A:\admin\test\data.xls, and this file is granted access to GroupA and GroupB but also GroupC. As GroupC doesn't have access to the parent folder, am I correct in thinking they won't be able to access the file anyway?
July 22nd, 2010 1:34pm
Not always. This depends on Traverse Folder rights (the full name of this right is bypass traverse checking). If a certain user has this right, he or she can traverse directory trees even though the user may not have permissions on the traversed directory. So in that case, if a user has access to a file, knows the full path to the file and has no permissions on the folders containing this file, the user will have access to the file. By default this right is assigned to each authenticated user (member of the Authenticated Users group).
http://en-us.sysadmins.lv
July 22nd, 2010 2:16pm
Excuse my ignorance on the subject, but how can I determine who is in the Authenticated Users group?
With the example above, the share is called data: \\localhost\data$
When I map data, the first folder is A:\admin
MBSA reports share ACL - Everyone F, directory ACL - GroupA, GroupB
For A:\admin\test\data.xls AccessEnum reports GroupA, GroupB and GroupC
So for A:\admin\test\data.xls, how can I produce a report of all users outside GroupA and GroupB who have Traverse Folder rights?
July 22nd, 2010 2:37pm
Each user that has been authenticated by the system automatically becomes a member of Authenticated Users. Actually, only anonymous users are not granted this membership. Usually anonymous access is used in IIS. Therefore each user has this right.
This is the reason why you MUST NOT use file-level permissions. Instead, permissions on a file must be inherited from the parent folder (use folder-level permissions).
http://en-us.sysadmins.lv
July 22nd, 2010 2:43pm
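One way to produce the report asked for above, in PowerShell: for a given file, list every identity granted an Allow ACE on the file that does not appear in the ACL of any ancestor folder (those are the principals who could reach the file only through the Bypass traverse checking right), and flag whether inheritance is disabled on the file. This is an added example, not code from the thread or from Sysinternals; it assumes the scenario's path A:\admin\test\data.xls exists and does not expand group membership, so identities are reported as they appear in the ACLs.

```powershell
# Added example (hypothetical): report identities granted on a file
# but absent from every ancestor folder's ACL.
function Get-TraverseOnlyGrants {
    param(
        [Parameter(Mandatory)][string]$Path
    )

    $fileAcl = Get-Acl -Path $Path

    # Identities with an Allow ACE (explicit or inherited) on the file itself
    $fileAllow = $fileAcl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    # Collect Allow identities from each ancestor folder up to the drive root
    $ancestorAllow = @{}
    $parent = Split-Path -Path $Path -Parent
    while ($parent) {
        (Get-Acl -Path $parent).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { $ancestorAllow[$_.IdentityReference.Value] = $true }
        # Split-Path returns an empty string at the root, which ends the loop
        $parent = Split-Path -Path $parent -Parent
    }

    # Anything granted on the file but on no ancestor is what AccessEnum
    # shows as "less restrictive than the parent"
    foreach ($id in $fileAllow) {
        if (-not $ancestorAllow.ContainsKey($id)) {
            [pscustomobject]@{
                Path                = $Path
                Identity            = $id
                InheritanceDisabled = $fileAcl.AreAccessRulesProtected
            }
        }
    }
}

# Example use with the path from the thread's scenario
Get-TraverseOnlyGrants -Path 'A:\admin\test\data.xls' | Format-Table -AutoSize
```

In the thread's scenario this lists GroupC for data.xls; a row with InheritanceDisabled set to True means someone has unticked inheritance on that file, which is the case the replies above warn against.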
If I removed a group's access to a parent folder, should that not filter down to every sub-folder?
For example, I took a group's access off A:\admin, yet AccessEnum still shows a list of files in sub-folders with differing control rights to this parent folder. So I (perhaps wrongly) thought that by taking the group's access from the parent folder I actually removed their access to each sub-folder....
Out of interest, can any user setting a file up in a sub-folder of the parent untick the inheritance option, or only admins?
July 22nd, 2010 2:55pm
> So I (perhaps wrongly) thought that by taking the group's access from the parent folder I actually removed their access to each sub-folder....
If inheritance is enabled. To force inheritance, enable the 'Replace all child object permissions with inheritable permissions from this object' checkbox.
http://en-us.sysadmins.lv
July 22nd, 2010 2:58pm
I don't see that choice when I right-click on the parent folder > Security > Advanced.
There is an option (currently unchecked) "Replace permission entries on all child objects with entries shown here that apply to child objects". Is that the same? Sorry, this is on Win2k.
July 22nd, 2010 3:07pm
I'm talking about this:
http://en-us.sysadmins.lv
July 22nd, 2010 3:13pm
Me too, it's just that the wording is different on mine...
What's stopping some uneducated user unticking it at the parent level, though, and setting their own directory permissions, opening specific child folders up to bypass traverse checking attacks?
July 22nd, 2010 3:16pm
This will prevent access to a file for a user if he is not listed in the parent folder's ACL. And only users that have Change Permissions (or the folder owner) can untick this checkbox.
http://en-us.sysadmins.lv
July 22nd, 2010 3:18pm