Today's task was to secure access to the Microsoft Windows 2008 server using GPO. That's an interesting topic to play with because there is a lot of different combinations exists to accomplish this. A combination of local and domain policies, NTFS permissions can be used. Here I will try to post a conclusions that arised after this work.
First of all I would like to talk about NTFS permission named "Traverse Folder". That's a very interesting permission because it allows us to tighten security to a highest level. Let's make an example. Let's say we want to access a folder under the following path: "C:\lala\dada\KEY". For user "Tony" to access folder "KEY" he has to have NTFS permissions for it, but not only for it. What about parent folders? In fact, he has to have a "Traverse Folder" permission on all the parent folders to access "KEY" folder. So we should modify all the parent folders permissions to give "Tony" access to "KEY"? Not at all. By default, GPO assign the following "User Right": "Bypass Traverse Checking" to "Administrators, Backup Operators, Users, Everyone, Local Service and Network Service" on workstations and servers and "Administrators, Authenticated Users, Everyone, Local Service, Network Service and Pre-Windows 2000 Compatible Access" on Domain Controllers.
This is the link to Microsoft support article that describes different incompatibilities that may appear after wrong modification of critical user rights like "Allow logon locally", "Access this computer from the network" etc.