ESC4 and ESC5 should report issues based on effective access instead of just filtering out Deny ACEs. Filtering Denys cuts down on false positives but doesn't provide a picture of true risk.
To be clear, risky Allows should still be removed when a corresponding Deny exists, but the actual risk presented is less than an Allow without a superseding Deny.
ESC4 and ESC5 should report issues based on effective access instead of just filtering out Deny ACEs. Filtering Denys cuts down on false positives but doesn't provide a picture of true risk.
To be clear, risky Allows should still be removed when a corresponding Deny exists, but the actual risk presented is less than an Allow without a superseding Deny.