| Author |
Message |
Ralish
Guest
|
 Posted:
Sat Oct 29, 2005 8:50 am Post subject:
Services Security Failure Audit |
|
|
Hello,
Yesterday I was reading through the Security Logs in Event Viewer on a
Windows Server 2003 Domain Controller when I noticed the following event:
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 29/10/2005
Time: 1:20:08 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: <cut>
Description:
Object Open:
Object Server: SC Manager
Object Type: SC_MANAGER OBJECT
Object Name: ServicesActive
Handle ID: -
Operation ID: {0,41170}
Process ID: 528
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: <cut>$ (Machine Logon)
Primary Domain: <cut>
Primary Logon ID: (0x0,0x3E7)
Client User Name: NETWORK SERVICE
Client Domain: NT AUTHORITY
Client Logon ID: (0x0,0x3E4)
Accesses: READ_CONTROL
Connect to service controller
Lock service database for exclusive access
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x20009
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
A quick bit of experimentation revealed that this Failure Audit occurs only
once every reboot, relatively early in the Windows boot-up process.
Can anyone provide any advice on the cause of this failure audit, and any
likely repercussions from it? I have yet to notice any negative effects from
this error, but it would still be nice to know the reason behind this event.
Thanks in advance,
Ralish |
|
| Back to top |
|
 |
Steven L Umbach
Guest
|
| Posted:
Mon Oct 31, 2005 9:05 am Post subject:
Re: Services Security Failure Audit |
|
|
Object access errors like that can be hard to track down and usually can be
ignored if everything is working well. Also look in the system and
application logs to see if there are any other warning or error messages
that show about the same timestamp that may give a clue. I have seen that
Event ID when an account tries access the operating system in such a way
that requires administrator access but fails.--- Steve
"Ralish" <ralish@gmail.com> wrote in message
news:eafmY6D3FHA.2196@tk2msftngp13.phx.gbl...
| Quote: | Hello,
Yesterday I was reading through the Security Logs in Event Viewer on a
Windows Server 2003 Domain Controller when I noticed the following event:
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 29/10/2005
Time: 1:20:08 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: <cut
Description:
Object Open:
Object Server: SC Manager
Object Type: SC_MANAGER OBJECT
Object Name: ServicesActive
Handle ID: -
Operation ID: {0,41170}
Process ID: 528
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: <cut>$ (Machine Logon)
Primary Domain: <cut
Primary Logon ID: (0x0,0x3E7)
Client User Name: NETWORK SERVICE
Client Domain: NT AUTHORITY
Client Logon ID: (0x0,0x3E4)
Accesses: READ_CONTROL
Connect to service controller
Lock service database for exclusive access
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x20009
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
A quick bit of experimentation revealed that this Failure Audit occurs
only once every reboot, relatively early in the Windows boot-up process.
Can anyone provide any advice on the cause of this failure audit, and any
likely repercussions from it? I have yet to notice any negative effects
from this error, but it would still be nice to know the reason behind this
event.
Thanks in advance,
Ralish
|
|
|
| Back to top |
|
|
Roger Abell [MVP]
Guest
|
| Posted:
Mon Oct 31, 2005 9:51 am Post subject:
Re: Services Security Failure Audit |
|
|
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:emsFWBd3FHA.700@TK2MSFTNGP15.phx.gbl...
| Quote: | Object access errors like that can be hard to track down and usually can
be ignored if everything is working well. Also look in the system and
application logs to see if there are any other warning or error messages
that show about the same timestamp that may give a clue. I have seen that
Event ID when an account tries access the operating system in such a way
that requires administrator access but fails.--- Steve
|
Agreed, but in case of message shown it is the machine$ account,
which runs as System, and that is hidden member of Administrators.
I assume that the SCM is impersonating an account used as a service
account, but the account does not have correct permissions on its service.
| Quote: |
"Ralish" <ralish@gmail.com> wrote in message
news:eafmY6D3FHA.2196@tk2msftngp13.phx.gbl...
Hello,
Yesterday I was reading through the Security Logs in Event Viewer on a
Windows Server 2003 Domain Controller when I noticed the following event:
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 29/10/2005
Time: 1:20:08 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: <cut
Description:
Object Open:
Object Server: SC Manager
Object Type: SC_MANAGER OBJECT
Object Name: ServicesActive
Handle ID: -
Operation ID: {0,41170}
Process ID: 528
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: <cut>$ (Machine Logon)
Primary Domain: <cut
Primary Logon ID: (0x0,0x3E7)
Client User Name: NETWORK SERVICE
Client Domain: NT AUTHORITY
Client Logon ID: (0x0,0x3E4)
Accesses: READ_CONTROL
Connect to service controller
Lock service database for exclusive access
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x20009
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
A quick bit of experimentation revealed that this Failure Audit occurs
only once every reboot, relatively early in the Windows boot-up process.
Can anyone provide any advice on the cause of this failure audit, and any
likely repercussions from it? I have yet to notice any negative effects
from this error, but it would still be nice to know the reason behind
this event.
Thanks in advance,
Ralish
|
|
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in