MSDTC Security Log Failure Audits
Andrew Phillips
Guest

Posted: Sat Oct 29, 2005 8:50 am    Post subject: MSDTC Security Log Failure Audits

While scrolling through the Security logs of a Windows 2003 box, I noticed
seven separate security failure audits from the MSDTC service relating to
accessing and writing to two MSDTC logs.

The audits:

Audit 1:
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 29/10/2005
Time: 6:05:01 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: LFN-SVR-1
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log
Handle ID: -
Operation ID: {0,51323}
Process ID: 1372
Image File Name: C:\WINDOWS\system32\msdtc.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E4)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
SYNCHRONIZE
ReadAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x110080

Audit 2:
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 29/10/2005
Time: 6:05:01 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: LFN-SVR-1
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log
Handle ID: -
Operation ID: {0,51326}
Process ID: 1372
Image File Name: C:\WINDOWS\system32\msdtc.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E4)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
SYNCHRONIZE
ReadAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x110080

Audit 3:
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 29/10/2005
Time: 6:05:01 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: LFN-SVR-1
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log
Handle ID: -
Operation ID: {0,51347}
Process ID: 1372
Image File Name: C:\WINDOWS\system32\msdtc.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E4)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
ReadAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x10080

Audit 4:
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 29/10/2005
Time: 6:05:01 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: LFN-SVR-1
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log
Handle ID: -
Operation ID: {0,51350}
Process ID: 1372
Image File Name: C:\WINDOWS\system32\msdtc.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E4)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x10000

Audit 5:
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 29/10/2005
Time: 6:05:01 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: LFN-SVR-1
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\DtcInstall.log
Handle ID: -
Operation ID: {0,51454}
Process ID: 1372
Image File Name: C:\WINDOWS\system32\msdtc.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E4)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x12019F

Audit 6:
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 29/10/2005
Time: 6:05:01 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: LFN-SVR-1
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\DtcInstall.log
Handle ID: -
Operation ID: {0,51458}
Process ID: 1372
Image File Name: C:\WINDOWS\system32\msdtc.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E4)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x12019F

Audit 7:
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 29/10/2005
Time: 6:05:02 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: LFN-SVR-1
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\DtcInstall.log
Handle ID: -
Operation ID: {0,51767}
Process ID: 1372
Image File Name: C:\WINDOWS\system32\msdtc.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E4)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x12019F


My interpretation of these audits is that the MSDTC service is trying to
modify its log files and failing, due to incorrect permissions. However,
both files have full access given to the NETWORK SERVICE account. Can anyone
provide any suggestions on how to fix this permissions issue and remove
these failure audits? Thanks...
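
Added example, not part of the original post: a small Python triage helper that parses Event ID 560 descriptions like the ones quoted above, decodes each Access Mask into the file rights that were requested and denied, and collapses repeated failures into one row per object and right set. The function names are this example's own, the bit values are the standard file access rights from winnt.h with names shortened to match the event text, and the sample input is constructed by abridging two of the quoted audits.

```python
import re
from collections import Counter

# File access-right bits (winnt.h); names shortened to match the Event 560 text.
FILE_RIGHTS = {
    0x000001: "ReadData", 0x000002: "WriteData", 0x000004: "AppendData",
    0x000008: "ReadEA", 0x000010: "WriteEA", 0x000020: "Execute",
    0x000040: "DeleteChild", 0x000080: "ReadAttributes",
    0x000100: "WriteAttributes", 0x010000: "DELETE", 0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC", 0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}

def decode_mask(mask):
    """Names of the rights set in a file access mask, lowest bit first."""
    names = [name for bit, name in sorted(FILE_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(FILE_RIGHTS)  # bits are disjoint, so sum == OR
    return names + (["unknown:0x%X" % unknown] if unknown else [])

def parse_560(text):
    """Extract object, mask and listed accesses from one Event 560 description."""
    obj = re.search(r"^Object Name:[ \t]*(.+)$", text, re.M).group(1).strip()
    mask = int(re.search(r"^Access Mask:[ \t]*(0x[0-9A-Fa-f]+)", text, re.M).group(1), 16)
    block = re.search(r"^Accesses:(.*?)^Privileges:", text, re.M | re.S).group(1)
    listed = [ln.split(" (")[0].strip() for ln in block.splitlines() if ln.strip()]
    rights = decode_mask(mask)
    # The text list and the mask should agree; a mismatch means a mangled record.
    return {"object": obj, "mask": mask, "rights": rights,
            "consistent": set(listed) == set(rights)}

def summarize(events):
    """Count failures per (object, requested rights) so repeats collapse to one row."""
    return Counter((e["object"], tuple(e["rights"])) for e in map(parse_560, events))

# Constructed sample: two descriptions abridged from the audits quoted in the post.
SAMPLE = r"""Object Name: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log
Accesses: DELETE
SYNCHRONIZE
ReadAttributes
Privileges: -
Access Mask: 0x110080

Object Name: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log
Accesses: DELETE
Privileges: -
Access Mask: 0x10000""".split("\n\n")

if __name__ == "__main__":
    for (obj, rights), n in summarize(SAMPLE).items():
        print(n, obj, "|".join(rights))
```

Run over the seven audits in the post, every dtctrace.log failure includes DELETE, while the DtcInstall.log failures request 0x12019F, a combined read, write and append open.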