Re: Audit Failures/READ_CONTROL SYNCHRONIZE
From: Eric Fitzgerald [MSFT] (ericf@online.microsoft.com) Date: 03/27/02
- Next message: Eric Fitzgerald [MSFT]: "Re: Object access failure"
- Previous message: Asheesh Laroia: "Re: Software for User-Rights"
- In reply to: Binesh Bannerjee: "Re: Audit Failures/READ_CONTROL SYNCHRONIZE"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Eric Fitzgerald [MSFT]" <ericf@online.microsoft.com> Date: Wed, 27 Mar 2002 14:03:52 -0800
The 560 object access event does not record what actions were performed on
the file, it records what accesses were requested to the file. It does not
mean that the program performed those operations on the file or even
intended to do so.

If you're using Windows 2000 then you're going to see a lot of yucky events
like this. Access failures often occur normally, Explorer in particular
often tries to open files with maximum privilege (which will often fail),
and then use the failure as a UI cue- it will display the file differently.
For instance, if you don't have Full Control on a file, Explorer will notice
and disable parts of the security dialog. Unfortunately if you've enabled
failure auditing then you will get an event.

Lastly, "Read Control" and "Synchronize" are two of the standard rights-
they are requested with almost every access. Read Control is the ability to
read the security descriptor on the file. Synchronize is the ability to
have the operating system notify the program of changes to the file.

For Windows XP and Windows .NET Server we've added a new event, 567, which
is logged when an operation is actually performed on a file. This will not
be back-ported to Windows 2000.
--
Eric Fitzgerald
Program Manager, Windows Auditing and Intrusion Detection
Microsoft Corporation

"Binesh Bannerjee" <binesh-dated-1017745245.ab1b1d@hex21.com> wrote in message news:a7pkd0$9ug$1@bob.news.rcn.net...
> OK, in further trying to isolate the problem, here's what I've come up with.
>
>
> I set in user manager Audit these events as ONLY File and Object access
> failure.
>
> ALL permissions on ALL files are defaults, (meaning Everyone still exists on
> everything, everything is as it is after a normal install of WinNT 4.0 server)
>
> I've added Auditing on ONE file: C:\WINNT\Explorer.exe to audit ONLY
> Write failures.
>
> This generates the following set of failures in the event log. (I've appended
> it to this post)
>
> Why? Why should anything want to write to Explorer, first off,
> and then, what is this attempt to connect to a service controller
> that's failing?
>
> Thanks,
> Binesh Bannerjee
>
> (The event log follows)
>
>
> 3/26/02 5:49:48 AM Security Failure Audit Object Access 560 user VMWARE Object Open:
> Object Server: Security
> Object Type: File
> Object Name: C:\WINNT\EXPLORER.EXE
> New Handle ID: -
> Operation ID: {0,342032}
> Process ID: 2154198752
> Primary User Name: user
> Primary Domain: VMWARE
> Primary Logon ID: (0x0,0x5324B)
> Client User Name: -
> Client Domain: -
> Client Logon ID: -
> Accesses READ_CONTROL
> SYNCHRONIZE
> ReadData (or ListDirectory)
> ReadEA
> ReadAttributes
> WriteAttributes
>
> Privileges -
>
> 3/26/02 5:49:49 AM Security Failure Audit Object Access 560 user VMWARE Object Open:
> Object Server: Security
> Object Type: File
> Object Name: C:\WINNT\EXPLORER.EXE
> New Handle ID: -
> Operation ID: {0,344370}
> Process ID: 2154198752
> Primary User Name: user
> Primary Domain: VMWARE
> Primary Logon ID: (0x0,0x5324B)
> Client User Name: -
> Client Domain: -
> Client Logon ID: -
> Accesses READ_CONTROL
> SYNCHRONIZE
> ReadData (or ListDirectory)
> ReadEA
> ReadAttributes
> WriteAttributes
>
> Privileges -
>
> 3/26/02 5:49:51 AM Security Failure Audit Object Access 560 user VMWARE Object Open:
> Object Server: SC Manager
> Object Type: SC_MANAGER OBJECT
> Object Name: ServicesActive
> New Handle ID: -
> Operation ID: {0,354711}
> Process ID: 2154290528
> Primary User Name: SYSTEM
> Primary Domain: NT AUTHORITY
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: user
> Client Domain: VMWARE
> Client Logon ID: (0x0,0x5324B)
> Accesses Connect to service controller
> Create a new service
>
> Privileges -
>
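Eric's point is that a failed 560 lists every right the open asked for, and READ_CONTROL and SYNCHRONIZE ride along with nearly all of them. As an added example (not code from either poster), here is a small triage script that parses records laid out like the dump Binesh quoted and reports only what was requested beyond those two standard rights; the sample log is constructed, and its second record is a made-up standard-rights-only failure.

```python
import re

# The two standard rights the thread says are requested with almost every
# open; a failure that asks for nothing beyond them is UI noise, not a write.
STANDARD_RIGHTS = {"READ_CONTROL", "SYNCHRONIZE"}
HEADER = re.compile(r"^\S+ \S+ [AP]M Security (\w+) Audit Object Access 560 ")

def parse_560(text):
    # Split a saved event-log dump (layout as quoted in the thread) into records.
    events, cur, in_acc = [], None, False
    for line in (ln.strip() for ln in text.splitlines()):
        m = HEADER.match(line)
        if m:                                   # start of a new 560 record
            cur, in_acc = {"result": m.group(1), "accesses": []}, False
            events.append(cur)
        elif cur is None or not line or line.startswith("Privileges"):
            in_acc = False                      # end of the Accesses list
        elif line.startswith("Accesses "):      # first right is on this line
            in_acc = True
            cur["accesses"].append(line.split(None, 1)[1])
        elif in_acc:                            # one right per continuation line
            cur["accesses"].append(line)
        elif ": " in line:
            key, val = line.split(": ", 1)
            cur[key] = val
    return events

def triage(events):
    # Per record: which requested rights go beyond the two standard rights.
    return [{"object": ev.get("Object Name"), "process": ev.get("Process ID"),
             "beyond_standard": [a for a in ev["accesses"] if a not in STANDARD_RIGHTS]}
            for ev in events]

# Constructed sample: record 1 mirrors Binesh's first event (trimmed to the
# fields used here); record 2 is invented to show a standard-rights-only failure.
SAMPLE_LOG = """\
3/26/02 5:49:48 AM Security Failure Audit Object Access 560 user VMWARE Object Open:
Object Name: C:\\WINNT\\EXPLORER.EXE
Process ID: 2154198752
Accesses READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes
Privileges -
3/26/02 5:50:02 AM Security Failure Audit Object Access 560 user VMWARE Object Open:
Object Name: C:\\WINNT\\EXPLORER.EXE
Process ID: 2154198752
Accesses READ_CONTROL
SYNCHRONIZE
"""
```

Run `triage(parse_560(SAMPLE_LOG))`: the first record still shows WriteAttributes (the right the Write-failure SACL was watching for), while the second collapses to an empty list and can be dropped from review.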