560 Audit Failure

From: Brian Cohen (BrianCohen_at_discussions.microsoft.com)
Date: 01/31/05

• Next message: Roger Abell: "Re: Internet Access - Require logon"
• Previous message: Tom Pepper Willett: "Re: ** FREE! Laptop, 40GB Photo Ipod, Dell P4 Desktop, Bose Sound Dock, Car Gear, PC Gear, Mini Mac, + Loads MORE! FREE! ** NOT SPAM! check it out"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Mon, 31 Jan 2005 06:41:09 -0800

I am seeing the following event in the security log for all of our Win2k3
servers. We use a security template to configure items like auditing events,
user rights, etc.. I am not seeing the event in the Win2k servers. Any help
would be appreciated.

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 1/31/2005
Time: 9:21:01 AM
User: NT AUTHORITY\LOCAL SERVICE
Computer: <ServerName>
Description:
Object Open:
         Object Server: Security
         Object Type: File
         Object Name: \Device\NetbiosSmb
         Handle ID: -
         Operation ID: {0,20574410}
         Process ID: 900
         Image File Name: C:\WINDOWS\system32\svchost.exe
         Primary User Name: LOCAL SERVICE
         Primary Domain: NT AUTHORITY
         Primary Logon ID: (0x0,0x3E5)
         Client User Name: -
         Client Domain: -
         Client Logon ID: -
         Accesses: SYNCHRONIZE
                        ReadData (or ListDirectory)
                        WriteData (or AddFile)
                        
         Privileges: -
         Restricted Sid Count: 0
         Access Mask: 0x100003

Thanks,

Brian Cohen

---

• Next message: Roger Abell: "Re: Internet Access - Require logon"
• Previous message: Tom Pepper Willett: "Re: ** FREE! Laptop, 40GB Photo Ipod, Dell P4 Desktop, Bose Sound Dock, Car Gear, PC Gear, Mini Mac, + Loads MORE! FREE! ** NOT SPAM! check it out"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Erratic access to network resources from service ... >> When things are working correctly, I see the expected logins from ... >> domain\computername$ in the security log of the servers. ... >> is running in the security logs of the servers. ... >> errors to refresh the credentials of the computer running the ... (microsoft.public.win32.programmer.networks) Re: Reading Security Event Logs with Service Account ... account in the Domain Users group. ... the right pane will be Manage auditing and security log. ... then set that in the GPO for the OU where the servers are. ... I have a log aggregation application that uses WMI to monitor security ... (microsoft.public.windows.server.security) Re: anonymous access to security/application/system logs ... authenticated users can access the logs locally but not ... remotely on w2k3 servers. ... the security log can only be accessed by admins, ... (microsoft.public.windows.server.active_directory) Security Log file in Event Viewer ... When I try to read the Security Log file on ANY [yes all the servers and all the clients] pc or server I receive the following error: ... Unable to complete the operation on "Security Log". ... Now I am unable to find anything in any log file about what the actual issue is. ... (microsoft.public.windows.server.security) Security Template ... TCP/UDP ports that we need on the servers only. ... Problem 1 - After applied the security template, ... message "IP Security can not be triggered by port 500 traffic. ... (Security-Basics)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(17)