Re: 560 errors

From: Mike W (wunderlinmw@state.gov)
Date: 01/31/03


From: "Mike W" <wunderlinmw@state.gov>
Date: Fri, 31 Jan 2003 05:02:30 -0800


>-----Original Message-----
>You need to disable the security option "Audit Base System Objects" in
>security policy. The audits will go away. Also, unless you are REQUIRED to
>do so, CrashOnAuditFail is a really bad choice.
>
>Eric
>
>--
>Eric Fitzgerald
>Program Manager, Windows Auditing and Intrusion Detection
>Microsoft Corporation
>
>This posting is provided "AS IS" with no warranties, and confers no rights.
>
>"Mike W" <wunderlinmw@state.gov> wrote in message
>news:093601c2c797$f57fd5a0$d3f82ecf@TK2MSFTNGXA10...
>> Our systems are locked down by security settings, and
>> auditing. I recently deployed a Win2K computer in an NT
>> 4.0 domain as part of a planned rollout. The system
>> crashed within 2 hours (crashonauditfail is enabled). Most
>> of the errors are similar to these:
>>
>> Event Type: Failure Audit
>> Event Source: Security
>> Event Category: Object Access
>> Event ID: 560
>> Date: 01/23/03
>> Time: 9:04:01 AM
>> User: <domain name>\<user name>
>> Computer: <computer name>
>> Description:
>> Object Open:
>> Object Server: Security
>> Object Type: Event
>> Object Name: \BaseNamedObjects\crypt32LogoffEvent
>> New Handle ID: -
>> Operation ID: {0,253463}
>> Process ID: 248
>> Primary User Name: <removed for posting>
>> Primary Domain: <domain name>
>> Primary Logon ID: (0x0,0x253EE)
>> Client User Name: -
>> Client Domain: -
>> Client Logon ID: -
>> Accesses DELETE
>> READ_CONTROL
>> WRITE_DAC
>> WRITE_OWNER
>> SYNCHRONIZE
>> Query event state
>> Modify event state
>>
>> Privileges -
>>
>>
>> Event Type: Failure Audit
>> Event Source: Security
>> Event Category: Object Access
>> Event ID: 560
>> Date: 01/23/03
>> Time: 9:03:57 AM
>> User: <domain name>\<user name>
>> Computer: <computer name>
>> Description:
>> Object Open:
>> Object Server: Security
>> Object Type: Section
>> Object Name: \BaseNamedObjects\_MsiFeatureCacheCount
>> New Handle ID: -
>> Operation ID: {0,249010}
>> Process ID: 976
>> Primary User Name: <removed for posting>
>> Primary Domain: <domain name>
>> Primary Logon ID: (0x0,0x253EE)
>> Client User Name: -
>> Client Domain: -
>> Client Logon ID: -
>> Accesses DELETE
>> READ_CONTROL
>> WRITE_DAC
>> WRITE_OWNER
>> Query section state
>> Map section for write
>> Map section for read
>>
>> Privileges -
>>
>> I tried searching through TechNet for information on this
>> event, but can't find anything specific. Not even a
>> description of what it's looking for and/or why this is
>> happening. Is there a TechNet article, or some other
>> article, that can explain this type of error to me?
>> What is it looking for? What did it see? Why am I seeing
>> these errors?
>>
>> Other errors include:
>> Event Type: Failure Audit
>> Event Source: Security
>> Event Category: Object Access
>> Event ID: 560
>> Date: 01/23/03
>> Time: 9:03:57 AM
>> User: <domain name>\<user name>
>> Computer: <computer name>
>> Description:
>> Object Open:
>> Object Server: Security
>> Object Type: File
>> Object Name: C:\WINNT\welcome.exe
>> New Handle ID: -
>> Operation ID: {0,1189599}
>> Process ID: 1172
>> Primary User Name: <user name>
>> Primary Domain: <domain name>
>> Primary Logon ID: (0x0,0x10FBA3)
>> Client User Name: -
>> Client Domain: -
>> Client Logon ID: -
>> Accesses SYNCHRONIZE
>> Execute/Traverse
>>
>> Privileges -
>>
>> In this case, the user has READ rights to the file in
>> question. It looks like the problem identified in article
>> Q172509 also affects Windows 2000.
>>
>> Help?!?
>> Thanks!

What Special Access says is true. We are required to have
the Crash on Audit Fail turned on. But raises a point on
what else gets "lost" if we turn off the auditing of "base
system objects".

Can anyone explain what "accesses" and "privileges" are,
when referenced by the 560 error message? And how this
relates to the permissions the user has? I can find NO
reference to how this relates anywhere in TechNet. I
can't even find any reference on the description of the
560 failure error....
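
Added example, not part of the original post or of any Microsoft tool: a Python parser for Event 560 descriptions exported as text, which lists the accesses each failed open requested and counts records by object type, separating names under \BaseNamedObjects\ from everything else. The sample text is constructed from the fields quoted in the thread; the function names and the "base named object" label are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample, shaped like the Event 560 descriptions quoted in the thread.
SAMPLE = r"""Event ID: 560
Object Type: Event
Object Name:
\BaseNamedObjects\crypt32LogoffEvent
Accesses DELETE
READ_CONTROL
WRITE_DAC
Modify event state

Privileges -

Event ID: 560
Object Type: File
Object Name: C:\WINNT\welcome.exe
Accesses SYNCHRONIZE
Execute/Traverse

Privileges -
"""

def parse_560(text):
    """Return one dict per Event 560 record: object type, name, requested accesses."""
    records = []
    for chunk in re.split(r"(?m)^Event ID:\s*", text)[1:]:
        if not chunk.startswith("560"):
            continue  # keep only object-open audits
        otype = re.search(r"(?m)^Object Type:\s*(.+)$", chunk)
        # The name may wrap onto the next line in pasted text; \s* spans that break.
        oname = re.search(r"(?m)^Object Name:\s*(\S.*)$", chunk)
        acc = re.search(r"(?ms)^Accesses\s+(.*?)^\s*$", chunk)
        records.append({
            "type": otype.group(1).strip() if otype else "",
            "name": oname.group(1).strip() if oname else "",
            # The Accesses field is a multi-line list that ends at the first blank line.
            "accesses": [a.strip() for a in acc.group(1).splitlines() if a.strip()] if acc else [],
        })
    return records

def summarize(records):
    """Count records per (origin, object type); origin is decided by the name prefix only."""
    return Counter(
        ("base named object" if r["name"].startswith("\\BaseNamedObjects\\") else "other",
         r["type"]) for r in records)

if __name__ == "__main__":
    for key, n in summarize(parse_560(SAMPLE)).items():
        print(n, *key)
```
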


