wbe1981
I am having a problem with Failure Audits on W2k3 R2. I have recently
enabled failure auditing for object access. We want to monitor any
attempts by users to access files they shouldn't be accessing. To that
end, I enabled audit object access in Group Policy. It does indeed log
failure audits for objects that are trying to be accessed by otherwise
unauthorized individuals; however, it is also generating what seems to
be "false failures." It is generating Event ID 560 failure audit
entries for EVERYTHING. I tested it and accessed a file that I have
full control over. I checked the security log and it generated the
following failure audit entry:
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 11/15/2006
Time: 12:35:14 PM
User: DOMAIN\user
Computer: CRA002
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: D:\Home_Folders\userfolder\Time record.xls
Handle ID: -
Operation ID: {0,2144879367}
Process ID: 4
Image File Name:
Primary User Name: CRA002$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: wbevertsen
Client Domain: DOMAIN
Client Logon ID: (0x0,0x7FAEEE25)
Accesses: DELETE
READ_CONTROL
ACCESS_SYS_SEC
ReadData (or ListDirectory)
ReadEA
ReadAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x1030089
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Any ideas on how I can stop these "false failures" while retaining the
ability to view GENUINE failures? Thanks!
William E.
MCP
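
Added example, not part of the original post: Python that decodes the Access Mask of an Event ID 560 description and flags requests that include ACCESS_SYS_SEC (ACCESS_SYSTEM_SECURITY), a right gated by SeSecurityPrivilege rather than by the file's DACL. The function names, display names for bits the post does not show, and the flagging rule are assumptions of this example.

```python
import re

# File access-right bits as defined in winnt.h; names for bits not in the post are this example's.
FILE_RIGHTS = {
    0x00000001: "ReadData (or ListDirectory)",
    0x00000002: "WriteData (or AddFile)",
    0x00000004: "AppendData (or AddSubdirectory)",
    0x00000008: "ReadEA",
    0x00000010: "WriteEA",
    0x00000020: "Execute/Traverse",
    0x00000040: "DeleteChild",
    0x00000080: "ReadAttributes",
    0x00000100: "WriteAttributes",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYS_SEC",
}
SACL_ACCESS = 0x01000000  # ACCESS_SYSTEM_SECURITY: needs SeSecurityPrivilege, not a DACL grant

def decode_mask(mask):
    """Return the names of the rights set in a file access mask, lowest bit first."""
    names = [name for bit, name in sorted(FILE_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(FILE_RIGHTS)
    return names + (["unknown bits 0x%X" % unknown] if unknown else [])

def triage_560(text):
    """Extract the triage-relevant fields from one Event ID 560 description."""
    def field(label):
        m = re.search(r"^[ \t]*%s:[ \t]*(.*)$" % re.escape(label), text, re.M)
        return m.group(1).strip() if m else None
    mask = int(field("Access Mask"), 16)
    return {
        "object": field("Object Name"),
        "client": field("Client User Name"),
        "rights": decode_mask(mask),
        # Assumed triage rule: SACL access was requested and no privilege was used.
        "sacl_without_privilege": bool(mask & SACL_ACCESS) and field("Privileges") in (None, "", "-"),
    }

# Fields copied from the event quoted in the post above.
SAMPLE = r"""Object Name: D:\Home_Folders\userfolder\Time record.xls
Client User Name: wbevertsen
Privileges: -
Access Mask: 0x1030089"""

if __name__ == "__main__":
    print(triage_560(SAMPLE))
```

Failures flagged this way can be reviewed separately from denials of ordinary read, write or delete rights.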