Failure Audit - 560

Joan

I just installed Windows 2003 server with Windows Sharepoint Services. I am
getting a 560 event every few seconds. The Object Name is different and the
image file name changes as well. The events occurred after I installed the
following patch:

Security Update for Windows Server 2003 (KB824151)
A security issue has been identified that could allow an attacker to
cause a computer running Microsoft Internet Information Services to stop
responding. You can help protect your computer by installing this update
from Microsoft. After you install this item, you may have to restart your
computer.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Any suggestions?


Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/1/2005
Time: 2:39:42 PM
User: XXX\yyy
Computer: 195
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: \Device\FloppyPDO0
Handle ID: -
Operation ID: {0,336716}
Process ID: 324
Image File Name: C:\WINDOWS\system32\mmc.exe
Primary User Name: yyy
Primary Domain: XXXXX
Primary Logon ID: (0x0,0x45702)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: SYNCHRONIZE
ReadAttributes

Privileges: -
Restricted Sid Count: 0
Access Mask: 0x100080


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
Hi Joan,

Based on my research, Event ID 560 occurs because Audit object access is
enabled in win2k3 server. This security setting determines whether to audit
the event of a user accessing an object--for example, a file, folder,
registry key, printer, and so forth--that has its own system access control
list (SACL) specified.

If you define this policy setting, you can specify whether to audit
successes, audit failures, or not audit the event type at all. Success
audits generate an audit entry when a user successfully accesses an object
that has an appropriate SACL specified. Failure audits generate an audit
entry when a user unsuccessfully attempts to access an object that has a
SACL specified.

For example, suppose that Harold is working in Microsoft Excel and tries to
open payroll.xls. Excel asks Win2K3 for a handle to payroll.xls. Win2k3
compares the file's DACL with Harold's user account and with Excel's
request for read access; according to the DACL, Harold doesn't have
permission to read payroll.xls. (As Figure 2 shows, only the Administrators
and HR groups have access to payroll.xls, and Harold isn't a member of
either group.) Win2k3 determines that the system audit policy is enabled to
log failed object access, so the OS searches payroll.xls's SACL and
examines each ACE that audits failed access attempts. Win2k3 determines
which of these ACEs specify either Harold's user account or a group that
Harold belongs to. As Figure 3 shows, the object's SACL contains an ACE
that applies to failed read access and to the Everyone group, so Win2k3
logs the event ID 560. This is the reason Event 560 is always logged in the
win2k3 server.

The following article uses an example that is easy to understand:

Keeping Tabs on Object Access
http://www.windowsitpro.com/Article/ArticleID/20563/20563.html

The following article addresses the Audit object access mechanism; if you
switch off Audit object access, event 560 will not be logged
anymore:

Audit object access
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/50fdb7bc-7dae-4dcd-8591-382aeff2ea79.mspx

HTH!

Any update, let's get in touch!

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
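
As an added example (not part of either post above), this Python sketch parses the description text of event 560 in the layout shown in the question, decodes the Access Mask with the file access-right bits from winnt.h, and counts failure audits per image and requested rights so the noisiest sources stand out. The function names, the short right labels and the second sample event are constructed for illustration.

```python
import re
from collections import Counter

# File access-right bits from winnt.h, with short labels.
FILE_RIGHTS = {
    0x000001: "ReadData", 0x000002: "WriteData", 0x000004: "AppendData",
    0x000008: "ReadEA", 0x000010: "WriteEA", 0x000020: "Execute",
    0x000040: "DeleteChild", 0x000080: "ReadAttributes", 0x000100: "WriteAttributes",
    0x010000: "DELETE", 0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

# Fields copied from the event in the question.
POST_EVENT = r"""Object Type: File
Object Name: \Device\FloppyPDO0
Image File Name: C:\WINDOWS\system32\mmc.exe
Accesses: SYNCHRONIZE
ReadAttributes
Access Mask: 0x100080"""

# Constructed event for illustration (hypothetical process and file).
CONSTRUCTED_EVENT = r"""Object Type: File
Object Name: C:\Temp\example.txt
Image File Name: C:\Temp\example.exe
Access Mask: 0x120089"""

def parse_560(text):
    """Map the 'Name: value' lines of one event 560 description to a dict."""
    matches = (FIELD.match(line) for line in text.splitlines())
    return {m.group(1).strip(): m.group(2).strip() for m in matches if m}

def decode_mask(mask):
    """Name the rights set in a file access mask; leftover bits stay as hex."""
    names = [name for bit, name in sorted(FILE_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(FILE_RIGHTS)
    return names + ([hex(unknown)] if unknown else [])

def noisy_sources(events):
    """Count failure audits per (image, object type, rights), most frequent first."""
    counts = Counter()
    for f in map(parse_560, events):
        rights = "+".join(decode_mask(int(f["Access Mask"], 16)))
        counts[(f["Image File Name"].lower(), f["Object Type"], rights)] += 1
    return counts.most_common()

if __name__ == "__main__":
    for key, n in noisy_sources([POST_EVENT, POST_EVENT, CONSTRUCTED_EVENT]):
        print(n, *key)
```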