SBS2000 Health Monitor, Errors Access Permissions > 10

Hi all,

I started to get a Health Monitor Errors Access Permissions > 10 warning a few weeks back that coincided with some memory and page faults.  We have just upgraded the RAM from 1GB to 2GB, restarted and not a few minutes after the server came back up we got this warning again (the memory and page faults have gone).

The description says:
The number of times opens on behalf of clients have failed with STATUS_ACCESS_DENIED.  Can indicate whether somebody is randomly attempting to access files in hopes of getting at something that was not properly protected.

We are running daily updated virus software here, and all the latest SPs.
I've run AdAware with the latest def file, and Trojan Remover which both detected nothing.

What else can I check to get to the root of this warning?
Is there any way I can check where these permission errors are coming from? At the moment I can't tell on what files the errors are occurring.

I'm guessing that there is a computer on my network somewhere that's got a trojan of some kind running that's scanning the server?  Or someone from outside trying to access files on the server through the internet?

I've got no idea of where to start in hunting for this.  Any help is very appreciated.

ChrisB.
FalconUKAsked:

TJworldCommented:
First thing is to enable Auditing so you get reports in the event log.

HowTo example at http://tjworld.net/help/ee/Q_21217566a.avi

Then watch the security event log for failure reports.

If you don't see much, add auditing of failures to the permissions of your network shares (including the hidden administrative shares like C$).

0
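Once failure auditing is writing to the Security log, the records can be tallied to show which account and file are producing the denials, and how fast, for comparison with the rate at which the Health Monitor counter climbs. The following is an added example, not part of the original thread; it assumes the log has been exported to CSV with the columns Time, Type, User and Object (assumed names, adjust to your export), and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Security log export. The column names and every
# value below are assumptions made for this example, not data from the thread.
SAMPLE_EXPORT = r"""Time,Type,User,Object
2004-01-01 09:00:01,Failure Audit,EXAMPLE\jsmith,D:\Shares\Accounts\ledger.xls
2004-01-01 09:00:02,Failure Audit,EXAMPLE\jsmith,D:\Shares\Accounts\ledger.xls
2004-01-01 09:00:03,Success Audit,EXAMPLE\amy,D:\Shares\Public\readme.txt
2004-01-01 09:00:04,Failure Audit,EXAMPLE\jsmith,D:\Shares\Accounts\ledger.xls
2004-01-01 09:01:10,Failure Audit,EXAMPLE\backupsvc,D:\Shares\HR\payroll.mdb
2004-01-01 09:01:12,Failure Audit,EXAMPLE\jsmith,D:\Shares\Accounts\ledger.xls
"""


def failure_audits(export_text):
    """Yield only the rows whose Type is 'Failure Audit'."""
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Type"].strip().lower() == "failure audit":
            yield row


def top_sources(export_text, n=5):
    """Return the (user, object) pairs with the most failures, highest first."""
    counts = Counter((r["User"], r["Object"]) for r in failure_audits(export_text))
    return counts.most_common(n)


def failures_per_minute(export_text):
    """Count failures per minute, to compare with the Health Monitor rate."""
    # The first 16 characters of the Time field are 'YYYY-MM-DD HH:MM'.
    return dict(Counter(r["Time"][:16] for r in failure_audits(export_text)))


if __name__ == "__main__":
    for (user, obj), hits in top_sources(SAMPLE_EXPORT):
        print(f"{hits:4d}  {user}  {obj}")
    for minute, hits in sorted(failures_per_minute(SAMPLE_EXPORT).items()):
        print(f"{minute}  {hits} failures")
```

If the per-minute count stays far below the counter's rate, the denials are happening on objects that have no failure auditing entry yet.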
FalconUKAuthor Commented:
Both Success and Failure are set to audit in Local Security Setting, but the effective setting is set to No Auditing, so I checked the Group Policy for my domain.
Here they weren't set in Default Domain Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy, so I've Defined these policy settings to Success and Failure.
But in the Local Security snap in, it is still showing the effective setting as No Auditing.

Should this setting take hold immediately, or do I need to enable something else first?
0
TJworldCommented:
The policy is only for the Domain Controller itself, so you need to ensure that the group policy for Domain Controllers isn't taking precedence.

Here's another demo... this time it's on my streaming media server so it'll load faster!

http://live.tjworld.net/help/ee/Q_21217566b.wmv
0
FalconUKAuthor Commented:
:(

Can't seem to view that one, could you post the avi up?
0
TJworldCommented:
Similar URL, just doesn't hit the "live" streaming server.

http://tjworld.net/help/ee/Q_21217566b.wmv
0
FalconUKAuthor Commented:
Thanks TJWorld, local security settings effective setting for all of the audit policies are set to failure (not success as I was getting loads of success logons), so I'm thinking now that I should see lots of failures in the security event viewer, as I'm looking at the health monitor Errors Access Permission ticking higher and higher.  But I'm not.

Can you explain a bit more what you meant by adding auditing of failures to the permissions of my network shares, as I thought setting all the audit policies to log failures would show up the errors access permission in the security log?
0
TJworldCommented:
Okay, I feel another demo coming on :-)

(seriously, it's so much easier recording it as I do it rather than trying to type all the steps).

http://live.tjworld.net/help/ee/Q_21217566c.wmv (Streaming)

http://tjworld.net/help/ee/Q_21217566c.wmv (web download)

You can do this for any folders you want to monitor.
0

FalconUKAuthor Commented:
Your demos are excellent TJWorld.  Saving time your end and mine...I don't have to read anything!

Looking in my local shares folder I've got about 35 shares.  Could I not just implement the auditing at the root of the local drive, instead of doing this implicitly on all the shares?
0
FalconUKAuthor Commented:
I have made all the auditing changes and am getting some failures, but nowhere near the amount of Errors Access Permissions I'm seeing in health monitor.
I'm seeing about 1 a second in health monitor.

What else could I try?
0
TJworldCommented:
This is where we figuratively scratch our heads and go "hmmmm!"

Knowing Microsoft this is one of those situations where you can safely ignore the warnings!

However, as the error description 'suggests' this is related to attempts to open files (it could be something else despite the message), why don't you monitor file open attempts?

Go to www.sysinternals.com and download/install NT File Monitor. Play about with it for a bit to get the hang of it, especially the filtering, then set an allow filter for something like "*FAIL*"

I might have that wrong but basically you only want it to log file open attempts that return a fail status. You will have to watch the live monitoring until you see what the exact text is when it happens.

I know FILE_NOT_FOUND is one, but can't remember what Access Denied is precisely.
0
FalconUKAuthor Commented:
Sorry for not responding, unfortunately I am no longer working on this project.

Thanks TJworld for all your help, you deserve the points.
0