mpearson99
asked on
Security log on 2003 getting audit failure event ID: 560 every few minutes.
I have a member server in my domain that keeps getting the following errors:
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 6/9/2011
Time: 7:54:19 AM
User: NT AUTHORITY\SYSTEM
Computer: CHISRV3
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: D:\LemmondJ
Handle ID: -
Operation ID: {0,478648230}
Process ID: 1376
Image File Name: C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
Primary User Name: CHISRV3$
Primary Domain: CHI
Primary Logon ID: (0x0,0x3E7)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: SYNCHRONIZE
ReadAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x100080
--------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 6/8/2011
Time: 9:04:12 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: CHISRV3
Description:
Object Open:
Object Server: Security
Object Type: Key
Object Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
Handle ID: -
Operation ID: {0,474152740}
Process ID: 2036
Image File Name: C:\WINDOWS\SYSMSI\SSEE\MSSQL.2005\MSSQL\Binn\sqlservr.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E4)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
Query key value
Set key value
Create sub-key
Enumerate sub-keys
Notify about changes to keys
Create Link
Privileges: -
Restricted Sid Count: 0
Access Mask: 0xF003F
--------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 6/9/2011
Time: 5:06:06 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: CHISRV3
Description:
Object Open:
Object Server: Security
Object Type: Key
Object Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
Handle ID: -
Operation ID: {0,477791840}
Process ID: 2036
Image File Name: C:\WINDOWS\SYSMSI\SSEE\MSSQL.2005\MSSQL\Binn\sqlservr.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E4)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
Query key value
Set key value
Create sub-key
Enumerate sub-keys
Notify about changes to keys
Create Link
Privileges: -
Restricted Sid Count: 0
Access Mask: 0xF003F
--------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 6/9/2011
Time: 7:54:19 AM
User: NT AUTHORITY\SYSTEM
Computer: CHISRV3
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: D:\SchneiderC
Handle ID: -
Operation ID: {0,478648235}
Process ID: 1376
Image File Name: C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
Primary User Name: CHISRV3$
Primary Domain: CHI
Primary Logon ID: (0x0,0x3E7)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: SYNCHRONIZE
ReadAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x100080
My server has all patches installed and it seems to generate errors any time there is a system object access. I have Windows 2003 SP2 installed, which has the member role.
ASKER
If this is not causing an issue I would like to disable this. The point is that I did not have this problem before and my other servers do not have this issue.
Do you have a local Auditing policy enabled?
The link for the MS article covers what steps to take to disable the notification.
Double-check whether a GPO with auditing was pushed or local auditing was set up.
ASKER
Our OU policy for member servers has Audit Object Access set for Success, Failure. We cannot change this policy. It is government mandated.
Should the SQL be running as a local system/network service versus using a domain based sql service account? How is SQL configured on the other systems?
Check the permissions on D:\Sche and make sure system has rights.
ASKER
The SQL that is running is the Windows Internal Database used for the WSUS service. As far as the D:\Sche permissions, my Diskeeper software is scanning the drive and getting the error on all the directories that it scans. This software has run fine for years with having the 560 errors. Just to let you know, I had an issue accessing the D: drive yesterday, getting access denied when logged in as an administrator. After a few minutes everything worked OK.
Did you configure the WSUS instance to use encrypted communications? That could explain why it keeps checking the disallowed.
ASKER
Will reimage server. Cannot find a solution
What exactly are you looking for: an explanation or a way to disable these?
The events seem to be from local services that run as a local system account and periodically check a resource to which they have no access right.
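To triage events like the ones in this thread, the added example below (not part of the original posts, and not vendor code) parses exported event 560 text, decodes each Access Mask into named rights, and counts denied opens per process. The read-only/modify split and the `MODIFY` bit sets are assumptions made for this example; the sample input is constructed from two of the posted events.

```python
import ntpath
import re
from collections import Counter

# Constructed sample: two events from this thread, cut down to the fields used below.
SAMPLE = r"""
Event ID: 560
Object Type: File
Image File Name: C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
Access Mask: 0x100080
--------------------------
Event ID: 560
Object Type: Key
Image File Name: C:\WINDOWS\SYSMSI\SSEE\MSSQL.2005\MSSQL\Binn\sqlservr.exe
Access Mask: 0xF003F
"""

# Windows access-right bits: standard rights, then object-specific rights per type.
STANDARD = {0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
            0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
SPECIFIC = {"File": {0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA", 0x4: "FILE_APPEND_DATA",
                     0x8: "FILE_READ_EA", 0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE",
                     0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES", 0x100: "FILE_WRITE_ATTRIBUTES"},
            "Key": {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
                    0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK"}}
# Assumption for this example: bits that change the object or its security descriptor.
MODIFY = {"File": 0xD0000 | 0x156, "Key": 0xD0000 | 0x26}

def parse_events(text):
    """Split on dashed separator lines; return one field dict per event 560."""
    chunks = re.split(r"^-{5,}.*$", text, flags=re.M)
    events = [dict(re.findall(r"^([A-Za-z ]+?):[ \t]*(.*)$", c, flags=re.M)) for c in chunks]
    return [e for e in events if e.get("Event ID") == "560" and "Access Mask" in e]

def decode_mask(obj_type, mask):
    """Name every bit set in the mask; bits with no known name come back as hex."""
    table = {**STANDARD, **SPECIFIC.get(obj_type, {})}
    names = [name for bit, name in sorted(table.items()) if mask & bit]
    leftover = mask & ~sum(table)
    return names + ([hex(leftover)] if leftover else [])

def summarize(text):
    """Count denied opens per (process, object type, read-only or modify)."""
    counts = Counter()
    for ev in parse_events(text):
        kind, mask = ev["Object Type"], int(ev["Access Mask"], 16)
        level = "modify" if mask & MODIFY.get(kind, 0xD0000) else "read-only"
        counts[(ntpath.basename(ev["Image File Name"]), kind, level)] += 1
    return counts
```

On the posted events this separates the Diskeeper failures, which request only attribute reads on folders, from the sqlservr.exe failures, which request full control of the registry key.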