Guest Mark Z.
Posted August 4, 2008

I'm seeing these 2 events in my Security Event log on a member server (non-DC) several times each second:

===== 1 =====

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 8/4/2008
Time: 12:26:53 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVER01
Description:
Object Open:
Object Server: Security
Object Type: Key
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security\Security Account Manager
Handle ID: 492
Operation ID: {0,808503072}
Process ID: 1656
Image File Name: C:\Program Files\BMC Software\CONTROL-M Links\NTAgent\WinNTAgService.exe
Primary User Name: SERVER01$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
    READ_CONTROL
    WRITE_DAC
    WRITE_OWNER
    Query key value
    Set key value
    Create sub-key
    Enumerate sub-keys
    Notify about changes to keys
    Create Link

Privileges: -
Restricted Sid Count: 0
Access Mask: 0xF003F

===== 2 =====

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 562
Date: 8/4/2008
Time: 12:26:53 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVER01
Description:
Handle Closed:
Object Server: Security
Handle ID: 492
Process ID: 1656
Image File Name: C:\Program Files\BMC Software\CONTROL-M Links\NTAgent\WinNTAgService.exe

===============================

Here's what I've done:

1. Checked the local "Audit: Audit the access of global system objects" policy - it is confirmed as disabled. GPOs are not changing this auditing policy either.

2. There is no special auditing set on "C:\Program Files\BMC Software\CONTROL-M Links\NTAgent\WinNTAgService.exe" or any parent folders.

3. The only auditing set on "REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security\Security Account Manager" is Success/Failure on [set Value/Create Subkey/Delete/Write DAC/Write Owner] which appears to be a Server 2003 default and is not causing an issue on another server with a similar config.

The server is rebooted every morning on schedule - this issue has been ongoing for weeks.

Guest Mark Z.
Posted August 4, 2008

RE: Security Event Log exploding with 560/562 auditing entries

Figured it out, the agent was receiving a config from the server which was making it hit the Security log, therefore logging these events due to the "audit privilege use" policy being enabled for our domain.

"Mark Z." wrote:

> I'm seeing these 2 events in my Security Event log on a member server
> (non-DC) several times each second:
>
> ===== 1 =====
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 560
> Date: 8/4/2008
> Time: 12:26:53 PM
> User: NT AUTHORITY\SYSTEM
> Computer: SERVER01
> Description:
> Object Open:
> Object Server: Security
> Object Type: Key
> Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security\Security Account Manager
> Handle ID: 492
> Operation ID: {0,808503072}
> Process ID: 1656
> Image File Name: C:\Program Files\BMC Software\CONTROL-M Links\NTAgent\WinNTAgService.exe
> Primary User Name: SERVER01$
> Primary Domain: DOMAIN
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: -
> Client Domain: -
> Client Logon ID: -
> Accesses: DELETE
>     READ_CONTROL
>     WRITE_DAC
>     WRITE_OWNER
>     Query key value
>     Set key value
>     Create sub-key
>     Enumerate sub-keys
>     Notify about changes to keys
>     Create Link
>
> Privileges: -
> Restricted Sid Count: 0
> Access Mask: 0xF003F
>
> ===== 2 =====
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 562
> Date: 8/4/2008
> Time: 12:26:53 PM
> User: NT AUTHORITY\SYSTEM
> Computer: SERVER01
> Description:
> Handle Closed:
> Object Server: Security
> Handle ID: 492
> Process ID: 1656
> Image File Name: C:\Program Files\BMC Software\CONTROL-M Links\NTAgent\WinNTAgService.exe
>
> ===============================
>
> Here's what I've done:
>
> 1. Checked the local "Audit: Audit the access of global system objects"
> policy - it is confirmed as disabled. GPOs are not changing this auditing
> policy either.
>
> 2. There is no special auditing set on "C:\Program Files\BMC
> Software\CONTROL-M Links\NTAgent\WinNTAgService.exe" or any parent folders.
>
> 3. The only auditing set on
> "REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security\Security
> Account Manager" is Success/Failure on [set Value/Create Subkey/Delete/Write
> DAC/Write Owner] which appears to be a Server 2003 default and is not causing
> an issue on another server with a similar config.
>
> The server is rebooted every morning on schedule - this issue has been
> ongoing for weeks.
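
Added example (not part of the original posts): a Python triage helper that reads exported 560/562 event descriptions, counts key opens per process and object, and decodes which of the rights the post lists as audited on the key are present in the logged Access Mask. The bit values are the standard winnt.h registry rights; the function names and the sample events (built from the fields quoted in the thread) are constructed for illustration.

```python
import re
from collections import Counter

# Registry key access-right bits (winnt.h), named as event 560 prints them.
KEY_RIGHTS = {
    0x00001: "Query key value", 0x00002: "Set key value",
    0x00004: "Create sub-key", 0x00008: "Enumerate sub-keys",
    0x00010: "Notify about changes to keys", 0x00020: "Create Link",
    0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}
# Rights the post lists as audited on the key: Set Value, Create Subkey,
# Delete, Write DAC, Write Owner.
AUDITED = 0x00002 | 0x00004 | 0x10000 | 0x40000 | 0x80000

def decode_mask(mask):
    """Return the names of the rights set in an access mask."""
    return [name for bit, name in sorted(KEY_RIGHTS.items()) if mask & bit]

def field(text, name):
    """Pull one 'Name: value' field out of an event description."""
    m = re.search(rf"^\s*{re.escape(name)}:[ \t]*(.*)$", text, re.M)
    return m.group(1).strip() if m else None

def triage(events):
    """Summarise event 560 opens per (image, object) with audited rights hit."""
    counts, audited = Counter(), {}
    for ev in events:
        if field(ev, "Event ID") != "560":
            continue  # 562 only records the handle close
        key = (field(ev, "Image File Name"), field(ev, "Object Name"))
        counts[key] += 1
        mask = int(field(ev, "Access Mask"), 16)
        audited[key] = decode_mask(mask & AUDITED)
    return [(img, obj, n, audited[(img, obj)]) for (img, obj), n in counts.most_common()]

# Constructed sample: the two events from the post, trimmed to the fields used.
SAMPLE = [
    "Event ID: 560\n"
    "Object Name: \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\Eventlog\\Security\\Security Account Manager\n"
    "Image File Name: C:\\Program Files\\BMC Software\\CONTROL-M Links\\NTAgent\\WinNTAgService.exe\n"
    "Access Mask: 0xF003F",
    "Event ID: 562\n"
    "Image File Name: C:\\Program Files\\BMC Software\\CONTROL-M Links\\NTAgent\\WinNTAgService.exe",
]

if __name__ == "__main__":
    for img, obj, n, rights in triage(SAMPLE):
        print(f"{n} open(s) by {img}\n  on {obj}\n  audited rights requested: {rights}")
```

Run over a full export of the Security log, the per-process counts show which image is generating the 560/562 pairs and on which object.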