Guest awrightus@gmail.com Posted May 23, 2008

Running a Windows 2003 server in a workgroup only. In the name of "security", I have "audit object access" set to "failure" in my local security policy. I'm also auditing hklm\software and hklm\system for "failure" on all events. Lastly, I'm auditing all of my hard disk partitions for "failure" on all events, from the root directory on down. Yeah, I know this is a lot, but it's not my doing... Just trying to deal with all of the event log chatter that results.

All of my applications are working fine, but I get almost constant "failure audit" "object access" 560 errors in my security event log. These failure audits are both on file system and registry objects. It fills up an 80 meg event log in about 10 days. By far the most frequent error seems to be generated by Symantec Endpoint Protection, trying to access some joystick registry key, with several events generated every minute. There's a handful of others as well, pasted below.

Any tips on approaches for ways to be able to audit as I've described above, yet not get this constant chatter? Thanks.
Object Open:
 Object Server: Security
 Object Type: Key
 Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\MediaProperties\PrivateProperties\Joystick\Winmm
 Handle ID: -
 Operation ID: {0,232437010}
 Process ID: 804
 Image File Name: D:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
 Primary User Name: TESTBOX01$
 Primary Domain: STAND-ALONE
 Primary Logon ID: (0x0,0x3E7)
 Client User Name: Testuser01
 Client Domain: SAPLAB01
 Client Logon ID: (0x0,0x2D1D960)
 Accesses: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER Query key value Set key value Create sub-key Enumerate sub-keys Notify about changes to keys Create Link
 Privileges: -
 Restricted Sid Count: 0
 Access Mask: 0xF003F

Object Open:
 Object Server: Security
 Object Type: File
 Object Name: C:\WINDOWS\system32\mmc.exe
 Handle ID: -
 Operation ID: {0,233996859}
 Process ID: 1580
 Image File Name: C:\WINDOWS\explorer.exe
 Primary User Name: Testuser01
 Primary Domain: TESTBOX01
 Primary Logon ID: (0x0,0x2D1D960)
 Client User Name: -
 Client Domain: -
 Client Logon ID: -
 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes WriteAttributes
 Privileges: -
 Restricted Sid Count: 0
 Access Mask: 0x120189

Object Open:
 Object Server: Security
 Object Type: File
 Object Name: C:\WINDOWS\system32\mydocs.dll
 Handle ID: -
 Operation ID: {0,233545483}
 Process ID: 1672
 Image File Name: C:\WINDOWS\system32\notepad.exe
 Primary User Name: Testuser01
 Primary Domain: TESTBOX01
 Primary Logon ID: (0x0,0x2D1D960)
 Client User Name: -
 Client Domain: -
 Client Logon ID: -
 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes WriteAttributes
 Privileges: -
 Restricted Sid Count: 0
 Access Mask: 0x120189
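An added example, not part of the original post: before deciding which SACL entries to drop, it helps to see which process/object pairs generate the failures and which access rights were actually requested. The script below (Python is used here so it can be run anywhere the exported log text is available; the same logic could be done in PowerShell) parses event 560 records in the one-line form pasted above, decodes the hexadecimal Access Mask into named rights for Key and File objects, and reports, per (image, object) pair, the count and which of the requested rights are write rights. A failure audit where a process asked for KEY_ALL_ACCESS (0xF003F) or for WriteAttributes on a file, while running as a user who only has read access, is a program opening with more rights than it uses, not a blocked read. The sample records are copied from the post (whitespace collapsed); the field names and bit values are the standard Windows ones.

```python
import re
from collections import Counter

# Sample records copied from the post above (constructed one-line form, whitespace collapsed).
SAMPLE_560 = r"""
Object Open: Object Server: Security Object Type: Key Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\MediaProperties\PrivateProperties\Joystick\Winmm Handle ID: - Operation ID: {0,232437010} Process ID: 804 Image File Name: D:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe Primary User Name: TESTBOX01$ Primary Domain: STAND-ALONE Primary Logon ID: (0x0,0x3E7) Client User Name: Testuser01 Client Domain: SAPLAB01 Client Logon ID: (0x0,0x2D1D960) Accesses: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER Query key value Set key value Create sub-key Enumerate sub-keys Notify about changes to keys Create Link Privileges: - Restricted Sid Count: 0 Access Mask: 0xF003F
Object Open: Object Server: Security Object Type: File Object Name: C:\WINDOWS\system32\mmc.exe Handle ID: - Operation ID: {0,233996859} Process ID: 1580 Image File Name: C:\WINDOWS\explorer.exe Primary User Name: Testuser01 Primary Domain: TESTBOX01 Primary Logon ID: (0x0,0x2D1D960) Client User Name: - Client Domain: - Client Logon ID: - Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes WriteAttributes Privileges: - Restricted Sid Count: 0 Access Mask: 0x120189
Object Open: Object Server: Security Object Type: File Object Name: C:\WINDOWS\system32\mydocs.dll Handle ID: - Operation ID: {0,233545483} Process ID: 1672 Image File Name: C:\WINDOWS\system32\notepad.exe Primary User Name: Testuser01 Primary Domain: TESTBOX01 Primary Logon ID: (0x0,0x2D1D960) Client User Name: - Client Domain: - Client Logon ID: - Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes WriteAttributes Privileges: - Restricted Sid Count: 0 Access Mask: 0x120189
"""

# Field labels of a Windows 2003 event 560 (Object Open) record, in the order they appear.
FIELDS = [
    "Object Server", "Object Type", "Object Name", "Handle ID", "Operation ID",
    "Process ID", "Image File Name", "Primary User Name", "Primary Domain",
    "Primary Logon ID", "Client User Name", "Client Domain", "Client Logon ID",
    "Accesses", "Privileges", "Restricted Sid Count", "Access Mask",
]
_FIELD_RE = re.compile(r"(" + "|".join(re.escape(f) for f in FIELDS) + r"):\s*")

# Standard rights (upper 16 bits) and the object-specific low bits for registry keys and files.
STANDARD_RIGHTS = {0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
                   0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
KEY_RIGHTS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
              0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK"}
FILE_RIGHTS = {0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA", 0x4: "FILE_APPEND_DATA",
               0x8: "FILE_READ_EA", 0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE",
               0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES", 0x100: "FILE_WRITE_ATTRIBUTES"}
WRITE_RIGHTS = {"DELETE", "WRITE_DAC", "WRITE_OWNER", "KEY_SET_VALUE", "KEY_CREATE_SUB_KEY",
                "KEY_CREATE_LINK", "FILE_WRITE_DATA", "FILE_APPEND_DATA", "FILE_WRITE_EA",
                "FILE_DELETE_CHILD", "FILE_WRITE_ATTRIBUTES"}


def parse_560(text):
    """Split one-line 560 records on 'Object Open:' and return a list of field dicts."""
    records = []
    for chunk in re.split(r"Object Open:\s*", text):
        chunk = " ".join(chunk.split())      # collapse whitespace / line breaks
        if not chunk:
            continue
        parts = _FIELD_RE.split(chunk)       # ['', 'Object Server', 'Security', 'Object Type', ...]
        rec = {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}
        records.append(rec)
    return records


def decode_mask(mask, object_type):
    """Return the right names set in an access mask, lowest bit first."""
    specific = KEY_RIGHTS if object_type == "Key" else FILE_RIGHTS
    table = {**specific, **STANDARD_RIGHTS}
    return [name for bit, name in sorted(table.items()) if mask & bit]


def summarize(records):
    """Count failures per (image, object) and flag requested write rights."""
    counts, detail = Counter(), {}
    for r in records:
        key = (r["Image File Name"], r["Object Name"])
        counts[key] += 1
        rights = decode_mask(int(r["Access Mask"], 16), r["Object Type"])
        # For impersonating services the client user is the one whose token was checked.
        user = r["Client User Name"] if r["Client User Name"] != "-" else r["Primary User Name"]
        detail[key] = {"user": user, "rights": rights,
                       "write_rights": sorted(n for n in rights if n in WRITE_RIGHTS)}
    return counts, detail


def report(text):
    """Return report lines, most frequent (image, object) pair first."""
    counts, detail = summarize(parse_560(text))
    lines = []
    for (image, obj), n in counts.most_common():
        d = detail[(image, obj)]
        verdict = "write rights requested" if d["write_rights"] else "read blocked"
        lines.append(f"{n:4d}  {image} -> {obj}  as {d['user']}  [{verdict}: "
                     f"{', '.join(d['write_rights']) or 'none'}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_560)))
```

To use it on a real log, export the Security log to text (Event Viewer, Save As, or dumpel/eventquery) and pass the 560 entries in; the pairs that top the list with "write rights requested" from a non-administrative user are the candidates for a narrower SACL entry on that specific key or folder, which keeps failure auditing on everything else intact.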