awrightus@gmail.com
Guest
Running a Windows 2003 server in a workgroup only. In the name of
"security", I have "audit object access" set to "failure" in my local
security policy. I'm also auditing hklm\software and hklm\system for
"failure" on all events. Lastly, I'm auditing all of my hard disk
partitions for "failure" on all events, from the root directory on
down. Yeah, I know this is a lot, but it's not my doing... Just
trying to deal with all of the event log chatter that results. All of
my applications are working fine, but I get almost constant "failure
audit" "object access" 560 errors in my security event log. These
failure audits are both on file system and registry objects. It fills
up an 80 meg event log in about 10 days. By far the most frequent
error seems to be generated by Symantec Endpoint Protection, trying to
access some joystick registry key with several events generated every
minute. There's a handful of others as well, pasted below. Any tips
on approaches for ways to be able to audit as I've described above,
yet not get this constant chatter? Thanks.
Object Open:
Object Server: Security
Object Type: Key
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control
\MediaProperties\PrivateProperties\Joystick\Winmm
Handle ID: -
Operation ID: {0,232437010}
Process ID: 804
Image File Name: D:\Program Files\Symantec\Symantec Endpoint
Protection\Smc.exe
Primary User Name: TESTBOX01$
Primary Domain: STAND-ALONE
Primary Logon ID: (0x0,0x3E7)
Client User Name: Testuser01
Client Domain: SAPLAB01
Client Logon ID: (0x0,0x2D1D960)
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
Query key value
Set key value
Create sub-key
Enumerate sub-keys
Notify about changes to keys
Create Link
Privileges: -
Restricted Sid Count: 0
Access Mask: 0xF003F
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\system32\mmc.exe
Handle ID: -
Operation ID: {0,233996859}
Process ID: 1580
Image File Name: C:\WINDOWS\explorer.exe
Primary User Name: Testuser01
Primary Domain: TESTBOX01
Primary Logon ID: (0x0,0x2D1D960)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x120189
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\system32\mydocs.dll
Handle ID: -
Operation ID: {0,233545483}
Process ID: 1672
Image File Name: C:\WINDOWS\system32\notepad.exe
Primary User Name: Testuser01
Primary Domain: TESTBOX01
Primary Logon ID: (0x0,0x2D1D960)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x120189
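A triage script for the pasted events, added here as an example and not part of the original post: it parses 560 event bodies exactly as they appear above (including the paths wrapped across lines), decodes each Access Mask into the named rights from winnt.h, and groups the failures by image and object with a flag for any right that could modify the object. SAMPLE_EVENTS is constructed from two of the post's own events; the "write-class" grouping, the line-join heuristic and the field names handled are this example's own choices.

```python
import re
from collections import Counter

# Constructed sample: two of the event 560 bodies from the post above, trimmed to
# the fields used here; the wrapped path lines are kept as they appear in the post.
SAMPLE_EVENTS = r"""Object Open:
Object Type: Key
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control
\MediaProperties\PrivateProperties\Joystick\Winmm
Image File Name: D:\Program Files\Symantec\Symantec Endpoint
Protection\Smc.exe
Accesses: DELETE
READ_CONTROL
Access Mask: 0xF003F
Object Open:
Object Type: File
Object Name: C:\WINDOWS\system32\mmc.exe
Image File Name: C:\WINDOWS\explorer.exe
Accesses: READ_CONTROL
Access Mask: 0x120189
"""

# Standard rights sit in the high word of every access mask (winnt.h values);
# object-specific rights sit in the low word and depend on the Object Type.
STANDARD = {0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
            0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
SPECIFIC = {
    "Key": {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
            0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK"},
    "File": {0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA", 0x4: "FILE_APPEND_DATA",
             0x8: "FILE_READ_EA", 0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE",
             0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES",
             0x100: "FILE_WRITE_ATTRIBUTES"}}
# Rights that would let the caller change the object or its security descriptor
# (this grouping is the example's own choice, not a Windows definition).
WRITE_CLASS = {"DELETE", "WRITE_DAC", "WRITE_OWNER", "KEY_SET_VALUE", "KEY_CREATE_SUB_KEY",
               "KEY_CREATE_LINK", "FILE_WRITE_DATA", "FILE_APPEND_DATA", "FILE_WRITE_EA",
               "FILE_DELETE_CHILD", "FILE_WRITE_ATTRIBUTES"}
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s?(.*)$")
PATH_FIELDS = ("Object Name", "Image File Name")

def join_wrapped(parts):
    """Re-join a path the post wrapped across lines: a break at a backslash needs
    no separator, a break inside a name was at a space (heuristic for pasted text)."""
    out = parts[0]
    for p in parts[1:]:
        out += p if (out.endswith("\\") or p.startswith("\\")) else " " + p
    return out

def parse_events(text):
    """Split pasted 560 bodies into dicts. A line without a 'Field:' prefix is a
    continuation of the previous field (a wrapped path or the next list entry)."""
    events, current, last = [], None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = FIELD_RE.match(line)
        if line == "Object Open:":
            current, last = {}, None
            events.append(current)
        elif m and current is not None:
            last = m.group(1)
            current[last] = [m.group(2)]
        elif last is not None:
            current[last].append(line)
    for ev in events:
        for f, parts in ev.items():
            ev[f] = join_wrapped(parts) if f in PATH_FIELDS else (
                parts if f == "Accesses" else parts[0])
    return events

def decode_mask(mask, object_type):
    """Expand an 'Access Mask' value into the named rights it requests; any bit
    not in the tables is reported as UNKNOWN rather than silently dropped."""
    table = {**STANDARD, **SPECIFIC.get(object_type, {})}
    names = [name for bit, name in sorted(table.items()) if mask & bit]
    leftover = mask & ~sum(bit for bit in table if mask & bit)
    return names + (["UNKNOWN_0x%X" % leftover] if leftover else [])

def requests_write(mask, object_type):
    """True if the request included any right that could modify the object."""
    return any(n in WRITE_CLASS for n in decode_mask(mask, object_type))

def summarize(events):
    """Group failures by (image, object) so the noisiest source stands out, with
    the rights it asked for and whether any of them could modify the object."""
    counts = Counter((ev["Image File Name"], ev["Object Type"], ev["Object Name"])
                     for ev in events)
    rows = []
    for (image, otype, oname), n in counts.most_common():
        mask = next(int(ev["Access Mask"], 16) for ev in events
                    if (ev["Image File Name"], ev["Object Name"]) == (image, oname))
        rows.append({"image": image, "type": otype, "object": oname, "count": n,
                     "rights": decode_mask(mask, otype),
                     "write_class": requests_write(mask, otype)})
    return rows

if __name__ == "__main__":
    for r in summarize(parse_events(SAMPLE_EVENTS)):
        print("%4d  %s -> %s %s%s" % (r["count"], r["image"], r["type"], r["object"],
                                      "  [write-class]" if r["write_class"] else ""))
        print("      requested: " + ", ".join(r["rights"]))
```

Run over the post's own events, the decoder shows what the raw masks mean: 0xF003F on the Joystick key is KEY_ALL_ACCESS (every key right plus DELETE, READ_CONTROL, WRITE_DAC and WRITE_OWNER), and 0x120189 on mmc.exe is a read of data, EAs and attributes plus WriteAttributes, READ_CONTROL and SYNCHRONIZE. A failure audit records the access a caller asked for, not what it would have used, so a process that keeps requesting full control and keeps being refused re-emits the same event on every attempt while the application itself works normally; that is the signature of noise to trim at the SACL on that object (auditing only the rights or principals that matter there) or to drop at collection, whereas a refused write-class request from an unexpected image against a sensitive object is the event worth keeping.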