
No logging enabled - but events in security log 1

Status
Not open for further replies.

gmail2

Programmer
Jun 15, 2005
987
IE
I've gone through our group policies, and from what I can see the only thing enabled is Object Access (success and failure); however, we haven't specified any objects to audit. But still there are logs in our security log - why ???!!! Below is an example of one:
Code:
Event Type:	Success Audit
Event Source:	Security
Event Category:	Object Access 
Event ID:	560
Date:		04/10/2006
Time:		10:22:43
User:		NT AUTHORITY\SYSTEM
Computer:	SERVER
Description:
Object Open:
 	Object Server:	Security
 	Object Type:	WindowStation
 	Object Name:	\Windows\WindowStations\WinSta0
 	Handle ID:	40
 	Operation ID:	{1,1596356799}
 	Process ID:	9392
 	Image File Name:	C:\Program Files\Trend Micro\OfficeScan Client\TSC.EXE
 	Primary User Name:	SERVER$
 	Primary Domain:	DOMAIN.LOCAL
 	Primary Logon ID:	(0x0,0x3E7)
 	Client User Name:	-
 	Client Domain:	-
 	Client Logon ID:	-
 	Accesses:	DELETE 
			READ_CONTROL 
			WRITE_DAC 
			WRITE_OWNER 
			Enumerate desktops 
			Read attributes 
			Access Clipboard 
			Create desktop 
			Write attributes 
			Access global atoms 
			Exit windows 
			Include this windowstation in enumerations 
			Read screen 
			
 	Privileges:	-
 	Restricted Sid Count:	0
 	Access Mask:	0xF037F

I've gone to C:\program files\trend micro\officescan client and there's nothing under Auditing on the security tab - so where is this coming from? Any help would be greatly appreciated.

Irish Poetry - Karen O'Connor
Get your Irish Poetry Published
Garten und Landschaftsbau
 
Other than group policy, auditing can be set up in a computer's local security policy. Have you checked there?
 
Which security log are you viewing?
If it is the security log on your domain controller, then probably your default domain GPO has been modified, or there is a GPO at a lower level.

Run Gpresult.exe from a command prompt. This will tell you all of the GPOs that are affecting the computer.

Here you should be able to find which GPO is applying the unwanted setting.

However, object access auditing is a two-stage thing.
You would also have to turn on auditing at the folder that is being audited.

Have you checked whether auditing is on for the Windowstation folder?
 
Sorry for the late reply. As it turns out Audit object access was enabled on the local policy for Success and Failure. However, like basst pointed out, the objects still need to have SACLs created for them. One of the logs I saw this morning was Handle Closed - the file was mmc.exe. However, when I go to security on mmc, there's no auditing enabled, so why is this being logged?

It's not so much that these logs are unwanted; it's mainly because we want to implement a proper auditing policy now, but in order to do that I want to understand where the current ones are coming from first. Also, in the local policy, I can't disable Object Access auditing for success or failure - the check boxes are "greyed out". Why is this? I presume that they were enabled by default when Windows or AD was installed?

thanks in advance for all your help

 
It would appear that auditing is enabled at the domain level. This is why the settings are greyed out on the client.

The auditing is most likely enabled on a folder.
The logs probably show that mmc.exe accessed an object in the audited folder, not that mmc.exe is being audited.

Run RSoP on the client in logging mode. This should show you which policy has turned on Auditing.
 
Hi All,

Sorry, I never did get this problem solved, and it's becoming more of an issue now. All of our logs are filling up with event IDs 560, 562, 566 & 567 and my log files are huge. As I said before, Auditing is enabled at the domain level, but there are no SACLs defined. Even if the SACL was defined at the folder level and was inherited by the file, it should still show up on the SACL of the file, the same as with file and folder permissions. So can somebody explain to me what is going on here? I'd really appreciate some assistance on this.

Thanks again

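The two things gmail2 is stuck on in the first post and in the post above are (a) what the Accesses list and the Access Mask of the quoted event 560 actually mean, and (b) which process and object type are producing the flood of 560/562 events. The script below is an added example, not code from Tek-Tips or from any poster. It parses the "Key: Value" text of the event exactly as quoted in the thread (tabs replaced by spaces), decodes the Access Mask using the standard rights from winnt.h and the WINSTA_* object-specific rights from winuser.h, and tallies a small log extract by event ID, object type and image file name. The mmc.exe Handle Closed event and the three-event SAMPLE_LOG are constructed for the example.

```python
"""Triage of noisy Windows Security 'Object Access' events (IDs 560/562).
Added example for this thread, not Tek-Tips or poster code. The WinSta0
event is the one quoted in the thread (tabs replaced by spaces); the
mmc.exe event is constructed. Right values are from winnt.h / winuser.h."""
import re
from collections import Counter

# Standard rights live in the upper 16 bits of an ACCESS_MASK (winnt.h).
STANDARD_RIGHTS = {0x10000: "DELETE", 0x20000: "READ_CONTROL",
                   0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
                   0x100000: "SYNCHRONIZE"}
# Object-specific rights (low 16 bits), named as event 560 prints them;
# the WindowStation values are the WINSTA_* constants from winuser.h.
SPECIFIC_RIGHTS = {"WindowStation": {
    0x0001: "Enumerate desktops", 0x0002: "Read attributes",
    0x0004: "Access Clipboard", 0x0008: "Create desktop",
    0x0010: "Write attributes", 0x0020: "Access global atoms",
    0x0040: "Exit windows", 0x0100: "Include this windowstation in enumerations",
    0x0200: "Read screen"}}
FIELD_RE = re.compile(r"^([^:]+?):\s*(.*)$")


def parse_event(text):
    """'Key: Value' lines to a dict; colon-less continuation lines (the
    Accesses list) are appended to the previous key, one per line."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m:
            last = m.group(1).strip()
            fields[last] = m.group(2).strip()
        elif last is not None:
            fields[last] = (fields[last] + "\n" + line).strip()
    return fields


def decode_access_mask(mask, object_type):
    """Names of the rights set in mask, lowest bit first; bits without a
    known name are reported in hex so nothing is silently dropped."""
    table = dict(SPECIFIC_RIGHTS.get(object_type, {}))
    table.update(STANDARD_RIGHTS)
    return [table.get(1 << b, "0x%X (unknown)" % (1 << b))
            for b in range(32) if mask & (1 << b)]


def mask_matches_listed(event):
    """True when 'Access Mask' decodes to exactly the 'Accesses' lines."""
    decoded = decode_access_mask(int(event["Access Mask"], 16),
                                 event.get("Object Type", ""))
    return set(decoded) == set(event["Accesses"].splitlines())


def summarize(event_texts):
    """Count events per (ID, object type, image) to see what makes the noise."""
    counts = Counter()
    for text in event_texts:
        ev = parse_event(text)
        counts[(ev.get("Event ID"), ev.get("Object Type", "-"),
                ev.get("Image File Name", "-"))] += 1
    return counts


# Event 560 as quoted in the thread, trimmed to the fields used here.
EVENT_WINSTA = r"""Event ID: 560
Description:
Object Open:
  Object Server: Security
  Object Type: WindowStation
  Object Name: \Windows\WindowStations\WinSta0
  Image File Name: C:\Program Files\Trend Micro\OfficeScan Client\TSC.EXE
  Accesses: DELETE
    READ_CONTROL
    WRITE_DAC
    WRITE_OWNER
    Enumerate desktops
    Read attributes
    Access Clipboard
    Create desktop
    Write attributes
    Access global atoms
    Exit windows
    Include this windowstation in enumerations
    Read screen
  Access Mask: 0xF037F"""
# Constructed 562 (Handle Closed) sample, the kind gmail2 saw for mmc.exe.
EVENT_MMC = r"""Event ID: 562
Handle Closed:
  Object Server: Security
  Image File Name: C:\WINDOWS\system32\mmc.exe"""
# Constructed log extract: the WinSta0 event repeating plus one 562.
SAMPLE_LOG = [EVENT_WINSTA, EVENT_WINSTA, EVENT_MMC]

if __name__ == "__main__":
    ev = parse_event(EVENT_WINSTA)
    print(decode_access_mask(int(ev["Access Mask"], 16), ev["Object Type"]))
    print(mask_matches_listed(ev), summarize(SAMPLE_LOG).most_common(1))
```

Decoding 0xF037F gives the four standard rights (0xF0000) plus all nine WINSTA_* rights (0x37F), which is exactly the thirteen names the event lists: the OfficeScan scanner opened the interactive window station with full access. A window station is a securable kernel object with its own security descriptor, so the Security tab of the program's folder in Explorer says nothing about whether that object is audited. Running summarize over a real log export (one event text per entry) shows which image and object type dominate, which is the information needed before deciding what the audit policy should actually cover.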
 
gmail2,

I'm a newbie still studying for my MCSA, but as I understand it, you don't have to have explicit ACEs. There are a host of special groups (Authenticated Users, Batch, Creator Group, etc.) that "are designed to provide access to resources without administrative or user interaction." If auditing is enabled, perhaps these special groups' accesses are what are showing up in the log.

Thanks, Kirk
 
Thanks for the reply, but unfortunately it's nothing to do with any special groups; this is happening on users' PCs now also (our audit policy is defined at the domain level). This really is doing my head in. I can't understand what's going on here, but it's becoming more and more of a problem as users cannot log onto their PCs if the security log is full.

 