Root cause of 560 failed object access...
Posted 8/26/2010 11:02:52 AM
Forum Newbie

Group: Forum Members
Last Login: 9/14/2010 11:01:27 AM
Posts: 5, Visits: 9

I have a question in regard to auditing on XP workstations. We have object auditing enabled and get lots of 560 events for users accessing services.exe through the SC_Manager. The problem is users don't know what they are doing to generate these events; many happen just logging on. The information in the actual 560 event is somewhat useless. How can you tell what program or service is calling SC_Manager to generate the event? I have been trying off and on for several months and have no clue where to look or how to find out.

From the event I know:

Object Server: SC Manager

Object Type:   SC_MANAGER OBJECT

Object Name:   ServicesActive

Operation ID, Process ID xxx

Image File name: path to services.exe

login ID, Domain name, User client name etc...what properties are accessed (attempted fail, only monitoring failed access)

What I don't know is what program or process is calling services.exe to cause these events.  How can I investigate this to pinpoint the cause? Any help would be GREATLY appreciated...

Thanks,

Post #431
Posted 8/28/2010 4:47:53 PM
Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
These are most likely just naturally occurring noise events.  To provide more help I really need to see actual events.
Post #439
Posted 8/30/2010 11:42:00 AM
Forum Newbie

Group: Forum Members
Last Login: 9/14/2010 11:01:27 AM
Posts: 5, Visits: 9
These events have been flagged by Information Systems Security Officers as potential violations to be reported to DSS.  I know they are most likely noise generated by Windows XP; however, ISSOs and DSS reps don't like to hear generic "noise" as a response to an investigation. I am trying to find a more definitive explanation as to what these events are and what causes them to occur.  Here are some events with username/machinename/domainname changed to "protect the innocent".

Any information to assist in determining the root cause of these events would be GREATLY appreciated.

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date:  8/20/2010
Time:  12:42:07 PM
User:  domainname\username
Computer: computername
Description:
Object Open:
  Object Server: SC Manager
  Object Type: SC_MANAGER OBJECT
  Object Name: ServicesActive
  Handle ID: -
  Operation ID: {0,450777109}
  Process ID: 736
  Image File Name: C:\WINDOWS\system32\services.exe
  Primary User Name: computername$
  Primary Domain: domainname
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: username
  Client Domain: domainname
  Client Logon ID: (0x0,0x1914A2AD)
  Accesses:  Connect to service controller
   Create a new service
   
  Privileges:  -
  Restricted Sid Count: 0

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date:  8/20/2010
Time:  12:42:07 PM
User:  domainname\username
Computer: computername
Description:
Object Open:
  Object Server: SC Manager
  Object Type: SC_MANAGER OBJECT
  Object Name: ServicesActive
  Handle ID: -
  Operation ID: {0,450776966}
  Process ID: 736
  Image File Name: C:\WINDOWS\system32\services.exe
  Primary User Name: computername$
  Primary Domain: DD-X
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: username
  Client Domain: DD-X
  Client Logon ID: (0x0,0x1914A2AD)
  Accesses:  DELETE
   READ_CONTROL
   WRITE_DAC
   WRITE_OWNER
   Connect to service controller
   Create a new service
   Enumerate services
   Lock service database for exclusive access
   Query service database lock state
   Set last-known-good state of service database
   
  Privileges:  -
  Restricted Sid Count: 0

Post #451
Posted 9/3/2010 11:16:41 AM
Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
OK, next step is to look at the Client User Name.  Is it a human account or a user account created for some application?  Is it a domain account or a local account; you can figure that out by looking at the Client Domain which will either be the computer's name or a domain name.

Also look at the Client Logon ID and find the logon event 528 or 540 that precedes this event and bears the same Logon ID.  What is the Logon Type in that 528/540?

Post #455
Posted 9/3/2010 3:06:55 PM
Forum Newbie

Group: Forum Members
Last Login: 9/14/2010 11:01:27 AM
Posts: 5, Visits: 9
Thanks for working with me on this....

It is a domain account for a human user.  The user successfully logs in with 528 events prior to the 560s occurring.  Some 528s are type 2 for logging in at the console and some are type 7 for unlocking the system (mostly the latter).

A typical scenario I see is a 528 (type 7) followed by a 576, then a 538, and right after (within the same minute) we get 8 560s in a row: 4 sets of the two examples I have provided.

Post #458
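The two checks the Expert asks for in post #455 (is the Client User Name a domain or local account, and what Logon Type does the 528/540 with the same Logon ID carry) can be scripted over an exported event-log text file, and the same pass can decode the Accesses list of the 560s posted in #451 into the numeric SC Manager access mask. The script below is an added example written for this thread, not code from the forum or from Microsoft. It assumes the XP "Description" text layout shown in the posted events; the sample log is constructed (a 528 with Logon Type 7 followed by the two 560s from #451, trimmed to the fields the script reads), and the bit values are the STANDARD_RIGHTS_REQUIRED and SC_MANAGER_* constants from the Windows SDK.

```python
"""Pair XP 560 failure audits on the SC Manager with the 528/540 logon that
owns the same Client Logon ID, and decode the access rights requested."""
import re

# Bits behind the friendly access names a 560 event prints. The four generic
# rights are STANDARD_RIGHTS_REQUIRED; the rest are SC_MANAGER_* from winsvc.h.
ACCESS_BITS = {
    "DELETE": 0x10000, "READ_CONTROL": 0x20000,
    "WRITE_DAC": 0x40000, "WRITE_OWNER": 0x80000,
    "Connect to service controller": 0x01,
    "Create a new service": 0x02,
    "Enumerate services": 0x04,
    "Lock service database for exclusive access": 0x08,
    "Query service database lock state": 0x10,
    "Set last-known-good state of service database": 0x20,
}
SC_MANAGER_ALL_ACCESS = 0xF003F  # STANDARD_RIGHTS_REQUIRED | all six SCM rights
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")

# Constructed sample in XP's exported-event text form: the 528 (type 7 = unlock)
# that precedes the two 560s from the thread, trimmed to the fields used here.
SAMPLE_LOG = """\
Event Type: Success Audit
Event ID: 528
Computer: computername
Successful Logon:
  User Name: username
  Domain: domainname
  Logon ID: (0x0,0x1914A2AD)
  Logon Type: 7
Event Type: Failure Audit
Event ID: 560
Computer: computername
  Object Server: SC Manager
  Client User Name: username
  Client Domain: domainname
  Client Logon ID: (0x0,0x1914A2AD)
  Accesses:  Connect to service controller
   Create a new service
Event Type: Failure Audit
Event ID: 560
Computer: computername
  Object Server: SC Manager
  Client User Name: username
  Client Domain: domainname
  Client Logon ID: (0x0,0x1914A2AD)
  Accesses:  DELETE
   READ_CONTROL
   WRITE_DAC
   WRITE_OWNER
   Connect to service controller
   Create a new service
   Enumerate services
   Lock service database for exclusive access
   Query service database lock state
   Set last-known-good state of service database
  Privileges:  -
"""


def parse_events(text):
    """One dict per event; 'Accesses' is a list because its names span lines."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        if not chunk.strip():
            continue
        ev, in_access = {"Accesses": []}, False
        for line in filter(str.strip, chunk.splitlines()):
            m = FIELD_RE.match(line)
            if m and m.group(1) == "Accesses":
                in_access = True
                ev["Accesses"].append(m.group(2))
            elif m:                  # any other "Key: value" line ends the list
                in_access = False
                ev[m.group(1)] = m.group(2)
            elif in_access:          # unlabeled continuation line of the list
                ev["Accesses"].append(line.strip())
        events.append(ev)
    return events


def correlate(text):
    """Report, per SC Manager 560, the client account, whether it is a domain
    account, the Logon Type of the matching 528/540, and the decoded mask."""
    events = parse_events(text)
    logons = {e["Logon ID"]: e for e in events if e.get("Event ID") in ("528", "540")}
    findings = []
    for ev in events:
        if ev.get("Event ID") != "560" or ev.get("Object Server") != "SC Manager":
            continue
        logon = logons.get(ev.get("Client Logon ID"))
        mask = 0
        for name in ev["Accesses"]:
            mask |= ACCESS_BITS.get(name, 0)
        findings.append({
            "client": f"{ev.get('Client Domain')}\\{ev.get('Client User Name')}",
            # a local account shows the workstation's own name in Client Domain
            "domain_account": ev.get("Client Domain", "").lower() != ev.get("Computer", "").lower(),
            "logon_type": logon.get("Logon Type") if logon else None,
            "mask": mask,
            "full_access": mask == SC_MANAGER_ALL_ACCESS,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

Run against a real export by reading the file into `correlate()` in place of `SAMPLE_LOG`. On the sample, the first 560 decodes to mask 0x3 (connect plus create-service) and the second to 0xF003F, which is exactly SC_MANAGER_ALL_ACCESS; a request for every right on the service controller database is what an OpenSCManager call asking for full access produces, and it fails for a non-administrative client, so the `full_access` flag separates that pattern from a narrower request worth a closer look.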
Posted 9/4/2010 12:46:32 PM
Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
Weird.  You might be able to figure out which Service is trying to be accessed by enabling auditing on all the services.  To do that you need to run the Security Templates MMC and create a security template on that computer.  In the template you will need to edit each Service's Security properties, click Advanced and in the auditing tab turn on auditing for Everyone, Full Control, Failures.  Then apply the template using Security Configuration and Analysis.  You should start getting additional 560s that identify which service is being accessed.
Post #461
Posted 9/14/2010 11:04:23 AM
Forum Newbie

Group: Forum Members
Last Login: 9/14/2010 11:01:27 AM
Posts: 5, Visits: 9
I will continue to post information as I work on this issue.  So far the workstation I have modified the auditing on for a test case is not getting any 560s now (go figure).  I will continue to monitor additional systems as they are reported to me and post the results.

Thanks,

Jeff

Post #472