Forum Newbie
I have a question in regard to auditing on XP workstations. We have object auditing enabled and get lots of 560 events for users accessing services.exe through the SC_Manager. The problem is users don't know what they are doing to generate these events; many happen just logging on. The information in the actual 560 event is somewhat useless. How can you tell what program or service is calling SC_Manager to generate the event? I have been trying off and on for several months and have no clue where to look or how to find out. From the event I know: Object Server (SC Manager), Object Type (SC_MANAGER OBJECT), Object Name (ServicesActive), Operation ID, Process ID xxx, Image File Name (path to services.exe), logon ID, domain name, client user name, etc., and what properties are accessed (attempted and failed; we are only monitoring failed access). What I don't know is what program or process is calling services.exe to cause these events. How can I investigate this to pinpoint the cause? Any help would be GREATLY appreciated... Thanks,
Expert
These are most likely just naturally occurring noise events. To provide more help I really need to see actual events.
Forum Newbie
These events have been flagged by Information Systems Security Officers as potential violations to be reported to DSS. I know they are most likely noise generated by Windows XP; however, ISSOs and DSS reps don't like to hear generic "noise" as a response to an investigation. I am trying to find a more definitive explanation as to what these events are and what causes them to occur. Here are some events with username/machinename/domainname changed to "protect the innocent". Any information to assist in determining the root cause of these events would be GREATLY appreciated.

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 8/20/2010
Time: 12:42:07 PM
User: domainname\username
Computer: computername
Description:
Object Open:
  Object Server: SC Manager
  Object Type: SC_MANAGER OBJECT
  Object Name: ServicesActive
  Handle ID: -
  Operation ID: {0,450777109}
  Process ID: 736
  Image File Name: C:\WINDOWS\system32\services.exe
  Primary User Name: computername$
  Primary Domain: domainname
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: username
  Client Domain: domainname
  Client Logon ID: (0x0,0x1914A2AD)
  Accesses: Connect to service controller
            Create a new service
  Privileges: -
  Restricted Sid Count: 0

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 8/20/2010
Time: 12:42:07 PM
User: domainname\username
Computer: computername
Description:
Object Open:
  Object Server: SC Manager
  Object Type: SC_MANAGER OBJECT
  Object Name: ServicesActive
  Handle ID: -
  Operation ID: {0,450776966}
  Process ID: 736
  Image File Name: C:\WINDOWS\system32\services.exe
  Primary User Name: computername$
  Primary Domain: DD-X
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: username
  Client Domain: DD-X
  Client Logon ID: (0x0,0x1914A2AD)
  Accesses: DELETE
            READ_CONTROL
            WRITE_DAC
            WRITE_OWNER
            Connect to service controller
            Create a new service
            Enumerate services
            Lock service database for exclusive access
            Query service database lock state
            Set last-known-good state of service database
  Privileges: -
  Restricted Sid Count: 0
Expert
OK, next step is to look at the Client User Name. Is it a human account or a user account created for some application? Is it a domain account or a local account? You can figure that out by looking at the Client Domain, which will either be the computer's name or a domain name. Also look at the Client Logon ID and find the logon event 528 or 540 that precedes this event and bears the same Logon ID. What is the Logon Type in that 528/540?
Forum Newbie
Thanks for working with me on this.... It is a domain account for a human user. The user successfully logs in with 528 events prior to the 560s occurring. Some 528s are type 2 for logging in at the console and some are type 7 for unlocking the system (mostly the latter). A typical scenario I see is a 528 (type 7) followed by a 576, then a 538, and right after (within the same minute) we get 8 560s in a row: 4 sets of the two examples I have provided.
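The Logon ID cross-check the Expert describes, run over the sequence Jeff reports (528 type 7, 576, 538, then a burst of 560s), as an added example that is not from the thread. The log lines are constructed in the style of an XP Security log text export using the field names quoted above; the third 560 is deliberately given a Client Logon ID with no matching 528 to show what an unresolved session looks like.

```python
import re

# Constructed sample in the one-line-per-event style of an XP Security log export
# (not real captured data); the Logon IDs mirror the ones quoted in the thread.
SAMPLE_LOG = r"""
Event ID: 528 Time: 12:41:55 PM Description: Successful Logon: User Name: username Domain: domainname Logon ID: (0x0,0x1914A2AD) Logon Type: 7
Event ID: 576 Time: 12:41:55 PM Description: Special privileges assigned to new logon: User Name: username Logon ID: (0x0,0x1914A2AD)
Event ID: 538 Time: 12:41:56 PM Description: User Logoff: User Name: username Logon ID: (0x0,0x1914A2A0) Logon Type: 3
Event ID: 560 Time: 12:42:07 PM Description: Object Open: Object Server: SC Manager Object Name: ServicesActive Process ID: 736 Image File Name: C:\WINDOWS\system32\services.exe Primary Logon ID: (0x0,0x3E7) Client User Name: username Client Logon ID: (0x0,0x1914A2AD) Accesses: Connect to service controller Create a new service
Event ID: 560 Time: 12:42:07 PM Description: Object Open: Object Server: SC Manager Object Name: ServicesActive Process ID: 736 Image File Name: C:\WINDOWS\system32\services.exe Primary Logon ID: (0x0,0x3E7) Client User Name: username Client Logon ID: (0x0,0x1914A2AD) Accesses: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER
Event ID: 560 Time: 12:50:01 PM Description: Object Open: Object Server: SC Manager Object Name: ServicesActive Process ID: 736 Image File Name: C:\WINDOWS\system32\services.exe Primary Logon ID: (0x0,0x3E7) Client User Name: svcacct Client Logon ID: (0x0,0x2B0C7E1) Accesses: Enumerate services
"""

ID_RE = re.compile(r"Event ID: (\d+)")
TIME_RE = re.compile(r"Time: (\d{1,2}:\d{2}:\d{2} [AP]M)")
TYPE_RE = re.compile(r"Logon Type: (\d+)")
# A 528/540 carries one "Logon ID"; a 560 carries "Primary Logon ID" (services.exe
# itself, 0x3E7 = SYSTEM) and "Client Logon ID" (the session the open was made for).
LOGON_RE = re.compile(r"(?<!Primary )(?<!Client )Logon ID: \((0x[0-9A-Fa-f]+,0x[0-9A-Fa-f]+)\)")
CLIENT_RE = re.compile(r"Client Logon ID: \((0x[0-9A-Fa-f]+,0x[0-9A-Fa-f]+)\)")

def parse_events(text):
    """Keep only the fields the correlation needs: id, time, logon ids, logon type."""
    events = []
    for line in text.splitlines():
        m = ID_RE.search(line)
        if not m:
            continue
        ev = {"id": int(m.group(1)), "time": TIME_RE.search(line).group(1)}
        if ev["id"] in (528, 540):
            ev["logon_id"] = LOGON_RE.search(line).group(1)
            ev["logon_type"] = int(TYPE_RE.search(line).group(1))
        elif ev["id"] == 560:
            ev["client_logon_id"] = CLIENT_RE.search(line).group(1)
        events.append(ev)
    return events

def correlate(events):
    """(time, client logon id, logon type) per 560; logon type is None when no
    earlier 528/540 with that Logon ID is in the window (widen the export)."""
    sessions, out = {}, []
    for ev in events:
        if ev["id"] in (528, 540):
            sessions[ev["logon_id"]] = ev["logon_type"]
        elif ev["id"] == 560:
            out.append((ev["time"], ev["client_logon_id"], sessions.get(ev["client_logon_id"])))
    return out
```

The 538 in the sample carries a different Logon ID than the 528, which is why a logoff in between does not end the session the 560s belong to.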
Expert
Weird. You might be able to figure out which Service is trying to be accessed by enabling auditing on all the services. To do that you need to run the Security Templates MMC and create a security template on that computer. In the template you will need to edit each Service's Security properties, click Advanced, and in the Auditing tab turn on auditing for Everyone, Full Control, Failures. Then apply the template using Security Configuration and Analysis. You should start getting additional 560s that identify which service is being accessed.
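The per-service audit setting above, written as a security template fragment that Security Configuration and Analysis can import instead of clicking through every service by hand (added example, not from the thread). The [Service General Setting] row format, the Spooler service name and the DACL shown are assumptions: export a template from the workstation first and keep each service's real DACL, adding only the S: part.

```ini
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
; ServiceName, startup mode (2 = Automatic, 3 = Manual, 4 = Disabled), security descriptor in SDDL.
; D: is the service's DACL (placeholder here; copy the real one from an exported template).
; S:(AU;FA;GA;;;WD) adds the SACL: audit (AU) failed access (FA) to all rights (GA) for Everyone (WD),
; which is the "Everyone, Full Control, Failures" entry from the Auditing tab.
Spooler,2,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;GA;;;WD)"
```

One row per service is needed; after applying, the new 560s name the service object rather than ServicesActive, which is the extra detail the ISSO report needs.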
Forum Newbie
I will continue to post information as I work on this issue. So far the workstation I have modified the auditing on for a test case is not getting any 560s now (go figure). I will continue to monitor additional systems as they are reported to me and post the results. Thanks, Jeff