Posted by Andrew Phillips on October 29, 2005, 6:41 pm
While scrolling through the Security logs of a Windows 2003 box, I noticed
seven separate security failure audits from the MSDTC service relating to
accessing and writing to two MSDTC logs.
The audits:
Audit 1:
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 29/10/2005
Time: 6:05:01 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: LFN-SVR-1
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log
Handle ID: -
Operation ID:
Process ID: 1372
Image File Name: C:\WINDOWS\system32\msdtc.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E4)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
SYNCHRONIZE
ReadAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x110080
Audit 2:
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 29/10/2005
Time: 6:05:01 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: LFN-SVR-1
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log
Handle ID: -
Operation ID:
Process ID: 1372
Image File Name: C:\WINDOWS\system32\msdtc.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E4)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
SYNCHRONIZE
ReadAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x110080
Audit 3:
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 29/10/2005
Time: 6:05:01 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: LFN-SVR-1
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log
Handle ID: -
Operation ID:
Process ID: 1372
Image File Name: C:\WINDOWS\system32\msdtc.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E4)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
ReadAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x10080
Audit 4:
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 29/10/2005
Time: 6:05:01 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: LFN-SVR-1
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log
Handle ID: -
Operation ID:
Process ID: 1372
Image File Name: C:\WINDOWS\system32\msdtc.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E4)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x10000
Audit 5:
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 29/10/2005
Time: 6:05:01 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: LFN-SVR-1
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\DtcInstall.log
Handle ID: -
Operation ID:
Process ID: 1372
Image File Name: C:\WINDOWS\system32\msdtc.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E4)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x12019F
Audit 6:
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 29/10/2005
Time: 6:05:01 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: LFN-SVR-1
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\DtcInstall.log
Handle ID: -
Operation ID:
Process ID: 1372
Image File Name: C:\WINDOWS\system32\msdtc.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E4)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x12019F
Audit 7:
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 29/10/2005
Time: 6:05:02 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: LFN-SVR-1
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\DtcInstall.log
Handle ID: -
Operation ID:
Process ID: 1372
Image File Name: C:\WINDOWS\system32\msdtc.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E4)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x12019F
My interpretation of these audits is that the MSDTC service is trying to
modify its log files and failing, due to incorrect permissions. However,
both files have full access given to the NETWORK SERVICE account. Can anyone
provide any suggestions on how to fix this permissions issue and remove
these failure audits? Thanks...
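The records above already list the requested rights, but the Access Mask field is what you compare against the effective permissions on the file. The following Python script, added here as an illustration and not part of the original post, parses 560 event text, expands the mask into the same right names the Security log prints (bit values from winnt.h), checks that the expansion matches the Accesses lines, and counts identical object/rights pairs so repeated failures collapse into one line. The sample records are abbreviated copies of audits 1, 4 and 5 from the post; the field names and parsing rules are assumptions based on the layout shown there.

```python
from collections import Counter

# Access-right bit values from the Windows SDK (winnt.h); the names follow the
# spelling the Security log uses in the text of a 560 event.
STANDARD_RIGHTS = [
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
    (0x00100000, "SYNCHRONIZE"),
]
FILE_RIGHTS = [
    (0x0001, "ReadData (or ListDirectory)"),
    (0x0002, "WriteData (or AddFile)"),
    (0x0004, "AppendData (or AddSubdirectory or CreatePipeInstance)"),
    (0x0008, "ReadEA"),
    (0x0010, "WriteEA"),
    (0x0020, "Execute/Traverse"),
    (0x0040, "DeleteChild"),
    (0x0080, "ReadAttributes"),
    (0x0100, "WriteAttributes"),
]


def decode_access_mask(mask):
    """Expand a file-object access mask into right names, standard rights first,
    in the order the event text lists them. Bits outside the two tables (generic
    rights, MAXIMUM_ALLOWED, ...) are reported rather than silently dropped."""
    names = [name for bit, name in STANDARD_RIGHTS + FILE_RIGHTS if mask & bit]
    known = 0
    for bit, _ in STANDARD_RIGHTS + FILE_RIGHTS:
        known |= bit
    if mask & ~known:
        names.append("UNKNOWN(0x%X)" % (mask & ~known))
    return names


def parse_event(text):
    """Turn 'Field: value' lines into a dict (assumed layout, as in the post).
    A line without a colon continues the previous field (extra Accesses lines)."""
    fields, last = {}, None
    for line in text.strip().splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            last = key.strip()
            fields[last] = value.strip()
        elif last:
            fields[last] += "\n" + line.strip()
    return fields


def analyze(text):
    """Decode one 560 event and cross-check the mask against the listed rights."""
    ev = parse_event(text)
    mask = int(ev["Access Mask"], 16)
    rights = decode_access_mask(mask)
    return {
        "object": ev["Object Name"],
        "mask": mask,
        "rights": rights,
        "consistent": rights == ev["Accesses"].split("\n"),
        # A failure audit carries no handle: the open itself was refused.
        "no_handle": ev.get("Handle ID") == "-",
    }


def summarize(texts):
    """Count identical (object, requested rights) pairs across many events."""
    return Counter((r["object"], tuple(r["rights"])) for r in map(analyze, texts))


# Abbreviated from the records quoted in the post (audits 1, 4 and 5).
SAMPLE_EVENTS = [
    r"""Object Name: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log
Handle ID: -
Image File Name: C:\WINDOWS\system32\msdtc.exe
Accesses: DELETE
SYNCHRONIZE
ReadAttributes
Access Mask: 0x110080""",
    r"""Object Name: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log
Handle ID: -
Image File Name: C:\WINDOWS\system32\msdtc.exe
Accesses: DELETE
Access Mask: 0x10000""",
    r"""Object Name: C:\WINDOWS\DtcInstall.log
Handle ID: -
Image File Name: C:\WINDOWS\system32\msdtc.exe
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes
Access Mask: 0x12019F""",
]

if __name__ == "__main__":
    for (obj, rights), n in summarize(SAMPLE_EVENTS).items():
        print("%d x %s <- %s" % (n, obj, ", ".join(rights)))
```

Running it shows that 0x110080 is exactly DELETE + SYNCHRONIZE + ReadAttributes and 0x12019F is READ_CONTROL + SYNCHRONIZE + the seven file read/write bits, so the Accesses lines in the post are a faithful expansion of the masks. Those are the specific rights to check in the effective permissions of the two files; note that for a DELETE request NTFS also accepts FILE_DELETE_CHILD on the parent directory, so the directory ACL is worth examining alongside the file ACL.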