AuditBaseObjects set reveals Event 560 Object Access Audit when Taskmanager is running
Subject: AuditBaseObjects set reveals Event 560 Object Access Audit when Taskmanager is running
From: Gary Kuyat (gary DIGISLE.NET)
Date: Tue Dec 07 1999 - 02:10:27 CST
In the TechNet article "Securing Windows NT 4.0 Installation" the following
entry appears:
----
Auditing Base Objects

To enable auditing on base system objects, add the following key value to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:

Name: AuditBaseObjects
Type: REG_DWORD
Value: 1

Note that simply setting this key does not start generating audits. The administrator will need to turn auditing on for the "Object Access" category using User Manager. This registry key setting tells Local Security Authority that base objects should be created with a default system audit control list.
----
Once this entry is set, and Auditing "File and Object Access" failures is enabled, bringing up the Task Manager will cause the following entry to appear in the Security Log approximately once a second:
----
Date : xxxx
Event ID: 560
Time: xxxx
Source: Security
User: xxxx
Type: Failure Audit
Computer: xxxx
Category: Object Access

Object Open:
    Object Server: Security
    Object Type: Desktop
    Object Name: \Winlogon
    New Handle ID: -
    Operation ID: {0,596543}
    Process ID: 2154096848
    Primary User Name: xxxxxx
    Primary Domain: xxxxxxx
    Primary Logon ID: (0x0,0xXXXX)
    Client User Name: -
    Client Domain: -
    Client Logon ID: -
    Accesses MAX_ALLOWED
        Read Objects
        Write objects
    Privileges -
----
In fact, the load of jamming this in the log can make the machine appear to hang.
This has been verified on several machines with SP3 and 6a and on both Workstation and Server. I'm guessing the failure is always present, but only shows itself when auditing is enabled to this degree.
Anybody seen this before?
- Gary Kuyat & Lawrence Cheung Digital Island
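
One way to spot the once-a-second repetition described in the post when reviewing an exported Security Log, added here as an example and not part of the original message. It assumes a text export with one "Field: value" pair per line, a blank line between events, and a single constructed "Time" timestamp; the function names, window and threshold are illustrative choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")

def parse_events(text):
    """Parse blank-line-separated events into dicts of field name -> value."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(m.groups() for m in map(FIELD.match, block.splitlines()) if m)
        if fields:
            events.append(fields)
    return events

def find_floods(events, window=timedelta(seconds=10), threshold=8):
    """Report Event 560 failure audits that repeat for the same object and process."""
    groups = defaultdict(list)
    for e in events:
        if e.get("Event ID") == "560" and e.get("Type") == "Failure Audit":
            key = (e.get("Object Type"), e.get("Object Name"), e.get("Process ID"))
            groups[key].append(datetime.strptime(e["Time"], "%Y-%m-%d %H:%M:%S"))
    floods = {}
    for key, times in groups.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            floods[key] = {"total": len(times), "peak_in_window": peak}
    return floods

def make_sample():
    """Constructed dump: 30 \\Winlogon failures one second apart, plus 2 unrelated events."""
    base = datetime(1999, 12, 7, 2, 0, 0)  # constructed timestamps
    tmpl = ("Time: {}\nEvent ID: 560\nType: Failure Audit\n"
            "Object Type: {}\nObject Name: {}\nProcess ID: {}")
    blocks = [tmpl.format(base + timedelta(seconds=i), "Desktop", "\\Winlogon", "2154096848")
              for i in range(30)]
    blocks += [tmpl.format(base + timedelta(minutes=5 * i), "File", "C:\\example.txt", "1234")
               for i in range(2)]  # constructed, unrelated failures
    return "\n\n".join(blocks)

if __name__ == "__main__":
    for key, stats in find_floods(parse_events(make_sample())).items():
        print(key, stats)
```

Grouping on object type, object name and process ID keeps isolated access failures out of the report while a single process hammering one object stands out.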
This archive was generated by hypermail 2b27 : Tue Dec 07 1999 - 02:25:41 CST