
Failure Audit, ID 560, Object Access, SC Manager, Query or Enumera

Discussion in 'Windows Security' started by Claude Lachapelle, Apr 30, 2009.

  1. Hi!

    Since we enabled Object auditing on domain controllers, security event logs
    are flooded with these events:

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Object Access
    Event ID: 560
    Date: 4/30/2009
    Time: 1:20:21 PM
    User: DOMAIN\USERID
    Computer: SERVER
    Description:
    Object Open:
    Object Server: SC Manager
    Object Type: SERVICE OBJECT
    Object Name: ServiceName
    Handle ID: -
    Operation ID: {0,126766685}
    Process ID: 388
    Image File Name: C:\WINDOWS\system32\services.exe
    Primary User Name: SERVER$
    Primary Domain: DOMAIN
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: USERID
    Client Domain: DOMAIN
    Client Logon ID: (0x0,0x78E4E51)
    Accesses: READ_CONTROL
    Query service configuration information
    Query status of service
    Enumerate dependencies of service
    Query information from service

    Privileges: -
    Restricted Sid Count: 0
    Access Mask: 0x2008D


    For more information, see Help and Support Center at
    .

    Here is the security on the related objects:

    C:\>sc sdshow scmanager

    D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;
    GA;;;WD)

    C:\>sc sdshow servicename

    D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPW
    PDTLOCRSDRCWDWO;;;WD)

    What's wrong?

    Thanks.

    Claude Lachapelle
    Systems Administrator, MCSE
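
To read the event against the posted descriptor, the following added example (not part of the original post) decodes the `Access Mask: 0x2008D` value and the `sc sdshow servicename` output, then checks the mask against the allow ACEs. It handles only the two-letter right codes that appear in the service descriptor, and it assumes the client token carries Authenticated Users (AU); the function names are hypothetical.

```python
import re

# SDDL right codes -> (access-mask bit, name as it applies to service objects)
RIGHTS = {
    "CC": (0x0001, "SERVICE_QUERY_CONFIG"),
    "DC": (0x0002, "SERVICE_CHANGE_CONFIG"),
    "LC": (0x0004, "SERVICE_QUERY_STATUS"),
    "SW": (0x0008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x0010, "SERVICE_START"),
    "WP": (0x0020, "SERVICE_STOP"),
    "DT": (0x0040, "SERVICE_PAUSE_CONTINUE"),
    "LO": (0x0080, "SERVICE_INTERROGATE"),
    "CR": (0x0100, "SERVICE_USER_DEFINED_CONTROL"),
    "SD": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"),
    "WO": (0x80000, "WRITE_OWNER"),
}

# Values copied from the post: "sc sdshow servicename" output and the event's mask
SERVICE_SDDL = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWRPLORC;;;AU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
EVENT_ACCESS_MASK = 0x2008D

def rights_to_mask(rights):
    """Turn a run of two-letter SDDL right codes into an access mask."""
    mask = 0
    for code in re.findall("..", rights):
        mask |= RIGHTS[code][0]
    return mask

def mask_to_names(mask):
    """List the service rights set in an access mask."""
    return [name for bit, name in RIGHTS.values() if mask & bit]

def parse_aces(sddl):
    """Return (acl, type, flags, mask, trustee) per ACE; acl is 'D' (DACL) or 'S' (SACL)."""
    aces = []
    for acl, body in re.findall(r"([DS]):((?:\([^)]*\))+)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            ace_type, flags, rights, _obj, _inherit, trustee = ace.split(";")
            aces.append((acl, ace_type, flags, rights_to_mask(rights), trustee))
    return aces

def missing_bits(sddl, requested, trustees):
    """Bits of `requested` that no allow ACE for the given trustee codes grants."""
    granted = 0
    for acl, ace_type, _flags, mask, trustee in parse_aces(sddl):
        if acl == "D" and ace_type == "A" and trustee in trustees:
            granted |= mask
    return requested & ~granted
```

With the descriptor exactly as posted, `missing_bits(SERVICE_SDDL, EVENT_ACCESS_MASK, {"AU"})` returns 0, and the SACL entry decodes to a failure-audit ACE for Everyone (WD) covering every service right.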
     
