failure audits

Anonymous
March 9, 2005 4:41:19 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Does anyone know why XP reports failure object access audits on the
NetBios over TCPIP device? I've given full control permissions to the
user in the registry that the audit entry includes but it hasn't
helped. I also get failed object accesses on /device/netbiossmb (the
other is /device/netbt_tcp_ip). These entries make my audit logs
hundreds of megs big and cause the Visual Basic API method (used in a vb
script I created) to not be able to back up the logs due to them being so
large and they have to be cleared manually then. I've read that Windows
lets a user/process access files with full privileges even though they
don't need it and it still succeeds but when auditing is enabled it also
fills up the logs.

thanks
Brandon


Anonymous
March 10, 2005 8:21:13 PM

Hi Brandon.



A couple of things..

1. Check "audit the access of global system objects" & disable
2. By design behaviour

1. Disable the "Audit the access of global system objects" Local
Security Policy setting if you have previously enabled this setting. To do
this, follow these steps:

a. Click "Start", click "Run", type "gpedit.msc" (without the
quotation marks), and then click "OK".

b. Locate the following entry:
Console Root\Local Computer Policy\Computer Configuration\Windows
Settings\Security Settings\Local Policies\Security Options

c. Double-click the "Audit the access of global system objects"
policy, click "Disabled" under "Local Policy", and then click "OK".

d. On the "Console" menu, click "Exit", and then restart the computer.




2. Failed access attempts are usual during normal Windows operation.
Many times Windows will use a failed access attempt to determine behaviour.
When a process requests a handle to an object, the caller must provide a set
of security credentials and a bitmask representing the type of access
required. If the security identity provided by the caller doesn't have the
access rights requested in the call, then the object access fails with
Access Denied. In the failure response, however, the operating system also
returns a bit mask telling the caller what permissions it does have. The
caller can request access again -- this time with a modified access mask --
and get a handle to the object. As you mention, numerous applications will
request more privilege than they actually need, and it will fail the first
attempt, then use the template (bitmask) returned to it to make its second
request.





HTH, Les

This posting is provided "AS IS" with no warranties, and confers no rights.






"Brandon McCombs" <bmccombs@ma.rr.com> wrote in message
news:422E54FC.2B9CE149@ma.rr.com...
> Does anyone know why XP reports failure object access audits on the
> NetBios over TCPIP device? I've given full control permissions to the
> user in the registry that the audit entry includes but it hasn't
> helped. I also get failed object accesses on /device/netbiossmb (the
> other is /device/netbt_tcp_ip). These entries make my audit logs
> hundreds of megs big and cause the Visual Basic API method (used in a vb
> script I created) to not be able to back up the logs due to them being so
> large and they have to be cleared manually then. I've read that Windows
> lets a user/process access files with full privileges even though they
> don't need it and it still succeeds but when auditing is enabled it also
> fills up the logs.
>
> thanks
> Brandon
>
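
An added example, not part of the original thread: a Python sketch that splits the failure audits in an exported log into those followed by the narrower-mask retry Les describes and those that are not, so the by-design noise can be measured before the audit policy is changed. The pipe-delimited record layout, the process names and the mask values are constructed assumptions, not the real XP event format.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records (not real log output). Assumed columns:
# time | audit type | object name | process | requested access mask (hex)
SAMPLE = """\
2005-03-09 04:00:01|Failure|/device/netbt_tcp_ip|svchost.exe|0x1F01FF
2005-03-09 04:00:01|Success|/device/netbt_tcp_ip|svchost.exe|0x120089
2005-03-09 04:00:05|Failure|/device/netbiossmb|svchost.exe|0x1F01FF
2005-03-09 04:00:05|Success|/device/netbiossmb|svchost.exe|0x120089
2005-03-09 04:00:09|Failure|/device/netbt_tcp_ip|svchost.exe|0x1F01FF
2005-03-09 04:00:10|Success|/device/netbt_tcp_ip|svchost.exe|0x120089
2005-03-09 04:00:20|Failure|/device/netbiossmb|example.exe|0x1F01FF
"""

def parse(text):
    """Yield (time, kind, object, process, mask) for each non-empty record."""
    for line in text.splitlines():
        if line.strip():
            ts, kind, obj, proc, mask = line.split("|")
            yield (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), kind,
                   obj.lower(), proc.lower(), int(mask, 16))

def classify(text, window=timedelta(seconds=2)):
    """Count failure audits per (object, process), split into two groups.

    retried:    the same process opened the same object successfully within
                `window`, asking for a strict subset of the failed mask.
    unresolved: no such follow-up; these are the ones worth a closer look.
    """
    events = sorted(parse(text), key=lambda e: e[0])  # stable: keeps file order
    retried, unresolved = Counter(), Counter()
    for i, (ts, kind, obj, proc, mask) in enumerate(events):
        if kind != "Failure":
            continue
        followed = any(
            k == "Success" and o == obj and p == proc
            and t - ts <= window
            and (m & mask) == m and m != mask  # narrower than the failed request
            for t, k, o, p, m in events[i + 1:]
        )
        (retried if followed else unresolved)[(obj, proc)] += 1
    return retried, unresolved

if __name__ == "__main__":
    retried, unresolved = classify(SAMPLE)
    print("by-design retries:", dict(retried))
    print("unresolved failures:", dict(unresolved))
```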