failure audits

Archived from groups: microsoft.public.windowsxp.security_admin

Does anyone know why XP reports failure object access audits on the
NetBios over TCPIP device? I've given full control permissions to the
user in the registry that the audit entry includes but it hasn't
helped. I also get failed object accesses on /device/netbiossmb (the
other is /device/netbt_tcp_ip). These entries make my audit logs
hundreds of megs big and cause the Visual Basic API method (used in a VB
script I created) to not be able to back up the logs due to them being so
large and they have to be cleared manually then. I've read that Windows
lets a user/process access files with full privileges even though they
don't need it and it still succeeds but when auditing is enabled it also
fills up the logs.

thanks
Brandon
  1. Archived from groups: microsoft.public.windowsxp.security_admin

    Hi Brandon.


    A couple of things..


    1. Check "audit the access of global system objects" & disable
    2. By design behaviour

    1. Disable the "Audit the access of global system objects" Local
    Security Policy setting if you have previously enabled this setting. To do
    this, follow these steps:

    a. Click "Start", click "Run", type "gpedit.msc" (without the
    quotation marks), and then click "OK".

    b. Locate the following entry:
    Console Root\Local Computer Policy\Computer Configuration\Windows
    Settings\Security Settings\Local Policies\Security Options

    c. Double-click the "Audit the access of global system objects"
    policy, click "Disabled" under "Local Policy", and then click "OK".

    d. On the "Console" menu, click "Exit", and then restart the computer.


    2. Failed access attempts are usual during normal Windows operation.
    Many times Windows will use a failed access attempt to determine behaviour.
    When a process requests a handle to an object, the caller must provide a set
    of security credentials and a bitmask representing the type of access
    required. If the security identity provided by the caller doesn't have the
    access rights requested in the call, then the object access fails with
    Access Denied. In the failure response, however, the operating system also
    returns a bit mask telling the caller what permissions it does have. The
    caller can request access again -- this time with a modified access mask --
    and get a handle to the object. As you mention, numerous applications will
    request more privilege than they actually need, and it will fail the first
    attempt, then use the template (bitmask) returned to it to make its second
    request.


    HTH, Les

    This posting is provided "AS IS" with no warranties, and confers no rights.


    "Brandon McCombs" <bmccombs@ma.rr.com> wrote in message
    news:422E54FC.2B9CE149@ma.rr.com...
    > Does anyone know why XP reports failure object access audits on the
    > NetBios over TCPIP device? I've given full control permissions to the
    > user in the registry that the audit entry includes but it hasn't
    > helped. I also get failed object accesses on /device/netbiossmb (the
    > other is /device/netbt_tcp_ip). These entries make my audit logs
    > hundreds of megs big and cause the Visual Basic API method (used in a VB
    > script I created) to not be able to back up the logs due to them being so
    > large and they have to be cleared manually then. I've read that Windows
    > lets a user/process access files with full privileges even though they
    > don't need it and it still succeeds but when auditing is enabled it also
    > fills up the logs.
    >
    > thanks
    > Brandon
    >
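
To measure how much of a Security log these entries account for before changing the policy, the following added example (not part of the original thread) tallies Object Access failure audits by object and by process. The tab-separated layout, the field labels and the sample records are constructed assumptions, not a real Event Viewer export format.

```python
import re
from collections import Counter

# Constructed sample, not taken from a real log: one record per line as
# "type<TAB>category<TAB>description". The layout is an assumption.
SAMPLE_LOG = "\n".join([
    "Failure Audit\tObject Access\tObject Name: /device/netbt_tcp_ip; Image File Name: svchost.exe",
    "Failure Audit\tObject Access\tObject Name: /device/netbt_tcp_ip; Image File Name: svchost.exe",
    "Failure Audit\tObject Access\tObject Name: /device/netbiossmb; Image File Name: services.exe",
    "Success Audit\tObject Access\tObject Name: /device/netbt_tcp_ip; Image File Name: svchost.exe",
    "Failure Audit\tLogon/Logoff\tReason: Unknown user name or bad password",
    "truncated record without tab separators",
    "Failure Audit\tObject Access\tObject Name: /device/netbt_tcp_ip; Image File Name: lsass.exe",
])

FIELD = re.compile(r"(Object Name|Image File Name):\s*([^;]+)")

def parse_records(text):
    """Return one dict per well-formed line; lines that do not split are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue
        fields = {k: v.strip() for k, v in FIELD.findall(parts[2])}
        records.append({"type": parts[0].strip(), "category": parts[1].strip(),
                        "object": fields.get("Object Name", "(none)").lower(),
                        "image": fields.get("Image File Name", "(none)").lower()})
    return records

def failure_sources(records):
    """Count Object Access failure audits per (object, process image)."""
    return Counter((r["object"], r["image"]) for r in records
                   if r["type"] == "Failure Audit" and r["category"] == "Object Access")

def noisy_objects(records, min_share=0.5):
    """Objects holding at least min_share of all Object Access failure audits."""
    counts = Counter()
    for (obj, _image), n in failure_sources(records).items():
        counts[obj] += n
    total = sum(counts.values())
    return sorted(o for o, n in counts.items() if total and n / total >= min_share)

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for (obj, image), n in failure_sources(recs).most_common():
        print(f"{n:5d}  {obj}  {image}")
    print("dominant:", noisy_objects(recs))
```
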