Failure Audit - 560

Archived from groups: microsoft.public.win2000.advanced_server

I just installed Windows 2003 server with Windows Sharepoint Services. I am
getting a 560 event every few seconds. The Object Name is different and the
image file name changes as well. The events occurred after I installed the
following patch:

Security Update for Windows Server 2003 (KB824151)
A security issue has been identified that could allow an attacker to
cause a computer running Microsoft Internet Information Services to stop
responding. You can help protect your computer by installing this update
from Microsoft. After you install this item, you may have to restart your
computer.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Any suggestions?


Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/1/2005
Time: 2:39:42 PM
User: XXX\yyy
Computer: 195
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: \Device\FloppyPDO0
Handle ID: -
Operation ID: {0,336716}
Process ID: 324
Image File Name: C:\WINDOWS\system32\mmc.exe
Primary User Name: yyy
Primary Domain: XXXXX
Primary Logon ID: (0x0,0x45702)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: SYNCHRONIZE
ReadAttributes

Privileges: -
Restricted Sid Count: 0
Access Mask: 0x100080


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
  1. Archived from groups: microsoft.public.win2000.advanced_server

    Hi Joan,

    Based on my research, Event ID 560 occurs because Audit object access is
    enabled on the win2k3 server. This security setting determines whether to
    audit the event of a user accessing an object (for example, a file, folder,
    registry key, printer, and so forth) that has its own system access control
    list (SACL) specified.

    If you define this policy setting, you can specify whether to audit
    successes, audit failures, or not audit the event type at all. Success
    audits generate an audit entry when a user successfully accesses an object
    that has an appropriate SACL specified. Failure audits generate an audit
    entry when a user unsuccessfully attempts to access an object that has a
    SACL specified.

    For example, suppose that Harold is working in Microsoft Excel and tries to
    open payroll.xls. Excel asks Win2K3 for a handle to payroll.xls. Win2k3
    compares the file's DACL with Harold's user account and with Excel's
    request for read access; according to the DACL, Harold doesn't have
    permission to read payroll.xls. (As Figure 2 shows, only the Administrators
    and HR groups have access to payroll.xls, and Harold isn't a member of
    either group.) Win2k3 determines that the system audit policy is enabled to
    log failed object access, so the OS searches payroll.xls's SACL and
    examines each ACE that audits failed access attempts. Win2k3 determines
    which of these ACEs specify either Harold's user account or a group that
    Harold belongs to. As Figure 3 shows, the object's SACL contains an ACE
    that applies to failed read access and to the Everyone group, so Win2k3
    logs the event ID 560. This is the reason Event 560 is always logged in the
    win2k3 server.

    The following article uses an example that is easy to understand:

    Keeping Tabs on Object Access
    http://www.windowsitpro.com/Article/ArticleID/20563/20563.html

    The following article addresses the Audit object access mechanism. If you
    switch off Audit object access, event 560 will not be logged
    anymore:

    Audit object access
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/50fdb7bc-7dae-4dcd-8591-382aeff2ea79.mspx

    HTH!

    Any update, let's get in touch!

    Best regards,

    Rebecca Chen

    MCSE2000 MCDBA CCNA


    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security

    =====================================================

    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.

    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.

    --------------------
    >Reply-To: "Joan" <joan@jaks-technology.com>
    >From: "Joan" <joan@jaks-technology.com>
    >Subject: Failure Audit - 560
    >Date: Fri, 1 Jul 2005 14:45:19 -0500
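
Added example, not code from either poster or from Microsoft: it parses the text form of an event 560 record as posted in the question, decodes the Access Mask into the rights listed under Accesses, and counts failure audits per object and process to show which audited object produces the noise. The function names, the labels in the rights table and the `\Device\Example` object are this example's own; the sample record is trimmed from the event in the question.

```python
import re
from collections import Counter

# File-object access bits (winnt.h values); the labels are this example's own.
FILE_RIGHTS = {
    0x000001: "ReadData", 0x000002: "WriteData", 0x000004: "AppendData",
    0x000008: "ReadEA", 0x000010: "WriteEA", 0x000020: "Execute",
    0x000040: "DeleteChild", 0x000080: "ReadAttributes",
    0x000100: "WriteAttributes", 0x010000: "DELETE", 0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC", 0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
    0x1000000: "ACCESS_SYSTEM_SECURITY",
}
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):[ \t]*(.*?)\s*$")

# Trimmed from the event in the question above.
SAMPLE = r"""Event Type: Failure Audit
Event ID: 560
Object Name: \Device\FloppyPDO0
Image File Name: C:\WINDOWS\system32\mmc.exe
Accesses: SYNCHRONIZE
ReadAttributes
Access Mask: 0x100080"""

def parse_event(text):
    """Turn one event's text into {field: value}; the first occurrence of a field wins."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields.setdefault(m.group(1), m.group(2))
    return fields

def decode_mask(mask):
    """Name each set bit of an access mask; bits not in the table come back as hex."""
    names = [name for bit, name in sorted(FILE_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(FILE_RIGHTS)
    return names + ([hex(unknown)] if unknown else [])

def noisiest(events, top=5):
    """Count failure-audit 560 events per (object, process) pair, busiest first."""
    counts = Counter(
        (ev.get("Object Name"), ev.get("Image File Name")) for ev in events
        if ev.get("Event ID") == "560" and ev.get("Event Type") == "Failure Audit")
    return counts.most_common(top)

if __name__ == "__main__":
    ev = parse_event(SAMPLE)
    print(decode_mask(int(ev["Access Mask"], 16)))
    print(noisiest([ev, ev, dict(ev, **{"Object Name": r"\Device\Example"})]))
```

The pair at the top of the list names the object whose SACL, together with the failure-audit policy described in the answer, accounts for most of the events.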