Jump to content

Failure Audit, ID 560, Object Access, SC Manager, Query or Enumera


Recommended Posts

Guest Claude Lachapelle
Posted

Hi!

 

Since we enabled Object auditing on domain controllers, security event logs

are flooded with these events:

 

Event Type: Failure Audit

Event Source: Security

Event Category: Object Access

Event ID: 560

Date: 4/30/2009

Time: 1:20:21 PM

User: DOMAIN\USERID

Computer: SERVER

Description:

Object Open:

Object Server: SC Manager

Object Type: SERVICE OBJECT

Object Name: ServiceName

Handle ID: -

Operation ID: {0,126766685}

Process ID: 388

Image File Name: C:\WINDOWS\system32\services.exe

Primary User Name: SERVER$

Primary Domain: DOMAIN

Primary Logon ID: (0x0,0x3E7)

Client User Name: USERID

Client Domain: DOMAIN

Client Logon ID: (0x0,0x78E4E51)

Accesses: READ_CONTROL

Query service configuration information

Query status of service

Enumerate dependencies of service

Query information from service

 

Privileges: -

Restricted Sid Count: 0

Access Mask: 0x2008D

 

 

For more information, see Help and Support Center at

http://go.microsoft.com/fwlink/events.asp.

 

Here the security on the related objects:

 

C:\>sc sdshow scmanager

 

D:(ACCLCRPRCAU)(ACCLCRPWPRCSY)(AKABA)S:(AUFAKAWD)(AUOIIOFA

GAWD)

 

C:\>sc sdshow servicename

 

D:(ACCDCLCSWRPWPDTLOCRSDRCWDWOSY)(ACCLCSWRPLORCAU)S:(AUFACCDCLCSWRPW

PDTLOCRSDRCWDWOWD)

 

What's wrong?

 

Thanks.

 

Claude Lachapelle

Systems Administrator, MCSE

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...