failure audits

  • Thread starter Brandon McCombs

Brandon McCombs

Does anyone know why XP reports failure object access audits on the
NetBIOS over TCP/IP device? I've given full control permissions to the
user in the registry that the audit entry includes but it hasn't
helped. I also get failed object accesses on /device/netbiossmb (the
other is /device/netbt_tcp_ip). These entries make my audit logs
hundreds of megs big and cause the Visual Basic API method (used in a VB
script I created) to not be able to back up the logs due to them being so
large and they have to be cleared manually then. I've read that Windows
lets a user/process access files with full privileges even though they
don't need it and it still succeeds but when auditing is enabled it also
fills up the logs.

thanks
Brandon
 

Lesley Kipling [MSFT]

Hi Brandon.

A couple of things..

1. Check "audit the access of global system objects" & disable
2. By design behaviour

1. Disable the "Audit the access of global system objects" Local
Security Policy setting if you have previously enabled this setting. To do
this, follow these steps:

a. Click "Start", click "Run", type "gpedit.msc" (without the
quotation marks), and then click "OK".

b. Locate the following entry:
Console Root\Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

c. Double-click the "Audit the access of global system objects"
policy, click "Disabled" under "Local Policy", and then click "OK".

d. On the "Console" menu, click "Exit", and then restart the computer.




2. Failed access attempts are usual during normal Windows operation.
Many times Windows will use a failed access attempt to determine behaviour.
When a process requests a handle to an object, the caller must provide a set
of security credentials and a bitmask representing the type of access
required. If the security identity provided by the caller doesn't have the
access rights requested in the call, then the object access fails with
Access Denied. In the failure response, however, the operating system also
returns a bit mask telling the caller what permissions it does have. The
caller can request access again -- this time with a modified access mask --
and get a handle to the object. As you mention, numerous applications will
request more privilege than they actually need, and it will fail the first
attempt, then use the template (bitmask) returned to it to make its second
request.





HTH, Les

This posting is provided "AS IS" with no warranties, and confers no rights.
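
A simplified model of the request, deny and retry sequence described in the reply above, added here as an illustration; it is not part of the original post and is not Windows code. The SID, the DACL and all function names are constructed for the example, which shows that every over-broad open leaves one failure audit even though the caller ends up with a handle.

```python
# Simplified model of the open/deny/retry sequence; not Windows code.
from dataclasses import dataclass

# Real Windows access-right bit values, used here only as labels.
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000

@dataclass
class Ace:
    allow: bool   # True = access-allowed ACE, False = access-denied ACE
    sid: str
    mask: int

def access_check(dacl, sid, desired):
    """Return (all_requested_bits_granted, rights_the_caller_holds)."""
    allowed = denied = 0
    for ace in dacl:                       # ACEs are evaluated in order
        if ace.sid != sid:
            continue
        if ace.allow:
            allowed |= ace.mask & ~denied  # an earlier deny beats a later allow
        else:
            denied |= ace.mask & ~allowed
    return (desired & ~allowed) == 0, allowed

def open_with_retry(dacl, sid, desired, audit_log, obj):
    """Ask for `desired`; on denial retry with only the rights actually held."""
    ok, held = access_check(dacl, sid, desired)
    if ok:
        return desired
    # With failure auditing enabled, the denied first attempt is what is logged.
    audit_log.append(("FAILURE", obj, sid, hex(desired)))
    retry = desired & held
    ok, _ = access_check(dacl, sid, retry)
    return retry if ok and retry else 0

# Constructed sample: object name as written in the thread; SID and DACL are made up.
SID = "S-1-5-21-EXAMPLE-1001"
DACL = [Ace(True, SID, FILE_READ_DATA | READ_CONTROL)]

def demo(opens=1000):
    """Simulate `opens` over-privileged opens; return (final handle mask, failure audits)."""
    log, handle_mask = [], 0
    want = FILE_READ_DATA | FILE_WRITE_DATA | READ_CONTROL | WRITE_DAC
    for _ in range(opens):
        handle_mask = open_with_retry(DACL, SID, want, log, "/device/netbt_tcp_ip")
    return handle_mask, len(log)
```
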
 
Joined
Nov 8, 2007
Hi,
I do not have access to option 1, where to disable the setting. Is there any other way to correct this error?
 
