LMS 3.1 Windows security event 560 cwuser and SC_Manager Object

Answered Question
Sep 11th, 2009

Hi,

I just upgraded an LMS 3.1 server, but the new server has tighter security settings. So far, I have not noticed any problems with the use of CiscoWorks, but the Windows security event log shows a lot of Audit Failures for event 560.

The casusers group has "log on as a batch job" as required, and the service daemon manager and all other services start up with no problem.

I was wondering if anyone else has seen these event logs, and if you have noticed any problems due to these.

Thanks!

--Max

___________________________________

Source: Security

Category: Object Access

Type: Failure Aud

Event ID: 560

User: CWserver\causer

Computer: CWserver

Object Open:

Object Server: SC Manager

Object Type: SC_MANAGER OBJECT

Object Name: ServicesActive

Handle ID: -

Operation ID: {0,123157396}

Process ID: 584

Image File Name: C:\WINDOWS\system32\services.exe

Primary User Name: CWserver$

Primary Domain: WindowsDomain

Primary Logon ID: (0x0,0xXXX)

Client User Name: casuser

Client Domain: CWserver

Client Logon ID: (0x0,0xXXXXXXX)

Accesses: READ_CONTROL

Connect to service controller

Enumerate services

Query service database lock state

Correct Answer by Joe Clarke about 7 years 5 months ago

We never tested LMS with Windows auditing enabled. In fact, certain security restrictions are known to break LMS (i.e. disabling cookies for all using MMC or IEAK users can cause Apache to fail).

However, something which may quell these messages is to add casuser to the Distributed DCOM group on the server.

Overall Rating: 5 (1 ratings)
Correct Answer
Joe Clarke Fri, 09/11/2009 - 09:02
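An added example, not part of the original thread or of LMS: a small Python parser that groups event 560 audit failures by client account and object and collects the access rights requested, so it is clear what the account is being denied before any group membership or audit setting is changed. The sample text is constructed in the field layout of the event quoted above; the `----` record separator is an assumption about how the events were exported.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: two event 560 descriptions in the field layout quoted in
# the thread (values illustrative); "----" separates records (assumed export).
SAMPLE = r"""
Object Open:
Object Server: SC Manager
Object Name: ServicesActive
Image File Name: C:\WINDOWS\system32\services.exe
Client User Name: casuser
Client Domain: CWserver
Accesses: READ_CONTROL
Connect to service controller
Enumerate services
----
Object Server: SC Manager
Object Name: ServicesActive
Client User Name: casuser
Client Domain: CWserver
Accesses: READ_CONTROL
Query service database lock state
"""

FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")

def parse_event(text):
    """Turn one event description into {field: [value lines]}."""
    fields, current = defaultdict(list), None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = FIELD.match(line)
        if m:                      # "Name: value" starts a new field
            current = m.group(1)
            if m.group(2):         # headers such as "Object Open:" carry no value
                fields[current].append(m.group(2))
        elif current:              # bare line continues a multi-line field
            fields[current].append(line)
    return fields

def summarize(text):
    """Count failures per (client, object) and collect the rights requested."""
    counts, rights = Counter(), defaultdict(set)
    for ev in map(parse_event, text.split("----")):
        if ev:
            key = (ev["Client Domain"][0] + "\\" + ev["Client User Name"][0],
                   ev["Object Server"][0], ev["Object Name"][0])
            counts[key] += 1
            rights[key].update(ev["Accesses"])
    return counts, rights
```
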
