Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
892
Views
0
Helpful
2
Replies

LMS 3.1 Windows security event 560 cwuser and SC_Manager Object

Go to solution
max12341234
Level 1
Level 1

‎09-11-2009 06:15 AM

Hi,

I just upgraded an LMS 3.1 server, but the new server has tighter security settings. So far, I have not noticed any problems with the use of CiscoWorks, but the Windows security event log shows a lot of Audit Failures for event 560.

The causers group has "log on as a batch job" as required, and the service daemon manager and all other services start up with no problem.

I was wondering if anyone else has seen these event logs, and if you have noticed any problems due to these.

Thanks!

--Max

___________________________________

Source: Security

Category: Object Access

Type: Failure Aud Event ID: 560

User: CWserver\causer

Computer: CWserver

Object Open:

Object Server: SC Manager

Object Type: SC_MANAGER OBJECT

Object Name: ServicesActive

Handle ID: -

Operation ID: {0,123157396}

Process ID: 584

Image File Name: C:\WINDOWS\system32\services.exe

Primary User Name: CWserver$

Primary Domain: WindowsDomain

Primary Logon ID: (0x0,0xXXX)

Client User Name: casuser

Client Domain: CWserver

Client Logon ID: (0x0,0xXXXXXXX)

Accesses: READ_CONTROL

Connect to service controller

Enumerate services

Query service database lock state

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Joe Clarke
Cisco Employee
Cisco Employee

‎09-11-2009 09:02 AM

We never tested LMS with Windows auditing enabled. In fact, certain security restrictions are known to break LMS (i.e. disabling cookies for all using MMC or IEAK users can cause Apache to fail).

However, something which may quell these messages is to add casuser to the Distributed DCOM group on the server.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Joe Clarke
Cisco Employee
Cisco Employee

‎09-11-2009 09:02 AM

We never tested LMS with Windows auditing enabled. In fact, certain security restrictions are known to break LMS (i.e. disabling cookies for all using MMC or IEAK users can cause Apache to fail).

However, something which may quell these messages is to add casuser to the Distributed DCOM group on the server.

0 Helpful

Go to solution
max12341234
Level 1
Level 1
In response to Joe Clarke

‎09-14-2009 05:54 AM

Thanks jclarke!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents