Attack of the Event ID 565
I have a Windows Server 2003 box that is a DC, a DNS server, and an Exchange 2003 server. In the security event log we are getting 50-100 events a second like this:

Source: Security
Category: Directory Service Access
Event ID: 565
User: NT AUTHORITY\SYSTEM
Object Open:
 Object Server: Security Account Manager
 Object Type: SAM_DOMAIN
 Object Name: CN=Builtin,DC=tmfteam,DC=com
 Handle ID: 129843432
 Operation ID: {0,588717592}
 Process ID: 520
 Process Name: C:\WINDOWS\system32\lsass.exe
 Primary User Name: SERVERNAME$
 Primary Domain: SERVERNAME
 Primary Logon ID: (0x0,0x3E7)
 Client User Name: SERVERNAME$
 Client Domain: SERVERNAME
 Client Logon ID: (0x0,0x3E7)
 Accesses: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters WritePasswordParameters ReadOtherParameters WriteOtherParameters CreateUser CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership ListAccounts
 Privileges: -
 Properties:
 ---
 %{19195a5a-6da0-11d0-afd3-00c04fd930c9}
 DELETE READ_CONTROL WRITE_DAC WRITE_OWNER ReadPasswordParameters WritePasswordParameters ReadOtherParameters WriteOtherParameters CreateUser CreateGlobalGroup CreateLocalGroup GetLocalGroupMembership ListAccounts
 %{c7407360-20bf-11d0-a768-00aa006e0529}
 %{bf9679a4-0de6-11d0-a285-00aa003049e2}
 %{bf9679a5-0de6-11d0-a285-00aa003049e2}
 %{bf9679a6-0de6-11d0-a285-00aa003049e2}
 %{bf9679bb-0de6-11d0-a285-00aa003049e2}
 %{bf9679c2-0de6-11d0-a285-00aa003049e2}
 %{bf9679c3-0de6-11d0-a285-00aa003049e2}
 %{bf967a09-0de6-11d0-a285-00aa003049e2}
 %{bf967a0b-0de6-11d0-a285-00aa003049e2}
 %{b8119fd0-04f6-4762-ab7a-4986c76b3f9a}
 %{bf967a34-0de6-11d0-a285-00aa003049e2}
 %{bf967a33-0de6-11d0-a285-00aa003049e2}
 %{bf9679c5-0de6-11d0-a285-00aa003049e2}
 %{bf967a61-0de6-11d0-a285-00aa003049e2}
 %{bf967977-0de6-11d0-a285-00aa003049e2}
 %{bf96795e-0de6-11d0-a285-00aa003049e2}
 %{bf9679ea-0de6-11d0-a285-00aa003049e2}
 %{ab721a52-1e2f-11d0-9819-00aa0040529b}
 Access Mask: 0

I'm sure this has something to do with auditing, but I can't find where to turn it off.
I've checked all of our group policies and none of them have directory service auditing enabled. I've checked the security properties of the server and the domain, and neither of them have it enabled either.
August 27th, 2008 7:47pm
Based on a search, I have found an extremely well-explained article; give it a look.

These events are caused because Microsoft Exchange server is accessing your Active Directory user accounts. Microsoft Exchange uses Active Directory accounts, and extends the schema of those accounts to store Exchange-related settings on those accounts. The "unknown specific access" entries mean that the Windows system that you used to look at the logs didn't natively know the names of the Exchange-related properties being accessed.

Failure audit events and "unknown specific access" events, while annoying, are not in themselves signs of a problem on your system. If you enable failure auditing you will see some failures; Windows and Windows applications often have code to take care of the failure by doing something a different way. For instance, if you use Word to open a document that you only have read permission to, Word will try to open the document for write; this will cause a failure audit if failure auditing for object access is turned on. However, Word won't crash or throw an error; it will simply notify you that it's going to open the document as read-only. Similarly, Exchange and many other Windows applications do similar things.

If the only symptom you're seeing is the failure audits, and Exchange is working properly, these can be safely ignored. If you have problems using or administering Exchange, then you should post to one of the Exchange forums, and offer these audit events as additional troubleshooting information.

If you just want these events to go away, the easiest way to do so is to modify the Default Domain Controllers Policy in Administrative Tools. You can change Computer Settings\Security Settings\Local Policies\Audit Policy to disable Failure auditing for the DS Object Access category. Or, you can change the SACL on the root of your Active Directory, to either remove failure accesses, or to remove the object types or accesses in question.

Thanks and hope it helps,
Syed Khairuddin
August 28th, 2008 10:07am
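The two places the answer above points at, the DS Access audit policy and the SACL on the root of Active Directory, can be checked from a script instead of by clicking through the consoles. The following is an added example written for this page; it is not code from the thread or from Microsoft. It assumes the ActiveDirectory PowerShell module and the AD: drive it creates (RSAT on Windows 7 / Server 2008 R2 or later, so it is run from a newer admin box rather than the Server 2003 DC in the question), domain-admin rights, and the domain DN DC=tmfteam,DC=com taken from the posted event; the function name Resolve-AdGuid and the variable $guidMap are my own. It resolves the property GUIDs printed in the posted 565 event against the schema partition and the Extended-Rights container, which is what turns an "unknown specific access" line into a readable attribute or property-set name, and then lists the audit rules on the domain root and on CN=Builtin (the object named in the event) with their Success/Failure flags and the object types they cover.

```powershell
# Added example for this thread (not code from the post or from Microsoft).
# Assumes: ActiveDirectory module (RSAT, Windows 7 / Server 2008 R2 or later),
# domain-admin rights, and the domain DN from the posted event (an assumption;
# set $domainDN to your own domain).
Import-Module ActiveDirectory

$domainDN = 'DC=tmfteam,DC=com'

# 1. Build a GUID -> name map. Attributes and classes carry schemaIDGUID in the
#    schema partition; property sets and control-access rights carry rightsGuid
#    under CN=Extended-Rights in the configuration partition.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext `
             -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(rightsGuid=*)' `
             -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AdGuid {
    param([guid]$Guid)
    if ($Guid -eq [guid]::Empty)     { return '(all)' }          # rule covers every object/property
    if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
    return "unknown $Guid"                                       # what Event Viewer shows when it cannot resolve
}

# 2. The Properties GUIDs exactly as they appear in the 565 event in the question.
$eventGuids = @(
    '19195a5a-6da0-11d0-afd3-00c04fd930c9', 'c7407360-20bf-11d0-a768-00aa006e0529',
    'bf9679a4-0de6-11d0-a285-00aa003049e2', 'bf9679a5-0de6-11d0-a285-00aa003049e2',
    'bf9679a6-0de6-11d0-a285-00aa003049e2', 'bf9679bb-0de6-11d0-a285-00aa003049e2',
    'bf9679c2-0de6-11d0-a285-00aa003049e2', 'bf9679c3-0de6-11d0-a285-00aa003049e2',
    'bf967a09-0de6-11d0-a285-00aa003049e2', 'bf967a0b-0de6-11d0-a285-00aa003049e2',
    'b8119fd0-04f6-4762-ab7a-4986c76b3f9a', 'bf967a34-0de6-11d0-a285-00aa003049e2',
    'bf967a33-0de6-11d0-a285-00aa003049e2', 'bf9679c5-0de6-11d0-a285-00aa003049e2',
    'bf967a61-0de6-11d0-a285-00aa003049e2', 'bf967977-0de6-11d0-a285-00aa003049e2',
    'bf96795e-0de6-11d0-a285-00aa003049e2', 'bf9679ea-0de6-11d0-a285-00aa003049e2',
    'ab721a52-1e2f-11d0-9819-00aa0040529b'
)
"== Properties listed in the event =="
$eventGuids | ForEach-Object {
    [pscustomobject]@{ Guid = $_; Name = Resolve-AdGuid ([guid]$_) }
} | Format-Table -AutoSize

# 3. Audit rules (SACL) on the domain root and on CN=Builtin, the object named
#    in the event. Flags shows whether Success or Failure is audited for each
#    entry, so you can see which half of the policy/SACL generates the events.
foreach ($path in "AD:\$domainDN", "AD:\CN=Builtin,$domainDN") {
    $acl = Get-Acl -Path $path -Audit
    "`n== Audit rules on $path =="
    $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        ForEach-Object {
            [pscustomobject]@{
                Principal = $_.IdentityReference
                Flags     = $_.AuditFlags
                Rights    = $_.ActiveDirectoryRights
                Property  = Resolve-AdGuid $_.ObjectType
                AppliesTo = Resolve-AdGuid $_.InheritedObjectType
                Inherited = $_.IsInherited
            }
        } | Format-Table -AutoSize
}

# 4. Effective audit policy on this DC. This auditpol syntax is Vista/2008 and
#    later; the Server 2003 resource-kit auditpol takes different arguments.
"`n== Effective DS Access audit policy =="
auditpol /get /category:"DS Access"
```

Run it on a DC (or with the AD: drive pointing at one) as a domain admin. An entry in the SACL listing whose Property resolves to a property set such as the domain password parameters, combined with the Flags column, tells you which SACL entry to edit rather than guessing from the GUIDs; if no rule on either object carries the flag that matches the events, the SACL is inherited from a parent or the policy in step 4 is the thing to change.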
Thanks for the response, Syed. It is true that this issue does not seem to be causing any obvious problems. I just can't imagine that many events logged every second can be good for system performance. This is on an Exchange server, so I'm not sure why it would not be aware of those events. FWIW I did have an Exchange 2007 server in the organization briefly, but had to uninstall it to work out some hardware issues.

I've tried turning off auditing directory service access in both the domain controller policy and at the root of the domain, but it isn't turned on.
September 3rd, 2008 4:15pm
We are getting AD account lockouts several times a day. Not sure what's causing it.
September 1st, 2011 3:41pm