IIS/Network Service registry audit failure for Disallowed certific

On 16.04.2008 16:38:02 by fullhouse

We are required to have failure auditing on the HKLM\Software and HKLM\System
registry hives (implemented recently) and now we are getting several thousand
of the following events in just a couple of days. Why does it need all the
WRITE, Set, and Create access privileges? No IIS problem has currently been
traced to this failure audit yet, but it does result in Windows issues,
because it contributes to filling up our system drive with archived security
event logs, as we are not allowed to overwrite events when the log is
full.
-----------------------------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
User: NT AUTHORITY\NETWORK SERVICE
Description:
Object Open:
Object Server: Security
Object Type: Key
Object Name:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed
Handle ID: -
Operation ID: {0,18914555}
Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Primary Login ID: (0x0,0x3E4)
Client User Name: -
Client Domain: -
Client Login ID: -
Accesses:
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, Query key value, Set key
value, Create sub-key, Enumerate sub-keys, Notify about changes to keys,
Create Link
Privileges: -
Restricted Sid Count: 0
Access Mask: 0xF003F
-----------------------------------------------------------------------
Thanks,

Tim

Re: IIS/Network Service registry audit failure for Disallowed

On 17.04.2008 03:21:44 by David Wang

Your policy of failure auditing is going to cause you headaches
because it doesn't work the way you think or how you are describing
the issue.

You want to read Eric's blog on the topic of audit logging:

http://blogs.msdn.com/ericfitz/archive/2005/01/11/350848.aspx


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Re: IIS/Network Service registry audit failure for Disallowed certific

On 17.04.2008 10:37:48 by wjzhang

Hi Tim,

I agree with David. You should be able to safely ignore these access denied
failures and stop auditing to avoid the security events. The Network Service
account should only require Read permission on these certificate store
related registry entities. By default, the Local Users group already has the
Read permission. So SSL stuff is working fine; you do not need to change
anything or grant rights to the account.

Please update here if you have any further concern on this.

Thanks.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
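As an added example (not code from any of the posts above), the following Python decodes the Access Mask from the event Tim quoted, checks that it matches the accesses the event names, lists which rights go beyond KEY_READ, and tags an event matching this thread's pattern as known noise so it can be filtered at review time rather than by switching the audit policy off. The bit values are the documented Win32 registry and standard access rights; SAMPLE_EVENT is a constructed copy of the event in the first post, and the triage rule and its labels are this example's own, built on WenJun's statement that Read is all the account needs.

```python
"""Decode and triage the registry failure audit (event 560) quoted in the
thread. Added example, not part of the original posts: the bit values are
the documented Win32 registry and standard access rights, and SAMPLE_EVENT
is a constructed copy of the event Tim posted."""
import re

# Registry-specific rights, low 16 bits of the mask (KEY_QUERY_VALUE .. KEY_CREATE_LINK).
KEY_SPECIFIC_RIGHTS = {
    0x0001: "Query key value",
    0x0002: "Set key value",
    0x0004: "Create sub-key",
    0x0008: "Enumerate sub-keys",
    0x0010: "Notify about changes to keys",
    0x0020: "Create Link",
}
# Standard rights shared by every securable object, bits 16-19.
STANDARD_RIGHTS = {
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
}
KEY_READ = 0x00020019        # READ_CONTROL | Query | Enumerate | Notify
KEY_ALL_ACCESS = 0x000F003F  # every bit in both tables: the mask in the event

DISALLOWED_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed"

# Constructed copy of the event text from the first post, wrapped as rendered there.
SAMPLE_EVENT = r"""Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
User: NT AUTHORITY\NETWORK SERVICE
Description:
Object Open:
Object Server: Security
Object Type: Key
Object Name:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed
Handle ID: -
Operation ID: {0,18914555}
Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Primary Login ID: (0x0,0x3E4)
Accesses:
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, Query key value, Set key
value, Create sub-key, Enumerate sub-keys, Notify about changes to keys,
Create Link
Privileges: -
Restricted Sid Count: 0
Access Mask: 0xF003F
"""


def decode_access_mask(mask):
    """Names of the rights a mask requests, in the order event 560 lists them."""
    names = [n for bit, n in STANDARD_RIGHTS.items() if mask & bit]
    names += [n for bit, n in KEY_SPECIFIC_RIGHTS.items() if mask & bit]
    return names


def excess_over_read(mask):
    """Rights requested beyond KEY_READ, i.e. beyond what Users hold by default."""
    return decode_access_mask(mask & ~KEY_READ)


def parse_event(text):
    """Pull the fields the triage needs out of an event 560 description."""
    def field(label, pattern=r"(.+)"):
        m = re.search(label + r":\s*" + pattern, text)
        return m.group(1).strip() if m else ""
    accesses = re.search(r"Accesses:\s*(.*?)\s*Privileges:", text, re.S).group(1)
    return {
        "object_name": field("Object Name", r"(\S+)"),
        "image": field("Image File Name"),
        "user": field("Primary User Name"),
        # collapse the wrapped lines, then split the comma-separated names
        "accesses": [a.strip() for a in " ".join(accesses.split()).split(",")],
        "access_mask": int(field("Access Mask", r"0x([0-9A-Fa-f]+)"), 16),
    }


def triage(event):
    """Label a failure audit: the thread's known pattern vs. something to look at."""
    mask = event["access_mask"]
    if (event["object_name"].lower() == DISALLOWED_KEY.lower()
            and event["image"].lower().endswith(r"\w3wp.exe")
            and event["user"].upper() == "NETWORK SERVICE"
            and mask == KEY_ALL_ACCESS):
        # w3wp.exe asked for every right on the Disallowed store; it holds Read only.
        return "known-noise"
    if mask & ~KEY_READ:
        return "review-write"   # rights beyond Read requested by something else
    return "review-read"        # even Read was denied: look at the key's ACL


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    print("decoded:", decode_access_mask(ev["access_mask"]))
    print("matches event text:", decode_access_mask(ev["access_mask"]) == ev["accesses"])
    print("beyond Read:", excess_over_read(ev["access_mask"]))
    print("triage:", triage(ev))
```

The decoded mask 0xF003F is exactly KEY_ALL_ACCESS: the worker process opened the key asking for every right rather than only the Read rights it is granted, which is why the event lists DELETE, WRITE_DAC and the Set/Create rights. Filtering on the full tuple (key, image, account, mask) keeps any other failure on that key visible and leaves the audit policy itself untouched; it does not reduce the volume written to the local log.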

Re: IIS/Network Service registry audit failure for Disallowed cer

On 17.04.2008 15:36:01 by fullhouse

I have browsed many of Eric's discussions on auditing in the past (including
the one David referenced) and have found them very useful; unfortunately, we
are required to have C2 compliant auditing enabled and provide justification
for any deviations.

Is there a reason that Network Service is attempting to get all these access
rights to the Disallowed key for IIS?

--
Thanks,

Tim

Re: IIS/Network Service registry audit failure for Disallowed cer

On 18.04.2008 00:24:05 by David Wang

The best way to resolve this will be for you to open a support ticket
with Microsoft PSS to get an explanation/fix.

IIS6 is not installed by default, so the C2 compliance team couldn't
have known. I can also tell you that C2 compliance was not on the IIS6
team's radar during development, so it is very possible that we are
inadvertently spamming the audit.

The support ticket is the only way you can make forward progress. We
can discuss it all day, but without the support ticket, no change will
happen.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Re: IIS/Network Service registry audit failure for Disallowed cer

On 18.04.2008 03:11:01 by fullhouse

I will attempt to open a support incident.

--
Thanks,

Tim
