Failure Audit | Security | Object Access |560

Discussion in 'Windows Server System' started by 24jedi, 2006/08/17.

  1. 2006/08/17
    24jedi Lifetime Subscription

    24jedi Well-Known Member Thread Starter


    I am getting the following errors but am having a little trouble understanding them and could use some help.
    The system is a w2003-sp1 server with iis6.0

    Event ID 540 shows a successful login for the account PMGBBS.
    Event ID 560 shows a failure audit.

    Now is the failure audit a result of PMGBBS not having the proper ACLs?
    Or is it IWAM_P0075 that doesn't have the correct rights?

    Is the failure being denied execute access to w3wp.exe?
    Or is it being denied write access for JET4E28.tmp?

    I am assuming I am dealing with a permissions issue. This is a heavily tweaked box and I am trying to track down the last of my few errors.

    TIA,

    *****************************************************
    Code:
    
    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 540
    Date: 8/17/2006
    Time: 10:22:40 AM
    User: P0075\PMGBBS
    Computer: P0075
    Description:
    Successful Network Logon:
        User Name: PMGBBS
     	Domain:	P0075
     	Logon ID: (0x0,0x822A8A)
     	Logon Type: 8
     	Logon Process: Advapi  
     	Authentication Package: Negotiate
     	Workstation Name: P0075
     	Logon GUID:	-
        Caller User Name: IWAM_P0075
     	Caller Domain:	P0075
     	Caller Logon ID: (0x0,0x1623F4)
        Caller Process ID: 3280  ### W3WP.EXE ###
     	Transited Services: -
     	Source Network Address:	192.168.222.122
     	Source Port: 1244
    ****************************************************
    Event Type: Failure Audit
    Event Source: Security
    Event Category: Object Access
    Event ID: 560
    Date: 8/17/2006
    Time: 10:31:23 AM
    User: P0075\PMGBBS
    Computer: P0075
    Description:
    Object Open:
     	Object Server:	Security
     	Object Type:	File
        Object Name: C:\WINDOWS\Temp\JET4E28.tmp
     	Handle ID:	-
     	Operation ID: {0,8748799}
        Process ID: 3280  ### W3WP.EXE ###
        Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe
     	Primary User Name:	IWAM_P0075
     	Primary Domain:	P0075
     	Primary Logon ID: (0x0,0x1623F4)
        Client User Name: PMGBBS
     	Client Domain:	P0075
     	Client Logon ID: (0x0,0x822A8A)
     	Accesses:	DELETE 
    			READ_CONTROL 
    			SYNCHRONIZE 
    			ReadData (or ListDirectory) 
    			WriteData (or AddFile) 
    			AppendData (or AddSubdirectory or CreatePipeInstance) 
    			ReadEA 
    			WriteEA 
    			ReadAttributes 
    			WriteAttributes 
    			
     	Privileges:	-
     	Restricted Sid Count:	0
     	Access Mask:	0x13019F
    
    
     
  2. 2006/08/17
    psuedo

    psuedo Inactive

    The user looks like they have all the access they need. It could possibly be that that temp file was in use by the web service when the user attempted to access it, so it is logged as an access denied message.

    Does the user have any problems when using the server??
     

  4. 2006/08/18
    24jedi Lifetime Subscription

    24jedi Well-Known Member Thread Starter

    short story....got it working.

    long story....read on >>

    I took a shot in the dark and made the assumption that the user account PMGBBS, which appeared to be trying to write/append something to C:\WINDOWS\Temp\JET4E28.tmp, didn't have access rights to this folder.

    I knew that I specifically put the PMGBBS account in the Power Users group, but allowed only read & execute access to the root volume C:\, when I built the box. Under normal instances, there should be no reason for PMGBBS to go creating/writing/appending any files on the root volume.

    I made one small security adjustment by allowing the account PMGBBS modify access to the folder and files only for C:\WINDOWS\Temp\. No sub-folders and files, to keep changes minimized. This appears to have been the issue. No more errors.

    I just wish I could have found a "How-to" on interpreting the event-viewer "variables" or field names. ie... "image file name" OK, it's the name of an image file :D . Only after searching google did I find that image file name is the name of the program being used to execute some function.

    In my case PMGBBS was trying to use w3wp.exe to create a temp file in the location C:\WINDOWS\Temp\JET4E28.tmp

    PMGBBS had execute rights for w3wp.exe, but no write access to C:\WINDOWS\Temp\.

    Anyway, I hope this helps someone else. Back to work.
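
The field interpretation worked out in this thread, as an added example that is not part of the original posts: it decodes the 560 event's Access Mask (0x13019F) into the rights listed under Accesses, picks the account the access check applied to, and shows which requested rights a Read & Execute grant does not cover compared with Modify. It assumes the Read & Execute grant on C:\ was the effective permission on the temp file; group memberships and ACL inheritance are not modelled, and the function names are illustrative.

```python
# File access-right bits (winnt.h), named the way Event ID 560 prints them.
FILE_RIGHTS = {
    0x000001: "ReadData (or ListDirectory)",
    0x000002: "WriteData (or AddFile)",
    0x000004: "AppendData (or AddSubdirectory or CreatePipeInstance)",
    0x000008: "ReadEA", 0x000010: "WriteEA", 0x000020: "Execute/Traverse",
    0x000040: "DeleteChild", 0x000080: "ReadAttributes",
    0x000100: "WriteAttributes", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
READ_EXECUTE = 0x1200A9  # FILE_GENERIC_READ | FILE_GENERIC_EXECUTE
MODIFY = 0x1301BF        # "Modify" in the ACL editor

# Fields copied from the 560 event posted above.
EVENT_560 = """\
Object Name: C:\\WINDOWS\\Temp\\JET4E28.tmp
Image File Name: C:\\WINDOWS\\system32\\inetsrv\\w3wp.exe
Primary User Name: IWAM_P0075
Client User Name: PMGBBS
Access Mask: 0x13019F
"""

def parse_fields(text):
    """Turn 'Name: value' lines into a dict, splitting on the first colon."""
    return {k.strip(): v.strip() for k, v in
            (line.split(":", 1) for line in text.splitlines() if ":" in line)}

def decode_mask(mask):
    """Names of the access-right bits set in mask, lowest bit first."""
    return [name for bit, name in sorted(FILE_RIGHTS.items()) if mask & bit]

def checked_account(fields):
    """Impersonated client if one is logged, otherwise the process account."""
    client = fields.get("Client User Name", "-")
    return client if client != "-" else fields["Primary User Name"]

def missing_rights(requested, granted):
    """Requested rights that the granted mask does not cover."""
    return decode_mask(requested & ~granted)

if __name__ == "__main__":
    f = parse_fields(EVENT_560)
    req = int(f["Access Mask"], 16)
    print(checked_account(f), "requested", decode_mask(req))
    print("missing under Read & Execute:", missing_rights(req, READ_EXECUTE))
    print("missing under Modify:", missing_rights(req, MODIFY))
```

The Primary fields name the account the w3wp.exe process runs as (IWAM_P0075); the Client fields name the account it was impersonating when it opened the file (PMGBBS), which is the one whose permissions needed changing.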
     
