Windows Server 2016, Security Audit Policy generates a lot of error logs

Occasional Visitor

We have put a monitoring system in place and have enabled various security audits. One in particular is causing me a problem on a data server, with the security auditing on shares: SecPol\Advanced Audit Policies Configuration\System Audit Policies - Local Group Policy Object\Object Access\Audit Handle Manipulation. We enabled "Success and Failure", but since then we have had a countless number of error logs related to the System accounts trying to access the share as soon as a user logs on to their TS server and accesses certain network drives for which they have all the required access. I have searched and I cannot explain why the System accounts try to read these shares when a user logs on.

 

Example:

Event ID: 5145

A network share object was checked to see whether client can be granted desired access.

Subject:
    Security ID:            SYSTEM
    Account Name:           SERVEUR-DATA$
    Account Domain:         DOMAINE
    Logon ID:               0x3e7

Network Information:
    Object Type:            File
    Source Address:         ::1
    Source Port:            56648

Share Information:
    Share Name:             \\*\NOM DU PARTAGE
    Share Path:             \??\H:\DOSSIER PARTAGÉ
    Relative Target Name:   \

Access Request Information:
    Access Mask:            0x80
    Accesses:               ReadAttributes

Access Check Results:
    ReadAttributes:         Not granted

0 Replies
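
Added example, not part of the original post: a Python parser for 5145 events in the text layout quoted above that counts them per account, source, share, requested access and outcome, and flags the combination seen in the post (logon session 0x3e7, loopback source, access mask 0x80). The sample rows, the `jdoe` account, its logon ID and the 192.0.2.10 address are constructed for the example.

```python
import re
from collections import Counter
# Constructed sample: rows 1-2 repeat the post's event values, row 3 is an invented user read.
TEMPLATE = r"""Event ID: 5145
Subject:
    Account Name:     {0}
    Logon ID:         {1}
Network Information:
    Source Address:   {2}
Share Information:
    Share Name:       \\*\NOM DU PARTAGE
Access Request Information:
    Access Mask:      {3}
    Accesses:         {4}
Access Check Results:
    {5}
"""
ROWS = [("SERVEUR-DATA$", "0x3e7", "::1", "0x80", "ReadAttributes", "ReadAttributes: Not granted")] * 2
ROWS += [("jdoe", "0x5f2a1c", "192.0.2.10", "0x1", "ReadData (or ListDirectory)", "-")]
SAMPLE = "".join(TEMPLATE.format(*row) for row in ROWS)
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*?)[ \t]*$", re.M)

def parse_events(text):
    """Split rendered event text into dicts; access-check lines go under 'Results'."""
    events, section = [], None
    for key, value in FIELD.findall(text):
        if key == "Event ID":
            events.append({"Event ID": value, "Results": {}})
            section = None
        elif events and not value:
            section = key  # header line such as "Subject:"
        elif events and section == "Access Check Results":
            events[-1]["Results"][key] = value
        elif events:
            events[-1][key] = value
    return events

def is_local_system_probe(ev):
    """Pattern from the post: SYSTEM session 0x3e7, loopback source, mask 0x80."""
    return (ev.get("Logon ID", "").lower() == "0x3e7" and int(ev.get("Access Mask", "0"), 16) == 0x80
            and ev.get("Source Address") in ("::1", "127.0.0.1"))

def summarize(events):
    """Count 5145 events per (account, source, share, accesses, outcome, local probe)."""
    def key(ev):
        denied = any("not granted" in r.lower() for r in ev["Results"].values())
        return (ev.get("Account Name"), ev.get("Source Address"), ev.get("Share Name"),
                ev.get("Accesses"), "denied" if denied else "granted", is_local_system_probe(ev))
    return Counter(key(ev) for ev in events if ev["Event ID"] == "5145").most_common()
```

Event 5145 is logged under the Audit Detailed File Share subcategory; `auditpol /get /subcategory:"Detailed File Share"` shows whether Success and Failure auditing are currently enabled for it.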