I have a policy in place and for the most part its deployment has been successful, with a few exceptions. I ran into another exception today. When the IPS is enabled I can stop Windows services without issue, but I cannot restart or start the stopped services. The service in question is Windows Time. I seem to be unable to generate an event in the log when I stop the service or fail in starting it.
I can restart and start Windows Time when the prevention is disabled. Looking through the audit log I have a few failed audits. Below is the failed audit:
####################
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 9/18/2013 3:14:16 PM
Event ID: 4656
Task Category: File System
Level: Information
Keywords: Audit Failure
User: N/A
Computer: app.xxxx.xxx
Description:
A handle to an object was requested.
Subject:
Security ID: XXXXXX\jdoe
Account Name: XXXXXX
Account Domain: XXXXXX
Logon ID: 0x1d85be15
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\System32\services.msc
Handle ID: 0x0
Process Information:
Process ID: 0x17f0
Process Name: C:\Windows\System32\mmc.exe
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: READ_CONTROL
SYNCHRONIZE
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
ReadAttributes
WriteAttributes
Access Reasons: READ_CONTROL: Granted by D:(A;;0x1200a9;;;BA)
SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BA)
WriteData (or AddFile): Not granted
AppendData (or AddSubdirectory or CreatePipeInstance): Not granted
WriteEA: Not granted
ReadAttributes: Granted by ACE on parent folder D:(A;;0x1301bf;;;BA)
WriteAttributes: Not granted
Access Mask: 0x120196
Privileges Used for Access C
############################
Below is the entry I have in my policy to cover this problem, though it doesn't appear to be working. I am applying this in the service options section under alternative privileges.
Any help is appreciated!
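
Added example, not part of the original post: a small Python parser for the event 4656 text quoted above that decodes the Access Mask into file access rights and separates the rights that were granted from those marked "Not granted". The bit values are the standard Windows file access rights; `analyze_4656`, `FILE_RIGHTS` and `SAMPLE_EVENT` are names chosen here, and the sample is an excerpt of the event in the post.

```python
import re

# File-object access-right bits (values from winnt.h).
FILE_RIGHTS = {
    0x000001: "ReadData (or ListDirectory)", 0x000002: "WriteData (or AddFile)",
    0x000004: "AppendData (or AddSubdirectory or CreatePipeInstance)",
    0x000008: "ReadEA", 0x000010: "WriteEA", 0x000020: "Execute/Traverse",
    0x000040: "DeleteChild", 0x000080: "ReadAttributes",
    0x000100: "WriteAttributes", 0x010000: "DELETE", 0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC", 0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
BIT_OF = {name: bit for bit, name in FILE_RIGHTS.items()}

# Excerpt of the event 4656 text quoted in the post above.
SAMPLE_EVENT = """\
Access Reasons: READ_CONTROL: Granted by D:(A;;0x1200a9;;;BA)
SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BA)
WriteData (or AddFile): Not granted
AppendData (or AddSubdirectory or CreatePipeInstance): Not granted
WriteEA: Not granted
ReadAttributes: Granted by ACE on parent folder D:(A;;0x1301bf;;;BA)
WriteAttributes: Not granted
Access Mask: 0x120196
"""

def analyze_4656(text):
    """Decode the Access Mask and split requested rights into granted/denied."""
    m = re.search(r"Access Mask:\s*(0x[0-9a-fA-F]+)", text)
    if m is None:
        raise ValueError("no Access Mask field found")
    mask = int(m.group(1), 16)
    requested = [n for b, n in sorted(FILE_RIGHTS.items()) if mask & b]
    granted, denied = {}, []
    for line in text.splitlines():
        line = line.strip().removeprefix("Access Reasons:").strip()
        right, sep, reason = line.partition(": ")
        if not sep or right not in requested:
            continue  # not a "<right>: <reason>" line
        if reason.strip() == "Not granted":
            denied.append(right)
        else:
            granted[right] = reason.strip()
    return {"mask": mask, "requested": requested, "granted": granted,
            "denied": denied, "denied_mask": sum(BIT_OF[r] for r in denied)}

if __name__ == "__main__":
    result = analyze_4656(SAMPLE_EVENT)
    print(f"mask 0x{result['mask']:x}, denied bits 0x{result['denied_mask']:x}")
    print("not granted:", "; ".join(result["denied"]))
```

For this event the denied rights are all write-type accesses that `mmc.exe` requested on `services.msc`, which helps when deciding whether a given audit failure is related to the service start problem or is unrelated noise.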