Data Center Security

  • 1.  Millions of Audit Events in DCS 6.7 Server for Filesystem

    Posted Oct 10, 2017 09:47 AM

    Hi Folks,


    We have two distinct installations of DCS 6.7.
    Both installations are on Windows Server 2012 R2 and both installed on a D:\

     

    We found a significant amount of successful security audit events any time an object is created or accessed on the filesystem where DCS is installed.
    It peaks every hour: for about 5 minutes every hour, about 200,000 audit events are created (per instance).


    86% of events are Event ID: 4663
    13% of events are Event ID: 4660


    After a full day, we could have 3 million 4663/4660 events, and this is causing a real problem for visibility.
    The only two filesystems in the entire environment doing this belong to the DCS Server.

     

    Does anyone have thoughts on how to reduce/eliminate all these events?


    Example:

    Message=An attempt was made to access an Object


    Object
    Object Server: Security
    Object Name: D:\Program Files (x86)\Symantec\Data Center Security\Server\config.db


    Process Information
    Process Name=D:\Program Files (x86)\Symantec\Data Center Security\Server\tomcat\bin\tomcat7.exe
    Access Request Information
    Accesses:  WriteData (or Addfile)

     


    Thanks
    James



  • 2.  RE: Millions of Audit Events in DCS 6.7 Server for Filesystem

    Posted Nov 01, 2017 04:15 AM

    Solved.

     

    From digging through my environment, I found the originator of the 4663/4666 object audit events to be "Removable Storage".

    I noticed an Active Directory Security GPO to audit all removable media in the environment.

     

    Digging into why our D: and E: VMDKs in VMware were considered removable media, I looked into "safely eject media" and found the drives, NICs and vSCSI HBA.

    Checking VMware's support site, I then found this: https://kb.vmware.com/s/article/1012225?language=en_US

     

    I set the VMs to not have hotplug and the problem was solved.

     

    James.
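
A way to check the diagnosis in the post above from the Windows side, added here as an example and not part of the original thread: it shows whether the "Removable Storage" audit subcategory is enabled, then groups recent 4663/4660 events by volume and process so the hourly burst and its source are visible. It assumes an elevated PowerShell session on the affected server; the one-hour window and the 50,000-event cap are arbitrary choices.

```powershell
# Added example, not from the thread. Run elevated on the affected server.

# 1. Is the "Removable Storage" object-access audit subcategory switched on?
auditpol /get /subcategory:"Removable Storage"

# 2. Pull recent 4663 (object access) and 4660 (object deleted) events.
#    Window and cap are arbitrary; adjust to the size of the Security log.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663, 4660
    StartTime = $since
} -MaxEvents 50000 -ErrorAction SilentlyContinue

# 3. Flatten the EventData fields needed for triage.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    $object = $data['ObjectName']   # 4660 events carry no ObjectName
    [pscustomobject]@{
        EventId = $e.Id
        Process = $data['ProcessName']
        Volume  = if ($object -match '^[A-Za-z]:') { $Matches[0].ToUpper() } else { '(none)' }
        Minute  = $e.TimeCreated.ToString('HH:mm')
    }
}

# 4. Which volume and process produce the noise?
$rows | Group-Object EventId, Volume, Process |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name |
    Format-Table -AutoSize

# 5. Events per minute, to make the hourly burst visible.
$rows | Group-Object Minute | Sort-Object Name |
    Select-Object Name, Count |
    Format-Table -AutoSize
```

Running it again after the hotplug change and a reboot of the VM should show the 4663 count for the D: and E: volumes drop away if the removable-media audit policy was the source.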

     



  • 3.  RE: Millions of Audit Events in DCS 6.7 Server for Filesystem

    Trusted Advisor
    Posted Nov 01, 2017 07:31 AM

    Hi James,

    If this is resolved, would it be possible for you to mark yourself as the solution?

    Thanks