We monitor security events in Event Viewer. One category I have included is the failure and success of privilege use. One event that is quite prevalent is 577:
Examples of the event ID messages produced under 577 are:
(Example 1) Privileged Service Called:
Server: NT Local Security Authority / Authentication Service
Service: LsaRegisterLogonProcess()
Primary User Name: Server3$
Primary Domain: OURDOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: Server3$
Client Domain: OURDOMAIN
Client Logon ID: (0x0,0x3E7)
Privileges: SeTcbPrivilege
(Example 2) Privileged Service Called:
Server: Security
Service: -
Primary User Name: User1
Primary Domain: OURDOMAIN
Primary Logon ID: (0x0,0x28ADA11)
Client User Name: -
Client Domain: -
Client Logon ID: -
Privileges: SeIncreaseBasePriorityPrivilege
What is the significance of these events? What is being done when these events are generated?
I've read one newsgroup discussion where someone reported the same experience, and a Microsoft representative wrote this response:
"You should disable the auditing category 'privilege use'. You don't need it." (Eric Fitzgerald, Program Manager, Windows Auditing and Intrusion Detection, Microsoft Corporation, April 22, 2002)
See
That user was using Windows 2000 Server as well.
Do Tek-Tip readers agree with this position? Is this the Microsoft official position?
Thanks for your help.
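As an added example (not part of the original post, and not Microsoft's guidance), here is the kind of triage one can run over 577 "Privileged Service Called" messages before deciding whether the category is pure noise. Event 577 is written when a process calls a system service that requires a privilege it holds; in Example 1, LsaRegisterLogonProcess() requires SeTcbPrivilege, and logon ID (0x0,0x3E7) is 999, the local SYSTEM logon session, so that record is the machine account doing routine logon-process registration. The first two sample messages below are modelled on the post's examples; the third is constructed to show a record a reviewer would actually want to see (a normal user exercising SeDebugPrivilege). The HIGH_VALUE and NOISE privilege sets are assumptions chosen for illustration, not an official list.

```python
import re
from collections import Counter

# Constructed sample 577 message bodies in the Windows 2000 text format.
# The first two follow the examples in the post; the third is invented.
SAMPLE_EVENTS = [
    """Privileged Service Called:
Server: NT Local Security Authority / Authentication Service
Service: LsaRegisterLogonProcess()
Primary User Name: Server3$
Primary Domain: OURDOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: Server3$
Client Domain: OURDOMAIN
Client Logon ID: (0x0,0x3E7)
Privileges: SeTcbPrivilege""",
    """Privileged Service Called:
Server: Security
Service: -
Primary User Name: User1
Primary Domain: OURDOMAIN
Primary Logon ID: (0x0,0x28ADA11)
Client User Name: -
Client Domain: -
Client Logon ID: -
Privileges: SeIncreaseBasePriorityPrivilege""",
    # constructed: an ordinary user exercising SeDebugPrivilege
    """Privileged Service Called:
Server: Security
Service: -
Primary User Name: User2
Primary Domain: OURDOMAIN
Primary Logon ID: (0x0,0x3A1F2C)
Client User Name: -
Client Domain: -
Client Logon ID: -
Privileges: SeDebugPrivilege
            SeBackupPrivilege""",
]

SYSTEM_LOGON_ID = "(0x0,0x3E7)"  # logon ID 999: the local SYSTEM session

# Assumed sets for illustration: privileges worth reviewing when a non-SYSTEM
# principal exercises them, and privileges that fire constantly in normal use.
HIGH_VALUE = {"SeTcbPrivilege", "SeDebugPrivilege", "SeBackupPrivilege",
              "SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege"}
NOISE = {"SeIncreaseBasePriorityPrivilege", "SeChangeNotifyPrivilege"}

FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_577(text):
    """Parse one 577 message body into a dict of field -> value.

    Continuation lines (a second privilege indented under "Privileges:")
    are appended to the previous field, then Privileges becomes a list.
    """
    fields = {}
    last = None
    for line in text.splitlines()[1:]:  # skip "Privileged Service Called:"
        m = FIELD_RE.match(line.strip())
        if m:
            last = m.group(1).strip()
            fields[last] = m.group(2).strip()
        elif last is not None and line.strip():
            fields[last] += " " + line.strip()
    fields["Privileges"] = fields.get("Privileges", "").split()
    return fields


def classify(ev):
    """Return 'expected', 'noise' or 'review' for one parsed 577 event."""
    privs = set(ev["Privileges"])
    if ev.get("Primary Logon ID") == SYSTEM_LOGON_ID and ev.get("Primary User Name", "").endswith("$"):
        return "expected"  # machine account in the SYSTEM session: OS housekeeping
    if privs & HIGH_VALUE:
        return "review"    # a real user touched a privilege that matters
    if privs and privs <= NOISE:
        return "noise"
    return "review"        # anything unfamiliar is worth a look


def triage(events):
    """Count verdicts and list the (user, privileges) pairs flagged for review."""
    parsed = [parse_577(e) for e in events]
    verdicts = [classify(p) for p in parsed]
    flagged = [(p["Primary User Name"], p["Privileges"])
               for p, v in zip(parsed, verdicts) if v == "review"]
    return Counter(verdicts), flagged


if __name__ == "__main__":
    counts, flagged = triage(SAMPLE_EVENTS)
    print(dict(counts))
    for user, privs in flagged:
        print(f"REVIEW: {user} exercised {', '.join(privs)}")
```

Run against the three samples, the SYSTEM-session LsaRegisterLogonProcess() record is classed as expected, User1's SeIncreaseBasePriorityPrivilege as noise, and only User2's SeDebugPrivilege/SeBackupPrivilege call is flagged. That split is the practical answer to the question of whether the category is worthless: the volume is mostly records like Examples 1 and 2, but the filter keeps the few that are not.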