
Event 578 and KB 821458



Guest Smurfman
Posted

I am writing to inquire about KB 821458, related to event ID 578 being logged for an administrator account, generating an audit failure for SeSecurityPrivilege.

The KB says that this is expected behavior. Are there options to stop this event from logging, or is it just safe to ignore it?

 

Any feedback would be useful.

 

This event is on a Windows 2003 Server - Web Server IIS6

Thanks

J

Guest Ryan Hanisco
Posted

RE: Event 578 and KB 821458

 

Good evening,

 

Other than not auditing security, there isn't a way to stop logging this.

You can safely ignore the message.

--

Ryan Hanisco

MCSE, MCTS: SQL 2005, Project+

http://www.techsterity.com

Chicago, IL

 

Remember: Marking helpful answers helps everyone find the info they need

quickly.

 

 


Guest David Shen [MSFT]
Posted

RE: Event 578 and KB 821458

 

Dear Customer,

 

Thank you for posting here.

 

According to your description, my understanding is that:

 

You wonder about the cause of event ID 578 being logged for an administrator account, generating an audit failure for "SeSecurityPrivilege". Your concern is whether there are options to stop event 578 from logging, or whether it is safe to ignore it.

If I have misunderstood anything, please let me know.

 

Based on my research, I'd like to share some knowledge with you.

 

Analysis and Suggestion:

======================

 

Event ID 578 was recorded as a result of using the "SeSecurityPrivilege" privilege. "SeSecurityPrivilege" privileges are required to make NTEventLog calls. This requires the "Audit Privilege Usage" policy to be enabled for both success and failure.

 

A "Success Audit" 578 indicates that a user had successfully used its

privileges on that computer. A typical privilege listed is:

"SeSecurityPrivilege". This means that the user had accessed the Security

event log.

 

A "Failure Audit" of event ID 578 means the token used does not have the "SeSecurityPrivilege" privilege, and it failed to access the event log file. "SeSecurityPrivilege" privileges are required to make NTEventLog calls. If the token does not have this privilege, event 578 is logged. Because the default administrator token has "SeSecurityPrivilege" disabled, and Local Remote Procedure Calls (LRPC) remove non-enabled attributes across the call, this privilege is also removed from this token. When the NTEventLog calls are then made, NTEventLog does not see the SeSecurityPrivilege privilege, and it logs event 578.

 

As we all know, during logoff and shutdown "Csrss.exe" tries to increase its priority. After it has notified all of the running processes of the shutdown, it tries to decrease its priority. Since it is running in the System context, this does not succeed and generates the audit event. This results in access to the NtEventLog call, which finally generates event ID 578.

 

Based on our previous experience, some web application services, such as the SAGENT_WEB service, access the security event log file frequently and are logged as event 578.

 

We have 3 ways to avoid the occurrence:

1. Obtain and apply the updated service pack for the system.
2. Disable the "Audit Privilege Usage" policy setting.
3. Adjust the IIS web application to avoid frequent logon/logoff.

 

If this event is logged twice during logoff and Windows shutdown, you can ignore these events because they are logged in error.

 

For more information:

===================

 

How to obtain the latest service pack for Windows Server 2003

http://support.microsoft.com/kb/889100

 

Audit Failure Event 578 May Be Logged When You Save the Winmsd Report

http://support.microsoft.com/kb/821458

 

Event 578 May Be Logged During Logoff or Shutdown

http://support.microsoft.com/kb/266282

 

I hope all the information will help. I'm waiting for your reply.

 

Thanks for your time.

 

 

David Shen

Microsoft Online Partner Support

Microsoft Global Technology Support Center

Guest Smurfman
Posted

RE: Event 578 and KB 821458

 

Thank you David for your research. I looked at the event further, and might have misunderstood which privilege was generating the error.

It appears that it is the SeTcbPrivilege that is being accessed, not the SeSecurityPrivilege.

Is there a correlation between the 578 and the SeTcbPrivilege, and are there ways to clean this up or change how it is logged?

 

Thanks

J

 


Guest David Shen [MSFT]
Posted

RE: Event 578 and KB 821458

 

Dear Customer,

 

Thanks for your reply.

 

Based on our experience, event 578 is not likely a security issue, since the event is recorded when the administrator is trying to obtain "SeTcbPrivilege" while the administrator doesn't have the user right (which is controlled by the security policy).

 

I would like to perform further research to double-check whether we can safely ignore the event. Please post the event ID 578 log entry related to "SeTcbPrivilege" here.

 

Thanks for your collaboration.

 

 

David Shen

Microsoft Online Partner Support

Microsoft Global Technology Support Center

Guest David Shen [MSFT]
Posted

RE: Event 578 and KB 821458

 

Dear Customer,

 

I'd like to check how things are going. Did you have the chance to try the

troubleshooting steps? If you have any other questions, please do not

hesitate to let me know. I look forward to your further updates.

 

David Shen

Microsoft Online Partner Support

Microsoft GTSC

Guest RZcitrix
Posted

Re: Event 578 and KB 821458

 

I would also like to comment on this issue, as I am having this event log fill up my system. Usera is always logged into the system. I only get this message when I turn on auditing. I am ONLY auditing deletion of files or folders for a few users. Usera is not in that list. This is a Windows 2000 domain in mixed mode, while the actual auditing is happening on a Windows 2003 R2 server. Here is the event.

 

Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 578
Date: 1/22/2008
Time: 9:19:39 AM
User: mydom\usera
Computer: serverb
Description:
Privileged object operation:
Object Server: Security
Object Handle: 2392
Process ID: 5248
Primary User Name: usera
Primary Domain: mydom
Primary Logon ID: (0x0,0x3C874)
Client User Name: usera
Client Domain: mydom
Client Logon ID: (0x0,0x3C874)
Privileges: SeSecurityPrivilege
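As an added example (not code from this thread or from Microsoft), here is a small Python triage script for exported event 578 text records like the one above: it parses the "Field: value" lines and applies the rules from David Shen's first reply (a Success Audit with SeSecurityPrivilege means the Security log was accessed; a Failure Audit with SeSecurityPrivilege means the token lacked the privilege on an NTEventLog call) and flags SeTcbPrivilege records for the follow-up he asked for. The second sample record, including its host name and process ID, is constructed.

```python
# Added example, not code from the thread: triage exported event 578 records
# (the "Privilege Use" text format RZcitrix pasted) by the rules in the replies.
import re

# Constructed sample export: RZcitrix's record, trimmed, plus a made-up failure.
SAMPLE_EXPORT = r"""
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 578
User: mydom\usera
Computer: serverb
Process ID: 5248
Privileges: SeSecurityPrivilege

Event Type: Failure Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 578
User: mydom\administrator
Computer: webserver01
Process ID: 1234
Privileges: SeTcbPrivilege
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.+)$")

def parse_records(text):
    """One dict per blank-line separated record; 'Field: value' lines only."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {m.group(1): m.group(2)
               for m in map(FIELD_RE.match, chunk.splitlines()) if m}
        if rec:
            records.append(rec)
    return records

def triage_578(rec):
    """Return (verdict, reason) following the thread's guidance."""
    if rec.get("Event ID") != "578":
        return ("skip", "not event 578")
    priv, kind = rec.get("Privileges", ""), rec.get("Event Type", "")
    if priv == "SeSecurityPrivilege" and kind == "Success Audit":
        return ("ignore", "Security log accessed with the privilege; expected")
    if priv == "SeSecurityPrivilege" and kind == "Failure Audit":
        return ("ignore", "token lacked SeSecurityPrivilege on NTEventLog call (KB 821458, 266282)")
    if priv == "SeTcbPrivilege":
        return ("review", "SeTcbPrivilege requested without the user right; keep the record")
    return ("review", "privilege not covered by the thread: " + priv)
```

Run `parse_records` over a saved text export and feed each record to `triage_578`; anything returning "review" is what to post or investigate rather than suppress.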

Guest David Shen [MSFT]
Posted

RE: Event 578 and KB 821458

 

Hello Wilson,

 

Thanks for your post.

 

Analysis and Suggestion:

======================

 

A "Success Audit" 578 indicates that a user had successfully used its

privileges on that computer.

 

A typical privilege listed is:

"SeSecurityPrivilege".

 

This means that the user had accessed the Security event log.

 

Based on our experience, this is not a security issue and you can safely ignore it. If you don't want the event to recur, just disable the "Audit Privilege Usage" policy setting.

 

Hope the information will be helpful.

 

Thanks a lot.

 

David Shen

Microsoft Online Partner Support

Microsoft GTSC
