Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


windows 2003 domain, security failure audits with event 861 and 577

Posted on 2006-04-14
Medium Priority
Last Modified: 2007-12-19
We are running a Windows 2003 domain with many XP Pro clients. This morning, several stations only allowed a login from a "Security administrator". The stations' security event log was at the max filesize and full of failure audits of 577 and 861 events. 577 was appearing only on stations with the Windows firewall turned on. 861 events appeared on all stations.

This started this morning, with no viruses or malware detected (yet).

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Detailed Tracking
Event ID:      861
Date:            4/14/2006
Time:            8:31:43 AM
User:            NT AUTHORITY\SYSTEM
Computer:      COMP-03
The Windows Firewall has detected an application listening for incoming traffic.
Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 704
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1091 <----- port number varies
Allowed: No
User notified: No

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Privilege Use
Event ID:      577
Date:            4/14/2006
Time:            8:59:36 AM
User:            DOMAINNAME\username
Computer:      COMP-03
Privileged Service Called:
       Server:            Security
       Service:            -
       Primary User Name:      username
       Primary Domain:            DOMAINNAME
       Primary Logon ID:      (0x0,0xA6EF6)
       Client User Name:      -
       Client Domain:            -
       Client Logon ID:      -
       Privileges:      SeIncreaseBasePriorityPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Question by:arahming
  • 2
LVL 48

Accepted Solution

Jay_Jay70 earned 2000 total points
ID: 16458285
Hi arahming,

windows firewall is shi******!!!! dont even bother with it

but if you insist on using it

start - run - cmd
netsh firewall add allowedprogram LSASS \ C:\WINDOWS\system32\lsass.exe
This will allow lsass.exe outbound, and will get rid of these messages


Author Comment

ID: 16464663
Any idea if this could happen b setting up auditing on the domain or a virus we set up auditing recently  that the only change
LVL 48

Expert Comment

ID: 16464764
possible virus but i dont know of any as yet

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
Integration Management Part 2
Kernel Data Recovery is a renowned Data Recovery solution provider which offers wide range of softwares for both enterprise and home users with its cost-effective solutions. Let's have a quick overview of the journey and data recovery tools range he…

564 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question