Windows 2003 domain, security failure audits with event 861 and 577

We are running a Windows 2003 domain with many XP Pro clients. This morning, several stations only allowed a login from a "Security administrator". The stations' security event log was at the max filesize and full of failure audits of 577 and 861 events. 577 was appearing only on stations with the Windows firewall turned on. 861 events appeared on all stations.

This started this morning, with no viruses or malware detected (yet).





Event Type:      Failure Audit
Event Source:      Security
Event Category:      Detailed Tracking
Event ID:      861
Date:            4/14/2006
Time:            8:31:43 AM
User:            NT AUTHORITY\SYSTEM
Computer:      COMP-03
Description:
The Windows Firewall has detected an application listening for incoming traffic.
 
Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 704
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1091 <----- port number varies
Allowed: No
User notified: No

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




Event Type:      Failure Audit
Event Source:      Security
Event Category:      Privilege Use
Event ID:      577
Date:            4/14/2006
Time:            8:59:36 AM
User:            DOMAINNAME\username
Computer:      COMP-03
Description:
Privileged Service Called:
       Server:            Security
       Service:            -
       Primary User Name:      username
       Primary Domain:            DOMAINNAME
       Primary Logon ID:      (0x0,0xA6EF6)
       Client User Name:      -
       Client Domain:            -
       Client Logon ID:      -
       Privileges:      SeIncreaseBasePriorityPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
arahming Asked:
Jay_Jay70 Commented:
Hi arahming,

Windows Firewall is shi******!!!! Don't even bother with it

but if you insist on using it

start - run - cmd
netsh firewall add allowedprogram program=C:\WINDOWS\system32\lsass.exe name=LSASS mode=ENABLE
This will allow lsass.exe outbound, and will get rid of these messages
http://www.experts-exchange.com/Networking/Microsoft_Network/Q_21505627.html

Cheers!
arahming (Author) Commented:
Any idea if this could happen by setting up auditing on the domain, or a virus? We set up auditing recently; that's the only change.
Jay_Jay70 Commented:
Possible virus, but I don't know of any as yet.
Question has a verified solution.
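
To see which process, ports and privileges are filling the Security log before changing firewall or audit policy, the 861 and 577 records quoted in the question can be tallied from a text export of the log. This is an added example, not part of the original thread; the sample text is constructed in the layout shown in the question, and the function names `parse_events` and `summarize` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the layout quoted in the question (trimmed to the fields used).
SAMPLE = r"""Event Type:      Failure Audit
Event ID:      861
Computer:      COMP-03
Path: C:\WINDOWS\system32\lsass.exe
IP protocol: UDP
Port number: 1091 <----- port number varies
Allowed: No
Event Type:      Failure Audit
Event ID:      861
Computer:      COMP-03
Path: C:\WINDOWS\system32\lsass.exe
IP protocol: UDP
Port number: 1093
Allowed: No
Event Type:      Failure Audit
Event ID:      577
User:            DOMAINNAME\username
Computer:      COMP-03
       Privileges:      SeIncreaseBasePriorityPrivilege
"""

def parse_events(text):
    """Split on 'Event Type:' headers; read 'Key: value' lines into one dict per record."""
    events = []
    for chunk in re.split(r"^(?=Event Type:)", text, flags=re.M):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep and value.strip():
                fields[key.strip()] = value.strip()
        if "Event ID" in fields:
            events.append(fields)
    return events

def summarize(events):
    """861: ports per (computer, path, protocol, allowed). 577: count per (computer, user, privilege)."""
    listeners, priv_use = defaultdict(set), defaultdict(int)
    for e in events:
        if e["Event ID"] == "861":
            port = re.match(r"\d+", e.get("Port number", ""))
            key = (e.get("Computer"), e.get("Path"), e.get("IP protocol"), e.get("Allowed"))
            listeners[key].add(int(port.group()) if port else None)
        elif e["Event ID"] == "577":
            priv_use[(e.get("Computer"), e.get("User"), e.get("Privileges"))] += 1
    return dict(listeners), dict(priv_use)
```

A single system path with many blocked ports points at one service being refused by the firewall, while an unexpected path or user in either tally is the entry to investigate first.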