Windows 2003 domain, security failure audits with event 861 and 577

Posted on 2006-04-14
Last Modified: 2007-12-19
We are running a Windows 2003 domain with many XP Pro clients. This morning, several stations only allowed a login from a "Security administrator". The stations' security event log was at the max filesize and full of failure audits of 577 and 861 events. 577 was appearing only on stations with the Windows firewall turned on. 861 events appeared on all stations.

This started this morning, with no viruses or malware detected (yet).

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Detailed Tracking
Event ID:      861
Date:            4/14/2006
Time:            8:31:43 AM
User:            NT AUTHORITY\SYSTEM
Computer:      COMP-03
The Windows Firewall has detected an application listening for incoming traffic.
Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 704
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1091 <----- port number varies
Allowed: No
User notified: No

For more information, see Help and Support Center at

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Privilege Use
Event ID:      577
Date:            4/14/2006
Time:            8:59:36 AM
User:            DOMAINNAME\username
Computer:      COMP-03
Privileged Service Called:
       Server:            Security
       Service:            -
       Primary User Name:      username
       Primary Domain:            DOMAINNAME
       Primary Logon ID:      (0x0,0xA6EF6)
       Client User Name:      -
       Client Domain:            -
       Client Logon ID:      -
       Privileges:      SeIncreaseBasePriorityPrivilege

For more information, see Help and Support Center at
Question by:arahming
    LVL 48

    Accepted Solution

    Hi arahming,

    Windows firewall is shi******!!!! Don't even bother with it

    but if you insist on using it

    start - run - cmd
    netsh firewall add allowedprogram program=C:\WINDOWS\system32\lsass.exe name=LSASS mode=ENABLE
    This will allow lsass.exe outbound, and will get rid of these messages

    LVL 1

    Author Comment

    Any idea if this could happen by setting up auditing on the domain, or a virus? We set up auditing recently; that's the only change.
    LVL 48

    Expert Comment

    Possible virus, but I don't know of any as yet.
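
A triage sketch for the event 861 text quoted in the question, added here as an example (not code from the thread): it parses exported 861 descriptions and groups blocked listeners by executable path and protocol, so it is easy to see whether every entry comes from the same binary. The sample events, the `C:\Temp\example.exe` path and the `outside_baseline` allow-list helper are constructed assumptions.

```python
import re
from collections import defaultdict

HEADER = "The Windows Firewall has detected an application listening"
# Constructed sample in the layout of the event 861 text in the question (not real log data).
SAMPLE = r"""
The Windows Firewall has detected an application listening for incoming traffic.
Path: C:\WINDOWS\system32\lsass.exe
IP protocol: UDP
Port number: 1091
Allowed: No
The Windows Firewall has detected an application listening for incoming traffic.
Path: C:\WINDOWS\system32\lsass.exe
IP protocol: UDP
Port number: 1093 <----- port number varies
Allowed: No
The Windows Firewall has detected an application listening for incoming traffic.
Path: C:\Temp\example.exe
IP protocol: TCP
Port number: 5000
Allowed: No
"""

def parse_861(text):
    """Split exported event text into one dict of 'Field: value' pairs per event."""
    events = []
    for chunk in text.split(HEADER)[1:]:
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # first colon only; paths contain one too
            if sep and value.strip():
                fields[key.strip()] = value.strip()
        port = re.match(r"\d+", fields.get("Port number", ""))  # drop trailing annotations
        fields["Port number"] = int(port.group()) if port else None
        events.append(fields)
    return events

def summarise(events):
    """Group blocked listeners by (path, protocol) and collect the ports seen."""
    seen = defaultdict(set)
    for e in events:
        if e.get("Allowed") == "No":
            seen[(e.get("Path", "").lower(), e.get("IP protocol"))].add(e["Port number"])
    return {k: sorted(p for p in v if p is not None) for k, v in seen.items()}

def outside_baseline(summary, baseline):
    """Return blocked paths missing from an admin-supplied baseline (hypothetical allow-list)."""
    return sorted({path for path, _ in summary} - {b.lower() for b in baseline})
```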
