da2loo asked:
How to stop the Security Log being flooded with Event ID 577?
I'm running Windows Server 2003 with a Cluster File Service.
The security log is being flooded with Failure Audit Event ID 577 entries.
Example:
When a user opens a folder on the network drive on this server, it creates about 80 identical log entries at once:
Event Type: Failure Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 577
Date: 16.12.2013
Time: 11:30:31
User: DOMAIN\USER
Computer: SERVERNAME
Description:
Privileged Service Called:
Server: Security
Service: -
Primary User Name: SERVERNAME$
Primary Domain: DOMAIN
Primary Logon ID: LOGONID
Client User Name: USER
Client Domain: DOMAIN
Client Logon ID: LOGONID
Privileges: SeBackupPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
The local policies are set up as below and can't be changed, as they are set by the domain:
Security Option: Audit the use of Backup and Restore privilege - Enabled
Audit Policy: Audit privilege use - Success and Failure
Third party agents - AV maybe?
https://www.lumension.com/kb/Home/L-E-M-S-S-/L-E-M-S-S--SeBackupPrivilege-fills-the-Windows-Sec.aspx
Also a bad GPO may cause this:
http://msdn.microsoft.com/en-us/library/windows/desktop/bb530716%28v=vs.85%29.aspx
ASKER
One user opening one folder produces 80 event log entries with exactly the same information, all at once; is this normal with these policies enabled?
Any idea what could cause all normal users accessing the files/folders on the server attempting to use SeBackupPrivilege in the first place?
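Added example, not part of the thread: a Windows PowerShell 2.0 script (assumes PowerShell is installed on the Server 2003 box, or run remotely with rights to read its Security log) that pulls the Failure Audit 577 entries and collapses identical (second, client user, client logon ID, privilege) tuples into counted bursts, so the 80-entry bursts above can be measured per user and per time before pointing at a particular agent. The parameter names and the burst threshold are assumptions, not anything from the thread.

```powershell
# Added example, not from the original thread. Assumes Windows PowerShell 2.0
# and read access to the Security log on $Server. Fields are parsed out of the
# event description text, so the order of the insertion strings does not matter.
param(
    [string]$Server = $env:COMPUTERNAME,
    [int]$Hours = 1,
    [int]$BurstThreshold = 10   # report any (second, user, privilege) tuple with this many entries or more
)

$since = (Get-Date).AddHours(-$Hours)

# Event ID 577 = "Privileged Service Called"; only the Failure Audit entries are the flood.
$events = Get-EventLog -ComputerName $Server -LogName Security -InstanceId 577 `
                       -EntryType FailureAudit -After $since

function Get-Field([string]$Message, [string]$Name) {
    # Pulls "Name: value" out of the description; returns '-' when the field is absent.
    if ($Message -match ("(?m)^\s*" + [regex]::Escape($Name) + ":\s*(\S*)")) { return $Matches[1] }
    return '-'
}

$rows = $events | ForEach-Object {
    New-Object PSObject -Property @{
        Second      = $_.TimeGenerated.ToString('yyyy-MM-dd HH:mm:ss')
        ClientUser  = (Get-Field $_.Message 'Client User Name')
        ClientLogon = (Get-Field $_.Message 'Client Logon ID')
        Privileges  = (Get-Field $_.Message 'Privileges')
    }
}

# One line per burst: identical tuples within the same second are collapsed with a count.
$bursts = $rows | Group-Object Second, ClientUser, ClientLogon, Privileges |
    Where-Object { $_.Count -ge $BurstThreshold } |
    ForEach-Object {
        $first = $_.Group[0]
        New-Object PSObject -Property @{
            Second = $first.Second; ClientUser = $first.ClientUser
            ClientLogonId = $first.ClientLogon; Privileges = $first.Privileges
            Count = $_.Count
        }
    } | Sort-Object Second

$bursts | Format-Table Second, ClientUser, ClientLogonId, Privileges, Count -AutoSize

# Totals per client user show whether every user triggers it (a server-side cause such
# as a filter driver or agent) or only a few (a per-client cause).
$rows | Group-Object ClientUser | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
```

The Client Logon ID column can then be matched against the logon events (528/540) for that session to see which logon type produced the burst.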