  1. #1
    cookie_monster

    Event ID 578 SeTcbPrivilege

    I'm seeing this event on one of our servers, a web and print server. It has only started recently and I'm pretty sure that nothing has changed. I'm having a bit of trouble identifying the source; has anyone had this before?

    This is on a 2003 R2 server with SP2.

    Failure
    Source: Security
    Event ID 578
    Privileged object operation:
    Object Server: Security
    Object Handle: 0
    Process ID: 2520
    Primary User Name: user
    Primary Domain: BCS
    Primary Logon ID: (0x0,0x3B06C)
    Client User Name: -
    Client Domain: -
    Client Logon ID: -
    Privileges: SeTcbPrivilege

    This is what MS say. I've checked and no one has the "Act as part of the operating system" rights, the same as on our other 2003 servers. The username in the failure event is the domain admin account.

    Act as part of the operating system
    Look for Event ID 577 or 578 with the SeTcbPrivilege access privilege indicated. The user account
    that made use of the user right is identified in the event details. This event can indicate a user's
    attempt to elevate security privileges by acting as part of the operating system. For example, the
    GetAdmin attack, where a user attempts to add their account to the Administrators group uses this
    privilege. The only entries for this event should be for the System account, and any service
    accounts assigned this user right.

  2. #2

    Geoff
    Is the webserver accessible externally?

  3. #3
    cookie_monster
    No it's only an intranet server.
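
The check described in the guidance quoted in the first post (Event ID 577 or 578 with SeTcbPrivilege from anything other than System or an assigned service account), as an added example that is not part of the original thread. It assumes event descriptions exported as text in the field layout shown in the post, one record per blank-line-separated block; the allowlist and the sample records are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: accounts expected to use the right (add assigned service accounts here).
ALLOWED = {("NT AUTHORITY", "SYSTEM")}

# Constructed sample records using the field names from the event in the post.
SAMPLE = """\
Event ID 578
Process ID: 2520
Primary User Name: user
Primary Domain: BCS
Privileges: SeTcbPrivilege

Event ID 577
Process ID: 412
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Privileges: SeTcbPrivilege

Event ID 578
Process ID: 1988
Primary User Name: user
Primary Domain: BCS
Privileges: SeBackupPrivilege
"""

def parse(text):
    """Split blank-line separated records into dicts of field name -> value."""
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = re.match(r"\s*Event ID:?\s+(\d+)\s*$", line)
            if m:
                rec["Event ID"] = m.group(1)
            elif ":" in line:
                key, _, val = line.partition(":")
                rec[key.strip()] = val.strip()
        yield rec

def unexpected_tcb(text, allowed=ALLOWED):
    """Count 577/578 SeTcbPrivilege events per (domain, user, pid) outside the allowlist."""
    hits = Counter()
    for r in parse(text):
        privs = r.get("Privileges", "").split()
        who = (r.get("Primary Domain", "").upper(), r.get("Primary User Name", "").upper())
        if r.get("Event ID") in ("577", "578") and "SeTcbPrivilege" in privs and who not in allowed:
            hits[who + (r.get("Process ID", "?"),)] += 1
    return hits
```

Grouping by Process ID gives the short list of PIDs to match against running processes on the server while the events are still being generated.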
