30th January 2008, 10:47 AM #1
Event ID 578 SeTcbPrivilege
I'm seeing this event on one of our servers, a web and print server. It has only started recently and I'm pretty sure that nothing has changed. I'm having a bit of trouble identifying the source. Has anyone had this before?
This is on a 2003 R2 server with SP2.
Event ID 578
Privileged object operation:
Object Server: Security
Object Handle: 0
Process ID: 2520
Primary User Name: user
Primary Domain: BCS
Primary Logon ID: (0x0,0x3B06C)
Client User Name: -
Client Domain: -
Client Logon ID: -
This is what MS say. I've checked and no one has the "Act as part of the operating system" rights, the same as on our other 2003 servers. The username in the failure event is the domain admin account.
Act as part of the operating system
Look for Event ID 577 or 578 with the SeTcbPrivilege access privilege indicated. The user account
that made use of the user right is identified in the event details. This event can indicate a user's
attempt to elevate security privileges by acting as part of the operating system. For example, the
GetAdmin attack, where a user attempts to add their account to the Administrators group uses this
privilege. The only entries for this event should be for the System account, and any service
accounts assigned this user right.
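The check described in the quoted Microsoft guidance, as an added example that is not part of the original post: it parses exported 577/578 event text and lists SeTcbPrivilege use by any account outside an allow-list of System and approved service accounts. The sample records, the `Privileges` line, the account name `jsmith` and both function names are constructed for illustration.

```python
# Constructed sample in the layout of the event quoted above ("Key: Value"
# lines, blank line between records). Only PID 2520 and "user" mirror the post.
SAMPLE = """\
Event ID: 578
Process ID: 2520
Primary User Name: user
Client User Name: -
Privileges: SeTcbPrivilege

Event ID: 578
Process ID: 412
Primary User Name: SYSTEM
Client User Name: -
Privileges: SeTcbPrivilege

Event ID: 577
Process ID: 980
Primary User Name: SYSTEM
Client User Name: jsmith
Privileges: SeTcbPrivilege
"""

def parse_events(text):
    """Turn blank-line separated records into dicts of field -> value."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events

def unexpected_tcb_use(events, allowed):
    """Return (event id, account, pid) for SeTcbPrivilege use outside `allowed`."""
    allowed = {name.lower() for name in allowed}
    hits = []
    for ev in events:
        if ev.get("Event ID") not in ("577", "578"):
            continue
        if "SeTcbPrivilege" not in ev.get("Privileges", "").split():
            continue
        # Assumption: a client name other than "-" means the service was
        # impersonating that client, so the client is the acting account.
        client = ev.get("Client User Name", "-")
        account = client if client not in ("", "-") else ev.get("Primary User Name", "")
        if account.lower() not in allowed:
            hits.append((ev["Event ID"], account, ev.get("Process ID")))
    return hits
```

The Process ID in each hit is the value to match against the running process list on the server while the process is still alive.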
30th January 2008, 11:24 AM #2
Is the webserver accessible externally?
30th January 2008, 11:35 AM #3
No it's only an intranet server.