Re: Event ID 577 & 578 are filling Security Event Logs

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 04/28/05


Date: Wed, 27 Apr 2005 18:29:19 -0700

Also, review the accounts that are generating the event messages.
Often it is not that the privilege is actually being used, but that the
user token is being adjusted to reflect that the privilege is granted.
Perhaps accounts are over-allocated rights? Or individuals
should be using less privileged accounts for "normal" activities.

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:%23Qf6YP4SFHA.2916@TK2MSFTNGP15.phx.gbl...
> Privilege use will generate a ton of events in the security log. Review your
> policy to see if you can possibly audit only failures instead of success and
> failure. If that is not possible you will need to increase the size of the
> security logs substantially. I know of no other workaround.  -- Steve
>
>
> "timcapp" <timothy.cappiello@gd-ais.com> wrote in message
> news:1114627448.748559.303680@g14g2000cwa.googlegroups.com...
> > We have quite a few Windows 2000 SP4 systems running that are
> > continually logging event ID 577 and 578 to the Security Event log. I
> > understand that a workaround to this is to turn off the privilege use
> > auditing policy, but this is not possible due to security requirements.
> > Is anyone aware of a workaround/patch to resolve this issue?  It is
> > causing the event logs to grow to an unmanageable size.
> >
> > Thanks
> > Tim
> >
>
>
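
One way to carry out the account review suggested at the top of this reply, as an added example that is not part of the original thread: a Python script that tallies 577/578 records by account and privilege from exported event descriptions. The sample records, the account names, and the choice to attribute an event to the client user when one is present (otherwise the primary user) are assumptions.

```python
import re
from collections import Counter

# Constructed sample (not real log data): (event ID, description text) pairs
# using the field labels found in Windows 2000 events 577 and 578.
SAMPLE_EVENTS = [
    (577, "Privileged Service Called:\n\tServer:\tNT Local Security Authority\n"
          "\tPrimary User Name:\tHOST01$\n\tClient User Name:\t-\n"
          "\tPrivileges:\tSeTcbPrivilege"),
    (578, "Privileged object operation:\n\tObject Server:\tSecurity\n"
          "\tPrimary User Name:\tHOST01$\n\tClient User Name:\tjsmith\n"
          "\tPrivileges:\tSeSecurityPrivilege"),
    (578, "Privileged object operation:\n\tObject Server:\tSecurity\n"
          "\tPrimary User Name:\tHOST01$\n\tClient User Name:\tjsmith\n"
          "\tPrivileges:\tSeSecurityPrivilege"),
    (578, "Privileged object operation:\n\tObject Server:\tSecurity\n"
          "\tPrimary User Name:\tHOST01$\n\tClient User Name:\tjsmith\n"
          "\tPrivileges:\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege"),
    (528, "Successful Logon:\n\tUser Name:\tjsmith"),  # unrelated, skipped
]

NAME = re.compile(r"^[ \t]*(Primary User Name|Client User Name):[ \t]*(.*)$", re.M)
PRIVS = re.compile(r"Privileges:(.*)", re.S)  # list may span several lines

def parse_event(description):
    """Return (account, [privileges]) for one 577/578 description."""
    names = dict(NAME.findall(description))
    client = names.get("Client User Name", "-").strip()
    primary = names.get("Primary User Name", "-").strip()
    account = client if client not in ("", "-") else primary
    match = PRIVS.search(description)
    privs = re.findall(r"Se\w+Privilege", match.group(1)) if match else []
    return account, privs

def tally(events):
    """Count (account, privilege) pairs across 577/578 events, noisiest first."""
    counts = Counter()
    for event_id, description in events:
        if event_id not in (577, 578):
            continue
        account, privs = parse_event(description)
        for priv in privs:
            counts[(account, priv)] += 1
    return counts.most_common()

if __name__ == "__main__":
    for (account, priv), n in tally(SAMPLE_EVENTS):
        print(f"{n:6d}  {account:12s}  {priv}")
```

Accounts that dominate the tally with privileges unrelated to their routine work are the candidates for reduced rights or a separate, less privileged day-to-day account.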

