Query regarding event id 577
Posted 10/4/2010 5:07:19 AM
Forum Newbie
Hi all,

I've just started analyzing Windows Event Viewer logs (Windows Server 2003) and I'm trying to find out instances of elevated privileges being accessed by respective users. From the various descriptions of the events that I found, I got the understanding that event IDs 577 and 578 can be used for this. However, I have also seen Microsoft's statutory warning that these two events can fill the Event Viewer logs very quickly and can also lead to degraded performance.

Can someone please tell me which event IDs one must monitor to look for elevated privilege instances? Are they event IDs 577 and 578?

Your response will be very welcome. Feel free to correct me at any point if required.

Regards,

Mv.

Post #491
Posted 11/4/2010 6:19:08 AM
Expert
Forget about 577 and 578. They are pretty much junk, and that is from the security log guy at MS. See "Bottom Line" at https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/OVERVIEW-Audit-Privilege-Use
Post #514
Posted 11/8/2010 5:25:48 AM
Forum Newbie
Hi Randy,

I too thought along these lines, but there are still some QSAs that recommend turning on Privilege Use auditing to track elevated access instances.

If I were to forget about these two event IDs, then which event IDs should I focus on in order to track instances of elevated access on Windows Server 2003?

Regards,

Mv.

Post #521
Posted 11/8/2010 5:29:06 AM
Forum Newbie
Hi Randy,

If I were to forget about these two event IDs, then which event IDs should I focus on in order to track instances of elevated access on Windows Server 2003?

Regards,

Mv.

Post #522
Posted 11/8/2010 5:31:01 AM
Forum Newbie
mohitvohra109 (11/8/2010) wrote:
    Hi Randy,

    I too thought along these lines, but there are still some QSAs that recommend turning on Privilege Use auditing to track elevated access instances.

Please ignore the above lines in my second-last post.

Post #523
Posted 11/9/2010 9:15:37 AM
Expert
Monitoring 576 tells you when anyone with "admin equivalent" authority logs on...
Post #528
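As an added illustration of the advice above (this is example code written for this thread, not Randy's tooling or anything from the linked wiki), the following parses exported Windows Server 2003 Security-log text, keeps only event 576 ("Special privileges assigned to new logon") and flags the logons whose privilege list contains a right the reviewer treats as admin equivalent. The sample records and their field layout are constructed to resemble a text export, and the ADMIN_EQUIVALENT set is an assumption to be tuned per environment; neither comes from the thread.

```python
import re
from dataclasses import dataclass

# Assumption (not from the thread): privileges a reviewer would treat as
# "admin equivalent" when they show up on a new logon. Tune per environment.
ADMIN_EQUIVALENT = {
    "SeTcbPrivilege", "SeDebugPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
    "SeSecurityPrivilege", "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
}

# Constructed sample export: two 576 records and one 528 (ordinary logon)
# record. The layout approximates a Security-log text export; it is not a
# real capture.
SAMPLE_LOG = """\
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Description:
Special privileges assigned to new logon:
 User Name: jdoe
 Domain: CORP
 Logon ID: (0x0,0x3E7A1)
 Privileges: SeSecurityPrivilege
   SeBackupPrivilege
   SeRestorePrivilege
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Description:
Successful Logon:
 User Name: asmith
 Domain: CORP
 Logon ID: (0x0,0x3F002)
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Description:
Special privileges assigned to new logon:
 User Name: svc_monitor
 Domain: CORP
 Logon ID: (0x0,0x3F1C0)
 Privileges: SeAuditPrivilege
   SeSystemEnvironmentPrivilege
"""


@dataclass
class Event576:
    user: str
    domain: str
    logon_id: str
    privileges: list


def _field(record, name):
    """Return the value of a ' Name: value' line, or '?' if absent."""
    m = re.search(r"^\s*" + re.escape(name) + r":\s*(\S+)", record, re.M)
    return m.group(1) if m else "?"


def parse_576_events(text):
    """Split an export into records and return the event 576 records only."""
    events = []
    for record in re.split(r"(?m)^Event Type:", text):
        if not re.search(r"^Event ID:\s*576\s*$", record, re.M):
            continue  # 528, 577, 578 and everything else is ignored here
        priv_block = re.search(r"Privileges:\s*(.*)", record, re.S)
        privileges = (re.findall(r"\bSe\w+Privilege\b", priv_block.group(1))
                      if priv_block else [])
        events.append(Event576(_field(record, "User Name"),
                               _field(record, "Domain"),
                               _field(record, "Logon ID"),
                               privileges))
    return events


def admin_equivalent_logons(events):
    """Return (account, logon id, matched privileges) for flagged logons."""
    flagged = []
    for ev in events:
        hits = sorted(set(ev.privileges) & ADMIN_EQUIVALENT)
        if hits:
            flagged.append((f"{ev.domain}\\{ev.user}", ev.logon_id, hits))
    return flagged


if __name__ == "__main__":
    for account, logon_id, hits in admin_equivalent_logons(parse_576_events(SAMPLE_LOG)):
        print(f"{account} {logon_id} logged on with {', '.join(hits)}")
```

Because 576 fires once per logon rather than once per privilege use, a rule like this stays cheap to run even on a busy server; the 577/578 volume the thread warns about never enters the pipeline.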
Posted 11/10/2010 5:33:56 AM
Forum Newbie
Hi Randy,

Using the description of event ID 576 from your encyclopedia:

Most user rights are not logged by event 576 and instead are logged at the actual time they are exercised using either event 577 or 578.

What I'm looking for is to capture instances when the privileges were actually 'used', so as to determine whether the user is authorized to invoke that privilege or not; which I can get by monitoring event id 577/578.

The reason I wrote this post is that I was confused by the Bottom Line mentioned by Microsoft. It appears to me to be a very hazy subject: some folks suggest turning Privilege Use auditing on to track elevated access in Windows, whereas Microsoft says to forget about the very same event IDs.

Is there any other event ID apart from 576/7/8 that can be used to track elevated privileges in Windows 2003? I'd also like to thank you for providing your valuable guidance in this matter.

Regards,

Mohit.

Post #532
Posted 11/11/2010 11:46:32 AM
Expert
Nothing else than those 3 events.
Post #533