RE: lsass.exe Failure audits on XP Clients



Hi Joe,

Thanks for posting here!

From your description, I understand that the issue is that some Failure
Audit events are being logged in Windows XP. If I am off base, please don't
hesitate to let me know.

Based on my research, this behavior is normal. If the computers are working
fine, we can simply ignore these events. We cannot prevent LSASS from
listening on certain ports, since not only LSASS but also a lot of other
processes need to listen on ports.

There is a way to prevent these Failure Audit events from being logged.
Please refer to the following steps to modify the Group Policy.

1. On the Domain Controller, open the GPO which is applied to the domain.
2. Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.
3. Double-click Audit process tracking, and then click to clear the check
boxes of Success and Failure.
4. Click Start | Run, type "secedit /refreshpolicy machine_policy", and then
click OK.

After you restart the Windows XP computer, the Detailed Tracking events will
not be logged any more; however, the other auditing events will still be
logged.

I hope this information is helpful. If anything is unclear or you have any
concerns about the issue, please feel free to let me know. I am looking
forward to hearing from you!

Have a nice day!

Best Regards,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
>From: "fordtuff98" <josef.adams@xxxxxxxxxxxxxxxxx>
>Newsgroups: microsoft.public.windows.server.sbs
>Subject: lsass.exe Failure audits on XP Clients
>Date: 11 Aug 2005 07:13:45 -0700
>
>I have been reading all of these posts, but no one has said anything
>about making an exception in the Windows Firewall for lsass.exe. The
>problem we are having on several newly installed machines is that the
>event logs are filling up with these messages, which blocks the user
>from logging on. We then have to go in and clear the logs. I really
>don't want to have to do that all the time, and I don't want to do the
>"overwrite as needed" thing. These are coming in at about 2-3 every
>second.... Any suggestions? Is it good practice to make an exception
>for lsass.exe? Here is an example of just one of many..
>
>Any help is appreciated!
>Joe
>
>
>Event Type: Failure Audit
>Event Source: Security
>Event Category: Detailed Tracking
>Event ID: 861
>Date: 8/11/2005
>Time: 9:10:26 AM
>User: NT AUTHORITY\SYSTEM
>Computer: XXXXXXXXXX
>Description:
>The Windows Firewall has detected an application listening for incoming
>traffic.
>
>Name: -
>Path: C:\WINDOWS\system32\lsass.exe
>Process identifier: 584
>User account: SYSTEM
>User domain: NT AUTHORITY
>Service: Yes
>RPC server: No
>IP version: IPv4
>IP protocol: UDP
>Port number: 2013
>Allowed: No
>User notified: No
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>
>
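Before clearing "Audit process tracking" as described in the reply, it helps to see which processes and ports account for the Event ID 861 volume. The following is an added example, not part of the original thread: it parses event text in the layout Joe posted (quoted `>` prefixes included) and groups the records by process path. The sample records and the path `C:\Tools\example.exe` are constructed.

```python
import re
from collections import defaultdict

# One "Key: value" field per line, as in the event text quoted in the post.
FIELD = re.compile(r"^([A-Za-z ]+):(?:[ \t]+(.*))?$")

def parse_events(text):
    """Split exported Security-log text into one dict per event."""
    events, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line.lstrip(">").strip())   # tolerate quoted mail text
        if not m:
            continue                      # free text, URLs, blank lines
        key, val = m.group(1).strip(), (m.group(2) or "").strip()
        if key == "Event Type":           # first field of every event
            cur = {}
            events.append(cur)
        if cur is not None:
            cur[key] = val
    return events

def listeners(events):
    """Group Event ID 861 records by (lower-cased) process path."""
    out = defaultdict(lambda: {"count": 0, "ports": set(), "blocked": 0})
    for e in events:
        if e.get("Event ID") != "861" or "Path" not in e:
            continue
        rec = out[e["Path"].lower()]
        rec["count"] += 1
        rec["ports"].add((e.get("IP protocol"), int(e.get("Port number", "0"))))
        rec["blocked"] += e.get("Allowed") == "No"
    return dict(out)

def _sample(path, proto, port):
    # Constructed sample record in the layout of the event shown above.
    return (f"Event Type: Failure Audit\nEvent Source: Security\n"
            f"Event Category: Detailed Tracking\nEvent ID: 861\n"
            f"Time: 9:10:26 AM\nDescription:\n"
            f"The Windows Firewall has detected an application listening\n\n"
            f"Path: {path}\nIP protocol: {proto}\nPort number: {port}\n"
            f"Allowed: No\n\nFor more information, see\n"
            f"http://go.microsoft.com/fwlink/events.asp.\n\n")

SAMPLE = (_sample(r"C:\WINDOWS\system32\lsass.exe", "UDP", 2013)
          + _sample(r"C:\WINDOWS\system32\lsass.exe", "UDP", 2014)
          + _sample(r"C:\Tools\example.exe", "TCP", 5000))

if __name__ == "__main__":
    for path, rec in listeners(parse_events(SAMPLE)).items():
        print(path, rec["count"], sorted(rec["ports"]), rec["blocked"])
```
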
