Hi
I have a new installation of Windows Server 2019 Version 1809 (Build 17763). I am seeing loads of Event ID 4763 in the Security section of the Event Viewer as below. (Yes, I have Audit Sensitive Privilege Use on). Question is why I am seeing the failure.
I have
Subject:
    Security ID: SYSTEM
    Account Name: <COMPUTERNAME>$
    Account Domain: WORKGROUP
    Logon ID: 0x3E7
Service:
    Server: NT Local Security Authority / Authentication Service
    Service Name: LsaRegisterLogonProcess()
Process:
    Process ID: 0x25c
    Process Name: C:\Windows\System32\lsass.exe
Service Request Information:
    Privileges: SeTcbPrivilege
I actually added SYSTEM to the 'Act as part of the Operating System' right, although I understood that was granted implicitly anyway... So first question... what's likely going on here?
Secondly, I am also seeing even more of the following:
A privileged service was called.
Subject:
    Security ID: <COMPUTERNAME>\<LocalAdministratorUser>
    Account Name: LocalAdministratorUser
    Account Domain: <COMPUTERNAME>
    Logon ID: 0x445DE
Service:
    Server: Security
    Service Name: -
Process:
    Process ID: 0x4a4
    Process Name: C:\Windows\System32\svchost.exe
Service Request Information:
    Privileges: SeTcbPrivilege
Obviously I don't want to add the Admin account to that role, but something tells me there is a problem here... why is the system blocking whatever is being attempted on a clean-deploy OS like this?
Obviously I could turn off auditing but that would just mean I never heard about these problems... rather than actually resolving the root cause of the issue. Also, turning off auditing means I may not learn about other more relevant (and correct) attempts to use privileged rights.
Any thoughts?
Thanks,
Clive
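
Added example (not part of the original post): a small Python parser for event text in the layout quoted above, counting records per account, process image, service name and privilege so the recurring sources can be told apart while auditing stays on. The host name HOST01, the account name admin and the sample records are constructed for illustration.

```python
from collections import Counter

# Constructed record template following the field layout quoted in the post.
TEMPLATE = """A privileged service was called.
Subject:
    Security ID: {sid}
    Account Name: {account}
    Account Domain: {domain}
    Logon ID: {logon}
Service:
    Server: {server}
    Service Name: {service}
Process:
    Process ID: {pid}
    Process Name: {image}
Service Request Information:
    Privileges: {privs}
"""
# Constructed sample export: hypothetical host HOST01 and local account "admin".
SAMPLE = (
    TEMPLATE.format(sid="SYSTEM", account="HOST01$", domain="WORKGROUP", logon="0x3E7",
                    server="NT Local Security Authority / Authentication Service",
                    service="LsaRegisterLogonProcess()", pid="0x25c",
                    image=r"C:\Windows\System32\lsass.exe", privs="SeTcbPrivilege") * 2
    + TEMPLATE.format(sid=r"HOST01\admin", account="admin", domain="HOST01", logon="0x445DE",
                      server="Security", service="-", pid="0x4a4",
                      image=r"C:\Windows\System32\svchost.exe", privs="SeTcbPrivilege")
)
KEYS = ("Account Name", "Process Name", "Service Name", "Privileges")

def parse_records(text):
    """Split pasted event text into one dict of 'Field: value' pairs per record."""
    records = []
    for line in text.splitlines():
        # Split on the first colon only, so "C:\..." paths stay intact in the value.
        key, sep, value = line.strip().partition(":")
        if key == "Subject" and not value:
            records.append({})  # each record's fields begin at its "Subject:" header
        elif sep and value.strip() and records:
            records[-1][key.strip()] = value.strip()
    return records

def tally(records):
    """Count events per (account, process image, service name, privilege)."""
    return Counter(tuple(r.get(k) for k in KEYS) for r in records)

if __name__ == "__main__":
    for combo, count in tally(parse_records(SAMPLE)).most_common():
        print(count, *combo, sep=" | ")
```
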