Re: Event ID 560
From: Kumar Pandit [MS] (kumarp@microsoft.com)Date: 01/09/02
- Previous message: Pawel: "security of files"
- In reply to: viciousdog: "Event ID 560"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: kumarp@microsoft.com (Kumar Pandit [MS]) Date: 09 Jan 2002 14:28:05 -0800
Hi,
The event indicates an attempt at enumerating accounts and/or creating
groups over a null (anonymous) connection. Anonymous enumerations are
usually the first step in remotely hacking a machine. You should
disable anonymous access if you do not need it. See the article
"Restricting Information Available to Anonymous Logon Users" in MSDN
for more information.
"viciousdog" <viciousdog@zdnetonebox.com> writes:
> I keep getting Security Log entries for failed object access attempts by
> NTAUTHORITY\ANONYMOUS for Event ID 560 and this description:
>
> Object Open:
> Object Server: Security Account Manager
> Object Type: SAM_DOMAIN
> Object Name: <mydomain>
> New Handle ID: -
> Operation ID: {0,7260117} this ID varies from entry to entry
> Process ID: 2161210400
> Primary User Name: SYSTEM
> Primary Domain: NT AUTHORITY
> Primary Logon ID: (0x0,0x3E7)
> Client User Name:
> Client Domain:
> Client Logon ID: (0x0,0x295B)
> Accesses CreateGlobalGroup
> LookupIDs
>
> Privileges -
>
>
> There doesn't appear to be any pattern to the times the entries occur.
>
> Any ideas on what could be causing it?
>
>
-- Kumar Pandit Microsoft Security Developer(This posting is provided "AS IS" with no warranties, and confers no rights.)
- Next message: ME: "Re: need help deleting strange files!!!"
- Previous message: Pawel: "security of files"
- In reply to: viciousdog: "Event ID 560"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
