Re: NT AUTORITY/ANONIMOYS LOGIN events in Event Viewer

From: Rajkumar Mohanram [MSFT] (rajkm_at_online.microsoft.com)
Date: 04/14/04 

Date: Tue, 13 Apr 2004 15:57:36 -0700

If you see an error message that indicates that the login has failed for NT
AUTHORITY\ANONYMOUS, this indicates that the identity on the Web server does
not have any network credentials and is attempting to access the remote
computer.
Identify which account is being used by the Web application for remote
resource access and confirm that it has network credentials. If the Web
application is impersonating, this requires either Kerberos delegation (with
suitably configured accounts) or Basic authentication at the Web server.

See
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch13.asp
for more info. 

-- 
Rajkumar Mohanram [MSFT]
Windows Core Security
This posting is provided "AS IS" with no warranties, and confers no rights. 
Use of included script samples are subject to the terms specified at 
http://www.microsoft.com/info/cpyright.htm
---------------------
"Gene" <gene_golub@hotmail.com> wrote in message 
news:261057CC-0AAB-428C-A351-3858062A5F1A@microsoft.com...
> Folks
>
> I recently noticed plenty of login event records made by user from domain: 
> NT AUTORITY, user ANONIMOYS LOGIN in the Event Viewer.
> I can not figure out whether it's legitimate system event or somebody 
> broke into my pc. I enabled all possible audits and all I see is a series 
> of login/logout events by above user which happen with interval of few 
> seconds within 10 - 20 min randomly.
>
> Does anybody have a clue what it could be? Thank you for your input.

Relevant Pages

  • Re: WebBrowser
    ... With this type of security you may be able to access the ... > If the login page is a Username / Password textbox with a Submit or Login ... > send requests to a web server and get some type of response / data back. ... Sign the petition to Microsoft. ...
    (microsoft.public.vb.controls)
  • Re: edit and/or copy/paste access with prudent security also
    ... If you login as the web server - local administrator, ... check NTFS permission again. ... >> Basically you need to use an account from the web server. ...
    (microsoft.public.inetserver.iis.security)
  • ssh_exchange_identification
    ... My ssh is not working today; every time I try to login to our web server I get following error message. ... I tried to login using both remote server host name and IP address, I observed that IP address of our web server has been changed so I removed all the previous entries for the web server in my /root/.ssh/known_hosts file and tried once again, but still getting the same error message. ...
    (Fedora)
  • Re: Bank Of America - sign on process - how is this secure?
    ... >> that the login is sent via https, ... >> page requesting your login is sent to you unencrypted, ... The point here is that you *don't* have to "assume that the web server ... DNS entries could be faked to point the web site name to an entirely ...
    (comp.security.misc)
  • Re: Login Loop
    ... The security settings are Integrated Windows Authentication & Basic ... Re-appearing login prompts are never issues with the web server ... and I do not recommend wasting time with indirect methods. ...
    (microsoft.public.inetserver.iis.security)