Re: WIN2K Server Mysterious NT Authority/Anon Logoffs

From: Mike (mike@nospam)
Date: 05/20/02 

From: "Mike" <mike@nospam>
Date: Mon, 20 May 2002 09:39:20 -0400

"S. Pidgorny [MVP]" <slavickp@yahoo.com> wrote in message
news:uSkiuD8$BHA.2200@tkmsftngp02...
> Interesting. Do you have successfull anonymous _logon_ mesages?

No. I also do not have any users on the server other than administrator and
the anonymous IIS account (IIS is turned off.)

> Do you run Windows 2000 AD domain?

Nope

>
> As it is a network logoff event (logon type 3), a network traffic capture
> will show the initiator.
>
> --
> Svyatoslav Pidgorny, MS MVP, MCSE
> -= F1 is the key =-
>
> "Mike" <mike@nospam> wrote in message
> news:uebj4oib0fgc43@corp.supernews.com...
> > Anyone have any idea whether the anonymous logoff messages from NT
> Authority
> > listed below with no cooresponding login is normal behavior for Win2k?
I
> > have the server locked down, with IIS disabled and no users on it
enabled
> > other than the IIS iusr account and administrator. I am getting about 4
> of
> > these messages an hour. The server is currently only running MS DNS and
> > Network Ice intrusion detection. I also have SP2 installed with all the
> > latest security updates. A technet search and web search did not turn
up
> > much either.
> >
> > Event Type: Success Audit
> > Event Source: Security
> > Event Category: Logon/Logoff
> > Event ID: 538
> > Date: 5/17/2002
> > Time: 11:10:37 PM
> > User: NT AUTHORITY\ANONYMOUS LOGON
> > Computer: WXX
> > Description:
> > User Logoff:
> > User Name: ANONYMOUS LOGON
> > Domain: NT AUTHORITY
> > Logon ID: (0x0,0x1C5763)
> > Logon Type: 3
> >
> >
> >
> >
>
>

Relevant Pages

  • Re: Please help refresh my memory on AD DC
    ... When I boot my Laptop I reach the Logon screeen for XP Laptop and here I am ... administrator account. ... account to be able to Login so I can control it from the DC. ... A Server has websites already hosted on it in a Workgroup and now I join it ...
    (microsoft.public.windows.server.active_directory)
  • Re: Please help refresh my memory on AD DC
    ... "WEB308\administrator" does not longer exist, because DC's have no local administrator. ... The computer is now member of the domain, if you mean this and still has the local user account. ... "in order to add the server or pc I would have to have a user on the domain to logon to the domain. ... To Logon locally I would use the admin account of the Server 2003 machine. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Please help refresh my memory on AD DC
    ... they just get the result of that what the domain administrator ... They however cannot logon directly to the physical DC machine. ... administrator account. ... A Server has websites already hosted on it in a Workgroup and now I ...
    (microsoft.public.windows.server.active_directory)
  • Re: Please help refresh my memory on AD DC
    ... The users will not see anything of that basically, they just get the result of that what the domain administrator or equivalent configures there. ... They however cannot logon directly to the physical DC machine. ... administrator account. ... A Server has websites already hosted on it in a Workgroup and now I ...
    (microsoft.public.windows.server.active_directory)
  • Re: Remote Desktop Logon to Server
    ... User Rights assignments under Local Policies. ... > person to logon to the server in a restricted mode. ... > change (this was before I put them into the Administrator ...
    (microsoft.public.win2000.networking)