Re: NT AUTHORITY\ANONYMOUS LOGON

From: Eric Fitzgerald [MS] (ericf@online.microsoft.com)
Date: 10/04/02


From: "Eric Fitzgerald [MS]" <ericf@online.microsoft.com>
Date: Thu, 3 Oct 2002 19:58:27 -0700


Usually it's someone looking for shares, such as someone clicking "Network
Neighborhood", seeing your computer, and double-clicking it. It could also
be account enumeration, which in your case would mean a hacker is sniffing
around your machine.

Either way, the advice is the same:

1. Make sure that all your user accounts have strong passwords on them
(start/run lusrmgr.msc)
2. Set RestrictAnonymous=1
3. Eliminate any unnecessary shares, and tighten permissions on all your
shares. You should never have a share with "Everyone:Full" permissions, and
you should only have change or full control permissions when you absolutely
must have them.
4. Disable the guest account.

Microsoft Baseline Security Analyzer will help you set all these settings:
http://www.microsoft.com/technet/security/tools/Tools/MBSAhome.asp

Eric

<3ah90lb001@sneakemail.com> wrote in message
news:1qKm9.41750$Eu.946892@twister1.libero.it...
> What does it mean "It's not uncommon to be enumerated."? What is happening
> when I get such a new record in the Event Viewer?
>
> Thanks
> GIo
>
> --
> -----------------------------------------------------
> Protect yourself from spam, use http://sneakemail.com
> "Eric Fitzgerald [MS]" <ericf@online.microsoft.com> wrote in message
> news:3d9b30e8$1@news.microsoft.com...
> > It's not uncommon to be enumerated. If you're concerned you can set the
> > "RestrictAnonymous" registry value (see the Knowledge Base for more
> > details). If this is a DC, then that will not be sufficient.
> >
> > Eric
> >
> > <3ah90lb001@sneakemail.com> wrote in message
> > news:NaBm9.38814$Eu.886536@twister1.libero.it...
> > > Hi!
> > >
> > > I noticed in Event Viewer's Security Log of a Windows 2000 Server PC the
> > > following records repeated a lot of times.
> > >
> > > Event Type: Success Audit
> > > Event Source: Security
> > > Event Category: Logon/Logoff
> > > Event ID: 538
> > > Date: 10/2/2002
> > > Time: 1:21:08 PM
> > > User: NT AUTHORITY\ANONYMOUS LOGON
> > > Computer: W2KSERVER
> > > Description:
> > > User Logoff:
> > > User Name: ANONYMOUS LOGON
> > > Domain: NT AUTHORITY
> > > Logon ID: (0x0,0xC6773A)
> > > Logon Type: 3
> > >
> > > Logon ID changes from one record to another, e.g.:
> > > Logon ID: (0x0,0xC100FB)
> > >
> > > Logon ID: (0x0,0xB7073C)
> > >
> > > That server is connected to the Internet via a DSL line through a DSL router
> > > and has only a private IP address.
> > > I noticed that with Zone Alarm installed those records no longer appear.
> > >
> > > Who is actually logging on/off? Someone from the Internet? Should I worry
> > > about it? All the defined users have passwords.
> > >
> > > Gio
> > >
> > >
> > > --
> > > -----------------------------------------------------
> > > Protect yourself from spam, use http://sneakemail.com
> > >
> > >
> >
> >
>
>
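
An added example, not part of the original thread: a small parser that tallies ANONYMOUS LOGON records with Logon Type 3 per hour from Security log text in the layout quoted in the question, so an occasional browse can be told apart from sustained enumeration. The function names and the sample records are constructed for illustration; it also accepts lines still carrying `>` quote prefixes.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the record layout quoted in the thread (not real log data).
RECORD = ("Event Type: Success Audit\nEvent ID: 538\nDate: 10/2/2002\nTime: {t}\n"
          "User: {u}\nLogon ID: (0x0,{i})\nLogon Type: {lt}\n\n")
SAMPLE = (RECORD.format(t="1:21:08 PM", u=r"NT AUTHORITY\ANONYMOUS LOGON", i="0xC6773A", lt=3)
          + RECORD.format(t="1:21:40 PM", u=r"NT AUTHORITY\ANONYMOUS LOGON", i="0xC100FB", lt=3)
          + RECORD.format(t="3:05:11 PM", u=r"W2KSERVER\exampleuser", i="0xB7073C", lt=2))

# "Key: value" line, optionally behind newsgroup quote markers ("> > > ").
FIELD = re.compile(r"^\s*(?:>\s*)*([A-Za-z ]+?):\s*(.+?)\s*$")

def parse_events(text):
    """Return one dict of fields per record; a record starts at 'Event Type:'."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # blank lines and headings without a value ("Description:")
        key, value = m.groups()
        if key == "Event Type":
            events.append({})
        if events:
            events[-1].setdefault(key, value)
    return events

def anonymous_network_sessions(events):
    """Count ANONYMOUS LOGON / Logon Type 3 records per hour; collect their logon IDs."""
    per_hour, logon_ids = Counter(), set()
    for e in events:
        if not e.get("User", "").upper().endswith("ANONYMOUS LOGON"):
            continue
        if e.get("Logon Type") != "3" or "Date" not in e or "Time" not in e:
            continue
        ts = datetime.strptime(f"{e['Date']} {e['Time']}", "%m/%d/%Y %I:%M:%S %p")
        per_hour[ts.strftime("%Y-%m-%d %H:00")] += 1
        logon_ids.add(e.get("Logon ID"))
    return per_hour, logon_ids

if __name__ == "__main__":
    hours, ids = anonymous_network_sessions(parse_events(SAMPLE))
    for hour, count in sorted(hours.items()):
        print(hour, count, "anonymous network sessions")
```

The record layout quoted in the thread carries no source address, so the tally shows frequency only, not who connected.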