Re: Anonomous Logon

From: Alistair Gillespie (alistg@hotmail.com)
Date: 01/05/03 

From: "Alistair Gillespie" <alistg@hotmail.com>
Date: Sun, 5 Jan 2003 19:07:18 +0000 (UTC)

I think this is the normal behaviour as a result of the NT Authentication
process.

"Logon Type 3" is a network logon (so an attempt is being made to access the
machine "N301-01" over the network)

When an authentication attempt is made, winlogon.exe creates a logon session
to see if the supplied credentials are correct. If so it destroys the logon
session and then provides access to the real session.

What you're seeing is an audit event logged as a result of the logoff from
the session created by winlogon (note the username "NT AUTHORITY\ANONYMOUS
LOGON")

You will probably see another logon Event (e.g. Event 540 if it was
successful or 529 if unsuccessful) near this one with the actual username
who attempted the network connection

best regards
- Alistair

"C. Tekin" <ctekin@itekin.com> wrote in message
news:078801c2b33a$5c5bf280$d7f82ecf@TK2MSFTNGXA14...
> I keep getting these anonymous logon entries in my
> security logs. Here are
> two one such entries, one a log on and one a log off:
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 538
> Date: 1/2/2003
> Time: 10:26:12 AM
> User: NT AUTHORITY\ANONYMOUS LOGON
> Computer: N301-01
> Description:
> User Logoff:
> User Name: ANONYMOUS LOGON
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x733FAB4)
> Logon Type: 3
>
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 538
> Date: 1/2/2003
> Time: 9:02:03 AM
> User: NT AUTHORITY\ANONYMOUS LOGON
> Computer: N301-01
> Description:
> User Logoff:
> User Name: ANONYMOUS LOGON
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x72A0BD9)
> Logon Type: 3
>
> What's generating these entries? I don't allow any
> anonymous access (at
> least I don't think I do).
>
> Thanks.
> Cihat
>

Relevant Pages