Re: Anonymous user logons in security logs

From: Karl Levinson [x y] mvp (jamescagney90210@excite.com)
Date: Fri, 31 Jan 2003 09:40:50 -0500


I could be wrong, but my guess is that these are NetBIOS null sessions which
are necessary for Windows domain authentication. If the source is from a
computer on your network, that's probably OK. If the source is ever from an
unknown computer not on your network, then some network connection [possibly
your firewall] is probably allowing NetBIOS from a place that it shouldn't
be allowed [such as the internet].

Note that Windows does not log the IP address here unless you are using XP
with the ICF firewall or .NET server. Third party firewall or sniffer
software can help you try to capture this and correlate it to your Windows
event logs to try to determine the source IP address.

http://securityadmin.info/faq.htm#sniffer
http://securityadmin.info/faq.htm#firewall

"Emdee" <mikeDONTSPAM@webheat.co.uk> wrote in message
news:3e3a8220$0$2559$afc38c87@news.easynet.co.uk...
> My company has a domain of 7 machines:
> 2 x DCs - Windows 2000 Server
> 3 x WWW Servers (load balancing done via another non-windows box) - Windows
> 2000 Server
> 2 x Clustered DB servers, active/passive -Windows 2000 Advanced Server
>
> I check the logs daily and since they're going live (possibly before) there
> are daily entries in the security log for:
> NT AUTHORITY\ANONYMOUS LOGON
>
> My question is this:
> Are these entries from normal behaviour or is it likely to be something
> more suspicious?
>
> If it's something more suspicious then what/where should I go looking?
>
> Entries usually like so (computer names etc have been changed):
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 538
> Date: 31/01/2003
> Time: 13:55:14
> User: NT AUTHORITY\ANONYMOUS LOGON
> Computer: DC1
> Description:
> User Logoff:
> User Name: ANONYMOUS LOGON
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x39B9BCE2)
> Logon Type: 3
>
> ----------------------------------------------------------
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 538
> Date: 31/01/2003
> Time: 13:54:50
> User: NT AUTHORITY\ANONYMOUS LOGON
> Computer: DC1
> Description:
> User Logoff:
> User Name: ANONYMOUS LOGON
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x39B9B7ED)
> Logon Type: 3
>
> ----------------------------------------------------------
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 538
> Date: 31/01/2003
> Time: 13:54:40
> User: DOMAINNAME\WWWSRV3$
> Computer: DC1
> Description:
> User Logoff:
> User Name: WWWSRV$
> Domain: DOMAINNAME
> Logon ID: (0x0,0x39B9B173)
> Logon Type: 3
>
> ----------------------------------------------------------
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Privilege Use
> Event ID: 576
> Date: 31/01/2003
> Time: 13:54:30
> User: NT AUTHORITY\ANONYMOUS LOGON
> Computer: DC1
> Description:
> Special privileges assigned to new logon:
> User Name:
> Domain:
> Logon ID: (0x0,0x39B9BCE2)
> Assigned: SeChangeNotifyPrivilege
>
> ----------------------------------------------------------
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Privilege Use
> Event ID: 576
> Date: 31/01/2003
> Time: 13:53:45
> User: NT AUTHORITY\ANONYMOUS LOGON
> Computer: DC1
> Description:
> Special privileges assigned to new logon:
> User Name:
> Domain:
> Logon ID: (0x0,0x39B9B7ED)
> Assigned: SeChangeNotifyPrivilege
>
> ----------------------------------------------------------
>
> Many thanks
> Emdee
>
>

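The correlation Karl describes, matching sniffer output against the security log by time because Windows 2000 records no source address for these events, as an added example that is not code from the original thread. It assumes the events were copied out of Event Viewer in the flat text layout shown in Emdee's post, that a sniffer on the DC's segment wrote one line per TCP SYN in a simplified tcpdump-like layout (an assumed format, not a real capture), and that the LAN is 10.0.0.0/24 with the DC at 10.0.0.5. Event 576 is taken as the start of a logon (it is logged when a new logon receives its privileges) and 538, matched by Logon ID, as its end; all sample data is constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample (not from the post), in the flat layout the Windows 2000
# Event Viewer copies out: 576 = privileges given to a new logon, 538 = logoff.
SAMPLE_EVENTS = """\
Event ID: 576
Date: 31/01/2003
Time: 13:53:45
User: NT AUTHORITY\\ANONYMOUS LOGON
Logon ID: (0x0,0x39B9B7ED)
----------------------------------------------------------
Event ID: 576
Date: 31/01/2003
Time: 13:54:29
User: DOMAINNAME\\WWWSRV3$
Logon ID: (0x0,0x39B9B173)
----------------------------------------------------------
Event ID: 576
Date: 31/01/2003
Time: 13:54:30
User: NT AUTHORITY\\ANONYMOUS LOGON
Logon ID: (0x0,0x39B9BCE2)
----------------------------------------------------------
Event ID: 538
Date: 31/01/2003
Time: 13:54:50
User: NT AUTHORITY\\ANONYMOUS LOGON
Logon ID: (0x0,0x39B9B7ED)
"""

# Constructed sniffer output (assumed simplified tcpdump-like layout, one TCP
# SYN per line: "HH:MM:SS.ffffff src.port > dst.port: S"); the DC is 10.0.0.5.
SAMPLE_SYNS = """\
13:53:44.201000 10.0.0.23.1045 > 10.0.0.5.139: S
13:54:29.702000 203.0.113.9.3321 > 10.0.0.5.445: S
13:54:29.950000 10.0.0.24.1102 > 10.0.0.5.139: S
13:54:29.960000 10.0.0.24.1103 > 10.0.0.5.80: S
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # assumption: the site LAN
SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB
SYN_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+)\.\d+ > "
                    r"[\d.]+\.(?P<dport>\d+): S$")

def parse_events(text):
    """Split copied Event Viewer text on the dashed separators into dicts."""
    events = []
    for block in re.split(r"^-{5,}$", text, flags=re.M):
        fields = {}
        for line in block.strip().splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Event ID" not in fields:
            continue
        ts = datetime.strptime(fields["Date"] + " " + fields["Time"],
                               "%d/%m/%Y %H:%M:%S")
        events.append({"id": int(fields["Event ID"]), "ts": ts,
                       "user": fields["User"], "logon_id": fields["Logon ID"]})
    return events

def parse_syns(text, day):
    """Parse SYN lines; the capture carries no date, so pass it as dd/mm/yyyy."""
    base = datetime.strptime(day, "%d/%m/%Y")
    syns = []
    for line in text.splitlines():
        m = SYN_RE.match(line.strip())
        if m:
            t = datetime.strptime(m["time"], "%H:%M:%S.%f").time()
            syns.append({"ts": datetime.combine(base.date(), t),
                         "src": m["src"], "dport": int(m["dport"])})
    return syns

def correlate(events, syns, window=timedelta(seconds=2)):
    """For each anonymous 576, list SMB SYNs seen within `window` before it.
    Clock skew between the sniffer host and the DC must fit inside the window."""
    results = []
    for ev in events:
        if ev["id"] != 576 or "ANONYMOUS LOGON" not in ev["user"]:
            continue
        hits = {s["src"] for s in syns if s["dport"] in SMB_PORTS
                and ev["ts"] - window <= s["ts"] <= ev["ts"]}
        results.append({"ts": ev["ts"], "logon_id": ev["logon_id"],
                        "candidates": sorted(hits)})
    return results

def external_sources(results, internal=INTERNAL_NETS):
    """Candidates outside the LAN: NetBIOS reaching the DC from somewhere it
    should have been blocked, which is the case the reply says to worry about."""
    return sorted({ip for r in results for ip in r["candidates"]
                   if not any(ipaddress.ip_address(ip) in n for n in internal)})

def session_seconds(events):
    """Pair each 576 with the 538 that carries the same Logon ID."""
    start = {e["logon_id"]: e["ts"] for e in events if e["id"] == 576}
    return {e["logon_id"]: (e["ts"] - start[e["logon_id"]]).total_seconds()
            for e in events if e["id"] == 538 and e["logon_id"] in start}
```

Calling `correlate(parse_events(SAMPLE_EVENTS), parse_syns(SAMPLE_SYNS, "31/01/2003"))` on the sample gives one candidate (10.0.0.23, a web server) for the 13:53:45 logon and two (10.0.0.24 and 203.0.113.9) for the 13:54:30 one; `external_sources` then singles out 203.0.113.9, the SYN on port 445 that the firewall should not have let through. The two-second window is a starting point: widen it if the sniffer host and the DC are not clock-synchronised, and accept that a busy DC will sometimes yield several candidates per event, at which point the logon ID and the logoff time from `session_seconds` help narrow down which TCP session matches.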