Re: Webserver Security Logs

From: Steven L Umbach (n9rou_at_attbi.com)
Date: 06/13/03


Date: Fri, 13 Jun 2003 02:03:48 GMT


It may be normal for some of those events to show up - usually
NT/Authority type, I believe. The browser service and other network services
use null sessions to communicate between computers. There should be a
workstation name associated with the event, I believe. If the workstation is
one on your network, I would not be too concerned. However, if this computer
can be accessed from the internet, then somebody may be using null sessions to
try to enumerate users/groups if there is no firewall or an improperly
configured one. You could [and should] disable file and print sharing on the
webserver, if you have it running, and I believe those events will go away.
You may also consider changing the security option for additional
restrictions for anonymous connections to "no access without explicit
anonymous permissions" if it will not interfere with functionality. You can
read more about that in the free Windows 2000 Security Hardening Guide.
Microsoft also has the free IIS Lockdown Tool and Urlscan Security Tool
available at their website. --- Steve

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/windows/win2khg/default.asp
http://support.microsoft.com/?kbid=246261
http://scan.sygatetech.com/ -- Basic firewall test.

"SWE" <none@none> wrote in message
news:017601c330f8$650624f0$a101280a@phx.gbl...
> I recently set up a webserver for my company but have yet
> to host any sites on it - still in the testing phase. I've
> noticed a lot of entries in the security log for:
>
> Logon/Logoff 538 ANONYMOUS LOGON
> Privilege Use 576 ANONYMOUS LOGON
>
> If nobody that we know of is accessing the webserver, are
> these entries something that we should be concerned about?
> We already had a problem with somebody hacking into the
> server and dumping a lot of their files on there. We have
> since resolved that issue, but want to make sure that
> these security entries aren't cause for concern before we
> go live.
>
> I look forward to your feedback.
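
The triage suggested in the reply (check which workstation each ANONYMOUS LOGON event comes from and worry only about ones that are not on your network), as an added example that is not part of the original post. It assumes the security log has been exported to a CSV with a workstation column; the column layout, host names and sample rows are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample: a security-log export reduced to four columns.
# The column layout and the host names are assumptions for this example.
SAMPLE_EXPORT = """\
time,event_id,user,workstation
2003-06-12 22:14:03,538,ANONYMOUS LOGON,FILESRV1
2003-06-12 22:14:05,576,ANONYMOUS LOGON,FILESRV1
2003-06-12 22:31:47,538,ANONYMOUS LOGON,WKSTN07
2003-06-12 23:02:10,538,ANONYMOUS LOGON,UNKNOWNPC
2003-06-12 23:02:11,576,ANONYMOUS LOGON,UNKNOWNPC
2003-06-12 23:02:15,538,ANONYMOUS LOGON,
2003-06-12 23:10:00,538,jsmith,WKSTN07
"""

KNOWN_HOSTS = {"FILESRV1", "WKSTN07"}   # machines on your own network (assumed)
WATCHED_EVENTS = {"538", "576"}          # the two event IDs from the question


def triage_anonymous(export_text, known_hosts=KNOWN_HOSTS):
    """Count ANONYMOUS LOGON events per source workstation.

    Returns (expected, review): events from known hosts, and events from
    unknown or blank workstations that deserve a closer look.
    """
    known = {h.upper() for h in known_hosts}
    expected, review = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["event_id"] not in WATCHED_EVENTS:
            continue
        if row["user"].strip().upper() != "ANONYMOUS LOGON":
            continue
        # A missing workstation name cannot be matched to a known host,
        # so it is reported for review rather than silently dropped.
        host = (row["workstation"] or "").strip().upper() or "(blank)"
        (expected if host in known else review)[host] += 1
    return dict(expected), dict(review)


if __name__ == "__main__":
    expected, review = triage_anonymous(SAMPLE_EXPORT)
    print("From known hosts:", expected)
    print("Needs review:    ", review)
```
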


