Re: Anonymous Logons

From: Steven L Umbach (n9rou_at_nsattbi.com)
Date: 06/17/03


Date: Tue, 17 Jun 2003 21:08:34 GMT

Anonymous logon is used by computers in the network for such things as maintaining the browse list and non-Kerberos domain trusts. It can be exploited though, and if you see a large amount of failures for audit logon events then that may be the case. The greatest danger of the anonymous logon is if it is exploited outside of your network - particularly the internet where you would probably see strange/unknown workstations/domains in the audit failures. A null session can be used to extract much information from your network including user and group names. A properly configured firewall should prevent such attacks. See links to further information and a tool that can be used to exploit null sessions. --- Steve

http://www.sans.org/rr/paper.php?id=286 -- SANS article on null sessions.
http://support.microsoft.com/?kbid=246261 -- Limit Anonymous connections.
http://www.somarsoft.com/ -- Free DumpSec tool.
http://scan.sygatetech.com/ -- Scan your firewall. Any NetBIOS/445 ports open?
  "Jeff" <jeff_dawn_roth@hotmail.com> wrote in message news:OJLge2QNDHA.4024@tk2msftngp13.phx.gbl...
  My server's security log has several entries for an anonymous logon. Can anyone tell me how I can stop these logons, or what exactly they are? I have included the text from the security below.
   
  Thank you
   
  Event Type: Success Audit
  Event Source: Security
  Event Category: Logon/Logoff
  Event ID: 538
  Date: 6/17/2003
  Time: 11:27:29 AM
  User: NT AUTHORITY\ANONYMOUS LOGON
  Computer: MYSEVER
  Description:
  User Logoff:
    User Name: ANONYMOUS LOGON
    Domain: NT AUTHORITY
    Logon ID: (0x0,0x5672ED9)
    Logon Type: 3
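
A log review of the kind the reply describes, as an added example that is not part of the original thread: it parses security events exported as text in the "Key: Value" layout of the quoted event, counts anonymous logon events, and tallies failure audits whose workstation or domain is not in a known inventory. It assumes failure records carry a "Workstation Name:" field (as Windows 2000 event 529 does); every name except MYSEVER, the inventory sets, and the sample records are constructed.

```python
from collections import Counter

def record(etype, eid, user, domain, wks=None):
    """Build one constructed record in the 'Key: Value' layout of the post."""
    lines = [f"Event Type: {etype}", f"Event ID: {eid}", "Computer: MYSEVER",
             f"User Name: {user}", f"Domain: {domain}", "Logon Type: 3"]
    if wks:  # assumption: failure records carry a 'Workstation Name:' field
        lines.append(f"Workstation Name: {wks}")
    return "\n".join(lines) + "\n\n"

# Constructed sample log: one anonymous logoff as in the post, three failures
# from a machine nobody recognises, one failure from a known desktop.
SAMPLE = (record("Success Audit", 538, "ANONYMOUS LOGON", "NT AUTHORITY")
          + record("Failure Audit", 529, "administrator", "WORKGROUP", "UNKNOWN-PC") * 3
          + record("Failure Audit", 529, "user1", "MYDOMAIN", "DESK01"))
KNOWN_WORKSTATIONS = {"MYSEVER", "DESK01"}   # hypothetical inventory
KNOWN_DOMAINS = {"MYDOMAIN", "NT AUTHORITY"}

def parse_events(text):
    """Split exported log text into dicts; a record starts at 'Event Type:'."""
    events = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # blank line or free text without a field name
        if key == "Event Type":
            events.append({})
        if events:
            events[-1][key] = value.strip()
    return events

def review(events, workstations, domains):
    """Return (anonymous logon event count, failures per unknown source)."""
    anon = sum(e.get("User Name") == "ANONYMOUS LOGON" for e in events)
    unknown = Counter()
    for e in events:
        if e.get("Event Type") != "Failure Audit":
            continue
        wks, dom = e.get("Workstation Name", "").upper(), e.get("Domain", "").upper()
        if wks not in workstations or dom not in domains:
            unknown[(wks, dom)] += 1
    return anon, unknown

if __name__ == "__main__":
    anon, unknown = review(parse_events(SAMPLE), KNOWN_WORKSTATIONS, KNOWN_DOMAINS)
    print(f"anonymous logon events: {anon}")
    for (wks, dom), n in unknown.most_common():
        print(f"{n} failed logons from workstation {wks!r}, domain {dom!r}")
```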
   


