Re: Webserver Security Logs

From: SWE (none_at_none)
Date: 06/19/03 

Date: Thu, 19 Jun 2003 10:45:20 -0400

delayed response, here but just wanted to share in case someone else has the
same problem.

i turned off file & print sharing as suggested and that did it. left it over
the weekend to see what kind of log entries, and no ANONYMOUS ones anymore.
thanks a bunch.

"Steven L Umbach" <n9rou@attbi.com> wrote in message
news:8iaGa.967656$Zo.219878@sccrnsc03...
         It may be normal for some of those events to show up - usually
NT/Authority type I believe. The browser service and other network services
use null sessions to communicate between computers. There should be a
workstation name associated with the event I believe. If workstation is one
on your network I would not be too concerned. However if this computer can
be accessed from the internet, then somebody may be using null sessions to
try to enumerate users/groups if there is no or an improperly configured
firewall. You could [and should] disable file and print sharing on the
webserver, if you have it running and I believe those events will go away.
You may also consider changing the security option for additional
restrictions for anonymous connections to "no access without explicit
anonymous permissions" if it will not interfere with functionality. You can
read more about that in the free Windows 2000 Security Hardening Guide.
Microsoft also has the free IIS Lockdown Tool and Urlscan Security Tool
available at their website. --- Steve

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
prodtech/windows/win2khg/default.asp
http://support.microsoft.com/?kbid=246261
http://scan.sygatetech.com/ -- Basic firewall test.

"SWE" <none@none> wrote in message
news:017601c330f8$650624f0$a101280a@phx.gbl...
> I recently setup a webserver for my company but have yet
> to host any sites on it - still in the testing phase. I've
> noticed a lot of entries in the security log for:
>
> Logon/Logoff 538 ANONYMOUS LOGON
> Privilege Use 576 ANONYMOUS LOGON
>
> If nobody that we know of is accessing the webserver, are
> these entries something that we should be concerned about.
> We already had a problem with somebody hacking into the
> server and dumping a lot of their files on there. We have
> since resolved that issue, but want to make sure that
> these security entries aren't cause for concern before we
> go live.
>
> I look forward to your feedback.

Relevant Pages

  • Re: Webserver Security Logs
    ... > webserver, if you have it running and I believe those events will go away. ... > read more about that in the free Windows 2000 Security Hardening Guide. ... > Microsoft also has the free IIS Lockdown Tool and Urlscan Security Tool ... >> these entries something that we should be concerned about. ...
    (microsoft.public.win2000.security)
  • Re: Gallery 1.3.3
    ... I am forwarding this response from the Author of Gallery who posted ... Recently there was a post on BugTraq, that referred to a security hole ... was refers to is the fact that on a shared webserver it's possible for ... webserver is managing data for you via a web interface and your ISP ...
    (Bugtraq)
  • Security Help Question.
    ... Subject: Security Help Question. ... remote webserver I administer. ... Some of the people on the server run the scripts such as Postnuke.. ...
    (Security-Basics)
  • Re: Audit Object Access
    ... object access can generate a lot of entries because W2K will do auto ... security policy for the effective setting under security options for "audit ... > Object Server: Security ...
    (microsoft.public.win2000.security)
  • Re: Deleting a Registry Entry
    ... Errare Humanum Est ... Security Tips for Everyone, from PC Magazine ... cleanout unneeded registry entries. ...
    (microsoft.public.windowsxp.help_and_support)