Re: NtLmSsp -- Login

From: Steven Umbach [MVP] (n9rou_at_comcast.com)
Date: 07/13/03


Date: Sun, 13 Jul 2003 00:51:22 GMT


The anonymous logon/null session is used by Windows operating
system for communications among computers on a network for a variety of
reasons including browser list communications, certain RRAS processes, and
downlevel clients for password changes. As long as you have a properly
configured firewall that also blocks NetBIOS and 445 ports to the internet
these events should not be of any great concern - go to
http://scan.sygatetech.com/ to check. However, if you see a large number of
failed audits from known user accounts, then somebody may have used a null
session to enumerate your users and groups - possibly from your LAN. Logon
type three is a network logon. --- Steve

http://is-it-true.org/nt/atips/atips155.shtml -- Logon event ID
explanations.
http://support.microsoft.com/?kbid=246261 -- Describes some anonymous
account uses.
http://www.somarsoft.com/ --- Dumpsec tool that can exploit null sessions.

"Greg" <greg_68@hotmail.com> wrote in message
news:#5F#WpMSDHA.2128@TK2MSFTNGP12.phx.gbl...
> I was looking through the security section of the event viewer and found a
> login and was hoping someone could tell me how the login was done (remote
> login or local login):
>
> Successful Network Logon:
> User Name:
> Domain:
> Logon ID: (0x0,0xA3B6)
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name:
> Logon GUID: -
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transitted Services: -
> Source Network Address: -
> Source Port: -
>
> The event viewer title for this event shows Anonymous login. What login
> process is NtLmSsp?
>
> Thanks.
>
>
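
The triage described in the reply above, as an added example that is not part of the original thread: it separates anonymous NtLmSsp network logons from failed audits against known accounts. The "Logon Failure" records, the account names, the `triage` helper and the threshold of 5 are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample records in the layout quoted in this thread.
# Account/workstation names and the "Logon Failure" records are made up.
ANON = """Successful Network Logon:
User Name:
Domain:
Logon Type: 3
Logon Process: NtLmSsp
Workstation Name:
"""
FAIL = """Logon Failure:
Reason: Unknown user name or bad password
User Name: {user}
Domain: EXAMPLE
Logon Type: 3
Logon Process: NtLmSsp
Workstation Name: WKSTN-07
"""
USERS = ["alice"] * 6 + ["bob"] * 2 + ["ghost"] * 9
SAMPLE = "\n".join([ANON, ANON] + [FAIL.format(user=u) for u in USERS])

def parse_events(text):
    """Split on blank lines; line 1 is the event title, the rest 'Key: value'."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        event = {"Title": lines[0].rstrip(":")}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            event[key.strip()] = value.strip()
        events.append(event)
    return events

def triage(text, known_accounts, threshold=5):
    """Return (anonymous network logon count, {known account: failed audits})."""
    anonymous, failures = 0, Counter()
    for ev in parse_events(text):
        user = ev.get("User Name", "").lower()
        if (ev["Title"] == "Successful Network Logon"
                and ev.get("Logon Type") == "3"
                and ev.get("Logon Process") == "NtLmSsp"
                and user in ("", "-")):
            anonymous += 1          # expected null-session traffic
        elif ev["Title"] == "Logon Failure" and user in known_accounts:
            failures[user] += 1     # failed audit against a real account
    flagged = {u: n for u, n in failures.items() if n >= threshold}
    return anonymous, flagged
```

Failures for names that are not real accounts are left out of the count on purpose, since the signal described above is failed audits from known user accounts.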


