Re: NtLmSsp -- Login

From: Greg (greg_68_at_hotmail.com)
Date: 07/13/03 

Date: Sat, 12 Jul 2003 18:52:17 -0700

Thanks for the info. I know port 445 is blocked by the firewall, not sure
about netbios... I'll have to look into that.

Greg

"Steven Umbach [MVP]" <n9rou@comcast.com> wrote in message
news:e22Qa.44975$sY2.20242@rwcrnsc51.ops.asp.att.net...
> The anonymous logon/null sesssion is used by Windows operating
> system for communications among computers on a network for a variety of
> reasons including browser list communications, certain rras processes, and
> downlevel clients for password changes. As long as you have a properly
> configured firewall that also blocks netbios and 445 ports to the internet
> these events should not be of any great concern - go to
> http://scan.sygatetech.com/ to check.However if you see a large number of
> failed audits from known user accounts, then somebody may have used a null
> session to enumerate your users and groups - possibly from your lan. Logon
> type three is a network logon. --- Steve
>
> http://is-it-true.org/nt/atips/atips155.shtml -- Logon event ID
> explanations.
> http://support.microsoft.com/?kbid=246261 -- Describes some anonymous
> account uses.
> http://www.somarsoft.com/ --- Dumpsec tool that can expolit null session.
>
> "Greg" <greg_68@hotmail.com> wrote in message
> news:#5F#WpMSDHA.2128@TK2MSFTNGP12.phx.gbl...
> > I was looking through the security section of the event viewer and found
a
> > login and was hoping someone could tell me how the login was done
(remote
> > login or local login).:
> >
> > Successful Network Logon:
> > User Name:
> > Domain:
> > Logon ID: (0x0,0xA3B6)
> > Logon Type: 3
> > Logon Process: NtLmSsp
> > Authentication Package: NTLM
> > Workstation Name:
> > Logon GUID: -
> > Caller User Name: -
> > Caller Domain: -
> > Caller Logon ID: -
> > Caller Process ID: -
> > Transitted Services: -
> > Source Network Address: -
> > Source Port: -
> >
> > The event viewer title for this event shows Anonymous login. What login
> > process is NtLmSsp?
> >
> > Thanks.
> >
> >
>
>

Relevant Pages

  • Re: hacking attempts acting as denial of service for vpn users
    ... Check your firewall logs and rules for TCP and UDP 135 ... Other companies run VPN without running into ... authenticate to or get netbios traffic to or from your domain controllers. ... >> If you have a VPN connection for the users to login with, ...
    (microsoft.public.win2000.security)
  • Re: Blue Screen - Can not login to system
    ... to the desktop since I'm not able to login at all per my post details. ... message I shared in my post is when I am attempting to do a repair ... > I suggest you Disable automatic restart on system failure. ... > You can access Event Viewer by selecting Start, Administrative Tools, ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: Windows Firewall Invisible
    ... Internet Connection Sharing" service. ... Event viewer - info, warning or errors. ... to just install the Firewall part of SP2, ... I found the Firewall control to be invisible. ...
    (microsoft.public.windowsxp.general)
  • Re: Blue Screen - Can not login to system
    ... Can you access using the recovery console and use System Restore to take you ... > to the desktop since I'm not able to login at all per my post details. ... >> I suggest you Disable automatic restart on system failure. ... >> You can access Event Viewer by selecting Start, Administrative Tools, ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: Netbios over Sonicwall tz170 VPN Connection
    ... >have been having trouble getting to mapped drives via Netbios name. ... >change login scripts to map to IP addresses instead of netbios names ... >the clients laptops I login to Windows using cached domain credentials ...
    (comp.security.firewalls)