Re: anonymous logon
From: Steven Umbach (n9rou_at_n0spam-comcast.net)
Date: 02/09/04
- Next message: Steven Umbach: "Re: Local security Lockout."
- Previous message: Steven Umbach: "Re: Tracking Down A Sender. Virus? Trojan?"
- In reply to: Sandy: "anonymous logon"
- Next in thread: Sandy Ryan: "Re: anonymous logon"
- Reply: Sandy Ryan: "Re: anonymous logon"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 09 Feb 2004 00:47:56 GMT
These may be normal and are "null" sessions used by Windows networking for
various processes such as maintaining the browse list [you can try to create one
by using net use \\servername\ipc$ """" /u:"" ]. They can be exploited from
untrusted networks to try to enumerate user/group info on the computer which
would be indicated by a large number of failed logon attempts using non default
user names. To protect yourself, a properly configured firewall is needed. If
you have file and print sharing enabled on your server make sure it is disabled
on the external/public nic or better yet uninstall it from the server if it is
not needed to offer shares or remotely manage the computer via Computer
Management. If this is also not a domain controller, you may try configuring the
security option in Local Security Policy for additional restrictions for
anonymous connections to be "no access without explicit anonymous permissions".
In addition, if you have not done so it would be a good idea to run Microsoft
Baseline Security Analyzer on your server and the highly recommended IISLockdown
tool, but only after backing up the server and IIS configuration using the IIS
Management Console/servername/action/backup & restore configuration since if you
do not pay close attention, wanted virtual directories may be deleted during the
process. --- Steve
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/iis/DEFAULT.asp
"Sandy" <anonymous@discussions.microsoft.com> wrote in message
news:cb6301c3ee7b$f20ad490$a001280a@phx.gbl...
> I'm getting a lot of these messages on my webserver ---
> the guest account is disabled but obviously IUSR_, IWAM_
> is enabled..
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 538
> Date: 2/8/2004
> Time: 12:44:08 PM
> User: NT AUTHORITY\ANONYMOUS LOGON
> Computer: NS4
> Description:
> User Logoff:
> User Name: ANONYMOUS LOGON
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x1895F3E)
> Logon Type: 3
>
>
> Any insight would be appreciated - as this is VERY
> unnerving
> Thanks
- Next message: Steven Umbach: "Re: Local security Lockout."
- Previous message: Steven Umbach: "Re: Tracking Down A Sender. Virus? Trojan?"
- In reply to: Sandy: "anonymous logon"
- Next in thread: Sandy Ryan: "Re: anonymous logon"
- Reply: Sandy Ryan: "Re: anonymous logon"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
