Re: anonymous logon

From: Steven Umbach (n9rou_at_n0spam-comcast.net)
Date: 02/09/04


Date: Mon, 09 Feb 2004 00:47:56 GMT

These may be normal and are "null" sessions used by Windows networking for
various processes such as maintaining the browse list [you can try to create one
by using net use \\servername\ipc$ """" /u:"" ]. They can be exploited from
untrusted networks to try to enumerate user/group info on the computer, which
would be indicated by a large number of failed logon attempts using non-default
user names. To protect yourself, a properly configured firewall is needed. If
you have file and print sharing enabled on your server, make sure it is disabled
on the external/public NIC or, better yet, uninstall it from the server if it is
not needed to offer shares or remotely manage the computer via Computer
Management. If this is also not a domain controller, you may try configuring the
security option in Local Security Policy for additional restrictions for
anonymous connections to be "no access without explicit anonymous permissions".
In addition, if you have not done so, it would be a good idea to run Microsoft
Baseline Security Analyzer on your server and the highly recommended IISLockdown
tool, but only after backing up the server and IIS configuration using the IIS
Management Console/servername/action/backup & restore configuration, since if you
do not pay close attention, wanted virtual directories may be deleted during the
process. --- Steve

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/iis/DEFAULT.asp

"Sandy" <anonymous@discussions.microsoft.com> wrote in message
news:cb6301c3ee7b$f20ad490$a001280a@phx.gbl...
> I'm getting a lot of these messages on my webserver ---
> the guest account is disabled but obviously IUSR_, IWAM_
> are enabled..
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 538
> Date: 2/8/2004
> Time: 12:44:08 PM
> User: NT AUTHORITY\ANONYMOUS LOGON
> Computer: NS4
> Description:
> User Logoff:
> User Name: ANONYMOUS LOGON
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x1895F3E)
> Logon Type: 3
>
>
> Any insight would be appreciated - as this is VERY
> unnerving
> Thanks
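
One way to triage an exported Security log along the lines of the reply above (an added example, not part of the original thread): count anonymous type 3 logon/logoff events as null-session noise and flag sources that produce failed logons against many non-default user names. The CSV layout, host names, threshold and default-name list are assumptions; event IDs 529 and 540 are the Windows 2000/2003 failed-logon and network-logon IDs and do not appear in the post.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (event_id,logon_type,user,workstation); not real log data.
SAMPLE = """\
538,3,ANONYMOUS LOGON,
540,3,ANONYMOUS LOGON,
529,3,admin,SCANBOX
529,3,backup,SCANBOX
529,3,test,SCANBOX
529,3,oracle,SCANBOX
529,3,sql,SCANBOX
529,3,Administrator,OFFICE-PC
538,3,ANONYMOUS LOGON,
"""

FAILED_LOGON = {"529"}         # unknown user name or bad password (Windows 2000/2003)
NULL_SESSION = {"538", "540"}  # logoff / successful network logon
# Assumption: names that exist on the server; extend with its real local accounts.
DEFAULT_NAMES = {"administrator", "guest"}


def triage(log_text, min_names=5):
    """Return (anonymous_event_count, {workstation: sorted non-default names tried}).

    Only workstations with at least min_names distinct non-default user names
    in failed network logons are reported (threshold is an assumption).
    """
    anonymous_events = 0
    tried = defaultdict(set)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        event_id, logon_type, user, workstation = (f.strip() for f in row)
        if logon_type != "3":
            continue  # only network logons are relevant to null sessions
        if event_id in NULL_SESSION and user.upper() == "ANONYMOUS LOGON":
            anonymous_events += 1
        elif event_id in FAILED_LOGON and user.lower() not in DEFAULT_NAMES:
            tried[workstation or "(unknown)"].add(user.lower())
    suspects = {ws: sorted(n) for ws, n in tried.items() if len(n) >= min_names}
    return anonymous_events, suspects


if __name__ == "__main__":
    print(triage(SAMPLE))
```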


