Re: anonymous logon

From: Steven L Umbach (n9rou_at_nscomcast.net)
Date: 02/09/04


Date: Mon, 09 Feb 2004 18:57:02 GMT

Hi Sandy.

I do not normally audit object access, but my understanding is that yes
these events may be normal particularly on a domain controller where for
instance when a user changes their password an anonymous lookup to the sam
may be used. If this is not a domain controller, I don't know how many of
these events you should see. It looks like this computer may be a dns
server, and if it is you may also want to inquire on the win2000.dns or
win2000.active_directory newsgroups to see if they can offer more on the
subject there. I tend to think that these should not be much of a concern
unless you see a lot of logon failures, particularly in rapid fashion. ---
Steve

"Sandy Ryan" <sryan@seewolf.com> wrote in message
news:usBu0tw7DHA.3704@tk2msftngp13.phx.gbl...
> Thanks Steve - is it also common for anonymous logon to have a lot of these
> events...
> Event Type: Success Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 562
> Date: 2/9/2004
> Time: 5:21:02 AM
> User: NT AUTHORITY\ANONYMOUS LOGON
> Computer: NS4
> Description:
> Handle Closed:
> Object Server: Security Account Manager
> Handle ID: 21144872
> Process ID: 268
>
> or this
> Event Type: Success Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 562
> Date: 2/9/2004
> Time: 5:21:02 AM
> User: NT AUTHORITY\ANONYMOUS LOGON
> Computer: NS4
> Description:
> Handle Closed:
> Object Server: Security Account Manager
> Handle ID: 21144872
> Process ID: 268
>
>
> Thanks Sandy
>
> "Steven Umbach" <n9rou@n0spam-comcast.net> wrote in message
> news:0NAVb.256585$na.417032@attbi_s04...
> > These may be normal and are "null" sessions used by Windows networking for
> > various processes such as maintaining the browse list [you can try to create one
> > by using net use \\servername\ipc$ """" /u:"" ]. They can be exploited from
> > untrusted networks to try to enumerate user/group info on the computer which
> > would be indicated by a large number of failed logon attempts using non default
> > user names. To protect yourself, a properly configured firewall is needed. If
> > you have file and print sharing enabled on your server make sure it is disabled
> > on the external/public nic or better yet uninstall it from the server if it is
> > not needed to offer shares or remotely manage the computer via Computer
> > Management. If this is also not a domain controller, you may try configuring the
> > security option in Local Security Policy for additional restrictions for
> > anonymous connections to be "no access without explicit anonymous permissions".
> > In addition, if you have not done so it would be a good idea to run Microsoft
> > Baseline Security Analyzer on your server and the highly recommended IISLockdown
> > tool, but only after backing up the server and IIS configuration using the IIS
> > Management Console/servername/action/backup & restore configuration since if you
> > do not pay close attention, wanted virtual directories may be deleted during the
> > process. --- Steve
> >
> > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp
> > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/iis/DEFAULT.asp
> >
> > "Sandy" <anonymous@discussions.microsoft.com> wrote in message
> > news:cb6301c3ee7b$f20ad490$a001280a@phx.gbl...
> > > I'm getting a lot of these messages on my webserver ---
> > > the guest account is disabled but obviously IUSR_, IWAM_
> > > is enabled..
> > >
> > > Event Type: Success Audit
> > > Event Source: Security
> > > Event Category: Logon/Logoff
> > > Event ID: 538
> > > Date: 2/8/2004
> > > Time: 12:44:08 PM
> > > User: NT AUTHORITY\ANONYMOUS LOGON
> > > Computer: NS4
> > > Description:
> > > User Logoff:
> > > User Name: ANONYMOUS LOGON
> > > Domain: NT AUTHORITY
> > > Logon ID: (0x0,0x1895F3E)
> > > Logon Type: 3
> > >
> > >
> > > Any insight would be appreciated - as this is VERY
> > > unnerving
> > > Thanks
> >
> >
>
>
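
Added example (not part of the original posts): a triage sketch for the thread's rule of thumb that anonymous success audits matter less than many logon failures in rapid succession. It parses Security log text in the layout quoted above; the function names, the 60-second window, the threshold of 5 and the Event ID 529 failure records are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: two success audits laid out like those quoted in the thread, then six constructed failures.
SAMPLE = """Event Type: Success Audit
Event ID: 538
Date: 2/8/2004
Time: 12:44:08 PM
User: NT AUTHORITY\\ANONYMOUS LOGON
Event Type: Success Audit
Event ID: 562
Date: 2/9/2004
Time: 5:21:02 AM
User: NT AUTHORITY\\ANONYMOUS LOGON
""" + "".join(
    "Event Type: Failure Audit\nEvent Category: Logon/Logoff\nEvent ID: 529\n"
    f"Date: 2/9/2004\nTime: 5:21:0{n} AM\nUser: NT AUTHORITY\\SYSTEM\n"
    f"Description:\nLogon Failure:\nUser Name: user{n}\nLogon Type: 3\n"
    for n in range(6))

def parse_events(text):
    """Split an event-viewer text dump into one dict of fields per event."""
    events = []
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        fields = dict(re.findall(r"(?m)^[ \t]*([A-Za-z ]+?):[ \t]*(\S.*)$", block))
        if "Event ID" in fields:
            fields["when"] = datetime.strptime(
                f"{fields['Date']} {fields['Time']}", "%m/%d/%Y %I:%M:%S %p")
            events.append(fields)
    return events

def anonymous_summary(events):
    """Count events attributed to ANONYMOUS LOGON per (Event ID, Event Type)."""
    return Counter((e["Event ID"], e["Event Type"]) for e in events
                   if e.get("User", "").endswith("ANONYMOUS LOGON"))

def failure_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Return (first, last, count, distinct names) per burst of Failure Audits."""
    fails = [e for e in events if e["Event Type"] == "Failure Audit"]
    fails.sort(key=lambda e: e["when"])
    bursts, i = [], 0
    while i < len(fails):
        run = [e for e in fails[i:] if e["when"] - fails[i]["when"] <= window]
        if len(run) >= threshold:
            names = {e.get("User Name", "?") for e in run}
            bursts.append((run[0]["when"], run[-1]["when"], len(run), len(names)))
        i += len(run) if len(run) >= threshold else 1
    return bursts
```

A burst with many distinct names in a short window is the pattern the earlier reply describes as enumeration from an untrusted network; a steady trickle of 538/562 success audits for ANONYMOUS LOGON only shows up in the summary.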


