Re: Event 538 with no corresponding logon

From: Steven Umbach (n9rou_at_n0spam-comcast.net)
Date: 07/01/04


Date: Thu, 01 Jul 2004 18:03:12 GMT

I don't really know but I notice when using Ethereal to capture packet traffic
that a lot of times null sessions are used by the computer browser service.
Maybe your computer became a master browser suddenly?? You can use nbtstat -n to
see if it is. You could try using Ethereal to try and see what kind of traffic
is causing such activity [what ports, etc]. You could correlate the Ethereal
capture with the security log by time to narrow down the search and maybe use a
filter if you know what computer or computers are initiating those null
sessions. --- Steve

"Michael" <nospam@nospam.no> wrote in message
news:eybLw90XEHA.3664@TK2MSFTNGP12.phx.gbl...
> Hi all,
>
> I know that this has come up in some past threads, but I can't find them and
> this is the first time I have ever seen this problem. I have 2 Windows 2000 Server
> member servers that are running Terminal Services and Citrix MetaFrame. They
> both have RestrictAnonymous set to 2 (I just verified it). They were
> installed in December of last year and have been running fine until a couple
> of days ago. Now all of a sudden the security logs are being filled with
> Event 538 ANONYMOUS LOGON from NT AUTHORITY of type 3 and there is no
> corresponding logon for any of the events. I've been searching on KB,
> EventID.net and everywhere else, and in NO place does it actually explain
> why this occurs, only that it occurs. The comments on EventID.net only
> allude to the fact that this event can "happen" with no associated logon,
> but don't actually explain why or how to stop it. Another site brings up
> this problem along with another one, but then only goes into detail on the
> other problem.
>
> By the way, the only thing we changed on these systems in the last couple of
> days was move them to a switch from a hub, and change all the network cards
> and switch ports to 100/full duplex. These events seem to have started right
> after this change.
>
> Can anyone shed some light on this?
>
> Thanks in advance.
>
> Michael S.
>
>
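
The time correlation suggested in the reply, as an added example that is not part of the original posts: it matches anonymous type 3 event 538 entries against a capture summary and counts which sources were talking to the server near each event. The two CSV layouts, the sample rows, the addresses and the 5-second window are all constructed assumptions; real exports from the event log and from the capture tool would need to be reshaped to fit.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not from the original thread).
# Security-log rows exported as: timestamp, event ID, user, logon type.
SECURITY_LOG = """\
2004-07-01 10:15:02,538,ANONYMOUS LOGON,3
2004-07-01 10:15:40,538,ANONYMOUS LOGON,3
2004-07-01 10:16:05,538,jsmith,2
2004-07-01 10:27:14,538,ANONYMOUS LOGON,3
"""
# Capture summary rows: timestamp, source IP, protocol, destination port.
CAPTURE = """\
2004-07-01 10:15:01,192.0.2.21,tcp,139
2004-07-01 10:15:39,192.0.2.21,tcp,139
2004-07-01 10:15:55,192.0.2.40,tcp,3389
2004-07-01 10:27:13,192.0.2.33,tcp,445
2004-07-01 10:40:00,192.0.2.21,udp,138
"""
FMT = "%Y-%m-%d %H:%M:%S"

def parse(text):
    """Turn CSV text into tuples whose first field is a datetime."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, *rest = line.split(",")
            rows.append((datetime.strptime(ts, FMT), *rest))
    return rows

def correlate(log_text, capture_text, window_s=5):
    """Count, per (source IP, proto, port), how many anonymous type 3
    event 538 entries had traffic from it within window_s seconds.
    Events with no nearby traffic are returned too (check clock skew)."""
    window = timedelta(seconds=window_s)
    packets = parse(capture_text)
    hits, unmatched = Counter(), []
    for ts, event_id, user, logon_type in parse(log_text):
        if (event_id, user, logon_type) != ("538", "ANONYMOUS LOGON", "3"):
            continue
        near = {(ip, proto, port) for pts, ip, proto, port in packets
                if abs(pts - ts) <= window}
        if not near:
            unmatched.append(ts)
        hits.update(near)
    return hits, unmatched

if __name__ == "__main__":
    hits, unmatched = correlate(SECURITY_LOG, CAPTURE)
    for (ip, proto, port), n in hits.most_common():
        print(f"{ip} {proto}/{port}: near {n} anonymous 538 event(s)")
    print("events with no nearby traffic:", unmatched)
```

The sources at the top of the count are the ones to use as a capture filter; a long `unmatched` list usually means the server clock and the capture clock disagree and the window needs widening.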

