Re: Event ID 538 Logon Type 3 NT AUTHORITY/ANONYMOUS LOGON
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 03/12/05
- Next message: Steven L Umbach: "Re: Setting up new users"
- Previous message: Steven L Umbach: "Re: IP Address change"
- In reply to: /.dz: "Event ID 538 Logon Type 3 NT AUTHORITY/ANONYMOUS LOGON"
- Next in thread: /.dz: "Re: Event ID 538 Logon Type 3 NT AUTHORITY/ANONYMOUS LOGON"
- Reply: /.dz: "Re: Event ID 538 Logon Type 3 NT AUTHORITY/ANONYMOUS LOGON"
Date: Fri, 11 Mar 2005 21:42:55 -0600
It is common to see those Events on computers using Windows networking and
that have file and print sharing and Client for Microsoft networks enabled.
Those often are null sessions used by the computer browser service. While
null sessions can be used to enumerate users, groups, and shares you can
mitigate the risk by using a firewall to prevent internet access to null
sessions, enforcing strong passwords on your network, and making sure your
share/folder permissions only allow authorized users access.
There are things you can do to reduce their occurrence as long as the
changes do not interfere with your network access for users. For instance,
disabling netbios over tcp/ip, disabling the computer browser service, and
configuring the security option for "additional restrictions for anonymous
access" to be "no access without explicit anonymous permissions". If you
disable netbios over tcp/ip on a computer it will no longer show in or be
able to use My Network Places but access to shares can still be done via
fully qualified domain name or possibly even netbios name as long as dns can
resolve the non FQDN by appending parent suffix to the request. The link
below explains anonymous access more and the security option to restrict it
along with possible consequences of doing such. --- Steve
http://support.microsoft.com/?kbid=246261
"/.dz" </.dz@discussions.microsoft.com> wrote in message
news:480AE832-9FE3-4740-A265-6F6CA5A898FD@microsoft.com...
> The security event log on our W2K, SP4 server has hundreds of the above
> messages in it. There are no associated 'logon' events, just the 'logoff'
> events.
>
> File and Print sharing is enabled on this server.
>
> There are several published file shares (all hidden); and there are
> individuals who are authorized to use those shares. The security log does
> contain 540/538 'pairs' that reflect the credentials of these known users
> (user/domain). (These are also 'Logon Type 3') But the number of 538 NT
> AUTHORITY/ANONYMOUS LOGON events absolutely dwarfs the number of "known
> user" logon/logoff events.
>
> The server itself is not a domain controller. It was until recently a
> member of a NT domain, and now is under AD (I don't know how to state that
> with any accuracy). 'Known user' logon/logoff events are present for both
> the 'older' NT domain, and the newer 'AD' whatever).
>
> I've scoured newsgroups and the MS web site without any luck whatsoever.
> Any feedback would be greatly appreciated.
>
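Added example, not part of the original thread: a small triage script that tallies Logon Type 3 events 540/538 per account and pairs them by logon ID, so the proportion of anonymous (null session) logoffs described above can be measured. The CSV column layout, the sample rows and the function names are assumptions constructed for this example, not a native Windows export format.

```python
import csv
import io
from collections import Counter, defaultdict

ANON = "NT AUTHORITY\\ANONYMOUS LOGON"

# Constructed sample data; the column layout is assumed for this example.
SAMPLE = """event_id,domain,user,logon_type,logon_id
540,CORP,jsmith,3,0x1A2B0
538,CORP,jsmith,3,0x1A2B0
538,NT AUTHORITY,ANONYMOUS LOGON,3,0x2F010
538,NT AUTHORITY,ANONYMOUS LOGON,3,0x2F0A4
540,OLDDOM,mlee,3,0x30C11
538,NT AUTHORITY,ANONYMOUS LOGON,3,0x31D20
538,OLDDOM,mlee,3,0x30C11
540,CORP,jsmith,2,0x40000
"""

def summarize(text):
    """Count type 3 logon (540) and logoff (538) events per account,
    and count logoffs that have no matching logon for the same logon ID."""
    stats = defaultdict(Counter)
    open_sessions = set()
    for row in csv.DictReader(io.StringIO(text)):
        if row["logon_type"] != "3":
            continue  # only network logons are relevant here
        account = row["domain"] + "\\" + row["user"]
        session = (account, row["logon_id"])
        if row["event_id"] == "540":
            stats[account]["logon"] += 1
            open_sessions.add(session)
        elif row["event_id"] == "538":
            stats[account]["logoff"] += 1
            if session in open_sessions:
                open_sessions.remove(session)
            else:
                stats[account]["unpaired_logoff"] += 1
    return {acct: dict(counts) for acct, counts in stats.items()}

def anonymous_share(summary):
    """Fraction of all type 3 logoff events that belong to ANONYMOUS LOGON."""
    total = sum(s.get("logoff", 0) for s in summary.values())
    return summary.get(ANON, {}).get("logoff", 0) / total if total else 0.0

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for acct, counts in sorted(result.items()):
        print(acct, counts)
    print("anonymous share of logoffs:", anonymous_share(result))
```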