Re: Event ID 538 Logon Type 3 NT AUTHORITY/ANONYMOUS LOGON

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 03/17/05


Date: Thu, 17 Mar 2005 00:12:14 -0600

I am experiencing something different than you are [as shown below]. As
long as the security option for additional restrictions for anonymous access
is NOT set to "no access without explicit anonymous permissions" I am able to
create a null session. When I do have "no access without explicit anonymous
permissions" enabled I cannot create a null session and I simply get "System
error 5 has occurred - access is denied". Even when access was denied to my
null session an Event ID 538 is recorded in the security log of my server for
successful anonymous logoff, which indicates that these events may be
recorded even if a null session is denied. You might want to see if you have
any current sessions to your server before you try a null session with the
"net use" command and delete them if there are any and try again. I doubt
Client for Microsoft Networks enabled on your server is causing the null
sessions to be created to your server. If your server does not need to logon
to a domain or access shares/resources on other computers then you should be
able to disable it with no ill effect. A dedicated web server for instance
would not need to use Client for Microsoft Networks. --- Steve

D:\Documents and Settings\Steve>net use \\192.168.1.105\ipc$ "" /u:""
The command completed successfully.

D:\Documents and Settings\Steve>net use \\192.168.1.105\ipc$ "" /u:""
System error 5 has occurred.

Access is denied.

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 3/16/2005
Time: 11:56:16 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SERVER1-2000
Description:
User Logoff:
  User Name: ANONYMOUS LOGON
  Domain: NT AUTHORITY
  Logon ID: (0x0,0x2CFBA3)
  Logon Type: 3

"/.dz" <dz@discussions.microsoft.com> wrote in message
news:1D63D35D-431D-4A78-83BD-AE4A2E8EE0D1@microsoft.com...
> Steve:
> First thanks very much for the response. I've noticed that your name is on
> a lot of the responses in this forum and I appreciate the help as much as
> I'm sure the other people do as well.
>
> So anytime you get tired of this thread, it will probably die -- but I will
> continue to ask questions as long as you continue to respond.
>
> In your response, you mentioned 'null sessions'. In other articles I've
> read, there is a reference to using the statement [net use \\servername\ipc$
> """" /u:""] to check if null sessions are able to be created. When I
> attempted this statement from my workstation, targeting the 'servername'
> being discussed in this posting, I received the "Logon failure: unknown user
> name or bad password" message at the workstation, and the server logged an
> event 529 Logon failure, explicitly indicating my userid, workstation, and
> domain. From this info, I'm assuming that the 'null sessions' discussion
> does not apply to my situation. Is that a valid conclusion? Also, the
> Computer Browser service is disabled (and has been since installation) on
> the server. Am I also 'on-track' here in that these two items are directly
> related? (That is, 'null sessions' are enabled - i.e., required - for the
> Computer Browser service to function)
>
> I want to ask about the other items in your response as well, but to keep
> the dialog within reasonable bounds, I'm electing to go through it one item
> at a time --- starting (I think) with the most clearcut.
>
> Also in this thread, I need to ask about the 'Client for Microsoft Networks'.
> The server has this protocol enabled. Two further questions: a) This client
> is only necessary if the computer (the server in this case) wants to access
> other NETBIOS resources on the net; it is not required for other computers
> on the net to reach its (the server's) resources. Is this correct? b) the
> 'Client for Microsoft Networks' is not responsible for the 538 logout events
> mentioned in the original post?
>
> Any further dialog is greatly appreciated.
> ./dz
>
> "Steven L Umbach" wrote:
>
>> It is common to see those Events on computers using Windows networking and
>> that have file and print sharing and Client for Microsoft Networks enabled.
>> Those often are null sessions used by the computer browser service. While
>> null sessions can be used to enumerate users, groups, and shares you can
>> mitigate the risk by using a firewall to prevent internet access to null
>> sessions, enforcing strong passwords on your network, and making sure your
>> share/folder permissions only allow authorized users access.
>>
>> There are things you can do to reduce their occurrence as long as the
>> changes do not interfere with your network access for users. For instance
>> disabling netbios over tcp/ip, disabling the computer browser service, and
>> configuring the security option for "additional restrictions for anonymous
>> access" to be "no access without explicit anonymous permissions". If you
>> disable netbios over tcp/ip on a computer it will no longer show in or be
>> able to use My Network Places but access to shares can still be done via
>> fully qualified domain name or possibly even netbios name as long as dns can
>> resolve the non FQDN by appending parent suffix to the request. The link
>> below explains anonymous access more and the security option to restrict it
>> along with possible consequences of doing such. --- Steve
>>
>> http://support.microsoft.com/?kbid=246261
>>
>> "/.dz" </.dz@discussions.microsoft.com> wrote in message
>> news:480AE832-9FE3-4740-A265-6F6CA5A898FD@microsoft.com...
>> > The security event log on our W2K, SP4 server has hundreds of the above
>> > messages in it. There are no associated 'logon' events, just the 'logoff'
>> > events.
>> >
>> > File and Print sharing is enabled on this server.
>> >
>> > There are several published file shares (all hidden); and there are
>> > individuals who are authorized to use those shares. The security log does
>> > contain 540/538 'pairs' that reflect the credentials of these known users
>> > (user/domain). (These are also 'Logon Type 3') But the number of 538 NT
>> > AUTHORITY/ANONYMOUS LOGON events absolutely dwarfs the number of "known
>> > user" logon/logoff events.
>> >
>> > The server itself is not a domain controller. It was until recently a
>> > member of a NT domain, and now is under AD (I don't know how to state that
>> > with any accuracy). 'Known user' logon/logoff events are present for both
>> > the 'older' NT domain, and the newer 'AD' whatever.
>> >
>> > I've scoured newsgroups and the MS web site without any luck whatsoever.
>> > Any feedback would be greatly appreciated.
>> >
>> >
>>
>>
>>
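The pairing the original poster describes (known users show up as 540/538 pairs on the same Logon ID, ANONYMOUS LOGON shows up as lone 538 logoffs) can be checked mechanically over a Security log exported as text from Event Viewer. The script below is an added example written for this page; it is not code from any of the posts. It parses records in the text layout Steve pasted above, matches each 538 logoff to the 540 logon with the same Logon ID, and reports the logoffs that have no logon. The sample records are constructed to mimic that layout; the account names, times and Logon IDs are invented, and the 540 records omit the extra fields (Logon Process, Authentication Package, Workstation Name) a real export carries because the correlation does not need them.

```python
"""Pair Windows 2000 Security-log logon (540) and logoff (538) records by Logon ID.

Added example for this thread, not code from any of the posts. The sample
records are constructed to mimic the exported Event Viewer layout quoted in
the thread; accounts, times and Logon IDs are invented.
"""
import re
from collections import Counter

# Constructed record layout, trimmed to the fields the correlation uses.
RECORD_TEMPLATE = """\
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: {event_id}
Date: 3/16/2005
Time: {time}
User: {domain}\\{user}
Computer: SERVER1-2000
Description:
{heading}:
  User Name: {user}
  Domain: {domain}
  Logon ID: {logon_id}
  Logon Type: 3
"""


def make_record(event_id, time, domain, user, logon_id):
    """Render one constructed record in the exported text layout."""
    heading = "Successful Network Logon" if event_id == 540 else "User Logoff"
    return RECORD_TEMPLATE.format(event_id=event_id, time=time, domain=domain,
                                  user=user, logon_id=logon_id, heading=heading)


# Constructed sample (invented data): two named-user 540/538 pairs interleaved
# with three ANONYMOUS LOGON 538 records that have no 540 at all.
SAMPLE_LOG = "\n".join(make_record(*r) for r in [
    (540, "11:50:01 PM", "CORP", "jsmith", "(0x0,0x2CF001)"),
    (538, "11:52:30 PM", "CORP", "jsmith", "(0x0,0x2CF001)"),
    (540, "11:53:10 PM", "OLDNT", "mjones", "(0x0,0x2CF0A7)"),
    (538, "11:56:16 PM", "NT AUTHORITY", "ANONYMOUS LOGON", "(0x0,0x2CFBA3)"),
    (538, "11:57:02 PM", "OLDNT", "mjones", "(0x0,0x2CF0A7)"),
    (538, "11:58:44 PM", "NT AUTHORITY", "ANONYMOUS LOGON", "(0x0,0x2CFBB0)"),
    (538, "11:59:12 PM", "NT AUTHORITY", "ANONYMOUS LOGON", "(0x0,0x2CFBC9)"),
])

# One regex per field. "User Name:" is spelled out so the "User:" header line
# (same data in DOMAIN\name form) is not picked up by mistake.
FIELDS = {
    "event_id": re.compile(r"^Event ID:\s*(\d+)", re.M),
    "time": re.compile(r"^Time:\s*(.+?)\s*$", re.M),
    "user": re.compile(r"^\s*User Name:\s*(.+?)\s*$", re.M),
    "domain": re.compile(r"^\s*Domain:\s*(.+?)\s*$", re.M),
    "logon_id": re.compile(r"^\s*Logon ID:\s*(\([^)]*\))", re.M),
    "logon_type": re.compile(r"^\s*Logon Type:\s*(\d+)", re.M),
}


def parse_events(text):
    """Split exported log text on blank lines and extract the fields above."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for name, rx in FIELDS.items():
            m = rx.search(block)
            rec[name] = m.group(1) if m else None
        if rec["event_id"] is None:
            continue  # not a record in this layout; skip rather than guess
        rec["event_id"] = int(rec["event_id"])
        rec["logon_type"] = int(rec["logon_type"]) if rec["logon_type"] else None
        events.append(rec)
    return events


def account(ev):
    return f"{ev['domain']}\\{ev['user']}"


def correlate(events):
    """Match each 538 to the open 540 with the same Logon ID; lone 538s are orphans."""
    open_logons, paired, orphan_logoffs = {}, [], []
    for ev in events:
        if ev["event_id"] == 540:
            open_logons[ev["logon_id"]] = ev
        elif ev["event_id"] == 538:
            logon = open_logons.pop(ev["logon_id"], None)
            if logon is None:
                orphan_logoffs.append(ev)
            else:
                paired.append((logon, ev))
    return {
        "paired": paired,
        "orphan_logoffs": orphan_logoffs,
        "orphans_by_account": Counter(account(ev) for ev in orphan_logoffs),
        "unmatched_logons": list(open_logons.values()),
    }


if __name__ == "__main__":
    summary = correlate(parse_events(SAMPLE_LOG))
    print(f"540/538 pairs: {len(summary['paired'])}")
    for acct, n in summary["orphans_by_account"].most_common():
        print(f"538 with no matching 540: {n:3d}  {acct}")
    for ev in summary["orphan_logoffs"]:
        print(f"  {ev['time']}  {account(ev)}  Logon ID {ev['logon_id']}"
              f"  type {ev['logon_type']}")
```

Run stand-alone it prints the number of 540/538 pairs and the lone 538 logoffs grouped by account; on a real server the text of an exported Security log would be passed to parse_events() in place of SAMPLE_LOG. Keep Steve's test result in mind when reading the orphan list: a 538 for ANONYMOUS LOGON was written even when the null session was refused with error 5, so a lone anonymous 538 shows that an anonymous connection was attempted, not that it succeeded.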


