Re: Event ID 538 Logon Type 3 NT AUTHORITY/ANONYMOUS LOGON

From: /.dz (dz_at_discussions.microsoft.com)
Date: 03/17/05


Date: Thu, 17 Mar 2005 11:03:05 -0800

Again, thanks. Here's what I know now that I didn't prior to your response --
Your version of the 'null session' command has two fewer ""s in it. And that
makes it work! So now I can indeed verify that I am able to establish a null
session with my server; and 'yes' it apparently does log a 538 upon session
termination. But allow me a further question: Since I have the 'Computer
Browser' service disabled on the server, why are 'null sessions' still
allowed? I was under the impression that null sessions only existed to
facilitate the 'enumeration' of resources that the browsing capability
supports; and therefore by disabling the Computer Browser service I would
effectively prevent 'null sessions' from occurring. ??

"Steven L Umbach" wrote:

> I am experiencing something different than you are [as shown below]. As
> long as the security option for additional restrictions for anonymous access
> is NOT set to no access without explicit anonymous permissions I am able to
> create a null session. When I do have no access without explicit anonymous
> permissions enabled I cannot create a null session and I simply get a
> system error 5 has occurred - access is denied. Even when access was denied
> to my null session an Event ID 538 is recorded in the security log of my
> server for successful anonymous logoff which indicates that these events may
> be recorded even if a null session is denied. You might want to see if you
> have any current sessions to your server before you try null session with "
> net use " command and delete them if there are any and try again. I doubt
> Client for Microsoft Networks enabled on your server is causing the null
> sessions to be created to your server. If your server does not need to logon
> to a domain or access shares/resources on other computers then you should be
> able to disable it with no ill effect. A dedicated web server for instance
> would not need to use Client for Microsoft Networks. --- Steve
>
> D:\Documents and Settings\Steve>net use \\192.168.1.105\ipc$ "" /u:""
> The command completed successfully.
>
>
> D:\Documents and Settings\Steve>net use \\192.168.1.105\ipc$ "" /u:""
> System error 5 has occurred.
>
> Access is denied.
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 538
> Date: 3/16/2005
> Time: 11:56:16 PM
> User: NT AUTHORITY\ANONYMOUS LOGON
> Computer: SERVER1-2000
> Description:
> User Logoff:
> User Name: ANONYMOUS LOGON
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x2CFBA3)
> Logon Type: 3
>
>
> "/.dz" <dz@discussions.microsoft.com> wrote in message
> news:1D63D35D-431D-4A78-83BD-AE4A2E8EE0D1@microsoft.com...
> > Steve:
> > First thanks very much for the response. I've noticed that your name is on
> > a lot of the responses in this forum and I appreciate the help as much as I'm
> > sure the other people do as well.
> >
> > So anytime you get tired of this thread, it will probably die -- but I will
> > continue to ask questions as long as you continue to respond.
> >
> > In your response, you mentioned 'null sessions'. In other articles I've
> > read, there is a reference to using the statement [net use \\servername\ipc$
> > """" /u:""] to check if null sessions are able to be created. When I
> > attempted this statement from my workstation, targeting the 'servername'
> > being discussed in this posting, I received the "Logon failure: unknown user
> > name or bad password" message at the workstation, and the server logged an
> > event 529 Logon failure, explicitly indicating my userid, workstation, and
> > domain. From this info, I'm assuming that the 'null sessions' discussion
> > does not apply to my situation. Is that a valid conclusion? Also, the
> > Computer Browser service is disabled (and has been since installation) on the
> > server. Am I also 'on-track' here in that these two items are directly
> > related? (That is, 'null sessions' are enabled - i.e., required - for the
> > Computer Browser service to function)
> >
> > I want to ask about the other items in your response as well, but to keep
> > the dialog within reasonable bounds, I'm electing to go through it one item
> > at a time --- starting (I think) with the most clearcut.
> >
> > Also in this thread, I need to ask about the 'Client for Microsoft Networks'.
> > The server has this protocol enabled. Two further questions: a) This client
> > is only necessary if the computer (the server in this case) wants to access
> > other NETBIOS resources on the net; it is not required for other computers on
> > the net to reach its (the server's) resources. Is this correct? b) the
> > 'Client for Microsoft Networks' is not responsible for the 538 logout events
> > mentioned in the original post?
> >
> > Any further dialog is greatly appreciated.
> > ./dz
> >
> > "Steven L Umbach" wrote:
> >
> >> It is common to see those Events on computers using Windows networking and
> >> that have file and print sharing and Client for Microsoft networks enabled.
> >> Those often are null sessions used by the computer browser service. While
> >> null sessions can be used to enumerate users, groups, and shares you can
> >> mitigate the risk by using a firewall to prevent internet access to null
> >> sessions, enforcing strong passwords on your network, and making sure your
> >> share/folder permissions only allow authorized users access.
> >>
> >> There are things you can do to reduce their occurrence as long as the
> >> changes do not interfere with your network access for users. For instance
> >> disabling netbios over tcp/ip, disabling the computer browser service, and
> >> configuring the security option for "additional restrictions for anonymous
> >> access" to be "no access without explicit anonymous permissions". If you
> >> disable netbios over tcp/ip on a computer it will no longer show in or be
> >> able to use My Network Places but access to shares can still be done via
> >> fully qualified domain name or possibly even netbios name as long as dns can
> >> resolve the non FQDN by appending parent suffix to the request. The link
> >> below explains anonymous access more and the security option to restrict it
> >> along with possible consequences of doing such. --- Steve
> >>
> >> http://support.microsoft.com/?kbid=246261
> >>
> >> "/.dz" </.dz@discussions.microsoft.com> wrote in message
> >> news:480AE832-9FE3-4740-A265-6F6CA5A898FD@microsoft.com...
> >> > The security event log on our W2K, SP4 server has hundreds of the above
> >> > messages in it. There are no associated 'logon' events, just the 'logoff'
> >> > events.
> >> >
> >> > File and Print sharing is enabled on this server.
> >> >
> >> > There are several published file shares (all hidden); and there are
> >> > individuals who are authorized to use those shares. The security log does
> >> > contain 540/538 'pairs' that reflect the credentials of these known users
> >> > (user/domain). (These are also 'Logon Type 3') But the number of 538 NT
> >> > AUTHORITY/ANONYMOUS LOGON events absolutely dwarfs the number of "known
> >> > user" logon/logoff events.
> >> >
> >> > The server itself is not a domain controller. It was until recently a
> >> > member of a NT domain, and now is under AD (I don't know how to state that
> >> > with any accuracy). 'Known user' logon/logoff events are present for both
> >> > the 'older' NT domain, and the newer 'AD' whatever).
> >> >
> >> > I've scoured newsgroups and the MS web site without any luck whatsoever.
> >> > Any feedback would be greatly appreciated.
> >> >
> >>
> >>
> >>
>
>
>
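The 540/538 pairing and the unmatched ANONYMOUS LOGON 538 records that this thread is about, as an added example that is not part of the original posts: a small Python script that parses records in the Event Viewer text layout quoted above, matches each 538 logoff to the 540 logon carrying the same Logon ID, and counts the logoffs that have no matching logon. The sample records are constructed (their Logon IDs, user names and timestamps are made up) and the script assumes records are separated by a blank line, which is how the quoted event is laid out here.

```python
"""Pair Windows 2000 security audit events 540 (successful network logon) and
538 (user logoff) by Logon ID, then report 538 records that have no matching
540, which is the pattern described in the thread for ANONYMOUS LOGON.

Added example for this page, not code from the original posts.  The records
below are constructed in the Event Viewer text layout quoted in the thread;
their Logon IDs, user names and timestamps are made up.
"""
import re
from collections import defaultdict


def _record(event_id, user, logon_id, time="11:56:16 PM"):
    """Build one constructed record in the Event Viewer text layout."""
    return (
        "Event Type: Success Audit\n"
        "Event Source: Security\n"
        "Event Category: Logon/Logoff\n"
        f"Event ID: {event_id}\n"
        "Date: 3/16/2005\n"
        f"Time: {time}\n"
        f"User: {user}\n"
        "Computer: SERVER1-2000\n"
        "Description:\n"
        f"Logon ID: {logon_id}\n"
        "Logon Type: 3\n"
    )


ANON = r"NT AUTHORITY\ANONYMOUS LOGON"
# Constructed sample: one known-user 540/538 pair, two anonymous 538s with no
# 540 at all, and one 540 whose session is still open.
SAMPLE_LOG = "\n".join([
    _record(540, r"CORP\alice", "(0x0,0x2CF001)", "11:55:02 PM"),
    _record(538, ANON, "(0x0,0x2CFBA3)"),
    _record(538, r"CORP\alice", "(0x0,0x2CF001)", "11:55:40 PM"),
    _record(538, ANON, "(0x0,0x2CFBB0)", "11:57:01 PM"),
    _record(540, r"CORP\bob", "(0x0,0x2D0010)", "11:58:00 PM"),
])

# Records are separated by a blank line; only these fields are extracted.
RECORD_SPLIT = re.compile(r"\n\s*\n")
FIELD = re.compile(r"^(Event ID|Date|Time|User|Logon ID|Logon Type):\s*(.+?)\s*$", re.M)


def parse_events(text):
    """Return one dict per record with the fields needed for pairing."""
    events = []
    for chunk in RECORD_SPLIT.split(text.strip()):
        fields = dict(FIELD.findall(chunk))
        if "Event ID" not in fields:
            continue
        events.append({
            "id": int(fields["Event ID"]),
            "user": fields.get("User", ""),
            "logon_id": fields.get("Logon ID", ""),
            "logon_type": int(fields.get("Logon Type", "0")),
            "when": f"{fields.get('Date', '')} {fields.get('Time', '')}",
        })
    return events


def pair_sessions(events):
    """Match each 538 to the earlier 540 with the same Logon ID.

    Returns (pairs, orphan_logoffs, open_logons): pairs are (540, 538) tuples,
    orphan_logoffs are 538s with no 540, open_logons are 540s without a 538.
    """
    open_logons, pairs, orphans = {}, [], []
    for ev in events:
        if ev["id"] == 540:
            open_logons[ev["logon_id"]] = ev
        elif ev["id"] == 538:
            logon = open_logons.pop(ev["logon_id"], None)
            if logon is None:
                orphans.append(ev)
            else:
                pairs.append((logon, ev))
    return pairs, orphans, list(open_logons.values())


def summarize(events):
    """Per-user counts plus the number of unmatched ANONYMOUS LOGON logoffs."""
    pairs, orphans, open_logons = pair_sessions(events)
    per_user = defaultdict(lambda: {"paired": 0, "orphan_logoff": 0})
    for logon, _ in pairs:
        per_user[logon["user"]]["paired"] += 1
    for ev in orphans:
        per_user[ev["user"]]["orphan_logoff"] += 1
    anon_orphans = sum(1 for ev in orphans if ev["user"].upper().endswith("ANONYMOUS LOGON"))
    return {
        "per_user": dict(per_user),
        "anonymous_orphans": anon_orphans,
        "open_logons": len(open_logons),
    }


if __name__ == "__main__":
    report = summarize(parse_events(SAMPLE_LOG))
    for user, counts in sorted(report["per_user"].items()):
        print(f"{user:32} paired={counts['paired']} orphan_logoff={counts['orphan_logoff']}")
    print(f"unmatched ANONYMOUS LOGON logoffs: {report['anonymous_orphans']}")
    print(f"logons still open: {report['open_logons']}")
```

On a real export the same pairing works on the text Event Viewer saves, because the Logon ID in a 538 is the one the matching 540 carried; a large count of anonymous 538s with no 540 is exactly what the original poster reported, and the per-user table separates those from the known-user pairs.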


