Re: Event ID 538 Logon Type 3 NT AUTHORITY/ANONYMOUS LOGON

From: joescat <joescat.2a32ub@xxxxxxxxxxxx>
Date: Tue, 27 Jun 2006 08:05:28 -0500

/.dz wrote:

*The security event log on our W2K, SP4 server has hundreds of the
above
messages in it. There are no associated 'logon' events, just the
'logoff'
events.

File and Print sharing is enabled on this server.
*

Fascinating thread! Yes, it is from a long time ago, but still a great
read.

I have a related issue I'm trying to solve, which landed me here.

I have a Server 2003 member server (in an NT domain), for file and
printer sharing. I have auditing enabled for "logon events", I really
wish to capture logons _for users_. Which works fine, but I also get a
much greater load of event 540, NT AUTHORITY\ANONYMOUS LOGON events.
There is no user name, it's a "computer" logon, listing the computer
name, ip address, etc. I want to eliminate those, and keep the user
logons.

I've played a bit with the auditing settings, and it seems I get either
all or nothing.

I've also changed settings in local group policy, but again have not
achieved the desired effect.
For example, "Network Access: Do not allow anonymous enumeration of SAM
accounts and shares" is enabled. "Network Access: Do not allow anonymous
enumeration of SAM account" is enabled.
Yet, I'm not exactly sure why the "anonymous" success logon events are
occurring (they do not change to failure events).

Any help would be greatly appreciated. Maybe it's simply not possible
to achieve the settings I want, but I haven't given up yet.

--
joescat
------------------------------------------------------------------------
Posted via http://www.mcse.ms
------------------------------------------------------------------------
View this thread: http://www.mcse.ms/message1479326.html

.

Follow-Ups:
- Re: Event ID 538 Logon Type 3 NT AUTHORITY/ANONYMOUS LOGON
  - From: Steven L Umbach

Prev by Date: EFS and CERT_SYSTEM_STORE_SERVICES
Next by Date: Re: Implementing a Password Policy
Previous by thread: EFS and CERT_SYSTEM_STORE_SERVICES
Next by thread: Re: Event ID 538 Logon Type 3 NT AUTHORITY/ANONYMOUS LOGON
Index(es):
- Date
- Thread

Relevant Pages

Re: Logon Server Unavailable
... There are currently no logon servers available to service ... You use a office laptop to connect the office VPN, when you map a network ... you may receive this message: "This account is the ... The server is not configured for transactions"> "A domain controller for your domain could not be contacted" ...
(microsoft.public.windows.server.general)
Re: Logon Server Unavailable
... There are currently no logon servers available to service ... You use a office laptop to connect the office VPN, when you map a network ... you may receive this message: "This account is the ... The server is not configured for transactions"> "A domain controller for your domain could not be contacted" ...
(microsoft.public.windows.server.dns)
Re: Logon Server Unavailable
... There are currently no logon servers available to service ... You use a office laptop to connect the office VPN, when you map a network ... you may receive this message: "This account is the ... The server is not configured for transactions"> "A domain controller for your domain could not be contacted" ...
(microsoft.public.windows.server.networking)
RE: Problems with 529 Events
... attempting to logon on some services on the SBS server. ... and then click Account Lockout Policy. ...
(microsoft.public.windows.server.sbs)
Re: ISA SERVER NOT STARTING
... I delete the nat/basic firewall and stop and started the RRAS an tried to ... There were no critical events in the DNS Server Log in the last 24 hours. ... An error occurred during logon ... Caller User Name: - ...
(microsoft.public.windows.server.sbs)