Re: Anonymous Login in the eventvwr
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 03/08/05
Date: Tue, 8 Mar 2005 14:23:31 -0600
Anonymous logons can be normal in a security log, though if you are not using
a firewall it is possible attackers are creating null sessions to try and
enumerate users and groups on your server. Be sure that the computer is
behind a firewall that blocks all access other than allowed ports, and
disable file and print sharing on its network adapters, assuming it does not
need to have file and print sharing enabled. File and print sharing should
never be enabled on a network adapter exposed to the internet. Anonymous
access events are regularly recorded on computers that have file and print
sharing and the computer browser service enabled.

--- Steve
"Armin Oppliger" <beeasy43@hotmail.com> wrote in message
news:395ds2F5st8d5U1@individual.net...
> Hello NG, I just recently set up a Windows 2003 Server Standard Edition.
> This server is the second server in a DMZ and will be configured as an
> application server (access from the Internet to some kind of an Apache
> server).
>
> Now I see several (100 - 200) entries in the security tab (eventvwr)
> regarding logons/logoffs ...
>
> I'm really not sure, but has this server already been hacked ...?
> I'm quite sure this server has not been used by other users.
> Or what else do these entries mean?
> Can someone help?
> Thank you, Armin
>
>
>
> Entry 1:
> -----------
>
> Successful Network Logon:
> User Name:
> Domain:
> Logon ID: (0x0,0x339285)
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: A Server (S001) in the same (DMZ) Network
> Logon GUID: -
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: 192.168.x.x (IP address of S001)
> Source Port: 0
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> Entry 2:
> ------------
>
> User Logoff:
> User Name: ANONYMOUS LOGON
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x339285)
> Logon Type: 3
>
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
>
>
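
The following Python is an added example, not part of either message: it parses Security log entries exported as text in the layout quoted above, ties each logon to the ANONYMOUS LOGON session through the shared Logon ID, and counts anonymous type 3 logons per source address. The sample entries, the addresses, the `appsvc` account and the `expected` allow-list are constructed for illustration, and treating a blank User Name on a logon entry as anonymous is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the layout of the quoted entries (addresses are made up).
SAMPLE = """\
Successful Network Logon:
User Name:
Logon ID: (0x0,0x339285)
Logon Type: 3
Source Network Address: 192.0.2.10

User Logoff:
User Name: ANONYMOUS LOGON
Logon ID: (0x0,0x339285)

Successful Network Logon:
User Name:
Logon ID: (0x0,0x33A001)
Logon Type: 3
Source Network Address: 203.0.113.7

Successful Network Logon:
User Name: appsvc
Logon ID: (0x0,0x33A002)
Logon Type: 3
Source Network Address: 192.0.2.10
"""

def parse_events(text):
    """One dict per blank-line-separated entry: title line, then 'Name: value' fields."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        title, *rest = block.strip().splitlines()
        matches = (re.match(r"\s*([^:]+):\s*(.*?)\s*$", line) for line in rest)
        events.append({"title": title.strip().rstrip(":"), **dict(m.groups() for m in matches if m)})
    return events

def anonymous_sources(events, expected=()):
    """Count anonymous type 3 logons per source; list sources not in `expected`."""
    # Any entry naming ANONYMOUS LOGON marks its Logon ID as an anonymous session.
    anon_ids = {e.get("Logon ID") for e in events if e.get("User Name") == "ANONYMOUS LOGON"}
    counts = Counter()
    for e in events:
        if e["title"] != "Successful Network Logon" or e.get("Logon Type") != "3":
            continue
        # Assumption: a blank User Name on the logon entry also means anonymous.
        if not e.get("User Name") or e.get("Logon ID") in anon_ids:
            counts[e.get("Source Network Address", "-")] += 1
    return counts, sorted(src for src in counts if src not in expected)
```

Calling `anonymous_sources(parse_events(SAMPLE), expected=("192.0.2.10",))` leaves only the source that is not a known neighbour in the second return value, which is the address worth checking against the firewall rules.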