RE: Anon Logon Events 538/540
From: Frances [MSFT] (v-franhe_at_microsoft.com)
Date: 03/04/05
- In reply to: ScareCrowe: "Anon Logon Events 538/540"
Date: Fri, 04 Mar 2005 10:07:33 GMT
Hello,
Thanks for your post.
According to your message, I understand you have event 538/540.
The event 540 logs the Successful Network Logon and the event 538 logs the
Successful Network Logoff. Please rest assured they are not security
issues, only for the network communication authentications. Some network
applications use the ANONYMOUS LOGON process to create a communication
channel with your computer. Therefore, these security logs can be ignored.
The information on this particular security event can be found within the
following documentation:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/518.asp
Anonymous logon means that it is a null session. NT Auth/Anonymous is just
a pseudonym for a Null Session. The NTAuth/Anonymous isn't really an
account; it just means that no credentials were supplied. There are many
conditions known to cause a null session connection which makes it
difficult to tell the exact cause of these particular events. This
Anonymous logon instance was caused by the service NTLMSSP. For more
information about the NTLMSSP, please refer to the following link:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/security_9qgg.asp
If the logon authenticates with NTLM, it will show the workstation name. The
computer name HOD is not the real computer name; I assume the machine may
be infected with a virus, so it is masked under the identity of HOD for the
machine name.
Please don't worry about it.
As for your question, I would like to answer them in order.
Q1: I can't seem to find any log info concerning the IPs of these remote
connections. Does XP store these someplace?
A: Since it will take much disk space to have the logs, Windows doesn't have
related logs concerning the IPs of the remote connections. However, you can
download a tool named Network Monitor and use it to capture the data you
desire.
About Network Monitor 2.0
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmon/netmon/about_network_monitor_2_0.asp
To obtain a time-bombed version of Network Monitor, visit the following
Microsoft Web site:
ftp://ftp.microsoft.com/pss/tools/netmon
Notes:
1) Netmon2.zip contains Netmon 2.0 (Netmon 2.0 runs on Windows NT 4.0,
Windows 2000, and Windows XP)
2) Netmon1.zip contains Netmon 1.0 (Netmon 1.0 runs on Windows NT 4.0,
Windows 98, and Windows 95)
3) The current password to unzip is "trace".
Q2: The NTLM, is it possible to enforce some authorization that will only
validate PCs that I specifically allow, ignoring any connection request
from a PC not listed??
A: You can use group policy to specify the users or computers which can log
on to your system.
Hope this helps. If you have any further questions, don't hesitate to get
in touch!
Best regards,
Frances He
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
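
An added example, not part of the original post or any Microsoft tool: a Python sketch that pairs event 540 logons with event 538 logoffs by Logon ID and lists the anonymous (null session) network logons together with the workstation name each one reported. The sample records are constructed, the exported field layout is an assumption, and `parse_events`, `anonymous_sessions` and `known_hosts` are hypothetical names.

```python
import re

# Constructed sample: Security log records exported as text. The field
# layout is an assumption modelled on the 540/538 event descriptions.
SAMPLE = """\
Event ID: 540
User Name:
Logon ID: (0x0,0x558DD)
Logon Type: 3
Logon Process: NtLmSsp
Workstation Name: HOD

Event ID: 538
User Name: ANONYMOUS LOGON
Logon ID: (0x0,0x558DD)
Logon Type: 3

Event ID: 540
User Name: alice
Logon ID: (0x0,0x56A10)
Logon Type: 3
Logon Process: NtLmSsp
Workstation Name: LAPTOP1
"""

def parse_events(text):
    """Split blank-line separated records into dicts of field -> value."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        events.append({k.strip(): v.strip() for k, _, v in pairs})
    return events

def anonymous_sessions(events, known_hosts):
    """Pair 540 logons with 538 logoffs by Logon ID; list null sessions."""
    closed = {e["Logon ID"] for e in events if e["Event ID"] == "538"}
    report = []
    for e in events:
        is_net_logon = e["Event ID"] == "540" and e.get("Logon Type") == "3"
        if not is_net_logon or e.get("User Name") not in ("", "ANONYMOUS LOGON"):
            continue
        host = e.get("Workstation Name", "")
        report.append({"workstation": host, "logon_id": e["Logon ID"],
                       "logged_off": e["Logon ID"] in closed,
                       "known_host": host.upper() in known_hosts})
    return report
```

The workstation name is whatever the remote client supplied, so `known_host` only tells you whether the reported name matches a machine you expect, not where the connection came from.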