Re: Anon Logon Events 538/540
From: ScareCrowe (nospam_at_nospam.com)
Date: 03/04/05
- In reply to: Frances [MSFT]: "RE: Anon Logon Events 538/540"
Date: Fri, 4 Mar 2005 13:19:12 -0600
I do realize that the logons are (usually) followed immediately by a logoff,
indicative of communication channel creation. However, after some of these
events appear, there are also events from the same computers attempting to
access other resources as shown by event ids 680, 529 & 534 typically
showing:
Event Id : 529
Logon Failure:
Reason: Unknown user name or password
User Name: Administrator
Domain: AV
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: AV
These will usually start with Administrator, show a few failures, then
progress through the domain users.
I am assuming these boxes are connecting & grabbing user info despite my
setting 'Do not enumerate...' in LSP. I have even specified "Anonymous
Logon" as denied for all LSPs starting with 'Deny logon *' and 'Deny access
from network'.
I'm concerned because not all logon events are accompanied by a logoff
event. This makes me wonder if the remote user has been able to access my
shares or whatnot and can now do so whenever they wish.
> As for your question, I would like to answer them in order.
>
> Q1: I can't seem to find any log info concerning the IPs of these remote
> connections. Does XP store these someplace?
>
> A: Since it will take much disk space to have the logs, Windows doesn't have
> related logs concerning the IPs of the remote connections. However, you
> can download a tool named Network Monitor and use it to capture the data you
> desire.
>
Yes, Netmon is one of the several tools I utilize to stay aware of what's
going on with my boxes.
I have, however, seen posts on the same issue where the Event Viewer also
displays the connecting IP address. I have XP Pro & 2ksvr and neither show
the IP info, so perhaps it's 2003 that does?
>
> Q2: The NTLM, is it possible to enforce some authorization that will only
> validate PCs that I specifically allow, ignoring any connection request
> from a PC not listed??
>
> A: You can use group policy to specify the users or computers which can
> log on to your system.
>
This I am not familiar with. I was hoping that because I have a non-typical
setup as a home user, that I would be able to use it to my advantage to
filter out unwanted connections. I have a 5 IP static block, all members of
same domain, IP range from xxx.xxx.xxx.146 thru xxx.xxx.xxx.150. I would be
interested in setting up some type of authentication that would compare the
IP and Domain also before allowing any connections. I would probably be
better off only doing this on workstations, as configuring this on a server
may cause problems.
Anywho, thanks much Frances for the thorough explanation!
--ScareCrowe
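
Added example, not part of the original post: a way to flag the pattern described above (type 3 event 529 failures from one workstation that start with Administrator and then move through other accounts) from a text export of the Security log. The record layout follows the event quoted in the post; the sample records, the names alice, bob, carol and LAPTOP7, and the three-account threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")

def make_record(user, workstation, event_id=529, logon_type=3):
    """Build one constructed record in the layout of the event quoted in the post."""
    return (f"Event Id : {event_id}\nLogon Failure:\n"
            "Reason: Unknown user name or password\n"
            f"User Name: {user}\nDomain: AV\nLogon Type: {logon_type}\n"
            f"Logon Process: NtLmSsp\nWorkstation Name: {workstation}\n")

# Constructed sample: every name except Administrator and AV is made up.
SAMPLE = "".join(make_record(u, w) for u, w in [
    ("Administrator", "AV"), ("Administrator", "AV"), ("Administrator", "AV"),
    ("alice", "AV"), ("bob", "AV"),
    ("carol", "LAPTOP7"),            # a single mistyped password, not a sweep
])

def parse_events(text):
    """Split a text dump into one dict per event; a record starts at 'Event Id'."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Event Id":
            current = {}
            events.append(current)
        if current is not None:
            current[key] = value
    return events

def guessing_sources(events, min_users=3):
    """Workstations whose network (type 3) 529 failures span >= min_users accounts."""
    tried = defaultdict(list)
    for ev in events:
        if ev.get("Event Id") == "529" and ev.get("Logon Type") == "3":
            name = ev.get("User Name", "").lower()
            ws = ev.get("Workstation Name", "")
            if name not in tried[ws]:   # keep first-seen order, drop repeats
                tried[ws].append(name)
    return {ws: names for ws, names in tried.items() if len(names) >= min_users}

if __name__ == "__main__":
    for ws, names in guessing_sources(parse_events(SAMPLE)).items():
        print(f"{ws}: failed network logons for {len(names)} accounts: {names}")
```

The Workstation Name field in an NTLM logon is supplied by the connecting client, so treat it as a grouping hint and confirm the real source address with a network capture.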