Re: NT AUTHORITY\ANONYMOUS LOGON

From: Gordon Fecyk (gordonf_at_pan-am.ca)
Date: 05/19/04

Date: Wed, 19 May 2004 18:57:05 -0500

> Date 5/12/2004 Source: Security
> Time 4:43:03 PM Category Logon/Logoff
> Type: Success A Event ID: 540
> User: NT AUTHORITY\ANONYMOUS LOGON
> Computer: MAIL
[snip]
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: ZMAN
[snip]
> Source Network Address: 192.168.5.198
[Is this for certain one of your machines? And what OS?]

Windows machines have to connect anonymously to servers to enumerate shares
on the server, among other things. Mostly pre-Win2K machines use anonymous
pipes to do this but Win2K and later can authenticate with the machine's
account - machines as well as users have accounts in NTLM and AD domains.

You can prevent anonymous logons entirely by using the RestrictAnonymous
setting in the Registry or in the Local Security Policy console. Go to
Local Policies / Security Options and change the "Additional Restrictions
for anonymous" settings. If you get stuck, use the MS Baseline Security
Analyzer <http://www.microsoft.com/mbsa/> and it will point out the setting
that needs changing.

You can set this as a domain-wide policy as well, so all machines and users
have to authenticate before doing anything. But there are some badly
written services (*ahem*backupexec*ahem*) that won't work without allowing
some level of anonymous access. Try the first setting "do not allow
enumeration of SAM accounts and shares" and test your services before trying
the second setting "no access without explicit anonymous permissions". And
bug your vendors for fixes for broken services if necessary.

ObExchange2K: Exchange 2000 works with the stronger setting but I believe
client machines will need to be Win2K or later. I'm not sure if there's a
version of Outlook required to work properly with this setting.

-- 
PGP key (0x0AFA039E): <http://www.pan-am.ca/consulting@pan-am.ca.asc>
What's a PGP Key?  See <http://www.pan-am.ca/free.html>
GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4>
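As an added example, not part of Gordon's reply or anything else in this thread: a small Python triage script that parses Security-log text exported in the "Field: value" layout of the Event ID 540 entry quoted above and reports which workstations and source addresses are producing anonymous logons. The sample events, hostnames (ZMAN, WS01, BACKUP1) and addresses embedded in it are constructed for the example, not taken from the poster's server, and the field names follow the quoted event rather than any official export schema.

```python
"""Triage anonymous logons (Event ID 540) from exported Security log text.

Added example, not code from the original post. Input mimics the
"Field: value" lines of the Windows 2000 event quoted in the thread, one
blank line between events. All sample data below is constructed.
"""
import re
from collections import Counter

ANONYMOUS_USER = r"NT AUTHORITY\ANONYMOUS LOGON"

# Constructed sample: two anonymous NTLM logons from ZMAN, one from a
# second host, and one ordinary Kerberos user logon that must be ignored.
SAMPLE_LOG = """\
Time: 4:43:03 PM
Event ID: 540
User: NT AUTHORITY\\ANONYMOUS LOGON
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: ZMAN
Source Network Address: 192.168.5.198

Time: 4:45:10 PM
Event ID: 540
User: EXAMPLE\\jdoe
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: WS01
Source Network Address: 192.168.5.20

Time: 4:52:41 PM
Event ID: 540
User: NT AUTHORITY\\ANONYMOUS LOGON
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: ZMAN
Source Network Address: 192.168.5.198

Time: 5:01:07 PM
Event ID: 540
User: NT AUTHORITY\\ANONYMOUS LOGON
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: BACKUP1
Source Network Address: 192.168.5.77
"""

# "Field: value"; the non-greedy field name stops at the first colon, so
# "Time: 4:43:03 PM" parses as field "Time" with value "4:43:03 PM".
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def parse_events(text):
    """Split exported log text into a list of {field: value} dicts."""
    events, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends one event
            if current:
                events.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        events.append(current)
    return events


def is_anonymous_logon(ev):
    """Successful logon (540) by the built-in anonymous identity."""
    return (ev.get("Event ID") == "540"
            and ev.get("User", "").upper() == ANONYMOUS_USER.upper())


def anonymous_by_source(events):
    """Count anonymous logons per (workstation, source address, package)."""
    counts = Counter()
    for ev in events:
        if is_anonymous_logon(ev):
            counts[(ev.get("Workstation Name", "?"),
                    ev.get("Source Network Address", "?"),
                    ev.get("Authentication Package", "?"))] += 1
    return counts


def hosts_to_check(events):
    """Sorted source addresses to test before tightening RestrictAnonymous."""
    return sorted({src for (_, src, _) in anonymous_by_source(events)})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for (ws, src, pkg), n in anonymous_by_source(evs).most_common():
        print(f"{n:3d} anonymous {pkg} logons from {ws} ({src})")
    print("test services on:", ", ".join(hosts_to_check(evs)))
```

The list from `hosts_to_check` is the set of machines whose services you would exercise after applying the first setting ("do not allow enumeration of SAM accounts and shares") and again before moving to the second ("no access without explicit anonymous permissions"), which is the order the reply recommends. One caveat when following this advice on later systems: in Windows XP and Server 2003 the single Windows 2000 "Additional restrictions for anonymous connections" option was split into several separate Security Options policies (and corresponding Lsa registry values), so the same test-then-tighten approach applies but the setting names differ.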
