RE: Security Event Check - ANONYMOUS LOGON
- From: v-chacez@xxxxxxxxxxxxx (chace zhang)
- Date: Tue, 14 Nov 2006 06:04:33 GMT
Hi,
Thank you for posting here.
From your post I understand that you received many security events 540, 538, 576 from the event viewer.
Based on my knowledge, this is an expected behavior in SBS 2003.
In SBS 2003, the full security audit is enabled by default so that you are
able to monitor the server and network access events if needed. It's normal
that many logon/logoff events are logged because one logon/logoff procedure
can generate several events. The logon/logoff procedures are always
performed by service startup/shutdown, shared file accessing, network
accessing, users' logon/logoff etc. Event 540 indicates a successful
logon; event 538 indicates a successful logoff.
Anonymous logon means that it is a null session. AUTHORITY\ANONYMOUS LOGON
is just a pseudonym for a Null Session. User connections should never come
in under AUTHORITY\ANONYMOUS LOGON since this isn't really an account; it
just means that no credentials were supplied.
There are a few conditions known to cause null session connections. The
Server Service registers an Anonymous logon after service startup every
time. Besides the network connections from other computers, some system
built-in services, such as Automatic Windows Update, Internet Time Sync,
etc., also will contact the Internet servers; some data is needed to be
uploaded to the servers in the background, and your computer may also need
to receive some data. Such Internet interaction will be recorded as this
"NT AUTHORITY\ANONYMOUS LOGON" Event Log, but it is not caused by any
hacker.
A password change from a down level client after a password has expired
will also cause this. Anonymous Internet connections should show up under
the context of IUSR_SERVERNAME (for IIS may also use NTLM Authentication).
In some cases if you have a trust between two domains, the system uses
anonymous connection to enumerate shares. Windows NT networks that use
multiple domains may require anonymous user logon to list account
information.
In a word, you may safely ignore this kind of event log.
Hope this helps. If anything is unclear, please feel free to let me know.
Have a nice day!
Best Regards,
Chace Zhang (MSFT)
Microsoft CSS Online Newsgroup Support
--------------------
| Thread-Topic: Security Event Check - ANONYMOUS LOGON
| From: =?Utf-8?B?Um9i?= <Rob@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: Security Event Check - ANONYMOUS LOGON
| Date: Mon, 13 Nov 2006 13:37:02 -0800
|
| Hi All,
|
| I hope someone can help me with this. I was recently checking the security
| event logs and came across an anonymous logon. The logon type is 3 -
| network. I think it is a program on the computer as some of these logons
| came at 3am etc. Any idea what I should be looking for?
|
| Thanks
|
| Rob
|
| PS Here is the event log:
| Event Type: Success Audit
| Event Source: Security
| Event Category: Logon/Logoff
| Event ID: 540
| Date: 13/11/2006
| Time: 1:18:21 PM
| User: NT AUTHORITY\ANONYMOUS LOGON
| Computer: Server
| Description:
| Successful Network Logon:
| User Name:
| Domain:
| Logon ID: (0x0,0x1F5D589)
| Logon Type: 3
| Logon Process: NtLmSsp
| Authentication Package: NTLM
| Workstation Name: Workstation ID
| Logon GUID: -
| Caller User Name: -
| Caller Domain: -
| Caller Logon ID: -
| Caller Process ID: -
| Transited Services: -
| Source Network Address: 192.168.16.25
| Source Port: 0
|
|
| For more information, see Help and Support Center at
| http://go.microsoft.com/fwlink/events.asp.
|
|
|
|
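Added example, not part of either poster's message: it parses event text in the layout quoted in this thread and counts event 540, logon type 3 ANONYMOUS LOGON records per source address, so the machines generating the null sessions can be identified. The sample records, the 192.168.16.0/24 LAN range (inferred from the one address in the quoted event) and all function names are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the LAN is 192.168.16.0/24, inferred from the quoted event.
INTERNAL_NETS = [ipaddress.ip_network("192.168.16.0/24")]

# Constructed sample records in the layout of the event quoted above;
# every address except 192.168.16.25 is made up for this example.
_TEMPLATE = ("Event Type: Success Audit\nEvent ID: {0}\nUser: {1}\n"
             "Logon Type: 3\nSource Network Address: {2}\n")
ANON = "NT AUTHORITY\\ANONYMOUS LOGON"
SAMPLE = "".join(_TEMPLATE.format(*rec) for rec in [
    ("540", ANON, "192.168.16.25"),
    ("540", ANON, "192.168.16.25"),
    ("540", "EXAMPLE\\alice", "192.168.16.30"),   # authenticated user
    ("540", ANON, "203.0.113.7"),                 # not on the LAN
    ("538", ANON, "192.168.16.25"),               # logoff, not a logon
])

def parse_events(text):
    """Split exported event text into records; yield each as a field dict."""
    # A record starts at an "Event Type:" line, with or without a "|" quote mark.
    for block in re.split(r"(?m)^(?=\|?\s*Event Type:)", text):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.lstrip("| ").partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            yield fields

def anonymous_network_logons(text):
    """Count event 540 / logon type 3 null sessions per source address."""
    counts = Counter()
    for ev in parse_events(text):
        if (ev.get("Event ID") == "540" and ev.get("Logon Type") == "3"
                and ev.get("User", "").upper().endswith("ANONYMOUS LOGON")):
            counts[ev.get("Source Network Address", "unknown")] += 1
    return counts

def outside_lan(counts):
    """Source addresses that fall outside INTERNAL_NETS, sorted."""
    def internal(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in INTERNAL_NETS)
    return sorted(a for a in counts if a != "unknown" and not internal(a))

if __name__ == "__main__":
    summary = anonymous_network_logons(SAMPLE)
    print(dict(summary), outside_lan(summary))
```

Sources on the LAN can then be matched to the service startups, time sync and share enumeration described in the reply; a source outside the configured range is the one to look at first.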