General discussion

Locked

Anonymous log on

By dmont ·
When checking event view I found an anonymous log on. I HAVE NOT INSTALLED IIS so FTP and Web server are not running. How can there be an anonymous logon?

This conversation is currently closed to new comments.

6 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Anonymous log on

by Ann777 In reply to Anonymous log on

Windows NT uses anonymous access to the password policy to provide users with meaningful error message such as in the case of when an user changes his password before login in.

Service Pack 3 added the ability to restrict anonymous users from obtaining information about the system. Even with SP3 installed anonymous users are able to retrieve the systems password policy.

To fix this vulnerability, apply the lsa2-fix hotfix from Microsoft

Collapse -

Anonymous log on

by Ann777 In reply to Anonymous log on

For more info:

http://support.microsoft.com/default.aspx?scid=kb;en-us;143474

Collapse -

Anonymous log on

by dmont In reply to Anonymous log on

Poster rated this answer

Collapse -

Anonymous log on

by Curious_George In reply to Anonymous log on

Keep in mind that EVERY connection to a server is anon, until it is authenticated, that is why you cannot restrict anon connections to domain controllers, otherwise no one could logon.

Entries to the event log are made after logon attempts are completed. Therefore a users connection is converted from anon to the users logon name prior to logging and is then logged. Users that are denied access or do not have an account are posted as anon, but it does not mean that they got access to anythingother than a logon screen.

You really need to turn on auditing of all resourcesl; files, printers, and registry in order to determine what level of access this anon user acheived. The defaults auditing settings are barely useful. However, the more auditing you turn on, the more system resources are consumed to log the audit records. Even on high powered servers, performance can be seriously impacted by excessive auditing.

A best practive is to disable the guest account and to change all ACL lists not related to logons (i.e. file, print, and registry perms) from the everyone group to the users group. The everyone group is recognized, industry-wide as a HUGE security hole, that MS continues to ignore.

Collapse -

Anonymous log on

by dmont In reply to Anonymous log on

Poster rated this answer

Collapse -

Anonymous log on

by dmont In reply to Anonymous log on

This question was closed by the author

Back to Windows Forum
6 total posts (Page 1 of 1)  

Related Discussions

Related Forums