General discussion

Locked

Anonymous logons?

By joy ·
On a W2K Advanced Server with Terminal Services, I am auditing successful and failed logins. In that log, roughly half of the audited logons are: NT AUTHORITY\ANONYMOUS LOGON. They seem to only be making successful LOGOFF entries, no LOGON entries. What is causing these, are they normal, is there any way to stop them?

This conversation is currently closed to new comments.

5 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Anonymous logons?

by Joseph Moore In reply to Anonymous logons?

By default, Windows allows anonymous connections to some services. With an unsecured Win2k server, you can connect to it anonymously (without having to specify a valid username and password), and get some information like the entire user account list, shared folder, age of accounts, and some other info. This info can then be used to launch attacks at your server, and/or attempts at gaining illegal access. This can be done from internal users AND external users.
Say for example, your server is 10.1.1.1. You could craft a NET USE command to connect to your server anonymously with the following command:

NET USE \\10.1.1.1\IPC$ "" /U:""

Do that, and you will probably get the message:
The command completed successfully.

So, I wouldcheck out from what machines these connection attempts come from. If they are internal, then check out when and see who was logged in at that time and see what in the heck the users were doing. If these originate from external users (from machines you don't recognize), then you and any security people you have on staff have some work to do.
Remember, TCP port 139 open can be dangerous on Windows!

hope this helps

Collapse -

Anonymous logons?

by joy In reply to Anonymous logons?

The question was auto-closed by TechRepublic

Collapse -

Anonymous logons?

by Able-Admin In reply to Anonymous logons?

logged when the password is expired and the user tries to change it during logon. Thus you get no User Name but NT AUTHORITY \ ANONYMOUS written in the log.

Check for event ID 642. Records the PDCs change of secure channel passwords .

Collapse -

Anonymous logons?

by joy In reply to Anonymous logons?

The question was auto-closed by TechRepublic

Collapse -

Anonymous logons?

by joy In reply to Anonymous logons?

This question was auto closed due to inactivity

Back to Windows Forum
5 total posts (Page 1 of 1)  

Related Discussions

Related Forums