anonymous logon


Sandy

I'm getting a lot of these messages on my webserver ---
the guest account is disabled but obviously IUSR_, IWAM_
are enabled.

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 2/8/2004
Time: 12:44:08 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: NS4
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x1895F3E)
Logon Type: 3


Any insight would be appreciated - as this is VERY
unnerving
Thanks
 

Steven Umbach

These may be normal and are "null" sessions used by Windows networking for
various processes such as maintaining the browse list [you can try to create one
by using net use \\servername\ipc$ """" /u:"" ]. They can be exploited from
untrusted networks to try to enumerate user/group info on the computer which
would be indicated by a large number of failed logon attempts using non default
user names. To protect yourself, a properly configured firewall is needed. If
you have file and print sharing enabled on your server make sure it is disabled
on the external/public nic or better yet uninstall it from the server if it is
not needed to offer shares or remotely manage the computer via Computer
Management. If this is also not a domain controller, you may try configuring the
security option in Local Security Policy for additional restrictions for
anonymous connections to be "no access without explicit anonymous permissions".
In addition, if you have not done so it would be a good idea to run Microsoft
Baseline Security Analyzer on your server and the highly recommended IISLockdown
tool, but only after backing up the server and IIS configuration using the IIS
Management Console/servername/action/backup & restore configuration since if you
do not pay close attention, wanted virtual directories may be deleted during the
process. --- Steve

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/iis/DEFAULT.asp
 

Sandy Ryan

Thanks Steve - is it also common for anonymous logon to have a lot of these
events...
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 562
Date: 2/9/2004
Time: 5:21:02 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: NS4
Description:
Handle Closed:
Object Server: Security Account Manager
Handle ID: 21144872
Process ID: 268

or this
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 562
Date: 2/9/2004
Time: 5:21:02 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: NS4
Description:
Handle Closed:
Object Server: Security Account Manager
Handle ID: 21144872
Process ID: 268


Thanks Sandy


Steven L Umbach

Hi Sandy.

I do not normally audit object access, but my understanding is that yes,
these events may be normal, particularly on a domain controller where, for
instance, when a user changes their password an anonymous lookup to the SAM
may be used. If this is not a domain controller, I don't know how many of
these events you should see. It looks like this computer may be a DNS
server, and if it is you may also want to inquire on the win2000.dns or
win2000.active_directory newsgroups to see if they can offer more on the
subject there. I tend to think that these should not be much of a concern
unless you see a lot of logon failures, particularly in rapid fashion. ---
Steve


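Steve's rule of thumb across his two replies is: anonymous logon/logoff events by themselves are baseline noise from null sessions, while a rapid run of failed logons with non-default user names is the signature of someone enumerating through one. The script below is an added example, not code from the thread or from Steve; it parses records in the exact layout Sandy pasted, counts the anonymous-logon baseline, and flags a failure burst. The burst threshold, the set of "default" names, and the sample records (including the use of event ID 529 for a failed logon) are my assumptions.

```python
# Added example, not from the thread: triage Security log records in the
# format pasted above using the two signals Steve describes.
import re
from datetime import datetime, timedelta

FIELD_RE = re.compile(r"^(Event Type|Event ID|Date|Time|User Name|Logon Type):\s*(.*)$", re.M)
DEFAULT_NAMES = {"ANONYMOUS LOGON", "GUEST", "ADMINISTRATOR", "SYSTEM"}  # assumed baseline set
DEFAULT_PREFIXES = ("IUSR_", "IWAM_")                                 # IIS anonymous accounts

def parse_events(text):
    """Split blank-line-separated records and keep only the fields triage needs."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        f = dict(FIELD_RE.findall(block))
        if "Event ID" in f:
            f["when"] = datetime.strptime(f["Date"] + " " + f["Time"], "%m/%d/%Y %I:%M:%S %p")
            events.append(f)
    return events

def is_default_name(name):
    n = name.upper()
    return n in DEFAULT_NAMES or n.startswith(DEFAULT_PREFIXES)

def triage(events, burst=5, window=timedelta(seconds=60)):
    """Return (anonymous_baseline, flagged_names). Null-session logon/logoff
    (538/540 for ANONYMOUS LOGON) is only counted; the alert is `burst` failed
    logons for non-default names inside `window`, i.e. enumeration, not noise."""
    anon = sum(1 for e in events
               if e["Event ID"] in ("538", "540") and e.get("User Name") == "ANONYMOUS LOGON")
    fails = sorted((e["when"], e["User Name"]) for e in events
                   if e["Event Type"] == "Failure Audit" and not is_default_name(e.get("User Name", "")))
    for i, (t0, _) in enumerate(fails):
        names = [u for t, u in fails[i:] if t - t0 <= window]
        if len(names) >= burst:
            return anon, names
    return anon, []

# Constructed sample: one anonymous logoff like Sandy's, one failure for a
# default IIS account (ignored), then five rapid failures with made-up names.
ANON_LOGOFF = """Event Type: Success Audit
Event ID: 538
Date: 2/8/2004
Time: 12:44:08 PM
User Name: ANONYMOUS LOGON
Logon Type: 3"""
FAIL_TMPL = "Event Type: Failure Audit\nEvent ID: 529\nDate: 2/9/2004\nTime: 5:21:{:02d} AM\nUser Name: {}\nLogon Type: 3"
SAMPLE_LOG = "\n\n".join([ANON_LOGOFF, FAIL_TMPL.format(0, "IUSR_NS4")] +
                         [FAIL_TMPL.format(s, n) for s, n in enumerate(["jsmith", "backup", "webadmin", "sqlsvc", "test"], 2)])

if __name__ == "__main__":
    print(triage(parse_events(SAMPLE_LOG)))  # (1, ['jsmith', 'backup', 'webadmin', 'sqlsvc', 'test'])
```

Feed it a saved copy of the Security log exported as text and the first tuple element tells you how much null-session baseline you have, while a non-empty list is the "rapid failures with non-default names" condition worth investigating.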

nandkisham

Hi Steve:

Can you explain to me what exactly this command does

net use \\servername\ipc$ """" /u:""

I mean, what is 'ipc' and 'u:'?

thanks,

nandu.

please send the reply to (e-mail address removed)





Steven L Umbach

It creates a "null" session to the target computer. Ipc$ is the inter
process communication share [I think that is the name] which the operating
system uses legitimately for null/unauthenticated sessions for tasks like
maintaining the browse list. If you run the net share command on a computer
you will see the ipc$ share if file and print sharing is enabled. The /u
specifies the username for the connection to the share and the "" indicates
anonymous connection. A malicious user can use null sessions to enumerate
information about a computer such as the users, groups, and shares on it
which is one reason why you want to protect your computer from the internet
with a firewall. The links below will explain in more detail. --- Steve

http://support.microsoft.com/?kbid=246261 -- description on some of the
uses of anonymous sessions.
http://www.sans.org/rr/papers/index.php?id=286 -- good paper on null
sessions.

