Anonymous Logon's

W

Walter Callahan

I was browsing my event logs today and I'm just courious.
My server isn't running IIS, or FTP.
Why are there Anonymous Logons?


Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 10/18/2003
Time: 7:25:42 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: COMPUTER
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID:
Logon Type: 3
 
S

Steven L Umbach

Those are "null sessions" used by the operating system for various networking
processes including maintaining the browse list and certain password change activity.
Null sessions can be exploited to enumerate the sam and shares which is one reason a
firewall is needed to block access to netbios/cifs ports from untrusted networks. See
the KB link below for details of some more processes it uses and ramifications of
limiting. -- Steve

http://support.microsoft.com/?kbid=246261
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Successive Anonymous Logon events in security log 3
anonymous logon 5
Unexplained 540 Events in Security log on W2K workstation in a dom 0
Event Error Logs with Event ID 538 and 540 1
ANONYMOUS LOGON without logoff 4
Windows 2003 Server, Constant Logon/Logoff in my Security Log - does this mean something is worng? 0
537 errors due to manual services being started 0
Security log shows multiple ANONYMOUS LOGON 2

Top