Event 538 with no corresponding logon

[Michael]

Hi all,

I know that this has come up in some past threads, but I can't find them and
this is the first time I ever see this problem. I have 2 Windows 2000 Server
member servers that are running Terminal Services and Citrix MetaFrame. They
both have RestrictAnonymous set to 2 (I just verified it). They were
installed in December of last year and have been running fine until a couple
of days ago. Now all of a sudden the security logs are being filled with
Event 538 ANONYMOUS LOGON from NT AUTHORITY of type 3 and there is no
corresponding logon for any of the events. I've been searching on KB,
EventID.net and everywhere else, and in NO place does it actually explain
why this occurs, only that it occurs. The comments on EventID.net only
allude to the fact that this event can "happen" with no associated logon,
but doesn't actually explain why or how to stop it. Another site brings up
this problem along with another one, but then only goes into detail on the
other problem.

By the way, the only thing we changed on these systems in the last couple of
days was move them to a switch from a hub, and change all the network cards
and switch ports to 100/full duplex. These events seem to have started right
after this change.

Can anyone shed some light on this?

Thanks in advance.

Michael S.

 

[Steven Umbach]

I don't really know but I notice when using Ethereal to capture packet traffic
that a lot of times null sessions are used by the computer browser service.
Maybe your computer became a master browser suddenly?? You can use nbtstat -n to
see if it is. You could try using Ethereal to try and see what kind of traffic
is causing such activity [what ports, etc]. You could correlate the Ethereal
capture with the security log by time to narrow down the search and maybe use a
filter if you know what computer or computers are initiating those null
sessions. --- Steve