These may be normal and are "null" sessions used by Windows networking for
various processes such as maintaining the browse list [you can try to create one
by using net use \\servername\ipc$ """" /u:"" ]. They can be exploited from
untrusted networks to try to enumerate user/group info on the computer, which
would be indicated by a large number of failed logon attempts using non-default
user names. To protect yourself, a properly configured firewall is needed. If
you have file and print sharing enabled on your server, make sure it is disabled
on the external/public NIC, or better yet, uninstall it from the server if it is
not needed to offer shares or remotely manage the computer via Computer
Management. If this is also not a domain controller, you may try configuring the
security option in Local Security Policy for additional restrictions for
anonymous connections to be "no access without explicit anonymous permissions".

In addition, if you have not done so, it would be a good idea to run Microsoft
Baseline Security Analyzer on your server and the highly recommended IISLockdown
tool, but only after backing up the server and IIS configuration using the IIS
Management Console/servername/action/backup & restore configuration, since if you
do not pay close attention, wanted virtual directories may be deleted during the
process.

--- Steve
http://www.microsoft.com/technet/tr...rl=/technet/security/prodtech/iis/DEFAULT.asp
Sandy said:
I'm getting a lot of these messages on my webserver ---
the guest account is disabled but obviously IUSR_, IWAM_
are enabled.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 2/8/2004
Time: 12:44:08 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: NS4
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x1895F3E)
Logon Type: 3
Any insight would be appreciated - as this is VERY
unnerving
Thanks
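
The distinction drawn in the reply above (anonymous logoff events that may be normal, versus many failed logons using non-default user names), as an added triage example that is not part of the original thread. It assumes a plain-text event export in the layout quoted in the post and Event ID 529 as the failed-logon event on Windows 2000/2003; the threshold, the default-name list and the sample records are constructed for illustration.

```python
import re
from collections import Counter

# Assumptions (not from the thread): 529 is the Windows 2000/2003 failed-logon
# event; the default-name list and the threshold are illustrative choices.
FAILED_LOGON = 529
ANON_LOGOFF = 538          # the event quoted in the post
DEFAULT_NAMES = {"administrator", "guest", "anonymous logon"}

FIELD = re.compile(r"^[ \t]*(Event ID|User Name|Logon Type):[ \t]*(.+?)[ \t]*$", re.M)

def parse_events(text):
    """Split a text export into records, one per 'Event Type:' header."""
    records = []
    for chunk in text.split("Event Type:"):
        fields = dict(FIELD.findall(chunk))
        if "Event ID" in fields:
            records.append({
                "id": int(fields["Event ID"]),
                "user": fields.get("User Name", "").lower(),
                "logon_type": fields.get("Logon Type", ""),
            })
    return records

def triage(records, threshold=3):
    """Return (anonymous logoff count, failed non-default names, alert flag)."""
    benign = sum(1 for r in records
                 if r["id"] == ANON_LOGOFF and r["user"] == "anonymous logon")
    failed = Counter(r["user"] for r in records
                     if r["id"] == FAILED_LOGON and r["logon_type"] == "3"
                     and r["user"] not in DEFAULT_NAMES)
    # Many distinct non-default names failing over the network suggests enumeration.
    return benign, failed, len(failed) >= threshold

def make(event_id, user, etype="Failure Audit"):
    """Build one constructed record in the layout shown in the post."""
    return (f"Event Type: {etype}\nEvent Source: Security\nEvent ID: {event_id}\n"
            f"Description:\nUser Name: {user}\nDomain: NS4\nLogon Type: 3\n")

# Constructed sample: two anonymous logoffs plus four failed network logons.
SAMPLE = (make(538, "ANONYMOUS LOGON", "Success Audit") * 2
          + "".join(make(529, u) for u in ["backup", "sqlsvc", "jsmith", "Administrator"]))

if __name__ == "__main__":
    print(triage(parse_events(SAMPLE)))
```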