Max Burke
I have the following appearing regularly in the event viewer security
log; I have been trying to track down why and what (if anything) I can
or need to do about this anonymous logon.....
So far all the web sites (including Microsoft's) only talk about Win 2K,
NT, and XP Professional....
None of them mention XP Home at all except for vague references that it
can be caused by having the welcome screen enabled, and that this was
fixed in XP SP1. My computer is fully up to date with all updates and
patches.
There are some other vague references (mostly talking about Win2K again)
that it also can/does happen with LAN connected computers (I have an old
486 running Win95a connected through a LAN to this computer) and that
it's some sort of system logon event that allows LAN connections to
work.....
[ XXXXXX = computer name, logon names, etc]
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 18/10/2003
Time: 6:24:27 p.m.
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: XXXXXXXXX
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x11ED0)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}
On a related note I'm also seeing every so often:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Management
Event ID: 627
Date: 18/10/2003
Time: 8:57:51 p.m.
User: XXXXXXXX\XXXX
Computer: XXXXXXX
Description:
Change Password Attempt:
Target Account Name: HelpAssistant
Target Domain: XXXXXXX
Target Account ID: XXXXXXX\HelpAssistant
Caller User Name: XXXXXXX
Caller Domain: XXXXXXXXX
Caller Logon ID: (0x0,0xC55E)
Privileges: -
This failure happens for all registered user accounts;
Me. (my logon)
The hidden administrator account.
The help assistant account.
The hidden support account.
The guest account.
Most often it's when the computer is turned on or rebooted, but
occasionally after the computer has been running for several hours. Most
of the time I'm not connected to the internet when it happens. Also I am
the only one who has physical access to both computers. (They're sitting
next to each other on my desk)
I have ZoneAlarm installed on my system, and also have ICF running; I
run PC-cillin 2002 and keep their virus def files up to date. I have
turned off all unneeded services, MBSA reports no unnecessary services
are running. I do regular scans (weekly using Ad-Aware and Spybot
S&D) and run Trojan scanners once a week as well.....
Again I haven't been able to find out anything helpful on any websites,
mostly they talk about Win2K, and XP Professional and about setting
security policies for logons which can't be done in XP Home.....
Is there anything I can do to track down what this audit failure means
and what I need to do (if anything) to stop the attempted password
changes from happening....
One last question;
When the guest account is turned off in Control Panel / User Accounts /
Guest account [off] why does it still show as logging on in the security
event viewer log?
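
The two audit records quoted above, run through a small triage script, as an added example that is not part of the original post: it parses records pasted as text from Event Viewer, counts anonymous NTLM network logons (Event ID 540, Logon Type 3, empty User Name) and tallies failed password-change attempts (Event ID 627) by caller and target account. The sample records are abridged from the post with its XXXX redactions kept, the Guest record is constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# Abridged copies of the post's two records (XXXX redactions kept);
# the third record (Guest) is constructed for this example.
SAMPLE = """\
Event Type: Success Audit
Event ID: 540
User: NT AUTHORITY\\ANONYMOUS LOGON
Successful Network Logon:
User Name:
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Event Type: Failure Audit
Event ID: 627
User: XXXXXXXX\\XXXX
Change Password Attempt:
Target Account Name: HelpAssistant
Caller User Name: XXXXXXX
Event Type: Failure Audit
Event ID: 627
Target Account Name: Guest
Caller User Name: XXXXXXX
"""

def parse_records(text):
    """Split on 'Event Type:' and turn each 'Key: Value' line into a dict entry."""
    records = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # first colon only, so times survive
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records

def triage(records):
    """Count anonymous network logons (540) and failed password changes (627)."""
    anon, failed = 0, Counter()
    for r in records:
        if (r.get("Event ID") == "540" and r.get("Logon Type") == "3"
                and r.get("User Name") == "" and "ANONYMOUS LOGON" in r.get("User", "")):
            anon += 1
        elif r.get("Event ID") == "627" and r.get("Event Type") == "Failure Audit":
            failed[(r.get("Caller User Name"), r.get("Target Account Name"))] += 1
    return anon, failed
```
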