blocking workstation logons

G

Guest

Hello,

I would like to know how to block workstations from logging onto my xp pro
machine. I have a dsl connection, zone alarm and the guest account is locked
out. I keep seeing this log on in the event viewer....

Type: Success A Event ID: 540
User: NT AUTHORITY\ANONYMOUS LOGON

Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x41460)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: HOD
Logon GUID: {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at

i see this log on in the event viewer everyday and i want to stop it
permanantly.

Thank You
 
C

Chuck

Hello,

I would like to know how to block workstations from logging onto my xp pro
machine. I have a dsl connection, zone alarm and the guest account is locked
out. I keep seeing this log on in the event viewer....

Type: Success A Event ID: 540
User: NT AUTHORITY\ANONYMOUS LOGON

Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x41460)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: HOD
Logon GUID: {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at

i see this log on in the event viewer everyday and i want to stop it
permanantly.

Thank You
Click to expand...

Eliot,

Are you missing a patch? This says it's for NT V4.0. NOT V5.1.
http://www.microsoft.com/technet/security/bulletin/MS01-008.mspx

Try doing a Google or Yahoo search for "NtLmSsp".

Is your computer directly connected to DSL? Check your ZA settings, make sure
that ZA doesn't show ANYTHING in the Trusted Zone! It sounds like your network
neighbors looking at you in Network Neighborhood (My Network Places). Can you
see anything there? Look under all 3 branches of Entire Network too.

Take a look at registry key [HKLM\System\CurrentControlSet\Control\Lsa], value
restrictanonymous.
<http://www.microsoft.com/windows200...2000/techinfo/reskit/en-us/regentry/46688.asp>
<http://www.jsifaq.com/subf/tip2600/rh2625.htm>

The above articles refer to Windows 2000. Remember WinXP is NT V5.1, and Win2K
is NT V5.0.

Have you used the Registry Editor before? If not, it's a scary tool, but it's
pretty simple once you get used to it. Here are a couple articles that might
help:
<http://www.microsoft.com/windowsxp/...home/using/productdoc/en/tools_regeditors.asp>
<http://www.annoyances.org/exec/show/registry>

Just remember to backup the key (create a registry patch) for
[HKLM\System\CurrentControlSet\Control\Lsa] before making any changes, if
appropriate.

From the Annoyances article:
You can create a Registry patch by opening the Registry Editor, selecting a
branch, and choosing Export from the File menu. Then, specify a filename, and
press OK. You can then view the Registry patch file by opening it in Notepad
(right-click on it and select Edit). Again, just double-click on a Registry
patch file (or use Import in the Registry Editor's File menu) to apply it to the
registry.

If you do this, you might not see your computer in Network Neighborhood any
more. So make sure you create the backup patch.

Please let us know what you find out. This could be interesting.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
 
G

Guest

Thanks Chuck, I applied the registry setting and now I wll sit back and wait
to see what happens. Thanks for your help there was alot of useful info in
your post.

Chuck said:
Hello,

I would like to know how to block workstations from logging onto my xp pro
machine. I have a dsl connection, zone alarm and the guest account is locked
out. I keep seeing this log on in the event viewer....

Type: Success A Event ID: 540
User: NT AUTHORITY\ANONYMOUS LOGON

Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x41460)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: HOD
Logon GUID: {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at

i see this log on in the event viewer everyday and i want to stop it
permanantly.

Thank You
Click to expand...

Eliot,

Are you missing a patch? This says it's for NT V4.0. NOT V5.1.
http://www.microsoft.com/technet/security/bulletin/MS01-008.mspx

Try doing a Google or Yahoo search for "NtLmSsp".

Is your computer directly connected to DSL? Check your ZA settings, make sure
that ZA doesn't show ANYTHING in the Trusted Zone! It sounds like your network
neighbors looking at you in Network Neighborhood (My Network Places). Can you
see anything there? Look under all 3 branches of Entire Network too.

Take a look at registry key [HKLM\System\CurrentControlSet\Control\Lsa], value
restrictanonymous.
<http://www.microsoft.com/windows200...2000/techinfo/reskit/en-us/regentry/46688.asp>
<http://www.jsifaq.com/subf/tip2600/rh2625.htm>

The above articles refer to Windows 2000. Remember WinXP is NT V5.1, and Win2K
is NT V5.0.

Have you used the Registry Editor before? If not, it's a scary tool, but it's
pretty simple once you get used to it. Here are a couple articles that might
help:
<http://www.microsoft.com/windowsxp/...home/using/productdoc/en/tools_regeditors.asp>
<http://www.annoyances.org/exec/show/registry>

Just remember to backup the key (create a registry patch) for
[HKLM\System\CurrentControlSet\Control\Lsa] before making any changes, if
appropriate.

From the Annoyances article:
You can create a Registry patch by opening the Registry Editor, selecting a
branch, and choosing Export from the File menu. Then, specify a filename, and
press OK. You can then view the Registry patch file by opening it in Notepad
(right-click on it and select Edit). Again, just double-click on a Registry
patch file (or use Import in the Registry Editor's File menu) to apply it to the
registry.

If you do this, you might not see your computer in Network Neighborhood any
more. So make sure you create the backup patch.

Please let us know what you find out. This could be interesting.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
Click to expand...
 
C

Chuck

Thanks Chuck, I applied the registry setting and now I wll sit back and wait
to see what happens. Thanks for your help there was alot of useful info in
your post.
Click to expand...

YW, Eliot. Were you able to "see" "Hod" in My Network Places?

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
 
G

Guest

No, I haven't seen hair nor hide of "HOD" since i applyed the registry tweek.
As a matter of fact I have not had any anonymous logon attempts snce then and
i have not lost any connectivity to any of the workstations i was able to
access or are those worlkstations having any trouble accessing me...the ones
i allow.

Thanks Again!!
 
C

Chuck

No, I haven't seen hair nor hide of "HOD" since i applyed the registry tweek.
As a matter of fact I have not had any anonymous logon attempts snce then and
i have not lost any connectivity to any of the workstations i was able to
access or are those worlkstations having any trouble accessing me...the ones
i allow.

Thanks Again!!
Click to expand...

Excellent, Eliot. Thanks for the update. It's good to see the positive purpose
of the restrictanonymous policy.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Why are there repeated Event 540 and Event 538 entries every 10 minutes? 2
Account Logon in Event Viewer... 1
anonymous logon 5
How to disable "ANONYMOUS LOGON" in XP Home? 1
Event Viewer 5
Anonymous users successfully logging into my pc 4
NT AUTHORITY\ANONYMOUS LOGON 1
ANONYMOUS LOGON without logoff 4

Top