Security log shows multiple ANONYMOUS LOGON

[Shon]

I am looking at the security log of a server and notice
multiple instances of NT AUTHORITY\ANONYMOUS LOGON. How
can I find out where this is coming from? This is event
id of 538 - logoff success.

 

[Shon]

-----Original Message-----
I am looking at the security log of a server and notice
multiple instances of NT AUTHORITY\ANONYMOUS LOGON. How
can I find out where this is coming from? This is event
id of 538 - logoff success.
.

This server is not running IIS or any other such services -
is only a file server. I have checked the services, what
else can I look at?

 

[Steven L Umbach]

Those are normal in a Windows network. Many processes are done without authenticating
[null session] using an account/password. Processes such as the browse service,
changing passwords on downlevel clients, NT4 ras servers, intraforest trusts, and
others. You would have to spend a lot of time with Netmon to find more info on these
events. I would not be too concerned about them if your network is properly secured
with a firewall and good password/account policies. Null sessions can be exploited to
extract user, groups, and share information. If you see unusual amounts of logon
failures from known user accounts, that may tip you off to that happening which can
also happen from inside the network where at least you will know what machine the
attempts are coming from. --- Steve

http://support.microsoft.com/?kbid=246261 -- description of anonymous account uses.