Windows 2000 Security Log

[Guest]

I use Windows 2000 Professional SP4

I need to know if the following event description is somethiung that I
should worry about. If not, why not?

Category: Privilege Use
Success: Event ID: 576
User: NT AUTHORITY/ANONYMOUS LOGON

User Name:
Domain:
Logon ID: (0X0,0XCC77)
Assigned: SecChangeNotifyPrivilege

I see this after I logon using my admin/or power user account and sometimes
randomly. Most of my concern stems from the "ANONYMOUS LOGON" portion.

Any guidance that you have would be greatly appreciated

Thanks in advance

 

[Steven L Umbach]

The operating system does use null sessions for more than a few functions
mostly related to networking and browse list activity. I would not worry
about them as long as you have a firewall protecting your network to prevent
internet users from trying to enumerate user names and then access your
computer using them by guessing their password and your user are using
strong passwords and protecting access to network resources using principle
of least privilege. I have seen anonymous access in the logs of about every
computer I have checked. For instance if you try to access another computer
through my Network Places you most likely will then see anonymous access in
events on the computer you are trying to access and the master browser or
backup browser. Computers that have the guest account enabled to allow
anonymous user access to shares or XP Home will show lots of anonymous
access type 3 logon events. I hope you have the guest account disabled
unless you have a good reason not to.--- Steve

http://support.microsoft.com/?kbid=246261 --- info on anoymous access for
Windows 2000

 

[Guest]

Steve

First thank you for the quick response.

Yes, the Guest account is disabled. However, I did not assign a password to
it, would that make a difference?

I'm using a firewall. Actually my computer sits behind 2.

And in Local Group Policy under Security Options

Additional restrictions for anonymous connections

Do Not allow enumeration of SAM accounts is set for Local and Effective
Setting

So, basically you're saying not to worry. But, why am I seeing it everytime
someone logs on?

tks

 

[Steven L Umbach]

It would not matter if the guest account has a password or not. I would not
worry as you know these events are caused by normal logons. Offhand I am not
sure why in Windows 2000 that you see anonymous logon gets the privilege for
SecChangeNotifyPrivilege which is bypass traverse checking which by default
everyone gets anyhow as shown in Local Security Policy. Possibly the
operating system grants that user right before the user is authenticated at
logon for some reason which may be performance reasons. If you want to
tighten anonymous network access even further set the security option you
mention to no access without explicit anonymous permissions assuming it will
not break anything which mostly happened when enabled on domain controllers.
Again proper firewall protection, strong passwords, disabling the guest
account, and properly configured access control lists such as share/NTFS
permissions will mitigate risk of anonymous access. What would be of concern
if you see a lot of unexplained logon failures in your security logs that
could indicate an attack attempt particularly if the administrator account
is shows. --- Steve