-
Anonymous Logins
Hey All, perhaps I haven't had enough coffee yet but I have some of these in my event log. They started a few nights ago and I just caught them today. Always at night so that in itself is malicious since they are after 5 and before 8 am, outside of working hours. I wouldn't be posting except I do not have the built-in Guest and Anonymous type account enabled and I am NOT running IIS as this is a domain controller for Active Directory, platform: Windows Server 2k, mixed mode with no additional proggies loaded. Thought I would open up some suggestions while I look at it. Sometimes I miss the obvious in the normal storm of day to day IT.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 10/21/2004
Time: 6:10:24 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SERVER
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x93B47D7)
Logon Type: 3
WTF is this? //EDIT I know that's not a lot of info. Just tossing it out in case someone can tell by experience.
-
I know you can see these if you have a network share being disconnected and reconnected due to a bad NIC or switchport or similar problem. Also power management may turn off a NIC only to turn it back on (on demand) through the night... Is a network application running that might do this?
Just a few guesses..
SGS
-
Interesting
Hmmm,
Very interesting, I would presume it's some sort of application (like Exchange 2000) that uses the anonymous account, as talked about in this article:
Event 538
It also talks about tightening the security some more for the anonymous account but this has some consequences.
The logon type 3 means: Network logon - network mapping (net use/net view), so this could also be used by an application, I would think.
This Microsoft article also talks about event ID 538.
If I find anything else I'll let you know...
I know it's all a bit vague, but then again it's a vague subject :D ;)
C.
-
IIRC, the "Anonymous" login/logoff is the System itself for items it has to do. Microsoft has some info. These Knowledge Base articles -- Part 1 and Part 2 -- might also help.
Although at first I thought you were having a huge rodent problem (based on the title). :D
-
I was concerned by those a year or three ago and dug into them.... It's a system issue and you don't need to worry about... I just don't remember the details.... :rolleyes:
-
The more I looked the less concerned I became. It is noteworthy that they are happening at night so I'll dig a little more for fun. On a side note, thanks for the articles and time. I might put a packet sniffer off the NIC just to see if anything funny is going on. Cheers. :)
\\EDIT Rodents? Ah yes "mouse" lol I tried to change it but it was too late. Any Mouse will do. Or in this case an anonymous Mouse.
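For anyone triaging the same entries, here is an added example (not posted by anyone in the thread) that parses a text dump of Security events in the layout shown in the first post, keeps only Event ID 538 records for ANONYMOUS LOGON with Logon Type 3, and marks whether each falls outside working hours. The 08:00 to 17:00 working window, the function names, and the second and third sample records are assumptions made for the illustration.

```python
import re
from datetime import datetime

# Constructed sample: the first record uses the values from the first post,
# the other two are made up for this example.
SAMPLE = """\
Event Type: Success Audit
Event ID: 538
Date: 10/21/2004
Time: 6:10:24 PM
User Name: ANONYMOUS LOGON
Logon Type: 3
Event Type: Success Audit
Event ID: 538
Date: 10/22/2004
Time: 10:15:02 AM
User Name: jsmith
Logon Type: 2
Event Type: Success Audit
Event ID: 538
Date: 10/22/2004
Time: 10:41:09 AM
User Name: ANONYMOUS LOGON
Logon Type: 3
"""

def parse_events(text):
    """Split the dump into dicts; a new record starts at each 'Event Type:' line."""
    events = []
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Event Type":
            events.append({})
        if events and value:  # skip empty headers such as 'Description:'
            events[-1][key] = value
    return events

def anonymous_network_logoffs(events, day_start=8, day_end=17):
    """Return (timestamp, off_hours) for each 538 / ANONYMOUS LOGON / type 3 record."""
    hits = []
    for e in events:
        if (e.get("Event ID"), e.get("User Name"), e.get("Logon Type")) != ("538", "ANONYMOUS LOGON", "3"):
            continue
        ts = datetime.strptime(f"{e['Date']} {e['Time']}", "%m/%d/%Y %I:%M:%S %p")
        hits.append((ts, not day_start <= ts.hour < day_end))
    return hits
```

If the flagged records turn up during the day as well as at night, that points toward the routine system or application activity described in the replies rather than something tied to off-hours.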