Odd NT event log entry
Results 1 to 9 of 9

Thread: Odd NT event log entry

  1. #1
    Senior Member
    Join Date
    Mar 2003
    Posts
    372

    Odd NT event log entry

    I was going through some of our NT machines event logs here today (yes I'm bored) and I came across an odd entry that I had not seen before.

    Code:
    43  SEC,11/17/03,06:51:04,Security,528,Success,Logon/Logoff ,NT AUTHORITY\ANONYMOUS LOGON,MACHINE_NAME,Successful Logon:^`   User
     Name:  ^`      Domain:         ^`      Logon ID:               (0x0 0x1CCF)^`  Logon Type:     3^`     Logon Process:  KSecDD^`
        Authentication Package:     MICROSOFT_AUTHENTICATION_PACKAGE_V1_0^`         Workstation Name:        ^M
    This happened right after a failed login of a user on that machine that was trying to log in local (he forgets his password on a regular basis ). I have checked that machine and verified that guest is disabled, and of course guest is disabled in the domain. Also there is no IIS/web/ftp server running on that box. It's just a plain basic NT 4.0 workstation with some monitoring software running on it (for our product). Also right after that event happened the following occured:

    Code:
    44  SEC,11/17/03,06:51:04,Security,576,Success,Privilege Use ,NT AUTHORITY\ANONYMOUS LOGON,MACHINE_NAME,Special privileges assigned to new logon:^`
          User Name:      ^`      Domain:         ^`      Logon ID:               (0x0 0x1CCF)^`  Assigned:
        SeChangeNotifyPrivilege ^M
    Then I don't see Anonymous log off the machine at all, nor do I see any more activity by Anonymous in the logs.

    How exactly do you log in local as anonymous? Did the logs just wig out and report things wrong? The machine in question does not see the outside world at all (not even email).

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    What else is running on the box besides NT? (Applications, services, etc.)
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Senior Member
    Join Date
    Jan 2003
    Posts
    1,499
    I have a configuration of NT here that has that also.

    As far as I can see its perhaps (perhaps not had time to test before this post)

    When the user uses a valid login but instead of hitting domain or network logs onto the local machine either successfully or ne

  4. #4
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    Ms. Mittens. It just has the basic services running:

    Computer Browser
    Defwatch
    Eventlog
    Net Logon
    Norton AV
    Protected Storage
    Schedule
    Server
    Spooler
    VNC Server
    Workstation

    The only application running on this box is the monitoring tool for the software we developed. It is pretty much a plain vanilla install with a few services turned off. It's only used to monitor accounts in the application I mentioned.



    mark_boyle2002:

    But even if they are logging in local vs domain/network it should say the user account. Something like:

    Code:
    9  SEC,11/17/03,05:03:49,Security,528,Success,Logon/Logoff ,LOCAL_MACHINE_NAME\USER_ID,Successful Logon:^`     User Name:
        USER_ID^`         Domain:         ^`      Logon ID:               (0x0 0x478558)^`        Logon Type:     2^`     Logo
    n Process:      User32  ^`      Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0^`         Workstation Name:       MACHINE_NAME ^M
    or at least that is the way I have seen it in the past. Perhaps something is busted on this machine?


    ***EDIT***
    edited for santiation of log information

    /EDIT

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  5. #5
    Senior Member
    Join Date
    Jan 2003
    Posts
    1,499
    [suggestion]
    Does VNC not now base its self on ms security.

    Do you have a password for the same and have it running as a service
    [/suggestion]

  6. #6
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    I also notice a difference in the Logon Process used between a successful (authenticated) login which uses User32 and the Anonymous login which uses KSecDD. Also the Logon Type is different. Authenticated user is Logon Type 2, Anonymous is Logon Type 3.

    Is that something along the lines of a IPC$ connection that is happening from the domain controller to the workstation? I've never seen it before, but it's the only thing I can think of... it looks like some kind of machine/process based login.


    mark_boyle_2002 - We are using an older version of WinVNC which does not use MS security. It's all based on the application itself, which is something I'm slowly changing around this place. Good suggestion though

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  7. #7
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,019
    THe only thing I can find that might ven be remotely helpful to you is here: http://support.microsoft.com/default...NoWebContent=1

    You probably already looked at it. The reason it stuck out was the following quote:

    CAUSE
    Windows XP attempts a limited logon for each account that is displayed on the Welcome screen to determine whether to prompt the user for a password. An attempted logon is logged for each account displayed.

    ??

    Probably not what you need, but hey, I learned something!!!

  8. #8
    Senior Member
    Join Date
    Jan 2003
    Posts
    1,499
    o.k, Idea

    Run zonealarm on the machine as a serice. view the log for entries connecting to your server

    Is it possible you have a share on your machine and another machine connects to it as anonymous ?

  9. #9
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    aha! Google IS your friend

    Microsoft's Knowledgebase was next to useless on this so I decided to googlize this event and see what I could find...

    http://www.eventid.net/display.asp?e...=538&eventno=7

    It's a pretty nifty site if you are trying to make heads or tails of NT event IDs.

    Anyway, I was on the right track with my last speculation. It is machine/process based, or someone connecting via a NULL session which isn't happening on that machine. It was just a bit of log entry that piqued my curiosity because of the Anonymous part (which makes most security folks a little paranoid, or it should).

    Thanks for the suggestions, and thanks for listening to me work this problem out in my own head. lol, I probably should have googled it first instead of posting on AO off the bat huh?

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides