March 30th, 2004, 04:08 PM
Event viewer logging ANON LOGON
I'm trying to understand my event-viewer entries (please make it stop!).
I keep seeing ANONYMOUS LOGON events being logged to my systems. The event is 538/type 3 and 540/type 3. Which, according to M$, is: "A user or computer logged on to this computer from the network." But I have both systems locked down (no anonymous enum, additional restrictions, etc.). I know it's not an actual person attaching to the system, but what is it? A service?
I'm seeing this in both 2K and XP.
As I'm writing this, two more entries (538) popped up, one after the other (110 seconds), which, according to M$: "This event record indicates that a user has logged off."
Oh, and while we're at it, can anyone remind me of the difference in auditing settings between "Audit account logon events" and "Audit logon events"? Both explanations appear to be pretty much the same.
March 30th, 2004, 05:22 PM
Are you sure you don't have an unpassworded share? If you did, that'd explain it.
March 30th, 2004, 07:15 PM
Positive, no hidden shares (other than the defaults).
In fact, Messenger and Browser services are disabled.
I can turn off Server (net stop server) and as soon as I turn it back on (net start server) an entry (540) is placed in Event Viewer, ANONYMOUS LOGON.
It's not that I'm really concerned about this, I'm just trying to understand the underlying M$ mythology at work here. Plus, it's real annoying when I'm trying to be security conscious and seeing multiple anonymous connections when I review the logs...
March 30th, 2004, 07:19 PM
Check out www.eventid.net. They usually offer various different causes of almost every log entry out there. Maybe you'll find what you're looking for there.
March 30th, 2004, 08:09 PM
Excellent source, thanks.
And it came up with a possible answer:
540: -- generated whenever Server service starts
"This event indicates that a remote user has successfully connected from the network to a local resource on the server, generating a token for the network user. ..."
538: -- generated whenever Server service stops
"This event indicates a user logged off. The corresponding logon event (528) can be found by comparing the <logon id> field. "
. . .
"In many cases, the user listed for this event will be "ANONYMOUS LOGON" from "NT AUTHORITY" domain. This logon is used by processes that use the null session logons ... Any program or service that is using the System user account is in fact logging in with null credentials. ... One typical example is a computer that registers itself with the Master Browser for that network segment at startup. This registration will generate several logon/logoffs from "ANONYMOUS USER". Since the registration is renewed by default every 12 minutes, such events will occur at regular intervals."
Ok, Browser service is disabled, so is Messenger. It can't be registering itself to any Browser service, and no one is registering with it. It's not allowing anonymous null (IPC$)...
Oh, man. My head hurts. You know, I really don't care anymore what's causing this... I need an aspirin and a nap.
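As an added example (not code from any poster in this thread), this is the triage the eventid.net entry describes: pair each 540 network logon with its 538 logoff by Logon ID, then check whether the ANONYMOUS LOGON / NT AUTHORITY sessions recur on the 12-minute Master Browser renewal cycle rather than at random. The records and their field layout are constructed for the example, not taken from the original poster's systems.

```python
from datetime import datetime

# Constructed sample records in the style of a Windows 2000/XP Security-log
# export: (timestamp, event id, logon type, user, domain, logon id).
SAMPLE_EVENTS = [
    ("2004-03-30 19:12:00", 540, 3, "ANONYMOUS LOGON", "NT AUTHORITY", "(0x0,0x1A2B)"),
    ("2004-03-30 19:12:05", 538, 3, "ANONYMOUS LOGON", "NT AUTHORITY", "(0x0,0x1A2B)"),
    ("2004-03-30 19:24:00", 540, 3, "ANONYMOUS LOGON", "NT AUTHORITY", "(0x0,0x1C3D)"),
    ("2004-03-30 19:24:04", 538, 3, "ANONYMOUS LOGON", "NT AUTHORITY", "(0x0,0x1C3D)"),
    ("2004-03-30 19:30:11", 540, 3, "alice", "WORKGROUP", "(0x0,0x2E4F)"),
    ("2004-03-30 19:36:00", 540, 3, "ANONYMOUS LOGON", "NT AUTHORITY", "(0x0,0x1E5A)"),
    ("2004-03-30 19:36:03", 538, 3, "ANONYMOUS LOGON", "NT AUTHORITY", "(0x0,0x1E5A)"),
]

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def pair_sessions(events):
    """Match each 540 (network logon) with its 538 (logoff) via the Logon ID field."""
    open_sessions = {}
    sessions = []
    for ts, event_id, logon_type, user, domain, logon_id in sorted(events, key=lambda e: e[0]):
        if event_id == 540:
            open_sessions[logon_id] = {"user": user, "domain": domain, "type": logon_type,
                                       "logon_id": logon_id, "start": parse_ts(ts), "end": None}
        elif event_id == 538 and logon_id in open_sessions:
            session = open_sessions.pop(logon_id)
            session["end"] = parse_ts(ts)
            sessions.append(session)
    # Logons with no matching logoff (still open) are reported with end=None.
    sessions.extend(open_sessions.values())
    return sorted(sessions, key=lambda s: s["start"])

def anonymous_intervals(sessions):
    """Minutes between consecutive ANONYMOUS LOGON / NT AUTHORITY type-3 sessions."""
    starts = [s["start"] for s in sessions
              if s["user"] == "ANONYMOUS LOGON" and s["domain"] == "NT AUTHORITY"
              and s["type"] == 3]
    return [(b - a).total_seconds() / 60 for a, b in zip(starts, starts[1:])]

def matches_renewal_period(intervals, period_min=12.0, tolerance_min=1.0):
    """True when every gap sits near the 12-minute browser registration renewal."""
    return bool(intervals) and all(abs(i - period_min) <= tolerance_min for i in intervals)

if __name__ == "__main__":
    paired = pair_sessions(SAMPLE_EVENTS)
    for s in paired:
        print(s["domain"], s["user"], s["logon_id"], s["start"], s["end"])
    print("periodic:", matches_renewal_period(anonymous_intervals(paired)))
```

Sessions that line up with `net start server` (as in the thread) rather than a fixed cycle will fail the periodicity check, which is the distinction worth making before spending more time on them.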