Anonymous Logons


Walter Callahan

I was browsing my event logs today and I'm just curious.
My server isn't running IIS, or FTP.
Why are there Anonymous Logons?


Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 10/18/2003
Time: 7:25:42 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: COMPUTER
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID:
Logon Type: 3
 
Those are "null sessions" used by the operating system for various networking
processes including maintaining the browse list and certain password change activity.
Null sessions can be exploited to enumerate the SAM and shares, which is one reason a
firewall is needed to block access to NetBIOS/CIFS ports from untrusted networks. See
the KB link below for details of some more processes it uses and ramifications of
limiting. -- Steve

http://support.microsoft.com/?kbid=246261
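
An added example, not part of the original posts: a small Python parser for Security log text exported in the layout quoted in the question, which tallies the null-session events (NT AUTHORITY\ANONYMOUS LOGON with Logon Type 3, a network logon) separately from ordinary user logons. The sample records are constructed; the `EXAMPLE` domain, the `alice` account and all times except the first are assumptions.

```python
from collections import Counter

# Constructed sample in the text layout of the event quoted in the thread.
# "EXAMPLE" and "alice" are made-up values, not from the original post.
_RECORD = (
    "Event Type: Success Audit\nEvent Source: Security\n"
    "Event Category: Logon/Logoff\nEvent ID: 538\nDate: 10/18/2003\n"
    "Time: {time}\nUser: {domain}\\{user}\nComputer: COMPUTER\n"
    "Description:\nUser Logoff:\nUser Name: {user}\nDomain: {domain}\n"
    "Logon ID:\nLogon Type: {ltype}\n"
)
SAMPLE = "\n".join([
    _RECORD.format(time="7:25:42 AM", domain="NT AUTHORITY", user="ANONYMOUS LOGON", ltype=3),
    _RECORD.format(time="7:31:05 AM", domain="EXAMPLE", user="alice", ltype=3),
    _RECORD.format(time="7:40:10 AM", domain="EXAMPLE", user="alice", ltype=2),
    _RECORD.format(time="8:02:17 AM", domain="NT AUTHORITY", user="ANONYMOUS LOGON", ltype=3),
])


def parse_events(text):
    """Split exported event text into one dict of fields per record."""
    events = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank separator or free text without a field name
        key, value = key.strip(), value.strip()
        if key == "Event Type":
            events.append({})  # every record starts with this field
        if events:
            events[-1][key] = value
    return events


def is_null_session(event):
    """True for a network (type 3) logon/logoff by NT AUTHORITY\\ANONYMOUS LOGON."""
    return (event.get("User Name", "").upper() == "ANONYMOUS LOGON"
            and event.get("Domain", "").upper() == "NT AUTHORITY"
            and event.get("Logon Type") == "3")


def null_session_counts(text):
    """Count null-session events per (computer, event ID)."""
    return Counter((e.get("Computer"), e.get("Event ID"))
                   for e in parse_events(text) if is_null_session(e))


if __name__ == "__main__":
    for (computer, event_id), n in null_session_counts(SAMPLE).items():
        print(f"{computer}: {n} null-session events (ID {event_id})")
```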
 