Anonymous Logons

Jason Hurley

When I check my security log in the event viewer I
sometimes see "Success Audit" for user "ANONYMOUS LOGON".
I know that it is a system group but what is triggering
ANONYMOUS LOGON to happen? Do I have a security Breach?

Environment: Windows 2000 Active Directory

Anyone help?
Thanks,
Jason
 
Steven L Umbach

You probably do not have a security breach if just anonymous access is showing in the
logs. Anonymous access or "null" sessions are used in Windows networking for things
like maintaining the browse list [probably main reason], and users changing
passwords before expiring. If you have downlevel clients you may see more than in an
all W2K/XP Pro network. A security breach would be indicated more by lots of
unexplained failed logons in the security log, particularly of the administrator
account, and account lockouts. The link below can explain more. I am not advocating
you make the change it discusses on domain controllers, but read the paste under the
link. --- Steve

http://support.microsoft.com/?kbid=246261

"The following tasks are restricted when the RestrictAnonymous registry value is set
to 2 on a Windows 2000-based domain controller:
a.. Down-level member workstations or servers are not able to set up a netlogon
secure channel.
b.. Down-level domain controllers in trusting domains are not able to set up a
netlogon secure channel.
c.. Microsoft Windows NT users are not able to change their passwords after they
expire. Also, Macintosh users are not able to change their passwords at all.
d.. The Browser service is not able to retrieve domain lists or server lists from
backup browsers, master browsers or domain master browsers that are running on
computers with the RestrictAnonymous registry value set to 2. Because of this, any
program that relies on the Browser service does not function properly"
 
Jason Hurley

Thanks for the info.

However, my Boss is being a royal pain and now wants to
know exactly why we see "Anonymous Logon". I've tried
looking it up in FAQ but nothing that helps comes up. Can
someone help here?

Windows 2000, AD, IIS.

JH

-----Original Message-----
You probably do not have a security breach if just
anonymous access is showing in the
logs. Anonymous access or "null" sessions are used in Windows networking for things
like maintaining the browse list [probably main reason], and users changing
passwords before expiring. If you have downlevel clients you may see more than in an
all W2K/XP Pro network. A security breach would be indicated more by lots of
unexplained failed logons in the security log,
particularly of the administrator
account, and account lockouts. The link below can explain more. I am not advocating
you make the change it discusses on domain controllers, but read the paste under the
link. --- Steve

http://support.microsoft.com/?kbid=246261

"The following tasks are restricted when the
RestrictAnonymous registry value is set
 
Steven L Umbach

It is a fact of life in a Windows network using file and print sharing and netbios
over tcp/ip. Disabling netbios over tcp/ip and/or file and print sharing on a
computer will drastically reduce or eliminate those events. If you disable netbios
over tcp/ip then you will not be able to use My Network Places anymore but could use
strictly Active Directory to publish and find shares. Of course you would want to
make sure all of your applications do not rely on netbios over tcp/ip. You can not
disable file and print sharing on domain controllers and any computer you disable it
on will no longer be able to offer shares or be remotely manageable. I suggest you
run Ethereal on a computer for a while to capture those null sessions to show your
boss what they are for. Most likely they will show up using port 138 udp and
sometimes 139 tcp. Be sure your firewall blocks access to those ports from the
internet. The article below explains null sessions fairly well. If your domain
structure will allow it and still allow user access, you can remove "everyone" from
user rights such as access this computer from the network and from share/ntfs
permissions using authenticated users instead. In Windows 2000 you can also configure
the security option for "additional restrictions for anonymous connections". It has
three settings. Usually the middle setting for "do not allow anonymous enumeration of
sam and shares" is safe to set on all computers though the most restrictive setting
of "no access without explicit anonymous permissions" should be used with caution,
particularly on domain controllers. --- Steve

http://www.sans.org/rr/papers/index.php?id=286

Jason Hurley said:
Thanks for the info.

However, my Boss is being a royal pain and now wants to
know exactly why we see "Anonymous Logon". I've tried
looking it up in FAQ but nothing that helps comes up. Can
someone help here?

Windows 2000, AD, IIS.

JH

-----Original Message-----
You probably do not have a security breach if just
anonymous access is showing in the
logs. Anonymous access or "null" sessions are used in Windows networking for things
like maintaining the browse list [probably main reason], and users changing
passwords before expiring. If you have downlevel clients you may see more than in an
all W2K/XP Pro network. A security breach would be indicated more by lots of
unexplained failed logons in the security log,
particularly of the administrator
account, and account lockouts. The link below can explain more. I am not advocating
you make the change it discusses on domain controllers, but read the paste under the
link. --- Steve

http://support.microsoft.com/?kbid=246261

"The following tasks are restricted when the
RestrictAnonymous registry value is set
to 2 on a Windows 2000-based domain controller:
a.. Down-level member workstations or servers are not able to set up a netlogon
secure channel.
b.. Down-level domain controllers in trusting domains are not able to set up a
netlogon secure channel.
c.. Microsoft Windows NT users are not able to change their passwords after they
expire. Also, Macintosh users are not able to change their passwords at all.
d.. The Browser service is not able to retrieve domain lists or server lists from
backup browsers, master browsers or domain master browsers that are running on
computers with the RestrictAnonymous registry value set to 2. Because of this, any
program that relies on the Browser service does not function properly"
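Steve's two replies make one practical point: a "Success Audit" for ANONYMOUS LOGON is background noise from NetBIOS browsing and null sessions, while the signal worth escalating is a run of failed logons against the Administrator account and any account lockouts. The script below is an added example (not code from the thread or from Microsoft) that applies exactly that triage to a Windows 2000 security log export. It assumes a tab-separated text export with the fields date/time, source, type, category, event ID, user, computer and description, and it uses the Windows 2000 event IDs 540 (successful network logon), 529 (logon failure) and 644 (account locked out). The log lines, hostnames, account names and the threshold of five failures are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Event IDs as numbered in the Windows 2000 security log (pre-Vista numbering).
EVT_NETWORK_LOGON = 540    # Success Audit: network (logon type 3) logon; where ANONYMOUS LOGON shows up
EVT_LOGON_FAILURE = 529    # Failure Audit: unknown user name or bad password
EVT_ACCOUNT_LOCKOUT = 644  # Success Audit: user account locked out

# Five constructed failed logons for Administrator from one workstation (WS-99 is made up).
_ADMIN_FAILS = "".join(
    f"2003-05-12 09:10:0{i}\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tDC1\t"
    "Logon Failure: Reason: Unknown user name or bad password User Name: Administrator "
    "Domain: CORP Logon Type: 3 Workstation Name: WS-99\n"
    for i in range(1, 6)
)

# Constructed sample of a tab-separated Event Viewer text export, one event per line.
# Fields: date/time, source, type, category, event id, user, computer, description.
SAMPLE_LOG = (
    "2003-05-12 09:01:12\tSecurity\tSuccess Audit\tLogon/Logoff\t540\tNT AUTHORITY\\ANONYMOUS LOGON\tDC1\t"
    "Successful Network Logon: User Name: ANONYMOUS LOGON Domain: NT AUTHORITY Logon Type: 3 Workstation Name: WS-17\n"
    "2003-05-12 09:01:40\tSecurity\tSuccess Audit\tLogon/Logoff\t540\tNT AUTHORITY\\ANONYMOUS LOGON\tDC1\t"
    "Successful Network Logon: User Name: ANONYMOUS LOGON Domain: NT AUTHORITY Logon Type: 3 Workstation Name: WS-04\n"
    "2003-05-12 09:02:05\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tCORP\\jhurley\tDC1\t"
    "Successful Logon: User Name: jhurley Domain: CORP Logon Type: 2 Workstation Name: WS-17\n"
    "2003-05-12 09:03:11\tSecurity\tSuccess Audit\tLogon/Logoff\t540\tNT AUTHORITY\\ANONYMOUS LOGON\tDC1\t"
    "Successful Network Logon: User Name: ANONYMOUS LOGON Domain: NT AUTHORITY Logon Type: 3 Workstation Name: WS-17\n"
    + _ADMIN_FAILS +
    "2003-05-12 09:10:10\tSecurity\tSuccess Audit\tAccount Management\t644\tNT AUTHORITY\\SYSTEM\tDC1\t"
    "User Account Locked Out: Target Account Name: Administrator Target Account ID: CORP\\Administrator "
    "Caller Machine Name: WS-99\n"
    "2003-05-12 09:12:30\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tDC1\t"
    "Logon Failure: Reason: Unknown user name or bad password User Name: jhurley "
    "Domain: CORP Logon Type: 2 Workstation Name: WS-17\n"
)


def parse_event(line):
    """Split one exported line into named fields; return None for blank or malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 8:
        return None
    ts, source, kind, category, event_id, user, computer, description = parts
    return {
        "time": ts, "source": source, "type": kind, "category": category,
        "event_id": int(event_id), "user": user, "computer": computer,
        "description": description,
    }


def _field(description, label):
    """Pull a single-token value such as 'Workstation Name: WS-17' out of the description text."""
    m = re.search(re.escape(label) + r":\s*(\S+)", description)
    return m.group(1) if m else "?"


def summarize(log_text, admin_fail_threshold=5):
    """Separate expected null-session noise from the failed-logon and lockout activity worth chasing."""
    null_sessions = Counter()          # workstation -> count of ANONYMOUS LOGON network logons
    failed = Counter()                 # account -> count of 529 failures
    failed_from = defaultdict(set)     # account -> workstations the failures came from
    lockouts = []                      # accounts named in 644 events
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["event_id"] == EVT_NETWORK_LOGON and "ANONYMOUS LOGON" in ev["user"].upper():
            null_sessions[_field(ev["description"], "Workstation Name")] += 1
        elif ev["event_id"] == EVT_LOGON_FAILURE:
            account = _field(ev["description"], "User Name")
            failed[account] += 1
            failed_from[account].add(_field(ev["description"], "Workstation Name"))
        elif ev["event_id"] == EVT_ACCOUNT_LOCKOUT:
            lockouts.append(_field(ev["description"], "Target Account Name"))

    alerts = []
    for account, n in failed.items():
        # Steve's indicator of trouble: repeated failures against the Administrator account.
        if account.lower() == "administrator" and n >= admin_fail_threshold:
            alerts.append(f"{n} failed logons for {account} from {', '.join(sorted(failed_from[account]))}")
    for account in lockouts:
        alerts.append(f"account lockout: {account}")
    return {
        "null_sessions": dict(null_sessions),
        "failed_logons": dict(failed),
        "lockouts": lockouts,
        "alerts": alerts,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")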
