Event 4624 - Anonymous
I am having an issue on my WS2008R2 domain. I am getting a lot of network logons with ANONYMOUS as the username. This is creating a problem for my Barracuda web filter, because it uses those logs to authenticate users. The Barracuda sees the anonymous and doesn't authenticate, so the user is blocked from the internet. Can you help me understand why I am getting so many Anonymous logins? There are roughly 800 users, 2 x 2008 R2 DCs, and my security log is loaded with anonymous logins.
Here is an example:
New Logon:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x5ce0026
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: STU-R96E5RD
Source Network Address: 10.30.208.149
Source Port: 64108
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 128
September 29th, 2011 6:18pm
Hi,
There are a few conditions known to cause null session connections. The Server Service registers an Anonymous logon after service startup every time. A password change from a down level client after a password has expired will also cause this. Anonymous Internet connections should show up under the context of IUSR_SERVERNAME (for IIS). We may find some clues according to the value of logon type in the event log.
2 Interactive - Intended for users who will be interactively using the machine, such as a user being logged on by a terminal server, remote shell, or similar process.
3 Network - Intended for high performance servers to authenticate clear text passwords. LogonUser does not cache credentials for this logon type.
4 Batch - Intended for batch servers, where processes may be executing on behalf of a user without their direct intervention; or for higher performance servers that process many clear-text authentication attempts at a time, such as mail or web servers. LogonUser does not cache credentials for this logon type.
5 Service - Indicates a service-type logon. The account provided must have the service privilege enabled.
6 Proxy - Indicates a proxy-type logon.
7 Unlock - This logon type is intended for GINA DLLs logging on users who will be interactively using the machine. This logon type allows a unique audit record to be generated that shows when the workstation was unlocked.
(0 & 1 are invalid)
Hope this helps.
Regards,
Bruce
October 6th, 2011 9:52am
October 6th, 2011 4:48pm
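Added example, not part of the original thread: one way to follow the suggestion above and see which logon types, workstations and source addresses account for the ANONYMOUS LOGON 4624 events, and which of them negotiate NTLM V1 as in the sample event. The function name Get-AnonLogonSummary and the two sample events are constructed for illustration; the field names are those of the 4624 event XML, and the syntax is kept compatible with PowerShell 2.0 as shipped on 2008 R2.

```powershell
# Added example. Input: 4624 events as XML strings (EventLogRecord.ToXml()).
function Get-AnonLogonSummary {
    param([Parameter(Mandatory=$true)][string[]]$EventXml)
    $rows = foreach ($x in $EventXml) {
        # Flatten <Data Name="...">value</Data> into a name -> value table
        $d = @{}
        foreach ($n in ([xml]$x).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # S-1-5-7 is the well-known SID of ANONYMOUS LOGON; skip everything else
        if ($d['TargetUserSid'] -ne 'S-1-5-7') { continue }
        New-Object PSObject -Property @{
            LogonType   = $d['LogonType']
            Workstation = $d['WorkstationName']
            SourceIp    = $d['IpAddress']
            LmPackage   = $d['LmPackageName']
        }
    }
    # One line per distinct (type, workstation, address, NTLM version), busiest first
    $rows | Group-Object LogonType, Workstation, SourceIp, LmPackage |
        Sort-Object Count -Descending | Select-Object Count, Name
}

# Constructed sample events (hypothetical hosts, documentation address range)
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sample = @(
    ("<Event xmlns='$ns'><EventData>" +
     "<Data Name='TargetUserSid'>S-1-5-7</Data><Data Name='LogonType'>3</Data>" +
     "<Data Name='WorkstationName'>WKSTN-EXAMPLE</Data>" +
     "<Data Name='IpAddress'>192.0.2.10</Data>" +
     "<Data Name='LmPackageName'>NTLM V1</Data></EventData></Event>"),
    ("<Event xmlns='$ns'><EventData>" +
     "<Data Name='TargetUserSid'>S-1-5-21-1111-2222-3333-1104</Data>" +
     "<Data Name='LogonType'>3</Data>" +
     "<Data Name='WorkstationName'>WKSTN-OTHER</Data>" +
     "<Data Name='IpAddress'>192.0.2.11</Data>" +
     "<Data Name='LmPackageName'>-</Data></EventData></Event>")
)
Get-AnonLogonSummary -EventXml $sample

# Against the live Security log on a DC (elevated prompt):
# $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 5000 |
#        ForEach-Object { $_.ToXml() }
# Get-AnonLogonSummary -EventXml $xml
```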