Event ID 540 with successful logon audits from NT/ANONYMOUS and IP address that does not belong to my network
Here is the event 540 from NT AUTHORITY\ANONYMOUS LOGON 10.0.0.1:

    Evt id: 540 security successful network logon:
    user name:
    domain:
    logon id: (0x1,0xe4ca5650)
    logon type: 3
    logon process: ntlmssp
    authentication package: ntlm
    workstation name: 91dde38f0a954b2
    logon guid: -
    caller user name: -
    caller domain: -
    caller logon id: -
    caller process id: -
    transited services: -
    source network address: 91.77.181.155
    source port: 0

This above event id is quickly followed by an event id 538 (I guess logoff). This is getting me a little bit nervous; looks like there are successful logons and then immediate logoff from various IP addresses from all over the globe. Can someone explain what exactly is going on here and how can I block these.
Fyi: in the local security policy the "Do not allow anonymous enumeration of SAM accounts" is set to ENABLED.
thanks
cbcbcb
September 11th, 2009 8:58pm

hello,

actually even any server enables some kind of Anonymous access, although most of the services require at least authentication. For instance, even AD (LDAP) enables anonymous enumeration of the RootDSE object (which for example tells you the name of the domain the DC holds) etc. If you also checked the Local Security Policy, you would see a list of anonymously enumerable shares, pipes etc. It is common that some small service must be accessible even anonymously, but it is usually assumed that these services would be accessed only from a local network, not from the public internet as is apparently your case.

The point here, then, is to know on what port (your local listening port/service) this is happening. And possibly, blocking the access if the port is not to be accessible from the internet. You could for instance download Microsoft Network Monitor and run a trace of what is happening on your public network, what traffic is trying the anonymous logons. This would be either file sharing on 137/138/139/445 or LDAP on 389, 636, 3268, 3269 or some RPC on 135, maybe even RDP on 3389 or quite a lot of others.

Just determine what traffic is coming. Then determine if you should have this enabled. If not, install/enable a firewall blocking the ports in question.

ondrej
September 14th, 2009 3:35pm
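As an added example (not code from the thread or from either poster), the check below parses event 540 records in the flattened "field: value" form quoted in the question and flags anonymous network logons (logon type 3, empty or ANONYMOUS user name) whose source address is public rather than RFC 1918, which is the traffic ondrej suggests tracing. The sample records are constructed: the first is the one quoted above, the other two use made-up hosts (FS01, PC17) and addresses to show a named internal logon and an anonymous but internal logon, neither of which is flagged.

```python
import ipaddress
import re

# Field names as they appear in a flattened Windows 2003-era event 540 record.
FIELDS = ["Evt id", "user name", "domain", "logon id", "logon type", "logon process",
          "authentication package", "workstation name", "logon guid", "caller user name",
          "caller domain", "caller logon id", "caller process id", "transited services",
          "source network address", "source port"]
FIELD_RE = re.compile(r"\b(" + "|".join(re.escape(f) for f in FIELDS) + r"):", re.IGNORECASE)

# Constructed samples: the first is the record quoted in the thread; the other two
# are made up (a named internal logon, and an anonymous but internal one).
SAMPLE_EVENTS = [
    "Evt id: 540 security successful network logon: user name: domain: "
    "logon id: (0x1,0xe4ca5650) logon type: 3 logon process: ntlmssp "
    "authentication package: ntlm workstation name: 91dde38f0a954b2 logon guid: - "
    "caller user name: - caller domain: - caller logon id: - caller process id: - "
    "transited services: - source network address: 91.77.181.155 source port: 0",
    "Evt id: 540 security successful network logon: user name: backupsvc domain: CORP "
    "logon id: (0x0,0x1a2b3c) logon type: 3 logon process: Kerberos authentication package: "
    "Kerberos workstation name: FS01 source network address: 10.0.0.23 source port: 0",
    "Evt id: 540 security successful network logon: user name: domain: "
    "logon id: (0x0,0x4d5e6f) logon type: 3 logon process: ntlmssp authentication package: "
    "ntlm workstation name: PC17 source network address: 10.0.0.15 source port: 0",
]

def parse_event(text: str) -> dict:
    """Split a flattened record into {field name (lower case): value}. A longer name
    such as 'caller user name' is consumed at its own start, never as 'user name'."""
    parts = FIELD_RE.split(text)  # [preamble, name, value, name, value, ...]
    return {n.lower(): v.strip() for n, v in zip(parts[1::2], parts[2::2])}

def is_anonymous_network_logon(rec: dict) -> bool:
    """Event 540, logon type 3, and an empty or ANONYMOUS LOGON user name."""
    event_id = rec.get("evt id", "0").split()[0]  # "540 security ..." -> "540"
    user = rec.get("user name", "")
    return event_id == "540" and rec.get("logon type") == "3" and (
        user == "" or "anonymous" in user.lower())

def is_external(addr: str) -> bool:
    """True only for routable public addresses; RFC 1918, loopback and junk are False."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False

def find_external_anonymous_logons(events: list) -> list:
    """Return the parsed anonymous network logons whose source address is off-network."""
    return [rec for rec in map(parse_event, events)
            if is_anonymous_network_logon(rec)
            and is_external(rec.get("source network address", ""))]
```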

thanks, I reviewed it through the "netstat -a" command and I saw machines trying to connect on microsoft-ds and was able to lock it down further. I have resolved this issue. thanks for the pointers.
cbcbcbcb
September 14th, 2009 11:42pm

