Large number of ANONYMOUS LOGON from our Servers within our Network
Hi All,

I have a Terminal Server that is part of our domain and when reviewing the security event log I see a large number of events. Event IDs 538 and 540 appear one after another consecutively for the user ANONYMOUS LOGON from multiple servers. The events occur so often that after a few days the event log fills and I am prompted with a warning and manually need to clear the event log. I do not suspect this is a security threat as the logons are coming from other servers that are part of the domain.

What I am having trouble working out is:

1. Why are requests being made to the TS from other servers on the domain?
2. Why is it using the ANONYMOUS LOGON to access the server, and what for?
3. How to suppress/stop these events logging and flooding the security log.

If anyone could provide some insight as to how I can get more information or resolve this it would be greatly appreciated.

Examples are:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 30/05/2012
Time: 11:17:05 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: MUMBOJUMBO
Description:
User Logoff:
  User Name: ANONYMOUS LOGON
  Domain: NT AUTHORITY
  Logon ID: (0x0,0x129DC36)
  Logon Type: 3
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 30/05/2012
Time: 11:17:05 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: MUMBOJUMBO
Description:
Successful Network Logon:
  User Name:
  Domain:
  Logon ID: (0x0,0x129DC43)
  Logon Type: 3
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Workstation Name: BOB
  Logon GUID: -
  Caller User Name: -
  Caller Domain: -
  Caller Logon ID: -
  Caller Process ID: -
  Transited Services: -
  Source Network Address: 192.168.100.4
  Source Port: 0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
May 29th, 2012 9:43pm

Hi,

Do you want to restrict the logon user? Please refer to the following policy settings:

Allow log on locally
http://technet.microsoft.com/en-us/library/cc756809(v=WS.10).aspx

Allow Logon through Terminal Services
http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx

Hope this helps!

Best Regards
Elytis Cheng
TechNet Community Support
May 31st, 2012 2:07am


a) Reconfigure the logs to overwrite automatically.

b) This is normal, the Security log grows veeery quickly.

c) Anonymous connections are often used by some services to query for available features. Some named pipes are accessed anonymously; even when a user types a UNC path such as \\fileserver into Run or the Windows Explorer address dialog, once he types the following backslash (\) the client does an anonymous query against the server to obtain a list of shares in order to populate the autocomplete list. This is really done anonymously and can be disabled in policy. Only if the user opens the full window of the UNC path is it authenticated.

d) If you want to determine what is causing the communications, use Network Monitor on the terminal server.

e) Anyway, the terminal server is philosophically an endpoint machine, so why not enable the firewall on it with Block All Incoming Connections anyway?

ondrej.
June 1st, 2012 4:16am
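Before reaching for Network Monitor (ondrej's point d), the cheap first step is to work out from the Security log itself which hosts are producing the anonymous 540s and whether every one of them really is a domain server. The following Python script is an added example and is not code from anyone in this thread: it parses a Security log saved as text in Event Viewer's copy-to-text layout, keeps only the ANONYMOUS LOGON network logons (event 540, logon type 3), tallies them by Source Network Address and Workstation Name, and flags any address that is not on a list of expected servers. The sample events are constructed; only MUMBOJUMBO, BOB and 192.168.100.4 come from the post, and KNOWN_SERVERS is an assumed list you would replace with your own.

```python
"""Triage of 'ANONYMOUS LOGON' network logons (event 540, logon type 3) in a
pre-Vista Windows Security log that was saved as text from Event Viewer.

Added example for this thread, not code posted by anyone in it. The sample
events are constructed to mimic Event Viewer's copy-to-text layout; only
MUMBOJUMBO, BOB and 192.168.100.4 come from the post, the rest is made up.
"""
import re
from collections import Counter

ANONYMOUS = r"NT AUTHORITY\ANONYMOUS LOGON"

# One "Key:<tab>Value" line. The value is confined to the same line so that an
# empty field (e.g. "User Name:" on an anonymous logon) is not filled from the
# next line.
FIELD_RE = re.compile(r"^\s*(?P<k>[A-Za-z ]+):[ \t]*(?P<v>[^\r\n]*)$", re.M)


def parse_events(text):
    """Split the export at each 'Event Type:' header and map every
    'Key: Value' line of an event into a dict (first occurrence wins)."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        if not chunk.strip():
            continue
        fields = {}
        for m in FIELD_RE.finditer(chunk):
            fields.setdefault(m.group("k").strip(), m.group("v").strip())
        events.append(fields)
    return events


def anonymous_network_logons(events):
    """Keep successful network logons (540, logon type 3) by ANONYMOUS LOGON;
    the paired 538 logoffs carry no useful source information and are dropped."""
    return [e for e in events
            if e.get("Event ID") == "540"
            and e.get("Logon Type") == "3"
            and e.get("User") == ANONYMOUS]


def count_by_source(events):
    """Tally by (Source Network Address, Workstation Name): the 'who is doing
    it' answer to get before reaching for Network Monitor."""
    return Counter((e.get("Source Network Address", "-"),
                    e.get("Workstation Name", "-")) for e in events)


def unexpected_sources(counts, known_hosts):
    """Addresses not on the list of servers expected to talk to the TS.
    'It is only our own servers' is reassuring once it has been checked."""
    return {addr for addr, _ in counts if addr not in known_hosts}


def _sample_event(event_id, user, workstation, address, package="NTLM"):
    """One constructed event in Event Viewer's copy-to-text layout."""
    desc = "Successful Network Logon:" if event_id == 540 else "User Logoff:"
    return (
        "Event Type:\tSuccess Audit\n"
        "Event Source:\tSecurity\n"
        f"Event ID:\t{event_id}\n"
        f"User:\t\t{user}\n"
        "Computer:\tMUMBOJUMBO\n"
        f"Description:\n{desc}\n"
        "\tUser Name:\t\n"
        "\tLogon Type:\t3\n"
        f"\tAuthentication Package:\t{package}\n"
        f"\tWorkstation Name:\t{workstation}\n"
        f"\tSource Network Address:\t{address}\n"
        "\tSource Port:\t0\n\n"
    )


# Constructed sample: two anonymous NTLM logons from BOB, one logoff, one
# authenticated (Kerberos) logon, and one anonymous logon from an address that
# is not one of the known domain servers.
SAMPLE_LOG = "".join([
    _sample_event(540, ANONYMOUS, "BOB", "192.168.100.4"),
    _sample_event(538, ANONYMOUS, "-", "-"),
    _sample_event(540, ANONYMOUS, "BOB", "192.168.100.4"),
    _sample_event(540, r"EXAMPLE\jsmith", "ALICE", "192.168.100.9", "Kerberos"),
    _sample_event(540, ANONYMOUS, "WIN7-LAPTOP", "203.0.113.7"),
])
KNOWN_SERVERS = {"192.168.100.4", "192.168.100.9"}  # assumed list, replace


if __name__ == "__main__":
    counts = count_by_source(anonymous_network_logons(parse_events(SAMPLE_LOG)))
    for (addr, host), n in counts.most_common():
        print(f"{n:6d}  {addr:<16} {host}")
    for addr in sorted(unexpected_sources(counts, KNOWN_SERVERS)):
        print(f"CHECK: anonymous logons from {addr}, not a known server")
```

Run it against a real export (Event Viewer, Save Log File As, text) by replacing SAMPLE_LOG with the file contents. A 540 with a blank User Name, NtLmSsp/NTLM and a Workstation Name of another domain member matches the share-enumeration and named-pipe traffic ondrej describes in c); the entries worth a closer look are the ones whose source address or workstation name is not one of your servers at all.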


