Large number of ANONYMOUS LOGON from our Servers within our Network
Hi All,
I have a Terminal Server that is part of our domain, and when reviewing the security event log I see a large number of events, Event IDs 538 and 540, one after another consecutively for the user ANONYMOUS LOGON from multiple servers. The events occur so often
that after a few days the event log fills, I am prompted with a warning, and I manually need to clear the event log.
I do not suspect this is a security threat as the logons are coming from other servers that are part of the domain. What I am having trouble working out is:
1. Why are requests being made to the TS from other servers on the domain?
2. Why is it using ANONYMOUS LOGON to access the server, and what for?
3. How to suppress/stop these events from logging and flooding the security log.
If anyone could provide some insight as to how I can get more information or resolve this, it would be greatly appreciated.
Examples are:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 30/05/2012
Time: 11:17:05 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: MUMBOJUMBO
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x129DC36)
Logon Type: 3
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 30/05/2012
Time: 11:17:05 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: MUMBOJUMBO
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x129DC43)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: BOB
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.100.4
Source Port: 0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
May 29th, 2012 9:43pm
Hi,
Do you want to restrict the logon user?
Please refer the following policy settings:
Allow log on locally
http://technet.microsoft.com/en-us/library/cc756809(v=WS.10).aspx
Allow Logon through Terminal Services
http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx
Hope this helps!
Best Regards
Elytis Cheng
TechNet Community Support
May 31st, 2012 2:07am
a) reconfigure the logs to rewrite automatically
b) this is normal, the Security log grows very quickly
c) anonymous connections are used often by some services to query for features available. Some named pipes are accessed anonymously, even when a user types into Run or the Windows Explorer address dialog a UNC path such as
\\fileserver; once he types the following backslash (\), the client does an anonymous query against the server to obtain a list of shares in order to populate the autocomplete list. This is really done anonymously and can
be disabled in policy. Only if the user opens the full window of the UNC path is it authenticated.
d) if you want to determine what is causing the communications, use Network Monitor on the terminal server.
e) anyway, the terminal server is philosophically an endpoint machine, so why not enable the firewall on it with Block All Incoming Connections anyway??
ondrej.
June 1st, 2012 4:16am
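As an added example (not from the question or from either reply), here is a Python script that does offline what questions 1 and 2 in the original post and ondrej's point (d) call for: it parses a Security log saved as text in the layout shown in the question, tallies the 540 ANONYMOUS LOGON events by Workstation Name and Source Network Address so you can see which domain members are opening the null sessions, lists sources outside a set of hosts you say you expect, and lists Logon IDs that have a 540 network logon but no matching 538 logoff. The sample log is constructed: BOB, 192.168.100.4 and the Logon ID (0x0,0x129DC43) come from the question; UNKNOWNPC, 10.0.0.77, CONTOSO\jsmith, the other Logon IDs and the expected-host set are hypothetical.

```python
import re
from collections import Counter

# One "Key: Value" line of a Server 2003 Security event saved as text.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")
ANON = "NT AUTHORITY\\ANONYMOUS LOGON"


def _event(event_id, user, fields):
    """Build one event in the layout shown in the question (sample data only)."""
    body = "".join(f"{k}: {v}\n" for k, v in fields.items())
    return ("Event Type: Success Audit\nEvent Source: Security\n"
            f"Event ID: {event_id}\nUser: {user}\nComputer: MUMBOJUMBO\n"
            f"Description:\n{body}"
            "For more information, see Help and Support Center at "
            "http://go.microsoft.com/fwlink/events.asp.\n")


def _logon(user, logon_id, workstation, source):
    return _event("540", user, {"Logon ID": logon_id, "Logon Type": "3",
                                "Logon Process": "NtLmSsp",
                                "Authentication Package": "NTLM",
                                "Workstation Name": workstation,
                                "Source Network Address": source})


def _logoff(user, logon_id):
    return _event("538", user, {"Logon ID": logon_id, "Logon Type": "3"})


# Constructed sample log. BOB/192.168.100.4 and Logon ID (0x0,0x129DC43) are
# from the question; UNKNOWNPC, 10.0.0.77, jsmith and the other IDs are hypothetical.
SAMPLE_LOG = "".join([
    _logon(ANON, "(0x0,0x129DC43)", "BOB", "192.168.100.4"),
    _logoff(ANON, "(0x0,0x129DC43)"),
    _logon(ANON, "(0x0,0x129DD10)", "BOB", "192.168.100.4"),
    _logon(ANON, "(0x0,0x129DE22)", "UNKNOWNPC", "10.0.0.77"),
    _logon("CONTOSO\\jsmith", "(0x0,0x129DF00)", "BOB", "192.168.100.4"),
])


def parse_events(text):
    """Split a saved-as-text Security log into dicts, one per event.

    A new event starts at each "Event Type:" line. Free-text lines such as the
    "For more information" footer have no colon-terminated key and are skipped.
    """
    events, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Event Type":
            current = {}
            events.append(current)
        if current is not None:
            current[key] = value
    return events


def is_anonymous_network_logon(ev):
    """540 + ANONYMOUS LOGON + Logon Type 3 is a network null session."""
    return (ev.get("Event ID") == "540"
            and ev.get("User", "").endswith("ANONYMOUS LOGON")
            and ev.get("Logon Type") == "3")


def summarize_anonymous_logons(events):
    """Count null-session logons per (Workstation Name, Source Network Address)."""
    counts = Counter()
    for ev in events:
        if is_anonymous_network_logon(ev):
            counts[(ev.get("Workstation Name", "-"),
                    ev.get("Source Network Address", "-"))] += 1
    return counts


def unexpected_sources(counts, expected_hosts):
    """Sources whose workstation name is not one of the hosts you expect to see."""
    known = {h.upper() for h in expected_hosts}
    return sorted(src for src in counts if src[0].upper() not in known)


def open_anonymous_sessions(events):
    """Logon IDs of anonymous 540 logons with no matching 538 logoff (yet)."""
    on = {ev.get("Logon ID") for ev in events if is_anonymous_network_logon(ev)}
    off = {ev.get("Logon ID") for ev in events
           if ev.get("Event ID") == "538"
           and ev.get("User", "").endswith("ANONYMOUS LOGON")}
    return sorted(on - off)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    counts = summarize_anonymous_logons(evs)
    for (host, addr), n in counts.most_common():
        print(f"{n:5d}  {host:<15} {addr}")
    print("not in expected set:", unexpected_sources(counts, {"BOB"}))
    print("still logged on:", open_anonymous_sessions(evs))
```

To use it on the real log, save the Security log from Event Viewer as a text file, read that file in place of SAMPLE_LOG, and pass the names of the servers you expect. A workstation or address outside the expected set, or an anonymous session that never logs off, is the host to put Network Monitor on first; the ones that are expected domain servers with paired 540/538 events are most likely the share enumeration and named-pipe queries ondrej describes.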