Large number of ANONYMOUS LOGON from our Servers within our Network
Hi All,
I have a Terminal Server part of our domain and when reviewing the security event log I see a large number of Events. Event ID's: 538,540 one after another consecutively for the User ANONYMOUS LOGON for multiple servers. The events occur so often
that after a few days the event log fills and I am prompted with a warning and manually need to clear the event log.
I do not suspect this is a security threat as the logons are coming from other servers part of the domain. What I am having trouble is working out:
1. Why are request being made to the TS from other servers on the domain.
2. Why is it using the ANONYMOUS LOGON to access the server and what for.
3. How to suppress/stop these events logging and flooding the security log.
If anyone could provide some insight as to how I can get more information or resolve this it would be greatly appreciated.
Examples are:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 30/05/2012
Time: 11:17:05 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: MUMBOJUMBO
Description:
User Logoff:
User Name:
ANONYMOUS LOGON
Domain:
NT AUTHORITY
Logon ID:
(0x0,0x129DC36)
Logon Type:
3
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 30/05/2012
Time: 11:17:05 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: MUMBOJUMBO
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID:
(0x0,0x129DC43)
Logon Type:
3
Logon Process:
NtLmSsp
Authentication Package:
NTLM
Workstation Name:
BOB
Logon GUID:
-
Caller User Name:
-
Caller Domain:
-
Caller Logon ID:
-
Caller Process ID: -
Transited Services: -
Source Network Address:
192.168.100.4
Source Port:
0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
May 29th, 2012 9:33pm