Anon Logon Events 538/540

Guest
Archived from groups: microsoft.public.windowsxp.security_admin

I'm sure this has been covered before, but I have not found a satisfactory
solution to the issue. I constantly have the ANONYMOUS LOGON event from a
remote computer (Usually HOD) in my Event Viewer. I have installed several
patches from MS and have denied network logon in both local/domain policies.
I haven't seen any 'working' solutions anywhere on the net. Applying the
patches has considerably affected the successful logons, but it has not
eliminated them.
Has anyone had any success beyond what I have so far? Or can someone answer
some of these questions?

I can't seem to find any log info concerning the IPs of these remote
connections. Does XP store these someplace? The tedious process I have been
using is via cmd line -> 'netstat -a -n 5 > netstat.txt', then filtering
everything out.

The NTLM, is it possible to enforce some authorization that will only
validate PCs that I specifically allow, ignoring any conn request from a PC
not listed?? I only have a handful of boxes here (8) and setting something
up like this I believe will be less work overall (In retrospect).

--ScareCrowe
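Added example, not part of the original thread: the poster's workaround for the missing IP information is to loop `netstat -a -n 5 > netstat.txt` and filter by hand. The script below does that filtering over the saved file. It pulls every ESTABLISHED TCP session to local port 139 or 445 (the transports a type-3 network logon such as the 540 ANONYMOUS LOGON arrives on), counts how many snapshots each remote address appeared in, and then drops anything inside an allowlist standing in for the poster's five-address static block. The netstat text and the addresses are constructed for the example; the allowlist value is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of two consecutive "netstat -a -n 5" snapshots, not a
# capture from the poster's machines. Addresses are private/documentation
# ranges chosen for the example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:445       192.168.1.22:1032      ESTABLISHED
  TCP    192.168.1.10:445       203.0.113.45:3391      ESTABLISHED
  TCP    192.168.1.10:139       203.0.113.45:3402      ESTABLISHED
  TCP    192.168.1.10:1054      192.168.1.1:80         TIME_WAIT
  UDP    192.168.1.10:137       *:*

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:445       192.168.1.22:1032      ESTABLISHED
  TCP    192.168.1.10:445       203.0.113.45:3391      ESTABLISHED
  TCP    192.168.1.10:139       203.0.113.45:3402      TIME_WAIT
  TCP    192.168.1.10:1054      192.168.1.1:80         TIME_WAIT
"""

# Local ports an SMB/NetBIOS session uses; a network (type 3) logon such as
# the 540 ANONYMOUS LOGON rides on one of these TCP connections.
SMB_PORTS = {139, 445}

# One TCP row of netstat output: local addr:port, foreign addr:port, state.
_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def smb_peers(netstat_text):
    """Count, per remote IP, how many snapshots showed an ESTABLISHED
    connection to local port 139 or 445. With a 5-second sampling interval
    the count is a rough session duration in 5-second units."""
    peers = Counter()
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        _local, lport, foreign, _fport, state = m.groups()
        if state == "ESTABLISHED" and int(lport) in SMB_PORTS:
            peers[foreign] += 1
    return peers


def unexpected_peers(peers, allowed):
    """Drop peers inside the allowed networks (CIDR or single address);
    what remains is the list worth chasing down."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    return {
        ip: n for ip, n in peers.items()
        if not any(ipaddress.ip_address(ip) in net for net in nets)
    }


if __name__ == "__main__":
    seen = smb_peers(SAMPLE_NETSTAT)
    # Stand-in for the poster's five-address static block (assumed value).
    for ip, n in unexpected_peers(seen, ["192.168.1.0/24"]).items():
        print(f"{ip}: established SMB session in {n} snapshot(s)")
```

Feed it the real netstat.txt with `smb_peers(open("netstat.txt").read())`. One caveat a practitioner should keep in mind: a null session that logs on and off immediately (540 followed at once by 538) can open and close between two 5-second samples and never show up here, so an empty result from this script does not rule out the short-lived connections; it only catches peers that stay connected.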
 
Guest

Hello,

Thanks for your post.

According to your message, I understand you have event 538/540.

The event 540 logs the Successful Network Logon and the event 538 logs the
Successful Network Logoff. Please rest assured they are not security
issues, only for the network communication authentications. Some network
applications use the ANONYMOUS LOGON process to create a communication
channel with your computer. Therefore, these security logs can be ignored.

The information on this particular security event can be found within the
following documentation:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/518.asp

Anonymous logon means that it is a null session. NT Auth/Anonymous is just
a pseudonym for a Null Session. The NTAuth/Anonymous isn't really an
account; it just means that no credentials were supplied. There are many
conditions known to cause a null session connection, which makes it
difficult to tell the exact cause of these particular events. This
Anonymous logon instance was caused by the service NTLMSSP. For more
information about the NTLMSSP, please refer to the following link:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/security_9qgg.asp

If the logon authenticates with NTLM, it will show the workstation name.
The computer name HOD is not the real computer name; I assume the machine
may be infected with a virus, so it is masked under the identity of HOD for
the machine name.

Please don't worry about it.

As for your question, I would like to answer them in order.

Q1: I can't seem to find any log info concerning the IPs of these remote
connections. Does XP store these someplace?

A: Since it would take much disk space to keep such logs, Windows doesn't
have related logs concerning the IPs of the remote connections. However,
you can download a tool named Network Monitor and use it to capture the
data you desire.

About Network Monitor 2.0
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmon/netmon/about_network_monitor_2_0.asp

To obtain a time-bombed version of Network Monitor, visit the following
Microsoft Web site:
ftp://ftp.microsoft.com/pss/tools/netmon

Notes:

1) Netmon2.zip contains Netmon 2.0 (Netmon 2.0 runs on Windows NT 4.0,
Windows 2000, and Windows XP)
2) Netmon1.zip contains Netmon 1.0 (Netmon 1.0 runs on Windows NT 4.0,
Windows 98, and Windows 95)
3) The current password to unzip is "trace".


Q2: The NTLM, is it possible to enforce some authorization that will only
validate PCs that I specifically allow, ignoring any connection request
from a PC not listed??

A: You can use group policy to specify the users or computers which can log
on to your system.

Hope this helps. If you have any further questions, don't hesitate to get
in touch!

Best regards,

Frances He


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Guest

I do realize that the logons are (usually) followed immediately by a logoff,
indicative of communication channel creation. However, after some of these
events appear, there are also events from the same computers attempting to
access other resources as shown by event ids 680, 529 & 534, typically
showing:

Event Id : 529
Logon Failure:
Reason: Unknown user name or password
User Name: Administrator
Domain: AV
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: AV

These will usually start with Administrator, show a few failures, then
progress through the domain users.

I am assuming these boxes are connecting & grabbing user info despite my
setting 'Do not enumerate...' in LSP. I have even specified "Anonymous
Logon" as denied for all LSPs starting with 'Deny logon *' and 'Deny access
from network'.

I'm concerned because not all logon events are accompanied by a logoff
event. This makes me wonder if the remote user has been able to access my
shares or whatnot and can now do so whenever they wish.


> As for your question, I would like to answer them in order.
>
> Q1: I can't seem to find any log info concerning the IPs of these remote
> connections. Does XP store these someplace?
>
> A: Since it will take much disk space to have the logs, Windows don't have
> related logs concerning the IPs of the remote connections. However, you can
> download a tool named Network Monitor and use it to capture the data you
> desire.
>

Yes, Netmon is one of the several tools I utilize to stay aware of what's
going on with my boxes.
I have however seen posts from same issue where the Event Viewer also
displays the connecting IP address. I have XP Pro & 2ksvr and neither show
the IP info, so perhaps it's 2003 that does?

>
> Q2: The NTLM, is it possible to enforce some authorization that will only
> validate PCs that I specifically allow, ignoring any connection request
> from a PC not listed??
>
> A: You can use group policy to specify the users or computers which can
> log on to your system.
>


This I am not familiar with. I was hoping that because I have a non-typical
setup as a home user, that I would be able to use it to my advantage to
filter out unwanted connections. I have a 5 IP static block, all members of
same domain, IP range from xxx.xxx.xxx.146 thru xxx.xxx.xxx.150. I would be
interested in setting up some type of authentication that would compare the
IP and Domain also before allowing any connections. I would probably be
better off only doing this on workstations, as configuring this on a server
may cause problems.

Anywho, thanks much Frances for the thorough explanation!

--ScareCrowe
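Added example, not part of the original thread: the pattern described above (an anonymous 540 from a workstation, then a run of 529 failures that starts with Administrator and walks through the domain users) is exactly what a small detector over the saved Security log should flag. The script below parses records laid out like the 529 event pasted above and reports, per workstation name, the first burst of type-3 logon failures that spans more than one user name, noting whether a 540 ANONYMOUS LOGON from the same workstation came just before. The records are constructed for the example; the `Time:` line is an assumption added so the records can be ordered (the real saved .txt keeps the date and time in their own columns and would need a different splitter), and the user name `jsmith` is made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records in the layout of the 529 event pasted above, trimmed
# to the fields the detector needs. The "Time:" line is an assumption added
# for ordering; "jsmith" is a made-up user. Nothing here is a real log.
SAMPLE_LOG = """\
Event Id : 540
Time: 2004-06-01 02:14:05
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon Type: 3
Workstation Name: AV

Event Id : 529
Time: 2004-06-01 02:14:07
User Name: Administrator
Domain: AV
Logon Type: 3
Workstation Name: AV

Event Id : 529
Time: 2004-06-01 02:14:09
User Name: Administrator
Domain: AV
Logon Type: 3
Workstation Name: AV

Event Id : 529
Time: 2004-06-01 02:14:12
User Name: jsmith
Domain: AV
Logon Type: 3
Workstation Name: AV

Event Id : 529
Time: 2004-06-01 09:30:00
User Name: scarecrowe
Domain: HOD
Logon Type: 3
Workstation Name: HOD
"""

_HEADER = re.compile(r"^Event Id\s*:\s*(\d+)\s*$")


def parse_events(text):
    """Split blank-line separated records and turn each 'Key: Value' line
    into a dict entry; 'id' and 'time' are typed for sorting/comparison."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        m = _HEADER.match(lines[0])
        if not m:
            continue
        ev = {"id": int(m.group(1))}
        for line in lines[1:]:
            key, _, value = line.partition(":")  # first colon only; times keep theirs
            ev[key.strip()] = value.strip()
        ev["time"] = datetime.strptime(ev["Time"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return events


def spray_by_workstation(events, window=timedelta(minutes=10),
                         min_failures=3, min_users=2):
    """Flag workstations whose first burst of 529 network-logon failures
    within `window` spans several user names, and note whether a 540
    ANONYMOUS LOGON from the same name came just before. The workstation
    name is supplied by the client in NTLM, so it can be forged: it is a
    grouping key, not proof of where the traffic came from."""
    fails, anon = defaultdict(list), []
    for ev in events:
        if ev["id"] == 529 and ev.get("Logon Type") == "3":
            fails[ev.get("Workstation Name", "?")].append(ev)
        elif ev["id"] == 540 and ev.get("User Name", "").upper() == "ANONYMOUS LOGON":
            anon.append(ev)
    findings = {}
    for ws, evs in fails.items():
        evs.sort(key=lambda e: e["time"])
        start = evs[0]["time"]
        burst = [e for e in evs if e["time"] - start <= window]
        users = list(dict.fromkeys(e["User Name"] for e in burst))  # keeps order
        if len(burst) < min_failures or len(users) < min_users:
            continue
        preceded = any(a.get("Workstation Name") == ws
                       and start - window <= a["time"] <= start for a in anon)
        findings[ws] = {"failures": len(burst), "users": users,
                        "anonymous_logon_first": preceded}
    return findings


if __name__ == "__main__":
    for ws, f in spray_by_workstation(parse_events(SAMPLE_LOG)).items():
        print(ws, f)
```

The single failed logon from HOD is not reported because it neither reaches the failure threshold nor spans more than one user, while AV is, with the anonymous logon noted in front of it. Thresholds are deliberately parameters: on a domain of eight machines three failures across two accounts in ten minutes is already unusual, but the same numbers would be noise on a larger network.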
 
Guest

Hello,

Thank you for your follow up. I understand your worry about the security of
your system.

I assume you have a small domain, with only 8 computers. Your winXP is only
a client in the domain. The others will sometimes use the resources on your
computer. Is this correct?

With regard to the event id from your event viewer, I have to gain more
information to make a conclusion. Please send the security logs of your
system to v-franhe@microsoft.com for further research.

Follow the steps below to save the event log.

1. In the run box, key in "eventvwr".
2. In the Event Viewer, right click "Security" and select "Save Log File
As...".
3. Save it as a .txt file.

I am looking forward to your reply!

Best regards,

Frances He


Microsoft Online Partner Support