Anon Logon Events 538/540

Archived from groups: microsoft.public.windowsxp.security_admin

I'm sure this has been covered before, but I have not found a satisfactory
solution to the issue. I constantly have the ANONYMOUS LOGON event from a
remote computer (Usually HOD) in my Event Viewer. I have installed several
patches from MS and have denied network logon in both local/domain policies.
I haven't seen any 'working' solutions anywhere on the net. Applying the
patches has considerably affected the successful logons, but it has not
eliminated them.
Has anyone had any success beyond what I have so far? Or can someone answer
some of these questions?

I can't seem to find any log info concerning the IPs of these remote
connections. Does XP store these someplace? The tedious process I have been
using is via cmd line -> 'netstat -a -n 5 > netstat.txt', then filtering
everything out.

The NTLM, is it possible to enforce some authorization that will only
validate PCs that I specifically allow, ignoring any conn request from a PC
not listed?? I only have a handful of boxes here (8) and setting something
up like this I believe will be less work overall (In retrospect).

--ScareCrowe
3 answers
  1.

    Hello,

    Thanks for your post.

    According to your message, I understand you have event 538/540.

    The event 540 logs the Successful Network Logon and the event 538 logs the
    Successful Network Logoff. Please rest assured they are not security
    issues, only for the network communication authentications. Some network
    applications use the ANONYMOUS LOGON process to create a communication
    channel with your computer. Therefore, these security logs can be ignored.

    The information on this particular security event can be found within the
    following documentation:

    http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/518.asp

    Anonymous logon means that it is a null session. NT Auth/Anonymous is just
    a pseudonym for a Null Session. The NTAuth/Anonymous isn't really an
    account; it just means that no credentials were supplied. There are many
    conditions known to cause a null session connection which makes it
    difficult to tell the exact cause of these particular events. This
    Anonymous logon instance was caused by the service NTLMSSP. For more
    information about the NTLMSSP, please refer to the following link:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/security_9qgg.asp

    If the logon authenticates with NTLM, it will show the workstation name. The
    computer name HOD is not the real computer name; I assume the machine may
    be infected with a virus, so it is masked under the identity of HOD for the
    machine name.

    Please don't worry about it.

    As for your questions, I would like to answer them in order.

    Q1: I can't seem to find any log info concerning the IPs of these remote
    connections. Does XP store these someplace?

    A: Since it will take much disk space to have the logs, Windows doesn't have
    related logs concerning the IPs of the remote connections. However, you can
    download a tool named Network Monitor and use it to capture the data you
    desire.

    About Network Monitor 2.0
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmon/netmon/about_network_monitor_2_0.asp

    To obtain a time-bombed version of Network Monitor, visit the following
    Microsoft Web site:
    ftp://ftp.microsoft.com/pss/tools/netmon

    Notes:

    1) Netmon2.zip contains Netmon 2.0 (Netmon 2.0 runs on Windows NT 4.0,
    Windows 2000, and Windows XP)
    2) Netmon1.zip contains Netmon 1.0 (Netmon 1.0 runs on Windows NT 4.0,
    Windows 98, and Windows 95)
    3) The current password to unzip is "trace".


    Q2: The NTLM, is it possible to enforce some authorization that will only
    validate PCs that I specifically allow, ignoring any connection request
    from a PC not listed??

    A: You can use group policy to specify the users or computers which can log
    on to your system.

    Hope this helps. If you have any further questions, don't hesitate to get
    in touch!

    Best regards,

    Frances He


    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security

    =====================================================

    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.

    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
  2.

    I do realize that the logons are (usually) followed immediately by a logoff,
    indicative of communication channel creation. However, after some of these
    events appear, there are also events from the same computers attempting to
    access other resources as shown by event ids 680, 529 & 534, typically
    showing:

    Event Id : 529
    Logon Failure:
    Reason: Unknown user name or password
    User Name: Administrator
    Domain: AV
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: AV

    These will usually start with Administrator, show a few failures, then
    progress through the domain users.

    I am assuming these boxes are connecting & grabbing user info despite my
    setting 'Do not enumerate...' in LSP. I have even specified "Anonymous
    Logon" as denied for all LSPs starting with 'Deny logon *' and 'Deny access
    from network'.

    I'm concerned because not all logon events are accompanied by a logoff
    event. This makes me wonder if the remote user has been able to access my
    shares or whatnot and can now do so whenever they wish.


    > As for your questions, I would like to answer them in order.
    >
    > Q1: I can't seem to find any log info concerning the IPs of these remote
    > connections. Does XP store these someplace?
    >
    > A: Since it will take much disk space to have the logs, Windows doesn't have
    > related logs concerning the IPs of the remote connections. However, you can
    > download a tool named Network Monitor and use it to capture the data you
    > desire.
    >

    Yes, Netmon is one of the several tools I utilize to stay aware of what's
    going on with my boxes.
    I have however seen posts from same issue where the Event Viewer also
    displays the connecting IP address. I have XP Pro & 2ksvr and neither show
    the IP info, so perhaps it's 2003 that does?

    >
    > Q2: The NTLM, is it possible to enforce some authorization that will only
    > validate PCs that I specifically allow, ignoring any connection request
    > from a PC not listed??
    >
    > A: You can use group policy to specify the users or computers which can log
    > on to your system.
    >


    This I am not familiar with. I was hoping that because I have a non-typical
    setup as a home user, that I would be able to use it to my advantage to
    filter out unwanted connections. I have a 5 IP static block, all members of
    same domain, IP range from xxx.xxx.xxx.146 thru xxx.xxx.xxx.150. I would be
    interested in setting up some type of authentication that would compare the
    IP and Domain also before allowing any connections. I would probably be
    better off only doing this on workstations, as configuring this on a server
    may cause problems.

    Anywho, thanks much Frances for the thorough explanation!

    --ScareCrowe
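The two things the reply above describes, 529 failures from one workstation walking through Administrator and then the domain users, and 540 ANONYMOUS LOGON entries that are never followed by a 538 logoff, can both be pulled out of a Security log once it has been saved as text. The script below is an added example written for this thread, not code from the thread or from Microsoft. It assumes a simplified tab-separated export (Date, Time, Source, Category, Event ID, User, Computer, Description flattened onto one line); the real Event Viewer "Save Log File As" .txt layout may differ, so the column split is the part to adjust. The sample log lines are constructed.

```python
"""Triage a Security log saved as text: added example, not from the thread.

Check 1: 529 (logon failure) events from one workstation that cycle through
         several user names, the guessing pattern described in the post.
Check 2: 540 ANONYMOUS LOGON network logons with no 538 logoff for the same
         Logon ID, the "logon without logoff" concern raised in the post.
Input format is an ASSUMED simplified tab-separated export, not the exact
Event Viewer .txt layout.
"""
import re
from collections import OrderedDict

# Constructed sample, eight columns: Date, Time, Source, Category, EventID,
# User, Computer, Description. Names, Logon IDs and times are made up.
SAMPLE_LOG = """\
2004-03-01\t10:00:01\tSecurity\tLogon/Logoff\t540\tNT AUTHORITY\\ANONYMOUS LOGON\tXPBOX\tSuccessful Network Logon: User Name: Domain: Logon ID: (0x0,0x1A2B) Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: HOD
2004-03-01\t10:00:02\tSecurity\tLogon/Logoff\t538\tNT AUTHORITY\\ANONYMOUS LOGON\tXPBOX\tUser Logoff: User Name: ANONYMOUS LOGON Domain: NT AUTHORITY Logon ID: (0x0,0x1A2B) Logon Type: 3
2004-03-01\t10:00:05\tSecurity\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tXPBOX\tLogon Failure: Reason: Unknown user name or bad password User Name: Administrator Domain: AV Logon Type: 3 Logon Process: NtLmSsp Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: AV
2004-03-01\t10:00:06\tSecurity\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tXPBOX\tLogon Failure: Reason: Unknown user name or bad password User Name: Administrator Domain: AV Logon Type: 3 Logon Process: NtLmSsp Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: AV
2004-03-01\t10:00:07\tSecurity\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tXPBOX\tLogon Failure: Reason: Unknown user name or bad password User Name: scarecrowe Domain: AV Logon Type: 3 Logon Process: NtLmSsp Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: AV
2004-03-01\t10:00:08\tSecurity\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tXPBOX\tLogon Failure: Reason: Unknown user name or bad password User Name: jdoe Domain: AV Logon Type: 3 Logon Process: NtLmSsp Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: AV
2004-03-01\t10:01:00\tSecurity\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tXPBOX\tLogon Failure: Reason: Unknown user name or bad password User Name: jdoe Domain: HOME Logon Type: 3 Logon Process: NtLmSsp Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: BOX7
2004-03-01\t10:02:30\tSecurity\tLogon/Logoff\t540\tNT AUTHORITY\\ANONYMOUS LOGON\tXPBOX\tSuccessful Network Logon: User Name: Domain: Logon ID: (0x0,0x1A2C) Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: HOD
"""

# Description fields of interest. "User Name:" may be empty for anonymous
# logons, so the value is everything up to the following "Domain:" label.
USER_RE = re.compile(r"User Name:\s*(.*?)\s*(?:Domain:|$)")
LOGON_ID_RE = re.compile(r"Logon ID:\s*(\(0x[0-9A-Fa-f]+,0x[0-9A-Fa-f]+\))")
WKS_RE = re.compile(r"Workstation Name:\s*(\S*)")


def parse_export(text):
    """Turn the tab-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != 8:
            continue  # header, blank or malformed line
        date, time, source, category, event_id, user, computer, desc = cols
        user_m = USER_RE.search(desc)
        logon_m = LOGON_ID_RE.search(desc)
        wks_m = WKS_RE.search(desc)
        events.append({
            "date": date, "time": time, "event_id": int(event_id),
            "user": user, "computer": computer,
            "user_name": user_m.group(1) if user_m else "",
            "logon_id": logon_m.group(1) if logon_m else "",
            "workstation": wks_m.group(1) if wks_m else "",
        })
    return events


def guessing_workstations(events, min_names=2):
    """Map workstation -> distinct user names (in order) tried in 529 failures.

    Only workstations that tried at least min_names different names are
    returned; a single user mistyping a password is left out.
    """
    names_by_wks = OrderedDict()
    for ev in events:
        if ev["event_id"] != 529 or not ev["workstation"]:
            continue
        seen = names_by_wks.setdefault(ev["workstation"], [])
        if ev["user_name"] not in seen:
            seen.append(ev["user_name"])
    return {w: n for w, n in names_by_wks.items() if len(n) >= min_names}


def unmatched_anonymous_logons(events):
    """Logon IDs of ANONYMOUS LOGON 540 events with no 538 for the same ID."""
    logoffs = {ev["logon_id"] for ev in events if ev["event_id"] == 538}
    return [ev["logon_id"] for ev in events
            if ev["event_id"] == 540
            and "ANONYMOUS LOGON" in ev["user"].upper()
            and ev["logon_id"] and ev["logon_id"] not in logoffs]


if __name__ == "__main__":
    evs = parse_export(SAMPLE_LOG)
    for wks, names in guessing_workstations(evs).items():
        print(f"{wks}: 529 failures walked through {names}")
    for lid in unmatched_anonymous_logons(evs):
        print(f"anonymous 540 logon {lid} has no matching 538 logoff")
```

On the sample this flags workstation AV (Administrator, then scarecrowe, then jdoe) and the second HOD logon, whose Logon ID never appears in a 538. Keep in mind what the first reply says about HOD: the Workstation Name in these events is whatever the client put in its NTLM negotiation, so grouping by it tells you which claimed name is guessing, not which IP address is behind it; the address still has to come from a Network Monitor capture or the netstat snapshots mentioned in the original post.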
  3.

    Hello,

    Thank you for your follow up. I understand your worry about the security of
    your system.

    I assume you have a small domain, with only 8 computers. Your winXP is only
    a client in the domain. The others will sometimes use the resources on your
    computer. Is this correct?

    With regard to the event id from your event viewer, I have to gain more
    information to make a conclusion. Please send the security logs of your
    system to v-franhe@microsoft.com for further research.

    Follow the steps below to save the event log.

    1. In the run box, key in "eventvwr".
    2. In the Event Viewer, right click "Security" and select "save log file
    as...".
    3. Save it as a .txt file.

    I am looking forward to your reply!

    Best regards,

    Frances He


    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security

    =====================================================

    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.

    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.