I find a high number of anonymous logons and logoffs in my server Security logs each day. In both event ID 528 (Logon) and event ID 538 (Logoff), the user is listed as NT AUTHORITY/ANONYMOUS. What are these anonymous logons and logoffs, and what risk do they present?

Windows 2000 and Windows NT support anonymous logons that let users browse the servers on the network in Network Neighborhood and view their shares. When you double-click a computer in Network Neighborhood to view its shared folders, you usually haven't yet logged on to that computer. Your workstation connects anonymously to the server and queries the server for its shared folders. Then, when you actually map a drive to one of those shared folders, your workstation logs on to the server with your username and password. Contrary to popular belief, these anonymous logons don't provide access to any folders or other objects. However, the anonymous logons do present a risk: They let potential intruders connect anonymously and enumerate all the shared folders, usernames, and SIDs on a computer. Intruders can use this information to launch an attack. For example, even if you rename the Administrator account to protect the account from attack, an intruder who uses the proper APIs can enumerate the users on the computer and look for one whose SID ends in 500 (the built-in Administrator account SID always ends in 500) and thus discover the new name for the Administrator account. A familiar intruder tool called RedButton can perform this search for you.
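The first thing to do with a log full of these entries is to find out where the anonymous sessions come from and how often each source opens one. The following PowerShell script is an added example, not code from the original article: it tallies the ANONYMOUS LOGON entries for the event IDs discussed on this page (528, 538, 540) in the local Security log by originating workstation. It assumes Windows PowerShell 3.0 or later with the classic Get-EventLog cmdlet, and that the event message carries a "Workstation Name:" field, as the Windows 2000/2003 messages do (later versions log 4624/4634 with different message text, so the IDs and regex would need adjusting).

```powershell
# Added example, not from the original article: tally ANONYMOUS LOGON entries
# (event IDs 528, 538 and 540, as discussed on this page) in the local Security
# log by the workstation that opened the session, so a defender can see which
# hosts are establishing null sessions and how often.
# Assumes Windows PowerShell 3.0+ with Get-EventLog and the Windows 2000/2003
# message format that includes a "Workstation Name:" field.
param(
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# 528 = successful logon, 540 = successful network logon, 538 = logoff.
$anonEvents = Get-EventLog -LogName Security -After $since -EntryType SuccessAudit |
    Where-Object { ($_.EventID -in 528, 538, 540) -and ($_.Message -match 'ANONYMOUS LOGON') }

$rows = foreach ($e in $anonEvents) {
    # Pull the originating workstation out of the message body; fall back to
    # the machine that wrote the log entry when the field is absent.
    $ws = if ($e.Message -match 'Workstation Name:\s*(\S+)') { $Matches[1] } else { $e.MachineName }
    [pscustomobject]@{
        Workstation = $ws.ToUpper()
        EventID     = $e.EventID
        Time        = $e.TimeGenerated
    }
}

$rows |
    Group-Object Workstation |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Workstation'; e = { $_.Name } },
                  @{ n = 'Logons';      e = { @($_.Group | Where-Object { $_.EventID -ne 538 }).Count } },
                  @{ n = 'Logoffs';     e = { @($_.Group | Where-Object { $_.EventID -eq 538 }).Count } },
                  @{ n = 'FirstSeen';   e = { ($_.Group | Sort-Object Time | Select-Object -First 1).Time } },
                  @{ n = 'LastSeen';    e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } } |
    Format-Table -AutoSize
```

Run it as an administrator on the server whose log you are reviewing (`.\Get-AnonymousLogons.ps1 -Hours 48`, assuming you save it under that name). A workstation name that matches the server's own NetBIOS name points at a local service or application opening null sessions against the machine itself rather than at a remote client, which is a different investigation from an unknown host enumerating shares across the network.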

To disable anonymous connections, look in any Group Policy Object (GPO) under \computer configuration\windows settings\security settings\local policies\security options and set Additional restrictions for anonymous connections to Do not allow enumeration of SAM accounts and shares. If you enable this policy, you need to know about some caveats. For example, some applications, such as Microsoft Exchange 2000 Server (as well as earlier versions of Exchange), communicate with one another on multiple machines by using anonymous connections. For more information about the risks associated with anonymous logons, see the Microsoft article "Restricting Information Available to Anonymous Logon Users" (http://support.microsoft.com/support/kb/articles/q143/4/74.asp).
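The GPO setting the answer describes is stored in the registry as the RestrictAnonymous value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which is the value the cited Microsoft article documents: 0 leaves default permissions in place, 1 corresponds to "Do not allow enumeration of SAM accounts and shares", and 2 to "No access without explicit anonymous permissions". The PowerShell function below is an added example, not code from the original article. It reads that value from one or more servers so you can confirm the policy actually applied before relying on it. It assumes the registry path above, that the Remote Registry service is reachable on any remote host you name, and it additionally reads the RestrictAnonymousSAM value that Windows XP and Server 2003 introduced for the SAM half of the restriction (not mentioned in the answer, but present on later systems).

```powershell
# Added example, not from the original article: report the RestrictAnonymous
# level ("Additional restrictions for anonymous connections") on one or more
# machines by reading the registry value the policy writes.
# Assumes HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous (from the
# Microsoft article the answer cites) and a reachable Remote Registry service
# on remote hosts. RestrictAnonymousSAM is the XP/2003+ value for the SAM part.
function Get-AnonymousRestriction {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Meaning of each RestrictAnonymous level, as the policy UI labels them.
    $levels = @{
        0 = 'None. Rely on default permissions (anonymous enumeration allowed)'
        1 = 'Do not allow enumeration of SAM accounts and shares'
        2 = 'No access without explicit anonymous permissions'
    }

    foreach ($computer in $ComputerName) {
        $hklm = $null
        $lsa  = $null
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $lsa  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')

            $value = $lsa.GetValue('RestrictAnonymous')
            # A missing value behaves like 0: anonymous enumeration is allowed.
            if ($null -eq $value) { $value = 0 }
            # Present only on XP / Server 2003 and later; $null elsewhere.
            $samValue = $lsa.GetValue('RestrictAnonymousSAM')

            [pscustomobject]@{
                ComputerName         = $computer
                RestrictAnonymous    = [int]$value
                Meaning              = $levels[[int]$value]
                RestrictAnonymousSAM = $samValue
                Restricted           = ([int]$value -ge 1) -or ($samValue -eq 1)
            }
        }
        catch {
            [pscustomobject]@{
                ComputerName         = $computer
                RestrictAnonymous    = $null
                Meaning              = "Could not read registry: $($_.Exception.Message)"
                RestrictAnonymousSAM = $null
                Restricted           = $null
            }
        }
        finally {
            if ($lsa)  { $lsa.Close() }
            if ($hklm) { $hklm.Close() }
        }
    }
}

# Usage: the local machine, or a list of servers to audit in one pass.
Get-AnonymousRestriction | Format-List
# Get-AnonymousRestriction -ComputerName 'SERVER1', 'SERVER2' | Format-Table -AutoSize
```

Because the answer notes that products such as Exchange rely on anonymous connections between their own servers, run this against a pilot group after the GPO is applied and pair it with a check of those applications' health rather than rolling the setting out domain-wide in one step.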


Reader Comments

The following statement is incorrect:

"When you double-click a computer in Network Neighborhood to view its shared folders, you usually haven't yet logged on to that computer. Your workstation connects anonymously to the server and queries the server for its shared folders. Then, when you actually map a drive to one of those shared folders, your workstation logs on to the server with your username and password."

Browsing a server's shares via MS tools, either a GUI (Network Neighborhood) or command line (Net View), requires user authentication.

However, by default, share and SAM information may be enumerated by manually establishing a null user session, i.e. an anonymous logon:

Net Use \\servername\ipc$ "" /user:""

A tool such as DumpSec (updated version of DumpACL) can perform the enumeration. Some hacking tools such as the silly "Red Button Attack" automatically establish the null user session for the technically impaired.

Setting the GPO to "Do not allow enumeration of SAM accounts and shares" will break downlevel trusts, cross-forest domain trusts and NT 4 RAS. Several tools as illustrated in "Hacking Windows 2000 Exposed" enumerate SAM and AD information despite this restriction.

BYRON PUTMAN

The article doesn't explain what I'm seeing on my machines. I see numerous NT Authority/Anonymous Login events (538 and 540) on my machine where the "computer" entry in the event log is the SAME computer id (NetBIOS name) as the machine I'm reviewing the event log on; in other words, the machine is logging onto ITSELF anonymously for some reason. The events pop up anywhere from every few seconds to (usually) about every two minutes. I've already verified in the Security Database that "Network Access: Do not allow anonymous enumeration of SAM accounts and shares" is enabled (i.e. "RestrictAnonymous" is set). I think this may have something to do with IIS being installed on the PC. No time to check it out with a sniffer or Network Monitor yet.

Dennis Reed