Hi,
I have exactly the same issue, but on a client XP machine.
Event 540 is generated by a Workstation, with no User Name and Domain information.
Logon Process: NtLmSsp
Authentication Package : NTLM
The workstation name is apparently random.
Logon GUID: -
The client is not sharing anything apart from the $ drives and his Outlook Calendar, not even printers.
On the client side, running NETSTAT -B when I catch it, I get the event, which is:
Protocol: TCP
Local Address: local_pc:netbios-ssn
Foreign address: foreign_pc:port_number
State: Established
PID: 4
The event is paired with Event 538. From what I can see, it appears as a log-on and log-off action.
What I would like to know is what is triggering it and why.
Thank you.
Xn
by: uetian1707, posted on 2007-03-04 at 23:20:48, ID: 18652952
Hi,
Referring to your queries:
EventID 540:
This event indicates that a remote user has successfully connected from the network to a local resource on the server, generating a token for the network user. For example, mapping a drive to a network share or logging with an account whose profile has a drive mapping would generate this auditing message.
See the Windows Logon Types, Windows Authentication Packages and Windows Logon Processes for information about these fields. Understanding how the logon took place (through what channels) is quite important in understanding this event.
This event may also be reported for built-in accounts. Whenever a user logs in, the associated built-in accounts are also logged in. The HelpAssistant account in Windows XP is one such account. Even if the Remote Assistance Service is disabled, the account will still log in. This is not a potential security violation, as the HelpAssistant account itself is disabled.
EventID 538:
This event indicates a user logged off. The corresponding logon event (528) can be found by comparing the <logon id> field.
A logon id (logon identifier or LUID) identifies a logon session. A logon ID is valid until the user logs off. A logon ID is unique while the computer is running; no other logon session will have the same logon ID. However, the set of possible logon IDs is reset when the computer starts up.
A logon id has the following format (0x0, 0x4C37A2) and it is unique for each logon/logoff process.
Events that generate a logoff and their corresponding logon type:
- Interactive logoff will generate logon type 2
- Network logoff will generate logon type 3
- Net use disconnection will generate logon type 3
- Autodisconnect will generate logon type 3
For a list of logon types see the link to the "Windows Logon Types" article.
In many cases, the user listed for this event will be "ANONYMOUS LOGON" from "NT AUTHORITY" domain. This logon is used by processes that use the null session logons (logons that do not require a user/password combination). Any program or service that is using the System user account is in fact logging in with null credentials.
If the operating system encounters a user without any credentials, the user is regarded as having NULL credentials. When the system attempts to access a secured network resource based on NULL credentials, this is referred to as a NULL session. Access is only allowed if the remote machine allows NULL session access. This is configurable through the registry. (See Knowledge Base article M122702 for more information.)
One typical example is a computer that registers itself with the Master Browser for that network segment at startup. This registration will generate several logon/logoffs from "ANONYMOUS USER". Since the registration is renewed by default every 12 minutes, such events will occur at regular intervals.
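As an added example (not from the thread), the following pairs 540 and 538 records by logon ID, as the answer describes, and then checks whether the ANONYMOUS LOGON / NtLmSsp network sessions recur at the roughly 12-minute browser-registration cadence mentioned above. The event records and field names are constructed for the example, not real Event Log data.

```python
from datetime import datetime

def ev(time, event_id, user, domain, logon_id, **fields):
    """Build one constructed event record; the field names are this example's own."""
    return {"time": time, "id": event_id, "user": user, "domain": domain,
            "logon_id": logon_id, **fields}

# Constructed sample: three 540/538 pairs, two of them NTLM null sessions 12 minutes apart.
ANON, NTA = "ANONYMOUS LOGON", "NT AUTHORITY"
SAMPLE_EVENTS = [
    ev("2007-03-04 23:00:05", 540, ANON, NTA, "(0x0,0x4C37A2)", logon_type=3,
       logon_process="NtLmSsp", auth_pkg="NTLM", workstation="XKQ2"),
    ev("2007-03-04 23:00:06", 538, ANON, NTA, "(0x0,0x4C37A2)", logon_type=3),
    ev("2007-03-04 23:12:05", 540, ANON, NTA, "(0x0,0x4D1A90)", logon_type=3,
       logon_process="NtLmSsp", auth_pkg="NTLM", workstation="QZ71P"),
    ev("2007-03-04 23:12:06", 538, ANON, NTA, "(0x0,0x4D1A90)", logon_type=3),
    ev("2007-03-04 23:15:40", 540, "jsmith", "CORP", "(0x0,0x4E22B1)", logon_type=3,
       logon_process="Kerberos", auth_pkg="Kerberos", workstation="WS-FIN-01"),
    ev("2007-03-04 23:30:00", 538, "jsmith", "CORP", "(0x0,0x4E22B1)", logon_type=3),
]

def pair_sessions(events):
    """Match each 540 (network logon) to its 538 (logoff) by logon ID.
    A 540 with no matching 538 is returned with end=None (still open, or logoff not logged)."""
    sessions = {}
    for e in sorted(events, key=lambda r: r["time"]):
        if e["id"] == 540:
            sessions[e["logon_id"]] = {**e, "start": e["time"], "end": None}
        elif e["id"] == 538 and e["logon_id"] in sessions:
            sessions[e["logon_id"]]["end"] = e["time"]
    return list(sessions.values())

def null_session_cadence(sessions):
    """Count ANONYMOUS LOGON / NtLmSsp network sessions and return the minutes between them,
    so a regular ~12-minute rhythm (browser registration renewal) stands out from a one-off."""
    anon = [s for s in sessions if s["user"] == ANON and s["domain"] == NTA
            and s["logon_type"] == 3 and s.get("logon_process") == "NtLmSsp"]
    starts = [datetime.strptime(s["start"], "%Y-%m-%d %H:%M:%S") for s in anon]
    gaps = [round((b - a).total_seconds() / 60) for a, b in zip(starts, starts[1:])]
    return len(anon), gaps

if __name__ == "__main__":
    sessions = pair_sessions(SAMPLE_EVENTS)
    for s in sessions:
        print(s["logon_id"], s["domain"] + "\\" + s["user"], s["start"], "->", s["end"])
    print("anonymous NTLM sessions:", null_session_cadence(sessions))
```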