Solved

NT AUTHORITY\ANONYMOUS LOGON -SUCCESS-

Posted on 2003-10-28
3
24,410 Views
Last Modified: 2013-12-04
EVENT LOG
*******************************************
Event Type:      Success Audit
Event Source:      Security
Event Category:      Account Management
Event ID:      627
Date:            9/24/2003
Time:            6:53:20 AM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      SERVER1
Description:
Change Password Attempt:
       Target Account Name:      joeuser
       Target Domain:      CENTRAL
       Target Account ID:      CENTRAL\joeuser
       Caller User Name:      ANONYMOUS LOGON
       Caller Domain:      NT AUTHORITY
       Caller Logon ID:      (0x0,0xC6DB6)
       Privileges:      -
 *******************************************
This is an Exchange Server with Web service for OWA.
FTP is disabled. Up to Date Critical patches.

I want no Anonymous access at all!
How can I disable and verify NO Anonymous access?
How can I find out ORIGIN information: PC +/or IP +/or User.

Thanks
0
Comment
Question by:Suburb-Man
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 5

Accepted Solution

by:
juliancrawford earned 250 total points
ID: 9636936
If no anonymous access to IIS services is required, disable the IUSR_computername account.

To track PC/IP info you need to setup auditing.
Control Panel>Administrative Tools>Local Security Policy>Local Policies>Audit Policy
0
 
LVL 1

Author Comment

by:Suburb-Man
ID: 9637151
Thanks for the prompt response.

Disabled IUSR_x, now to wait for complaints from users or logs.

How do I know that IUSR was the avenue Anonymous used?

What kind of Audit Policy do you suggest for JoeUser *?
* Name changed to protect the suspected innocent.
0
 
LVL 5

Expert Comment

by:juliancrawford
ID: 9637970
Here is a little article that discusses the IUSR account that could help
Understanding anonymous authentication and the IUSR account.
http://www.macromedia.com/support/ultradev/ts/documents/anonymous_authentication.htm

The most important items to audit would be
Audit logon events - success and failure
Audit account logon events - success and failure
Audit account management - success and failure

The results of the audit can be viewed in the Security log of the event viewer.
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In today's information driven age, entrepreneurs have so many great tools and options at their disposal to help turn good ideas into a thriving business. With cloud-based online services, such as Amazon's Web Services (AWS) or Microsoft's Azure, bus…
OfficeMate Freezes on login or does not load after login credentials are input.
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question