?
Solved

NT AUTHORITY\ANONYMOUS LOGON -SUCCESS-

Posted on 2003-10-28
3
Medium Priority
?
24,429 Views
Last Modified: 2013-12-04
EVENT LOG
*******************************************
Event Type:      Success Audit
Event Source:      Security
Event Category:      Account Management
Event ID:      627
Date:            9/24/2003
Time:            6:53:20 AM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      SERVER1
Description:
Change Password Attempt:
       Target Account Name:      joeuser
       Target Domain:      CENTRAL
       Target Account ID:      CENTRAL\joeuser
       Caller User Name:      ANONYMOUS LOGON
       Caller Domain:      NT AUTHORITY
       Caller Logon ID:      (0x0,0xC6DB6)
       Privileges:      -
 *******************************************
This is an Exchange Server with Web service for OWA.
FTP is disabled. Up to Date Critical patches.

I want no Anonymous access at all!
How can I disable and verify NO Anonymous access?
How can I find out ORIGIN information: PC +/or IP +/or User.

Thanks
0
Comment
Question by:Suburb-Man
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 5

Accepted Solution

by:
juliancrawford earned 1000 total points
ID: 9636936
If no anonymous access to IIS services is required, disable the IUSR_computername account.

To track PC/IP info you need to setup auditing.
Control Panel>Administrative Tools>Local Security Policy>Local Policies>Audit Policy
0
 
LVL 1

Author Comment

by:Suburb-Man
ID: 9637151
Thanks for the prompt response.

Disabled IUSR_x, now to wait for complaints from users or logs.

How do I know that IUSR was the avenue Anonymous used?

What kind of Audit Policy do you suggest for JoeUser *?
* Name changed to protect the suspected innocent.
0
 
LVL 5

Expert Comment

by:juliancrawford
ID: 9637970
Here is a little article that discusses the IUSR account that could help
Understanding anonymous authentication and the IUSR account.
http://www.macromedia.com/support/ultradev/ts/documents/anonymous_authentication.htm

The most important items to audit would be
Audit logon events - success and failure
Audit account logon events - success and failure
Audit account management - success and failure

The results of the audit can be viewed in the Security log of the event viewer.
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…
Suggested Courses
Course of the Month13 days, 19 hours left to enroll

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question