NT AUTHORITY\ANONYMOUS LOGON -SUCCESS-

EVENT LOG
*******************************************
Event Type:      Success Audit
Event Source:      Security
Event Category:      Account Management
Event ID:      627
Date:            9/24/2003
Time:            6:53:20 AM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      SERVER1
Description:
Change Password Attempt:
       Target Account Name:      joeuser
       Target Domain:      CENTRAL
       Target Account ID:      CENTRAL\joeuser
       Caller User Name:      ANONYMOUS LOGON
       Caller Domain:      NT AUTHORITY
       Caller Logon ID:      (0x0,0xC6DB6)
       Privileges:      -
 *******************************************
This is an Exchange Server with Web service for OWA.
FTP is disabled. Up to Date Critical patches.

I want no Anonymous access at all!
How can I disable and verify NO Anonymous access?
How can I find out ORIGIN information: PC +/or IP +/or User.

Thanks
LVL 1
Suburb-ManAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

juliancrawfordCommented:
If no anonymous access to IIS services is required, disable the IUSR_computername account.

To track PC/IP info you need to setup auditing.
Control Panel>Administrative Tools>Local Security Policy>Local Policies>Audit Policy
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Suburb-ManAuthor Commented:
Thanks for the prompt response.

Disabled IUSR_x, now to wait for complaints from users or logs.

How do I know that IUSR was the avenue Anonymous used?

What kind of Audit Policy do you suggest for JoeUser *?
* Name changed to protect the suspected innocent.
0
juliancrawfordCommented:
Here is a little article that discusses the IUSR account that could help
Understanding anonymous authentication and the IUSR account.
http://www.macromedia.com/support/ultradev/ts/documents/anonymous_authentication.htm

The most important items to audit would be
Audit logon events - success and failure
Audit account logon events - success and failure
Audit account management - success and failure

The results of the audit can be viewed in the Security log of the event viewer.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.