Solved

NT AUTHORITY\ANONYMOUS LOGON -SUCCESS-

Posted on 2003-10-28
3
24,367 Views
Last Modified: 2013-12-04
EVENT LOG
*******************************************
Event Type:      Success Audit
Event Source:      Security
Event Category:      Account Management
Event ID:      627
Date:            9/24/2003
Time:            6:53:20 AM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      SERVER1
Description:
Change Password Attempt:
       Target Account Name:      joeuser
       Target Domain:      CENTRAL
       Target Account ID:      CENTRAL\joeuser
       Caller User Name:      ANONYMOUS LOGON
       Caller Domain:      NT AUTHORITY
       Caller Logon ID:      (0x0,0xC6DB6)
       Privileges:      -
 *******************************************
This is an Exchange Server with Web service for OWA.
FTP is disabled. Up to Date Critical patches.

I want no Anonymous access at all!
How can I disable and verify NO Anonymous access?
How can I find out ORIGIN information: PC +/or IP +/or User.

Thanks
0
Comment
Question by:Suburb-Man
  • 2
3 Comments
 
LVL 5

Accepted Solution

by:
juliancrawford earned 250 total points
ID: 9636936
If no anonymous access to IIS services is required, disable the IUSR_computername account.

To track PC/IP info you need to setup auditing.
Control Panel>Administrative Tools>Local Security Policy>Local Policies>Audit Policy
0
 
LVL 1

Author Comment

by:Suburb-Man
ID: 9637151
Thanks for the prompt response.

Disabled IUSR_x, now to wait for complaints from users or logs.

How do I know that IUSR was the avenue Anonymous used?

What kind of Audit Policy do you suggest for JoeUser *?
* Name changed to protect the suspected innocent.
0
 
LVL 5

Expert Comment

by:juliancrawford
ID: 9637970
Here is a little article that discusses the IUSR account that could help
Understanding anonymous authentication and the IUSR account.
http://www.macromedia.com/support/ultradev/ts/documents/anonymous_authentication.htm

The most important items to audit would be
Audit logon events - success and failure
Audit account logon events - success and failure
Audit account management - success and failure

The results of the audit can be viewed in the Security log of the event viewer.
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality. That was m…
As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011.  It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected syste…
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question