Solved

Need help with ANONYMOUS LOGONs in my Security Logs.  Who are these people?!?

Posted on 2004-03-21
Last Modified: 2012-08-13
I have a wireless connection to a domain and while checking my security logs, I see all these crazy computer names coming up, like 'John,' 'XP-HOME,' 'Susan,' etc.

Here's a sample log file so you see what I'm talking about, no idea who this person is:

Successful Network Logon:
       User Name:      
       Domain:            
       Logon ID:            (0x0,0x28F9AD)
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      USER-JP1V2JY0AS
       Logon GUID:      -
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      65.43.87.238
       Source Port:      0


Now my question is... I'm secured behind my router using 128-bit encryption so I highly doubt all these people are hacking in.  Is it possible that neighborhood users are registering or hitting my 802.11 b/g router, thus creating log data?  The IPs are from different domains too; there are some from my ISP, but not all.  I now issue 10 DHCP addresses, but I was getting the same messages when my network clients were connecting with static IPs and DHCP being disabled.  This is kind of frightening, any suggestions on what to do here?
0
Question by:yoyz
5 Comments
 
LVL 12

Accepted Solution

by:aindelicato
aindelicato earned 84 total points
ID: 10647016
More than likely, these other users are on your same DSL or cable system and their machines are "scanning" the network for shares.  Ever open Network Neighborhood? It then searches the LAN for other computers.  This also happens across the WAN and your router is seeing all that traffic, but not passing it to your computers.  I'm sure you are safe.

--D
0
 
LVL 18

Assisted Solution

by:chicagoan
chicagoan earned 83 total points
ID: 10648350
I'd say this is a problem. You say you're behind a router, but this is a global address directly accessing your machine.
The only way to do that would be to directly connect, reverse NAT or DMZ your machine.

> I now issue 10 DHCP address's
You mean you have 10 public addresses?

0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 83 total points
ID: 10648617
Windows and its anonymous connections... Windows gives up so much information anonymously... download winfo.exe and you'll get a list of usernames, account lockout policies, password expiration dates, etc.... your registry can be read anonymously, or even if you try to connect to your PC as Guest, which is locked out by default, nonetheless, Windows will let you view the registry.

Turn off the Remote Registry service and the Messenger service.

You have wireless... you need to get more secure with it... anyone with a laptop and wireless card driving by could see your network with ease... I assume you've got WEP turned on... but that won't keep people off, you need a MAC address access list or an IP ACL. Each wireless router has different ways of doing this... please search for your brand or model, and "mac address acl" or "mac address access list" etc...

Your cable or DSL modem (even dialup) are also sources for scans. Most scanners use null sessions, or the current user's credentials... that is why you see connections from different domains and people's names.
Try these two tools out on your network and see how much info can be gathered:
http://www.gfi.com/lannetscan/
http://ntsecurity.nu/toolbox/winfo/

To keep people off your systems, get a firewall. ZoneAlarm is a great product; the free version will keep even the elite at bay. Also look into setting up proper ACLs for your wireless router: only allow "trusted MAC addresses", the MAC addresses that belong to your PCs. To get your MAC address, type on the CMD line "ipconfig -all" (no quotes). Or it can usually be read on the PCI NIC in your PCs. Disabling anonymous connections with the Windows registry doesn't work as well as it should, but to do that read this: http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q143/4/74.asp&NoWebContent=1

Turn off the Remote Registry service for certain, go to GRC.com and scan your computer with the Shields Up test... and look at the tools he has there
https://grc.com/x/ne.dll?bh0bkyd2
http://grc.com/freepopular.htm

Read about how to secure your model or manufacturer's wireless router... and be afraid, or rather paranoid, with wireless... read wardriving.com to see the latest and greatest in wireless insecurity.
GL!
-rich
0
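
Added example (not written by any poster in this thread): a small triage script for logon events in the text layout quoted in the question. It flags the two conditions the answers raise, a Type 3 logon with an empty user name and a source address that is public rather than on the LAN. The second event and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: event 1 copies fields from the question; event 2 is invented.
SAMPLE_LOG = """\
Successful Network Logon:
       User Name:
       Logon Type:      3
       Authentication Package:      NTLM
       Workstation Name:      USER-JP1V2JY0AS
       Source Network Address:      65.43.87.238

Successful Network Logon:
       User Name:      alice
       Logon Type:      3
       Authentication Package:      NTLM
       Workstation Name:      DESKTOP1
       Source Network Address:      192.168.1.10
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$")

def parse_events(text):
    """Split on blank lines and turn each 'Name: value' line into a dict entry."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines()[1:]:      # skip the event title line
            m = FIELD.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2)
        events.append(fields)
    return events

def triage(event):
    """Return the reasons this network logon deserves a closer look."""
    reasons = []
    if event.get("Logon Type") == "3" and not event.get("User Name"):
        reasons.append("anonymous network logon (null session)")
    addr = event.get("Source Network Address", "")
    try:
        if ipaddress.ip_address(addr).is_global:
            reasons.append(f"source {addr} is a public address")
    except ValueError:
        pass                                      # "-" or empty: no remote address
    return reasons

def flagged(text):
    results = ((e.get("Workstation Name"), triage(e)) for e in parse_events(text))
    return [(name, why) for name, why in results if why]
```

Calling `flagged(SAMPLE_LOG)` returns only the event from the question, with both reasons attached; the LAN logon passes clean.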
