  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 489

Need help with ANONYMOUS LOGONs in my Security Logs. Who are these people?!?

I have a wireless connection to a domain and while checking my security logs, I see all these crazy computer names coming up as like 'John,' 'XP-HOME,' 'Susan,' etc.

Here's a sample log file so you see what I'm talking about, no idea who this person is:

Successful Network Logon:
       User Name:      
       Domain:            
       Logon ID:            (0x0,0x28F9AD)
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      USER-JP1V2JY0AS
       Logon GUID:      -
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      65.43.87.238
       Source Port:      0


Now my question is... I'm secured behind my router using 128-bit encryption so I highly doubt all these people are hacking in.  Is it possible that neighborhood users are registering or hitting my 802.11 b/g router, thus creating log data?  The IPs are from different domains too; there are some from my ISP, but not all.  I now issue 10 DHCP addresses, but I was getting the same messages when my network clients were connecting with static IPs and DHCP being disabled.  This is kind of frightening, any suggestions on what to do here?
Asked:
yoyz
3 Solutions
 
aindelicato Commented:
More than likely, these other users are on your same DSL or CABLE system and their machines are "scanning" the network for shares.  Ever open Network Neighborhood? It then searches the LAN for other computers.  This also happens across the WAN and your router is seeing all that traffic, but not passing it to your computers.  I'm sure you are safe.

--D
 
chicagoan Commented:
I'd say this is a problem, you say you're behind a router but this is a global address directly accessing your machine.
The only way to do that would be to directly connect, reverse NAT or DMZ your machine.

> I now issue 10 DHCP addresses
You mean you have 10 public addresses?

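As an added example (not part of the thread or any poster's code), the check chicagoan describes can be run over pasted Security-log text: this Python script parses events in the layout quoted in the question and flags anonymous type 3 logons and source addresses outside the private ranges. The sample events, the function names and the rule that a blank User Name counts as anonymous are assumptions.

```python
import ipaddress
import re

# Ranges treated as "inside the LAN" (RFC 1918, loopback, link-local).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$")

# Constructed sample in the layout of the event quoted in the question.
SAMPLE = """\
Successful Network Logon:
       User Name:
       Logon Type:      3
       Workstation Name:      EXAMPLE-PC
       Source Network Address:      203.0.113.7
Successful Network Logon:
       User Name:      alice
       Logon Type:      3
       Workstation Name:      LAPTOP1
       Source Network Address:      192.168.1.20
"""

def parse_events(text):
    """Split pasted event text into one field dict per logon event."""
    events = []
    for line in text.splitlines():
        if line.strip().endswith("Logon:"):  # e.g. "Successful Network Logon:"
            events.append({})
        elif events and (m := FIELD.match(line)):
            events[-1][m.group(1).strip()] = m.group(2)
    return events

def classify(event):
    """Findings for one event; blank, '-' or ANONYMOUS LOGON user is assumed anonymous."""
    findings = []
    if event.get("Logon Type") == "3" and \
            event.get("User Name", "") in ("", "-", "ANONYMOUS LOGON"):
        findings.append("anonymous network logon")
    try:
        addr = ipaddress.ip_address(event.get("Source Network Address", ""))
    except ValueError:
        return findings  # "-" or blank: no remote address recorded
    if not any(addr in net for net in INTERNAL):
        findings.append(f"source {addr} is not a LAN address")
    return findings

def report(text):
    """Workstation name -> findings, for events with at least one finding."""
    results = {e.get("Workstation Name", "?"): classify(e) for e in parse_events(text)}
    return {ws: f for ws, f in results.items() if f}
```

A non-LAN source address on a logon event means the connection reached the Windows host itself, so the router's port forwarding and DMZ settings are the first thing to check.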
 
Rich Rumble (Security Samurai) Commented:
Windows and its anonymous connections... Windows gives up so much information anonymously... download winfo.exe and you'll get a list of usernames, account lockout policies, password expiration dates etc.... your registry can be read anonymously, or even if you try to connect to your PC as Guest, which is locked out by default, nonetheless, Windows will let you view the registry.

Turn off Remote Registry service- and messenger service.

You have wireless... you need to get more secure with it... anyone with a laptop and wireless card driving by could see your network with ease... I assume you've got WEP turned on... but that won't keep people off, you need a MAC Address Access List or an IP ACL. Each wireless router has different ways of doing this.. please search for your brand or model, and "mac address acl" or "mac address access list" etc...

Your Cable or DSL modem (even dialup) are also sources for scans. Most scanners use null sessions, or the current user's credentials... that is why you see connections from different domains and people's names.
Try these two tools out on your network and see how much info can be gathered:
http://www.gfi.com/lannetscan/
http://ntsecurity.nu/toolbox/winfo/

To keep people off your systems- get a firewall, ZoneAlarm is a great product, the free version will keep even the elite at bay. Also look into setting up proper ACLs for your wireless router, only allow "trusted MAC addresses", the MAC addresses that belong to your PCs. To get your MAC address, type on the CMD line- "ipconfig -all" (no quotes). Or it can usually be read on the PCI NIC in your PCs. Disabling anonymous connections with the Windows registry doesn't work as well as it should, but to do that read this: http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q143/4/74.asp&NoWebContent=1

Turn off the remote registry service for certain, go to GRC.com and scan your computer with the Shields Up test... and look at the tools he has there
https://grc.com/x/ne.dll?bh0bkyd2
http://grc.com/freepopular.htm

Read about how to secure your model or manufacturer's wireless router... and be afraid- rather paranoid with wireless... read wardriving.com to see the latest and greatest in wireless insecurity.
GL!
-rich