Need help with ANONYMOUS LOGON's in my Secuirty Log's.  Who are these people?!?

Posted on 2004-03-21
Medium Priority
Last Modified: 2012-08-13
I have a wireless connection to a domain and while checking my security log's, I see all these crazy computernames coming up as like, 'John,' 'XP-HOME,' Susan,' etc.....

Here's a sample log file so you see what I'm talking about, no idea who this person is:

Successful Network Logon:
       User Name:      
       Logon ID:            (0x0,0x28F9AD)
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      USER-JP1V2JY0AS
       Logon GUID:      -
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:
       Source Port:      0

Now my question is... I'm secured behind my router using 128-bit encryption so I highly doubt all these people are hacking in.  Is it possible that neighborhood users are registering or hitting my 802.11 b/g router, thus creating log data?  The IP's are from different domains too, there are some from my ISP, but not all.  I now issue 10 DHCP address's, but I was getting the same messages when my network clients were connecting with static IP's and DHCP being disabled.  This is kind of freightning, any suggestions on what to do here?
Question by:yoyz
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 12

Accepted Solution

aindelicato earned 336 total points
ID: 10647016
More than likely, these other users are on your same DSL or CABLE system and there machine are "scanning" the network for shares.  Ever open Network Neighborhood, it then searches the LAN for other computers.  This also happens across the WAN and your router is seeing all that traffic, but not passing it to your computers.  I'm sure you are safe.

LVL 18

Assisted Solution

chicagoan earned 332 total points
ID: 10648350
I'd say this is a problem, you say you're behind a router but this is a global address directly accessing your machine.
The only way to do that would be directly connect, reverse nat or DMZ'ing your machine.

> I now issue 10 DHCP address's
you mean you have 10 public addresses?

LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 332 total points
ID: 10648617
Windows and it's anonymous connections... windows gives up so much information anonymously... download winfo.exe and you'll get a list of usernames account lockout policies, password expriation dates etc.... your registry can be read anonymously, or even if you try to coonect to your pc as Guest which is locked out by default, nonetheless, windows will let you view the registry.

Turn off Remote Registry service- and messenger service.

You have wireless... you need to get more secure with it... anyone with a laptop and wireless card driving by could see your network with ease... I assume you've got WEP turned on... but that wonn't keep people of, you need a MAC Address Access List or an Ip acl. Each wireless router has different ways of doing this.. please search for your brand or modle, and "mac address acl" or "mac address access list" etc...

Your Cable or DSL modem (even dialup) are also sources for scann's. Most scanners use null sessions, or the current user's credintials... that is why you see connections from different domain's and people's names.
Try these two tools out on your network and see how much info can be gathered:

To keep people off your systems- get a firewall, ZoneAlarm is a great product, the free version will keep even the elite at bay. Also look into setting up proper ACL's for your wireless router, only allow "trusted MAC address" the mac address's that belong to your PC's. To get your mac address, type on the CMD line- "ipconfig -all" (no quotes). Or it can usually be read on the Pci NIC in your PC's. Disabling anonymous connections with the windows registry doesn't work as well as it should, but to do that read this: http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q143/4/74.asp&NoWebContent=1

Turn off the remote registry service for certain, go to GRC.com and scann your computer with the Shields Up test... and look at the tools he has there

Read about how to secure your model or manufactureers wireless router... and be afraid- rather paranoid with wireless... read wardriving.com to see the latest and greatest in wireless insecrutiy.

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
Check out the latest tech news, community articles, and expert highlights in August's newsletter.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question