Solved

NtLmSsp and NTLM Security Problem on Windows 2003 Standard Edition

Posted on 2004-05-02
5
3,048 Views
Last Modified: 2013-12-04
Hello
I Use Windows 2003 Standard Edition , today my friend Password in my system (we use one system) changed I find this audit in my system audit:

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            5/2/2004
Time:            9:56:27 AM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      NS9
Description:
Successful Network Logon:
       User Name:      
       Domain:            
       Logon ID:            (0x0,0x1AE5F4)
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      SRV001
       Logon GUID:      -
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      xxx.xxx.xxx.xxx
       Source Port:      0
--------------------
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            5/2/2004
Time:            9:56:17 AM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      NS9
Description:
User Logoff:
       User Name:      ANONYMOUS LOGON
       Domain:            NT AUTHORITY
       Logon ID:            (0x0,0x234913)
       Logon Type:      3
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------
Event Type:      Success Audit
Event Source:      Security
Event Category:      Account Management
Event ID:      627
Date:            5/2/2004
Time:            10:12:40 AM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      NS9
Description:
Change Password Attempt:
       Target Account Name:      Admin123
       Target Domain:      NS9
       Target Account ID:      NS9\Admin123
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      (0x0,0x3E6)
       Privileges:      -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


what is problem that Anonymous User can change Administrator password?!!!

- karaji
0
Comment
Question by:karaji
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 2

Expert Comment

by:VRAGHAVANS
ID: 10974615
Nothing to worry
Check this URL

http://is-it-true.org/nt/atips/atips155.shtml
Venkat
0
 
LVL 12

Accepted Solution

by:
trywaredk earned 250 total points
ID: 10976711
Well - maybe there is something to worry about !

Are your friends computername NS9 ???

If not, then it could be an unknown user/computer that's doing a real logon
http://www.eventid.net/display.asp?eventid=540&eventno=9&source=Security&phase=1

If so, you should protect yourself from keyloggers ...

Cleaning your computer  - and protecting it in the future -  can't be answered with one issue.

As you can see in my url below there are at least 7 different issues, where you should decide 1 of each, or else you does'nt protect your computer at all.

The reason is, that the many different programs not always protects against each other, and each of them does'nt protect equally.

It's very important, that you study all of these issues in my knowledgebase (some of them are freeware):
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html

BTW: I'm using the Trend Micro virus-suite, and SoftScan , and haven't got any of my servers or computers infected since 1999.

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question