vivo123
Security Log
I noticed that in the security logs I will sometimes see an error code 681 with (Logon to account: anonymous).
What does the anonymous mean in this case, and why does it show up instead of a user account name?
Thanks
ASKER
No on either. These are showing up on individual workstations. But I cannot figure out why the anonymous user ID.
Event ID 681
The logon to account: anonymous
by: Microsoft_Authentication_Package_V1_0
from workstation: test1
failed
The error code was 3221225572
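As an added example (not part of the original thread): a Python sketch that parses Event ID 681 text in the layout quoted above, converts the decimal error code to its NTSTATUS hex value and name, and counts failures per workstation and account. The function names and the `jsmith`/`test2` record are constructed for illustration.

```python
import re
from collections import Counter

# Subset of NTSTATUS values (ntstatus.h) seen as Event ID 681 error codes.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

FIELDS = {
    "account": re.compile(r"logon to account:\s*(\S+)", re.I),
    "workstation": re.compile(r"from workstation:\s*(\S+)", re.I),
    "code": re.compile(r"error code was\s*(\d+)", re.I),
}

def parse_681(text):
    """Split exported log text into Event 681 records and decode each code."""
    records = []
    for chunk in re.split(r"(?m)^Event ID 681\s*$", text):
        found = {k: rx.search(chunk) for k, rx in FIELDS.items()}
        if not all(found.values()):
            continue  # preamble or truncated record: skip rather than guess
        code = int(found["code"].group(1))
        records.append({
            "account": found["account"].group(1).lower(),
            "workstation": found["workstation"].group(1).lower(),
            "hex": f"0x{code:08X}",
            "status": NTSTATUS.get(code, "UNKNOWN"),
        })
    return records

def summarize(records):
    """Count failures per (workstation, account, status) to spot the noisy source."""
    return Counter((r["workstation"], r["account"], r["status"]) for r in records)

def _event(account, workstation, code):  # builds constructed sample text
    return (f"Event ID 681\nThe logon to account: {account}\n"
            "by: Microsoft_Authentication_Package_V1_0\n"
            f"from workstation: {workstation}\nfailed\nThe error code was {code}\n")

# Constructed sample: the thread's record twice, plus a made-up one (jsmith/test2).
SAMPLE = _event("anonymous", "test1", 3221225572) * 2 + _event("jsmith", "test2", 3221225578)

if __name__ == "__main__":
    for key, n in summarize(parse_681(SAMPLE)).most_common():
        print(n, *key)
```
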
ASKER
I still don't see an explanation for the anonymous logon. These are workstations that are user assigned; nobody else logs in. They are running XP Pro SP1, completely patched.
Are you sure they are not running the FTP service?
Yeah, the only thing I see is that you have an FTP running too.
Check your services for any FTP-like service.
ASKER
Thanks I will take a look
ASKER
Thanks Dave for the explanation. I am going to check further. Is there any other type of auditing that could be set to help break this down farther?
Without specific knowledge of where the requests are coming from, short of a network trace I can't think of any additional logging that would really help.
It appears that the culprit is not able to access the machines so auditing file access would be pointless, and if you don't know what machine is launching the requests you're going to have a *lot* of data to dig through if you enable any kind of domain wide auditing of user activity.
Dave Dietz
ASKER
FrontPage is installed on the suspected machines. Do you think this could be a possibility? I am reaching.
Thanks again..
Not likely but not impossible.
How many 'suspected' machines are there?
If there are just a few it may be feasible to perform some network tracing to see what they are doing.
Dave Dietz
ASKER
3 suspected machines...
Can you explain further on the network tracing?
You could set up a network sniffer and configure it to only listen for traffic to and from the suspected machines.
Once you see the suspect behavior on a target machine you can go through the netmon trace and see what exactly the machine has been doing on the network.
You could also set up File and Object Auditing and/or Logon/Logoff Auditing on the suspect machines to see who is on the boxes and what they are accessing while they are on it. A slightly more radical approach would be to install a keylogger/screen capture type utility and see exactly what the machines are doing.
Dave Dietz
ASKER
Thanks for the info
This is why you are getting them: anonymous user logs in to FTP etc.
They are being audited, so that's why they are there.