Security log event 540 anonymous logon.  Ok? Why and how?

Hardwarez asked
Last Modified: 2012-05-05
Security log event 540 anonymous logon.  I see that my log is full of these starting a couple months ago.  This machine is a mail server and should only have traffic from me via terminal services and the normal smtp and pop traffic.

What does this event mean?  Is someone logging onto this machine?

MSG:
Successful Network Logon:
       User Name:      
       Domain:            
       Logon ID:            (0x0,0xD50841)
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      ONEFIFTYFIVE
       Logon GUID:      -
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      192.168.1.155
       Source Port:      0


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Top Expert 2007
Commented:
Those are anonymous logons.
Is the workstation one in your network (name & IP)?

J.

Author

Commented:
Yes, that is a local workstation.
Top Expert 2007
Commented:
This can be perfectly normal behaviour in a Windows environment, but if you want to get rid of them then you can disable anonymous login using group policy.
If this blocks some applications you can remove it later on.
I currently don't have time to verify, but I think you will find it in this node: Computer Configuration\Administrative Templates\System\Remote Procedure Cal

J.
Rich Rumble, Security Samurai
CERTIFIED EXPERT
Top Expert 2006
Commented:
If not in the group policy then locally, you can go to Start > Run and type secpol.msc and go to Local Policies > Security Options and enable "Network Access: Do not allow anonymous enumeration of SAM accounts" as well as SAM accounts and shares.
http://technet2.microsoft.com/WindowsServer/en/library/2c82586e-bd58-42b7-9976-228a23721e351033.mspx
If this server is exposed to the internet, make sure you close ports 135-139 and 445 (tcp/udp) on the public IP.

Also make sure you're not an Open Relay: http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3AdminGuide/99e4fecd-816b-4f99-a5fa-3174946e2e7b.mspx
http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3AdminGuide/7b04a59d-3eda-4389-a6a5-822a87b23da9.mspx
-rich

Author

Commented:
Thank you!
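
The first reply's triage question (are these anonymous logons, and is the source a machine on your network?) can be answered in bulk from exported event 540 text. The following Python sketch is an added example, not part of the original thread; the sample records, the `192.168.1.0/24` LAN range and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample; record 1 mirrors the event in the question (fields trimmed).
SAMPLE_LOG = """\
Successful Network Logon:
       User Name:
       Logon Type:      3
       Workstation Name:      ONEFIFTYFIVE
       Source Network Address:      192.168.1.155
Successful Network Logon:
       User Name:      ANONYMOUS LOGON
       Logon Type:      3
       Workstation Name:      UNKNOWNPC
       Source Network Address:      203.0.113.40
Successful Network Logon:
       User Name:      mailadmin
       Logon Type:      10
       Workstation Name:      MAILSRV
       Source Network Address:      192.168.1.10
"""
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+):[ \t]*(.*?)[ \t]*$", re.M)

def parse_events(text):
    """Split exported event 540 messages into field-name -> value dicts."""
    chunks = text.split("Successful Network Logon:")[1:]
    return [dict(FIELD.findall(c)) for c in chunks]

def is_anonymous(ev):
    """Network (type 3) logon with a blank user or the ANONYMOUS LOGON account."""
    user = ev.get("User Name", "").upper()
    return ev.get("Logon Type") == "3" and user in ("", "ANONYMOUS LOGON")

def triage(text, internal="192.168.1.0/24"):  # LAN range is an assumption
    """Count anonymous logons per source; collect sources not on the LAN."""
    net = ipaddress.ip_network(internal)
    counts, review = Counter(), set()
    for ev in filter(is_anonymous, parse_events(text)):
        addr = ev.get("Source Network Address", "-")
        counts[(ev.get("Workstation Name", "-"), addr)] += 1
        try:
            if ipaddress.ip_address(addr) not in net:
                review.add(addr)
        except ValueError:  # "-" or malformed: cannot be placed on the LAN
            review.add(addr)
    return counts, review

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Sources that land in the review set are the ones worth checking against the firewall advice above, since anonymous network logons from outside the LAN imply the SMB/RPC ports are reachable.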