Solved

Security log event 540 anonymous logon.  Ok? Why and how?

Posted on 2006-10-26
5
2,273 Views
Last Modified: 2012-05-05
Security log event 540 anonymous logon.  I see that my log is full of theses starting a couple months ago.  This machine is a mail server and should only have traffice from me via terminal services and the normal smtp and pop traffice.  

What does this event mean?  Is someon logging onto this machine?

MSG:
Successful Network Logon:
       User Name:      
       Domain:            
       Logon ID:            (0x0,0xD50841)
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      ONEFIFTYFIVE
       Logon GUID:      -
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      192.168.1.155
       Source Port:      0


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
Comment
Question by:Hardwarez
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 18

Assisted Solution

by:PowerIT
PowerIT earned 50 total points
ID: 17811506
Those are anonymous logons.
Is the workstation one in your network (name & IP)?

J.
0
 

Author Comment

by:Hardwarez
ID: 17811585
Yes, that is a local workstation.
0
 
LVL 18

Accepted Solution

by:
PowerIT earned 50 total points
ID: 17811838
This can be perfectly normal behaviour in a Windows environment, but if you want to get rid of them then you can disable anonymous login using group policy.
If this blocks some applications you can remove it later on.
I currently don't have time to verify, but I think you will find it in this node: Computer Configuration\Administrative Templates\System\Remote Procedure Cal

J.
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 50 total points
ID: 17812802
If not in the group policy then locally, you can goto start>run and type secpol.msc and go to the local policies>security options and enable "Network Access: Do not allow anonymous enumeration of SAM accounts" as well as SAM accounts and shares
http://technet2.microsoft.com/WindowsServer/en/library/2c82586e-bd58-42b7-9976-228a23721e351033.mspx
If this server is exposed to the internet, make sure you close ports 135-139 and 445(tcp/udp)  on the public ip.

Also make sure your not an Open Relay: http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3AdminGuide/99e4fecd-816b-4f99-a5fa-3174946e2e7b.mspx
http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3AdminGuide/7b04a59d-3eda-4389-a6a5-822a87b23da9.mspx
-rich
0
 

Author Comment

by:Hardwarez
ID: 17857686
Thank you!
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses
Course of the Month7 days, 5 hours left to enroll

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question