Security log event 540 anonymous logon. Ok? Why and how?

Security log event 540 anonymous logon. I see that my log is full of these, starting a couple of months ago. This machine is a mail server and should only have traffic from me via Terminal Services and the normal SMTP and POP traffic.

What does this event mean? Is someone logging onto this machine?

MSG:
Successful Network Logon:
       User Name:      
       Domain:            
       Logon ID:            (0x0,0xD50841)
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      ONEFIFTYFIVE
       Logon GUID:      -
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      192.168.1.155
       Source Port:      0


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
Hardwarez
Asked:
3 Solutions
 
PowerIT Commented:
Those are anonymous logons.
Is the workstation one in your network (name & IP)?

J.
0
 
Hardwarez (Author) Commented:
Yes, that is a local workstation.
0
 
PowerIT Commented:
This can be perfectly normal behaviour in a Windows environment, but if you want to get rid of them then you can disable anonymous login using group policy.
If this blocks some applications you can remove it later on.
I currently don't have time to verify, but I think you will find it in this node: Computer Configuration\Administrative Templates\System\Remote Procedure Cal

J.
0
 
Rich Rumble (Security Samurai) Commented:
If not in the group policy then locally, you can go to Start > Run and type secpol.msc and go to Local Policies > Security Options and enable "Network Access: Do not allow anonymous enumeration of SAM accounts" as well as SAM accounts and shares.
http://technet2.microsoft.com/WindowsServer/en/library/2c82586e-bd58-42b7-9976-228a23721e351033.mspx
If this server is exposed to the internet, make sure you close ports 135-139 and 445 (TCP/UDP) on the public IP.

Also make sure you're not an open relay: http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3AdminGuide/99e4fecd-816b-4f99-a5fa-3174946e2e7b.mspx
http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3AdminGuide/7b04a59d-3eda-4389-a6a5-822a87b23da9.mspx
-rich
0
 
Hardwarez (Author) Commented:
Thank you!
0
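
One way to check which machines are producing these events, as an added example that is not part of the original thread: it parses exported Event 540 text in the layout quoted in the question, keeps the anonymous type 3 logons, and counts them per source, marking any source outside the expected LAN. The 192.168.1.0/24 range, the EXTHOST, 203.0.113.7 and mailadmin sample values, and all function names are assumptions.

```python
import ipaddress
from collections import Counter

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumption: the LAN in the question

def make_event(user, workstation, addr):
    """Build one constructed Event 540 body in the layout quoted in the question."""
    return ("Successful Network Logon:\n"
            f"       User Name:      {user}\n"
            "       Logon Type:      3\n"
            "       Logon Process:      NtLmSsp\n"
            f"       Workstation Name:      {workstation}\n"
            f"       Source Network Address:      {addr}\n")

# Constructed sample: EXTHOST, 203.0.113.7 and mailadmin are made-up values.
SAMPLE = (make_event("", "ONEFIFTYFIVE", "192.168.1.155") * 2
          + make_event("mailadmin", "ONEFIFTYFIVE", "192.168.1.155")
          + make_event("", "EXTHOST", "203.0.113.7"))

def parse_540(text):
    """Split exported Event 540 text into one dict of fields per event."""
    events = []
    for body in text.split("Successful Network Logon:")[1:]:
        fields = {}
        for line in body.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def is_anonymous(ev):
    """Network logon (type 3) with an empty or ANONYMOUS LOGON user name."""
    return ev.get("Logon Type") == "3" and ev.get("User Name", "") in ("", "ANONYMOUS LOGON")

def triage(text, local_net=LOCAL_NET):
    """Count anonymous logons per (workstation, address, inside local_net)."""
    counts = Counter()
    for ev in filter(is_anonymous, parse_540(text)):
        addr = ev.get("Source Network Address", "-")
        try:
            inside = ipaddress.ip_address(addr) in local_net
        except ValueError:
            inside = False  # "-" or unparsable address: origin unknown
        counts[(ev.get("Workstation Name", ""), addr, inside)] += 1
    return counts

if __name__ == "__main__":
    for (ws, addr, inside), n in triage(SAMPLE).items():
        print(n, ws, addr, "local" if inside else "outside LOCAL_NET")
```

Sources that fall outside the expected range are the ones to follow up against the port 135-139/445 exposure mentioned in the answer above.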
