Learn how to a build a cloud-first strategyRegister Now


ANONYMOUS LOGIN on web server - audit event 540 - is this a problem?

Posted on 2007-10-12
Medium Priority
Last Modified: 2013-12-04
Should I be worried if I'm seeing event 540 - ANONYMOUS LOGIN in the security audit on my web server? I've hardened the server with MBSA and disabled ALL unnecessary services. I'm running an antivirus program (ESET NOD32) on the machine and that's it. The server is in a locked down DMZ behind a Cisco ASA firewall with IPS with only the required ports open.

Just seeing the anonymous login worries me... please respond quickly.

I'm running WS 2003 Web Edition - fully patched - SP2

Question by:Pugglewuggle
  • 3
  • 2

Expert Comment

ID: 20063726
If your web server is configured to allow anonymous logon then no, there is nothing to worry about.
LVL 12

Author Comment

ID: 20066077
I don't think that's what it's referring to.... If I access a page 100 times, it doesn't give me that, not even once. Is there anything or anyone else we can ask to confirm that this either is or isn't a problem?
LVL 58

Accepted Solution

tigermatt earned 2000 total points
ID: 20066838
I can confirm that I also receive regular annonymous login audits in the Security logs with IIS, and my research would indicate it's not a problem.

The easiest way for you to tell if there's a security breach or not would be to examine the IIS logs and see what files were accessed. They are very detailed and useful for tracking things like this down; don't let their text format put you off! They can be found in <systemdrive>:\WINDOWS\system32\LogFiles\W3SVC<website id>. The website ID can be found in IIS manager, and I know for sure that the "Default Web Site" has an ID of 1, the rest will be a random number unless you changed it.

If you find yourself regularaly looking through the IIS logs then there are plenty of tools to produce nice reports from a range or the whole set of logs - a good investment if you do this regularly but for one offs, just trawl through the text file like me!

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

LVL 12

Author Comment

ID: 20066871
Dude, you're freakin' amazing! How do you do it?!
LVL 58

Expert Comment

ID: 20066956
Who knows? Just built-up knowledge over time I suppose!
LVL 12

Author Comment

ID: 20066964

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
OfficeMate Freezes on login or does not load after login credentials are input.
Are you ready to place your question in front of subject-matter experts for more timely responses? With the release of Priority Question, Premium Members, Team Accounts and Qualified Experts can now identify the emergent level of their issue, signal…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question