Anonymous Log Entries Filling Security Log

My question is two-fold and probably very basic but here is the scenario...

I have a workstation (WinXP) that is joined to a domain but its security log is filling within days due to 538 and 540 Anonymous logon events. These events are being generated by various other workstations 'live' on the network and are quite frequent - every 3 to 4min. It is not used as a file sharing system and should be no different than other workstations.

Besides changing the logged events - which I know can be done.

What are these events for?
Why would they be occurring only on this one machine?

The entries are in pairs and vary for the computer reported but are otherwise as per the attached screenshots.
2013-1008-1544.56-ss--event-samp.jpg
2013-1008-1545.22-ss--event-samp.jpg
DanielT asked:

Rich Rumble (Security Samurai) commented:
Logon Type 3 is network; when another computer uses NetBIOS to look for shared printers or other services, you will see this (when you audit for it). It's easy to sniff and find what more specifically is doing it. Install Wireshark and it may tell you all you need to know :)

The C$ and others (by default always available) can still be enumerated and seen by other machines on the network, and trigger those events.
-rich
0
DanielT (Author) commented:
So this is network chatter for shares and printers. Why does it fill the log?
Is it due to the Windows setting of automatically detecting shared printers, such that systems are constantly checking? Should that 'feature' be disabled?

Can this activity be due to something undesirable - such as malware?
How would you differentiate this from 'normal' traffic?
(presume Wireshark may help with this - but what should be the focus to look for?)
0
Rich Rumble (Security Samurai) commented:
Malware, sure, but it's not typically. Yes, the automatic searching for printers and shares can be a cause; there are also tools that attempt to see who is logged on, even netstat does it.
netstat -A ip.ip.ip.ip looks to see who is logged on and does anony events; LogonSessions from Sysinternals I think can do that too.
Wireshark is probably the best way to track it down: you will see ANONY logon, you can match the IP or computer name to the event log times and figure it out. NetBIOS isn't too complex when using Wireshark, but if you haven't ever used it, it could be intimidating.

Wireshark will make your eyes bleed when you see how chatty windows networks are if you don't disable services that aren't needed :)
-rich
0

DanielT (Author) commented:
Thanks.

Aware of Wireshark as I have used it before. Just not enough to know it well.
Have the Sysinternals utilities but have not used LogonSessions.

I am also familiar with netstat (usually use -aon) but have not appended an IP address (assume that is what you mean by ip.ip.ip.ip). What does that do? I could not see any difference from netstat -a alone.
0
Rich Rumble (Security Samurai) commented:
nbtstat, my bad: -A is IP, and -a is FQDN, sorry about that.
-rich
0
DanielT (Author) commented:
thx.

Any way to audit account logons without all the extra 'noise'?
0
Rich Rumble (Security Samurai) commented:
Depends on what you use. Technically you want all the logs, but in your query tool you may want to exclude those particular ones. Unfortunately it's hard to filter, because 540/538 are what you'd see for any account logging on or off; it's the details like the account (anonymous) that are harder to filter out on, esp. using Windows native tools. A more complex method may be to use Logparser or wevtutil, and it might be able to filter out records based on something in the body, but I don't think it will. A full SIEM product like LogRhythm, Splunk or LogLogic. You can get the Browser service and others shut down to reduce the chatter, but if you just sit with Wireshark open on a totally idle machine, it's astounding how much it says and hears just sitting there minding its own business :)
-rich
0
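The two points above (finding which machines generate the anonymous 540/538 chatter, and filtering that chatter out of the log without losing real account logons) can be worked through on a text export of the Security log. The script below is an added example written for this thread, not code posted by either participant. It assumes a tab-separated Event Viewer "Save As" text export (Date, Time, Source, Type, Category, Event, User, Computer, Description); the sample rows, host names, Logon IDs and addresses are constructed for the example. It keeps every event that is not an ANONYMOUS LOGON type 3 540/538, pairs each 540 with its 538 by Logon ID, and counts the anonymous network logons per source address, which is the same IP-to-event matching the answer suggests doing by hand with Wireshark.

```python
"""Triage an XP Security-log text export: set aside the ANONYMOUS LOGON
540/538 network-logon noise, pair each 540 with its 538 by Logon ID, tally
which source machines generate it, and keep every other logon event.

Everything below, including the sample export, is constructed for this
example (hypothetical hosts, addresses and Logon IDs), not taken from the thread.
"""
import re
from collections import Counter, defaultdict


# Columns of an Event Viewer "Save As" text export (tab-separated):
# Date, Time, Source, Type, Category, Event, User, Computer, Description
def _row(date, time, event_id, user_col, desc):
    return "\t".join([date, time, "Security", "Success Audit", "Logon/Logoff",
                      str(event_id), user_col, "WS-MAIN", desc])


ANON = "NT AUTHORITY\\ANONYMOUS LOGON"


def _net_logon(lid, workstation, addr):
    # Shape of an XP event 540 description, trimmed to the fields used here.
    return ("Successful Network Logon: User Name: ANONYMOUS LOGON "
            f"Domain: NT AUTHORITY Logon ID: {lid} Logon Type: 3 "
            f"Workstation Name: {workstation} Source Network Address: {addr}")


def _logoff(lid):
    # Shape of the matching event 538 description.
    return ("User Logoff: User Name: ANONYMOUS LOGON Domain: NT AUTHORITY "
            f"Logon ID: {lid} Logon Type: 3")


SAMPLE_EXPORT = "\n".join([
    _row("10/8/2013", "15:44:56", 540, ANON, _net_logon("(0x0,0x1A2B3C)", "WS-05", "192.168.1.23")),
    _row("10/8/2013", "15:44:56", 538, ANON, _logoff("(0x0,0x1A2B3C)")),
    _row("10/8/2013", "15:48:10", 540, ANON, _net_logon("(0x0,0x1A2B40)", "WS-07", "192.168.1.31")),
    _row("10/8/2013", "15:48:10", 538, ANON, _logoff("(0x0,0x1A2B40)")),
    _row("10/8/2013", "15:51:33", 540, ANON, _net_logon("(0x0,0x1A2B55)", "WS-05", "192.168.1.23")),
    _row("10/8/2013", "15:51:33", 538, ANON, _logoff("(0x0,0x1A2B55)")),
    # A real interactive logon (type 2) by a named user: this must survive the filter.
    _row("10/8/2013", "15:52:01", 528, "CORP\\dthomas",
         "Successful Logon: User Name: dthomas Domain: CORP Logon ID: (0x0,0x2000AA) "
         "Logon Type: 2 Logon Process: User32 Workstation Name: WS-MAIN"),
    # A 540 whose 538 had not been written yet when the log was exported.
    _row("10/8/2013", "15:55:47", 540, ANON, _net_logon("(0x0,0x1A2B60)", "WS-09", "192.168.1.44")),
])

# Fields pulled out of the free-text description column.
FIELD_RES = {
    "user": re.compile(r"User Name:\s*(.+?)\s+Domain:"),
    "logon_id": re.compile(r"Logon ID:\s*(\([^)]*\))"),
    "logon_type": re.compile(r"Logon Type:\s*(\d+)"),
    "workstation": re.compile(r"Workstation Name:\s*(\S+)"),
    "source_addr": re.compile(r"Source Network Address:\s*(\S+)"),
}


def parse_export(text):
    """Turn the tab-separated export into dicts, one per event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != 9:
            raise ValueError(f"expected 9 tab-separated columns, got {len(cols)}: {line[:60]!r}")
        date, time, _src, _type, _cat, event_id, _user_col, computer, desc = cols
        ev = {"time": f"{date} {time}", "event_id": int(event_id), "computer": computer}
        for key, rx in FIELD_RES.items():
            m = rx.search(desc)
            ev[key] = m.group(1) if m else None
        if ev["logon_type"] is not None:
            ev["logon_type"] = int(ev["logon_type"])
        events.append(ev)
    return events


def is_anonymous_noise(ev):
    """540/538 for ANONYMOUS LOGON with Logon Type 3 is the share/printer browsing chatter."""
    return (ev["event_id"] in (540, 538)
            and ev["user"] == "ANONYMOUS LOGON"
            and ev["logon_type"] == 3)


def triage(events):
    """Split noise from real logons, pair 540/538 by Logon ID, count noise per source."""
    noise = [e for e in events if is_anonymous_noise(e)]
    kept = [e for e in events if not is_anonymous_noise(e)]
    sessions = defaultdict(dict)
    per_source = Counter()
    for e in noise:
        sessions[e["logon_id"]][e["event_id"]] = e
        if e["event_id"] == 540:
            per_source[e["source_addr"] or e["workstation"]] += 1
    # A 540 without its 538 (or vice versa) is a still-open session or a gap in the log.
    unpaired = sorted(lid for lid, s in sessions.items() if set(s) != {540, 538})
    return {"noise": len(noise), "kept": kept,
            "per_source": per_source, "unpaired_logon_ids": unpaired}


if __name__ == "__main__":
    result = triage(parse_export(SAMPLE_EXPORT))
    print(f"anonymous 540/538 noise events: {result['noise']}")
    for addr, n in result["per_source"].most_common():
        print(f"  {addr}: {n} anonymous network logons")
    print("unpaired logon IDs:", result["unpaired_logon_ids"])
    for e in result["kept"]:
        print(f"kept: {e['time']} event {e['event_id']} user {e['user']} type {e['logon_type']}")
```

The per-source tally is the part worth looking at first: a handful of machines each producing a few anonymous logons every few minutes matches the printer/share browsing the answer describes, while one source producing far more than the rest, or logons arriving outside hours when that workstation should be idle, is the thing to take to Wireshark and the source machine itself.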
DanielT (Author) commented:
LOTS of good info.
Thanks.

For this machine it is a REALLY simple config [ :) ]. On the local machine, just Windows logging and local security policy settings. It is the local log that is filling and is particularly problematic as the main acct is a user acct (not admin) and it gets locked out when the log is full. So the intent would be to minimize the quantity of log data. The log itself has already had its maximum size increased and retention period shortened to help prevent the lockout.

Logging is enabled for...
- Audit Account Logon events; success and failure
- Audit Logon events; success and failure

As I understand, "Logon events" records entries for remote or local logon whereas "Account logon events" records only local acct logons. Am thinking I just need to stop logging for "Logon events" that have succeeded. Would this do it - or do I have the two mixed up?

Thx!
0
Rich Rumble (Security Samurai) commented:
The functional limit (not theoretical, functional) for event logs in XP is 300Mb or so: http://support.microsoft.com/kb/957662
There are also log policies you can have, such as overwriting as needed, keeping only the last month's logs etc.
[screenshot: evt-log-properties]
I would start there; that also has the side effect of letting people log on when the event log is full. If it fills up too quickly then perhaps move to the overwrite as needed.
The last suggestion I'd have is to have a 3rd party firewall block those anonymous logons; I know you can do that with ZoneAlarm, probably others.
You may also look in secpol.msc -> Local Policies -> Security Options and make sure the anonymous logons are kept to a minimum.
[screenshot: anonymous settings]
-rich
0
DanielT (Author) commented:
Hi Rich

Already dealt with the log size and retention (number of days to keep before over-writing) as mentioned above BUT between that and the Network Access settings in secpol.msc I think it will do the trick.

Thx!
0
DanielT (Author) commented:
Thx for quick feedback and thorough answers!!  :))
0