<?xml version='1.0' encoding='UTF-8'?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>UltimateWindowsSecurity.com Forum / Ultimate Windows Security Forum / Security Log / 540 - Successful Network Logon  / machine accounts in code 540, 538 events / Latest Posts</title><generator>InstantForum.NET v4.1.4</generator><description>UltimateWindowsSecurity.com Forum</description><link>http://forum.ultimatewindowssecurity.com/</link><webMaster>noreply@ultimatewindowssecurity.com</webMaster><lastBuildDate>Tue, 07 Feb 2012 12:09:49 GMT</lastBuildDate><ttl>20</ttl><item><title>RE: machine accounts in code 540, 538 events</title><link>http://forum.ultimatewindowssecurity.com/Topic80-34-1.aspx</link><description>So it is true then that there is no way to effectively "stop" the vast numbers of these from being logged if you have auditing enabled? That is unfortunate.&lt;br&gt;&lt;br&gt;For example, we have several hundred systems logging to several different ADs and on average in an hour we generate 270K logs, of which 89k are Event ID 540; breaking out the Type3 and Type8 we find that about 88.5k of them are Type3 with the remaining ~500 being Type8.&lt;br&gt;&lt;br&gt;Looking closer at the Type3 we find that 50.5k of them are "ANONYMOUS LOGON"&lt;br&gt;&lt;br&gt;Such as below:&lt;br&gt;&lt;br&gt;NT AUTHORITY,ANONYMOUS LOGON,vb2k0056,Aug 27 17:59:03 2009,security,Security,"Successful Network Logon: &lt;br&gt; User Name:  Domain:  Logon ID:(0x0,0x4F6DE22B)  Logon Type:3  Logon Process:NtLmSsp   Authentication Package:NTLM  Workstation Name:VB0409237  Logon GUID:-  Caller&lt;br&gt; User Name:-  Caller Domain:-  Caller Logon ID:-  Caller Process ID: -  Transited Services: -  Source Network Address:10.153.152.154  Source Port:0 &lt;br&gt;&lt;br&gt;So no one has devised a way to not log this sort of behavior?</description><pubDate>Thu, 27 Aug 2009 19:06:51 GMT</pubDate><dc:creator>riz</dc:creator></item><item><title>RE: machine accounts in code 540, 538 events</title><link>http://forum.ultimatewindowssecurity.com/Topic80-34-1.aspx</link><description>I assume you are describing the log on a domain controller? If so, yes, that's normal. Each computer in the domain checks in with a domain controller every 90 minutes or so to refresh group policy, which causes a network logon (540) and logoff (538). It would be nice if that auditing could just be turned off since it's noise, but Windows lacks that kind of granularity.</description><pubDate>Tue, 28 Apr 2009 09:10:17 GMT</pubDate><dc:creator>RandyFranklinSmith</dc:creator></item><item><title>machine accounts in code 540, 538 events</title><link>http://forum.ultimatewindowssecurity.com/Topic80-34-1.aspx</link><description>Our WS2003 Event Viewer Security log contains many more machine log-ins than user account logins. Is this a normal, useful configuration, or have we bollixed something?</description><pubDate>Mon, 27 Apr 2009 10:45:59 GMT</pubDate><dc:creator>Clay</dc:creator></item></channel></rss>
