Forum Newbie
Hello, I have a system that has many Event ID 4624 Successful (Anonymous) Logon events with the corresponding 4634 Logoffs. The account name is ANONYMOUS, with NO network information whatsoever on any of the event entries, with the account domain as NT AUTHORITY. There is a total of 1185 over a 12 month period. These are all Logon Type 3 (network). Are there any legitimate reasons for this? How come there is NO source IP or workstation name listed on any of these? This is on a Windows Vista system. There is an IIS_Guest account, but the system is not supposed to be running a web service. Though not sure how I can check. Are there any registry keys that would show this? All I have is a dead system image, and I can't boot it up. Thanks,

Forum Newbie
Sorry, I meant to say that there is an IIS_IUSRS account on the system, not IIS_GUEST.

Forum Newbie
To add more, in doing some testing I found out that I have the same events on my STANDALONE system, so these entries have to be legit, but what are they???

Expert
I wish I had a more satisfying answer for you, but this is just normal "noise" in Windows. The fact that there is no workstation name or IP address indicates a "network" logon by a local process. Try to find a rational explanation for every event in the security log and your head becomes a messy pulp from beating it against the wall.

Forum Newbie
I'm having the same issue, but in this case there IS network information provided.

An account was successfully logged on.

Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

Logon Type: 3

New Logon:
    Security ID: ANONYMOUS LOGON
    Account Name: ANONYMOUS LOGON
    Account Domain: NT AUTHORITY
    Logon ID: 0x404590
    Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID: 0x0
    Process Name: -

Network Information:
    Workstation Name: V
    Source Network Address: 192.168.0.110
    Source Port: 1031

Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): NTLM V1
    Key Length: 0

Thanks in advance.
-Eric

Expert
I know it's hard to accept but anonymous logons are normal. The fact that there is no network information shows that it's just local system activity. Windows talking to itself.

Forum Newbie
Okay. That's understandable, but it was the part when you said there is no Network Information that flagged something in my thoughts, because it said exactly "Network Information" in the report.

Network Information:
    Workstation Name: V
    Source Network Address: 192.168.0.110
    Source Port: 1031

Thanks

Expert
Nevertheless, as long as you don't enable the Security Option "let everyone permissions apply to anonymous", you are OK.
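
The distinction this thread turns on, as an added example that is not part of the original posts: a Python parser for 4624 description text in the layout posted above. It keeps the Subject and New Logon fields apart (both contain "Account Name") and reports whether an ANONYMOUS LOGON event records a source address, a workstation name and NTLM V1. The two sample events are constructed from the thread's text, and the names `parse_event`, `present` and `triage` are hypothetical.

```python
SECTIONS = {"Subject", "New Logon", "Process Information",
            "Network Information", "Detailed Authentication Information"}

# Constructed sample: abridged from the event text posted in the thread.
WITH_SOURCE = """An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
New Logon:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Network Information:
Workstation Name: V
Source Network Address: 192.168.0.110
Source Port: 1031
Detailed Authentication Information:
Package Name (NTLM only): NTLM V1
"""
# Constructed sample: same event with the network fields empty, as the first post describes.
NO_SOURCE = (WITH_SOURCE.replace("Workstation Name: V", "Workstation Name:")
             .replace("192.168.0.110", "-").replace("Source Port: 1031", "Source Port: -"))

def parse_event(text):
    """Return {section: {field: value}}; field names repeat across sections."""
    event, section = {}, None
    for line in text.splitlines():
        name, sep, value = line.strip().partition(":")
        if not sep:
            continue  # free text such as the summary sentence
        if name in SECTIONS and not value.strip():
            section = event.setdefault(name, {})
        elif section is not None:
            section[name] = value.strip()
    return event

def present(value):
    """Treat '-' or an empty value as 'not recorded'."""
    return value if value not in (None, "", "-") else None

def triage(event):
    """Summarise an ANONYMOUS LOGON event; None for any other account."""
    if event.get("New Logon", {}).get("Account Name") != "ANONYMOUS LOGON":
        return None
    net = event.get("Network Information", {})
    auth = event.get("Detailed Authentication Information", {})
    return {"source": present(net.get("Source Network Address")),
            "workstation": present(net.get("Workstation Name")),
            "ntlm_v1": auth.get("Package Name (NTLM only)") == "NTLM V1"}
```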

Forum Newbie
Why do we have Event ID 4742 for the user Anonymous Logon?