WebApp Sec mailing list archives
RE: successful anonymous login
From: "Yvan Boily" <yboily () seccuris com>
Date: Tue, 27 Jul 2004 15:08:38 -0500
Hmm.. This looks like it could be an attempt from a computer browser service to determine whether or not there are shares available on the system.

Is <the IP address> or the workstation HOD something that should normally do things like that?

Have you run through a hardening checklist on your windows 2k3 box? What kind of security have you put into place on this system?

-----Original Message-----
From: Jose Rivera [mailto:jose () papugai com]
Sent: Tuesday, July 27, 2004 12:59 PM
To: webappsec () securityfocus com
Subject: successful anonymous login

We recently migrated our web server into windows 2003. Not sure where this is coming from...but successful login from an anonymous user doesn't sound good? Please help or point in the right direction.

Thanks
Jose

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 7/27/2004
Time: 10:44:20 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: xxxxxx
Description:
Successful Network Logon:
    User Name:
    Domain:
    Logon ID: (0x0,0x9BA1BD3)
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: HOD
    Logon GUID: -
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: <the IP address>
    Source Port: 0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
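
Added example, not part of the original thread: a Python sketch that parses events exported in the text layout quoted above and counts anonymous network logons (Event ID 540, Logon Type 3, empty User Name) per workstation and source address, so the sources can be checked against hosts expected to do this. The sample event, the address 192.0.2.10 and all function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of the event quoted above; the address is
# a documentation-range placeholder, not a value from the thread.
SAMPLE_EVENT = """\
Event Type: Success Audit
Event ID: 540
User: NT AUTHORITY\\ANONYMOUS LOGON
Description:
Successful Network Logon:
    User Name:
    Domain:
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: HOD
    Source Network Address: 192.0.2.10
"""

# "Name: value" lines; the name may contain letters, spaces and "/".
FIELD = re.compile(r"^[ \t]*([A-Za-z][A-Za-z /]*?):[ \t]*(.*)$")

def parse_event(text):
    """Split 'Name: value' lines into a dict; empty or '-' values become None."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            value = m.group(2).strip()
            fields[m.group(1).strip()] = None if value in ("", "-") else value
    return fields

def is_anonymous_network_logon(ev):
    """True for a 540 network logon (type 3) recorded as ANONYMOUS LOGON with no user name."""
    return (ev.get("Event ID") == "540"
            and ev.get("Logon Type") == "3"
            and ev.get("User Name") is None
            and (ev.get("User") or "").upper().endswith("ANONYMOUS LOGON"))

def summarize(events):
    """Count anonymous network logons per (workstation, source address) pair."""
    counts = {}
    for ev in map(parse_event, events):
        if is_anonymous_network_logon(ev):
            key = (ev.get("Workstation Name"), ev.get("Source Network Address"))
            counts[key] = counts.get(key, 0) + 1
    return counts
```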