RE: successful anonymous login

["Yvan Boily" <yboily () seccuris com>]

Hmm.. This looks like it could be an attempt from a computer browser service
to determine wether or not there are shares available on the system.

Is <the IP address> or the workstation HOD something that should normally do
things like that?  

Have you run through a hardening checklist on your windows 2k3 box?  What
kind of security have you put into place on this system?

-----Original Message-----
From: Jose Rivera [mailto:jose () papugai com] 
Sent: Tuesday, July 27, 2004 12:59 PM
To: webappsec () securityfocus com
Subject: successful anonymous login

We recently migrated our web server into windows 2003.

Not sure where this is coming from...but successful login from an
anonymous user doesn't sound good?

Please help or point in the right direction.

Thanks
Jose


Event Type:     Success Audit
Event Source:   Security
Event Category: Logon/Logoff 
Event ID:       540
Date:           7/27/2004
Time:           10:44:20 AM
User:           NT AUTHORITY\ANONYMOUS LOGON
Computer:       xxxxxx
Description:
Successful Network Logon:
        User Name:      
        Domain:         
        Logon ID:               (0x0,0x9BA1BD3)
        Logon Type:     3
        Logon Process:  NtLmSsp 
        Authentication Package: NTLM
        Workstation Name:       HOD
        Logon GUID:     -
        Caller User Name:       -
        Caller Domain:  -
        Caller Logon ID:        -
        Caller Process ID: -
        Transited Services: -
        Source Network Address: <the IP address>
        Source Port:    0


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.