WebApp Sec mailing list archives
RE: successful anonymous login
From: "Yvan Boily" <yboily () seccuris com>
Date: Tue, 27 Jul 2004 15:11:45 -0500
I would go through all of your policies on the 2k3 server and ensure that all anonymous access is locked down. I would also manually peruse the services running on the system and disable anything you do not need.

Be careful not to do this on a production box; remember that sometimes hardening checklists can render a system inoperable (for your purposes).

2003 is better than most NTOS platforms, however it still has a few things that concern me (but I am overly paranoid).

-----Original Message-----
From: Jose Rivera [mailto:jose () papugai com]
Sent: Tuesday, July 27, 2004 2:59 PM
To: 'Yvan Boily'
Subject: RE: successful anonymous login

Hi Ivan

I've put the IIS lockdown tool...but other than that I assumed wk2003 would be closed down by default?

You might be correct on the computer browser, as I've seen events related to this in the logs.

[ip deleted] is not one of my ip's tho...

Thanks
Jose

-----Original Message-----
From: Yvan Boily [mailto:yboily () seccuris com]
Sent: Tuesday, July 27, 2004 12:32 PM
To: 'Jose Rivera'
Subject: RE: successful anonymous login

Hmm.. This looks like it could be an attempt from a computer browser service to determine whether or not there are shares available on the system. Is [ip deleted] or the workstation HOD something that should normally do things like that?

Have you run through a hardening checklist on your Windows 2k3 box? What kind of security have you put into place on this system?

-----Original Message-----
From: Jose Rivera [mailto:jose () papugai com]
Sent: Tuesday, July 27, 2004 12:59 PM
To: webappsec () securityfocus com
Subject: successful anonymous login

We recently migrated our web server into Windows 2003. Not sure where this is coming from...but successful login from an anonymous user doesn't sound good? Please help or point in the right direction.

Thanks
Jose

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 7/27/2004
Time: 10:44:20 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: xxxxxx
Description:
Successful Network Logon:
    User Name:
    Domain:
    Logon ID: (0x0,0x9BA1BD3)
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: HOD
    Logon GUID: -
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address:[ip deleted]
    Source Port: 0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
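Added example, not part of the original thread: a small Python triage script that parses Event ID 540 records laid out like the one quoted above, keeps the anonymous network logons (Logon Type 3), and lists the sources that are not on a list of expected addresses. The `---` record separator, the function names, and every host and address in the sample are assumptions made for the example.

```python
from collections import Counter

# Constructed sample records (not from the thread), using field names from the
# Event ID 540 entry quoted above. The "---" separator and all hosts/addresses
# are assumptions; the addresses come from documentation ranges.
SAMPLE = r"""Event ID: 540
User: NT AUTHORITY\ANONYMOUS LOGON
Logon Type: 3
Workstation Name: HOD
Source Network Address:192.0.2.10
---
Event ID: 540
User: NT AUTHORITY\ANONYMOUS LOGON
Logon Type: 3
Workstation Name: WS2
Source Network Address: 198.51.100.7
---
Event ID: 540
User: EXAMPLE\alice
Logon Type: 3
Workstation Name: HOD
Source Network Address: 192.0.2.10
"""

def parse_events(text):
    """Split on '---' lines; turn each record's 'Key: value' lines into a dict."""
    events = []
    for block in text.split("\n---\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only, so times survive
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events

def is_anonymous_network_logon(ev):
    """Event 540 with logon type 3 (network) under the ANONYMOUS LOGON account."""
    return (ev.get("Event ID") == "540" and ev.get("Logon Type") == "3"
            and ev.get("User", "").upper().endswith("ANONYMOUS LOGON"))

def triage(text, known_addresses):
    """Count anonymous network logons per source; list sources not in known_addresses."""
    counts = Counter()
    for ev in parse_events(text):
        if is_anonymous_network_logon(ev):
            src = (ev.get("Workstation Name", ""), ev.get("Source Network Address", ""))
            counts[src] += 1
    return counts, sorted(s for s in counts if s[1] not in known_addresses)
```

Calling `triage(SAMPLE, {"192.0.2.10"})` counts one anonymous logon from each of the two sources and reports only the WS2 source as unexpected; the named-user logon is ignored.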