WebApp Sec mailing list archives
RE: successful anonymous login
From: "Yaakov Yehudi" <yehudi () tehila gov il>
Date: Wed, 28 Jul 2004 09:09:05 +0300
Most functionality of URLSCAN is equaled or excelled by inbuilt features of Windows 2003's IIS 6. In other words, it is normally contraindicated to use URLSCAN in Windows 2003.

-----Original Message-----
From: dave kleiman [mailto:dave () isecureu com]
Sent: Wednesday, July 28, 2004 06:37
To: webappsec () securityfocus com
Cc: 'Jose Rivera'; 'Adam Tuliper'
Subject: RE: successful anonymous login

Jose,

I apologize to all if I missed something earlier in the thread and repeat it.

1. Look over: http://support.microsoft.com/default.aspx?scid=kb;en-us;867716&Product=winsvr2003 this is Understanding and evaluating Microsoft Internet Information Services authentication (not poking fun) but should be pre migration review.

2. And http://support.microsoft.com/default.aspx?scid=kb;en-us;812614&Product=iis60 these are your default IIS6 perms. You can check them manually or you can send an e-mail to authdiag () microsoft com request a copy of AuthDiag 1.0 RC 2, they respond fast and this tool lets you verify the perms, and perform many other Authentication checks against your IIS server.

3. NTLMSsp is the NT LM Security Support Provider. Type 3 indicates Network Logon.

4. Install URLScan see: http://www.microsoft.com/technet/security/tools/urlscan.mspx#XSLTsection123121120120 to decide if this fits your needs.

5. Without knowing more about your setup, which would be helpful for indicating security settings to help, you should at the very least set the following:

You can edit by hand or:

________________ cut and paste into a .reg file_________________
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000001
"disabledomaincreds"=dword:00000001
"everyoneincludesanonymous"=dword:00000000
"forceguest"=dword:00000000
"fullprivilegeauditing"=hex:01
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000005
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000001
"restrictanonymous"=dword:00000001
"restrictanonymoussam"=dword:00000001
"SubmitControl"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"ntlmminclientsec"=dword:20080030
"ntlmminserversec"=dword:20080030

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"ProtectionMode"=dword:00000001
"SafeDllSearchMode"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"obcaseinsensitive"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001
__________________________end cut________________________________________________

Once again it would be nice to hear a little more about your setup (i.e. SQL or other Database, ColdFusion, ASP.NET etc.. etc..) this would or could change permissions needed on various items.

______________________________________
Dave Kleiman, CISSP, CISM, CIFI, MCSE
www.SecurityBreachResponse.com

-----Original Message-----
From: Jose Rivera [mailto:jose () papugai com]
Sent: Tuesday, July 27, 2004 20:57
To: 'Adam Tuliper'; webappsec () securityfocus com
Subject: RE: successful anonymous login

Yes, as far as I know all patches are in. Even an update check says no updates are needed. Is it a given that latest service packs do not contain all NEEDED patches? If so, does anyone have a list of what patches are needed outside of released service packs?

-----Original Message-----
From: Adam Tuliper [mailto:amt () gecko-software com]
Sent: Tuesday, July 27, 2004 12:18 PM
To: Jose Rivera; 'Adam Tuliper'; webappsec () securityfocus com
Subject: Re: successful anonymous login

considering this was via dcom...was this machine completely patched and up to date before this event was logged?

On Tue, 27 Jul 2004 12:12:53 -0700 "Jose Rivera" <jose () papugai com> wrote:

Good question. It's not like a name of a machine on my network. From research, I think it stands for host on demand. Why this comes up in this error tho, I'm not sure. The ip is definitely from outside.

-----Original Message-----
From: Adam Tuliper [mailto:amt () gecko-software com]
Sent: Tuesday, July 27, 2004 12:02 PM
To: Jose Rivera; webappsec () securityfocus com
Subject: Re: successful anonymous login

NtLmSsp usually deals with DCOM logins. What workstation is HOD?

On Tue, 27 Jul 2004 10:59:11 -0700 "Jose Rivera" <jose () papugai com> wrote:

We recently migrated our web server into windows 2003. Not sure where this is coming from...but successful login from an anonymous user doesn't sound good? Please help or point in the right direction.

Thanks
Jose

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 7/27/2004
Time: 10:44:20 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: xxxxxx
Description:
Successful Network Logon:
    User Name:
    Domain:
    Logon ID: (0x0,0x9BA1BD3)
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: HOD
    Logon GUID: -
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 81.60.187.145
    Source Port: 0
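
A small triage of the Event ID 540 record quoted in this thread, added here as an example and not part of any poster's message: it parses the event text and reports whether it is an anonymous Type 3 logon and whether the source address lies outside private ranges. The function names and the second, constructed event are assumptions made for illustration.

```python
import ipaddress

# Fields copied from the Event ID 540 record quoted in the thread.
THREAD_EVENT = """\
Event ID: 540
User: NT AUTHORITY\\ANONYMOUS LOGON
Logon Type: 3
Logon Process: NtLmSsp
Workstation Name: HOD
Source Network Address: 81.60.187.145
"""

# Constructed contrast sample: a named account from an internal address.
CONSTRUCTED_EVENT = """\
Event ID: 540
User: EXAMPLE\\webadmin
Logon Type: 3
Logon Process: Kerberos
Source Network Address: 10.0.0.15
"""

def parse_event(text):  # 'Name: value' lines -> dict keyed by lower-cased name
    fields = {}
    for line in text.splitlines():
        # Split on the first colon only, so values containing colons survive.
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields

def source_is_external(address):
    """True only for a parseable address outside private/loopback/link-local space."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:  # '-' or empty: the event carried no address
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)

def triage(text):
    """Return the reasons a network-logon event deserves a closer look."""
    f = parse_event(text)
    if f.get("event id") != "540" or f.get("logon type") != "3":
        return []
    reasons = []
    if f.get("user", "").upper().endswith("ANONYMOUS LOGON"):
        reasons.append("anonymous network logon via " + f.get("logon process", "?"))
    if source_is_external(f.get("source network address", "")):
        reasons.append("source address is outside private ranges")
    return reasons
```
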