Archived from groups: microsoft.public.win2000.security
It is a fact of life in a Windows network using file and print sharing and netbios
over tcp/ip. Disabling netbios over tcp/ip and/or file and print sharing on a
computer will drastically reduce or eliminate those events. If you disable netbios
over tcp/ip then you will not be able to use My Network Places anymore but could use
strictly Active Directory to publish and find shares. Of course you would want to
make sure all of your applications do not rely on netbios over tcp/ip. You cannot
disable file and print sharing on domain controllers, and any computer you disable it
on will no longer be able to offer shares or be remotely manageable.

I suggest you run Ethereal on a computer for a while to capture those null sessions
to show your boss what they are for. Most likely they will show up using port 138 udp
and sometimes 139 tcp. Be sure your firewall blocks access to those ports from the
internet. The article below explains null sessions fairly well.

If your domain structure will allow it and still allow user access, you can remove
"everyone" from user rights such as access this computer from the network and from
share/ntfs permissions, using authenticated users instead. In Windows 2000 you can
also configure the security option for "additional restrictions for anonymous
connections". It has three settings. Usually the middle setting for "do not allow
anonymous enumeration of sam and shares" is safe to set on all computers, though the
most restrictive setting of "no access without explicit anonymous permissions" should
be used with caution, particularly on domain controllers. --- Steve
http://www.sans.org/rr/papers/index.php?id=286
"Jason Hurley" <jason.hurley@compuware.com> wrote in message
news:2ae5701c4680a$c4fd1ae0$a501280a@phx.gbl...
> Thanks for the info.
>
> However, my Boss is being a royal pain and now wants to
> know exactly why we see "Anonymous Logon". I've tried
> looking it up in FAQ but nothing that helps comes up. Can
> someone help here?
>
> Windows 2000, AD, IIS.
>
> JH
>
>
> >-----Original Message-----
> >You probably do not have a security breach if just anonymous access is
> >showing in the logs. Anonymous access or "null" sessions are used in
> >Windows networking for things like maintaining the browse list [probably
> >main reason], and users changing passwords before expiring. If you have
> >downlevel clients you may see more than in an all W2K/XP Pro network. A
> >security breach would be indicated more by lots of unexplained failed
> >logons in the security log, particularly of the administrator account,
> >and account lockouts. The link below can explain more. I am not
> >advocating you make the change it discusses on domain controllers, but
> >read the paste under the link. --- Steve
> >
> >http://support.microsoft.com/?kbid=246261
> >
> >"The following tasks are restricted when the RestrictAnonymous registry
> >value is set to 2 on a Windows 2000-based domain controller:
> > a.. Down-level member workstations or servers are not able to set up a
> >netlogon secure channel.
> > b.. Down-level domain controllers in trusting domains are not able to
> >set up a netlogon secure channel.
> > c.. Microsoft Windows NT users are not able to change their passwords
> >after they expire. Also, Macintosh users are not able to change their
> >passwords at all.
> > d.. The Browser service is not able to retrieve domain lists or server
> >lists from backup browsers, master browsers or domain master browsers
> >that are running on computers with the RestrictAnonymous registry value
> >set to 2. Because of this, any program that relies on the Browser
> >service does not function properly"
> >
> >
> >"Jason Hurley" <jason.hurley@compuware.com> wrote in message
> >news:2aaaa01c465f3$328baf50$a301280a@phx.gbl...
> >> When I check my security log in the event viewer I
> >> sometimes see "Success Audit" for user "ANONYMOUS LOGON".
> >> I know that it is a system group but what is triggering
> >> ANONYMOUS LOGON to happen? Do I have a security Breach?
> >>
> >> Environment: Windows 2000 Active Directory
> >>
> >> Anyone help?
> >> Thanks,
> >> Jason
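The heuristic in Steve's earlier reply (ANONYMOUS LOGON success audits are routine on a NetBIOS/SMB network; clusters of failed logons, especially against the administrator account, and account lockouts are the real warning signs) can be turned into a small log-triage script that produces the per-workstation tally a boss would ask for. The following Python is an added example and not code from the thread. It assumes a simplified `key=value;...` audit line format standing in for a real event-viewer export (the sample lines are constructed), and its count thresholds are assumptions to tune against your own baseline. The event IDs it keys on (528/540 successful logon, 529/539 failed logon, 644 account lockout) are the Windows 2000 security-log IDs, and `NT AUTHORITY` / `ANONYMOUS LOGON` is how the event viewer names a null session.

```python
"""Triage Windows 2000 security-log entries: anonymous network logons are
tallied per workstation as a baseline, while failed logons and lockouts
feed the breach heuristic described in the thread (added example)."""
from collections import Counter
from dataclasses import dataclass

# Windows 2000 security-log event IDs
SUCCESS_LOGON_IDS = {528, 540}   # successful logon / successful network logon
FAILED_LOGON_IDS = {529, 539}    # bad user or password / account locked out
LOCKOUT_ID = 644                 # user account locked out

# Thresholds are assumptions for illustration; tune them to your own baseline.
FAILED_LOGON_THRESHOLD = 5
FAILED_ADMIN_THRESHOLD = 3


@dataclass(frozen=True)
class Event:
    event_id: int
    user: str
    domain: str
    logon_type: int   # 3 = network logon, which is what a null session produces
    workstation: str


def parse_line(line):
    """Parse one constructed 'key=value;key=value' audit line into an Event.

    This simplified format stands in for a real event-viewer export; adapt
    the field mapping to whatever your export tool produces.
    """
    fields = dict(part.split("=", 1) for part in line.strip().split(";"))
    return Event(
        event_id=int(fields["id"]),
        user=fields["user"],
        domain=fields["domain"],
        logon_type=int(fields["type"]),
        workstation=fields["ws"],
    )


def load(text):
    """Parse every non-blank line of an audit export."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def is_anonymous(evt):
    """NT AUTHORITY / ANONYMOUS LOGON is how the event viewer names a null session."""
    return evt.user.upper() == "ANONYMOUS LOGON" and evt.domain.upper() == "NT AUTHORITY"


def triage(events):
    """Count routine anonymous logons per workstation and flag the real indicators."""
    anon_by_ws = Counter()
    failed_by_user = Counter()
    lockouts = []
    for e in events:
        if e.event_id in SUCCESS_LOGON_IDS and is_anonymous(e):
            anon_by_ws[e.workstation] += 1
        elif e.event_id in FAILED_LOGON_IDS:
            failed_by_user[e.user.lower()] += 1
        elif e.event_id == LOCKOUT_ID:
            lockouts.append(e.user)
    failed_total = sum(failed_by_user.values())
    failed_admin = failed_by_user.get("administrator", 0)
    # Steve's rule of thumb: anonymous successes alone are not a breach signal;
    # many unexplained failures, admin failures, or lockouts are.
    suspicious = (
        failed_total >= FAILED_LOGON_THRESHOLD
        or failed_admin >= FAILED_ADMIN_THRESHOLD
        or bool(lockouts)
    )
    return {
        "anonymous_network_logons": sum(anon_by_ws.values()),
        "anonymous_by_workstation": dict(anon_by_ws),
        "failed_logons": failed_total,
        "failed_admin_logons": failed_admin,
        "lockouts": lockouts,
        "suspicious": suspicious,
    }


# Constructed sample: three routine null-session audits, one real user logon,
# then a burst of failures against Administrator and a lockout of 'backup'.
SAMPLE_LOG = """\
id=540;user=ANONYMOUS LOGON;domain=NT AUTHORITY;type=3;ws=WS-ACCT01
id=540;user=ANONYMOUS LOGON;domain=NT AUTHORITY;type=3;ws=WS-ACCT01
id=540;user=ANONYMOUS LOGON;domain=NT AUTHORITY;type=3;ws=PRINTSRV
id=540;user=jhurley;domain=CORP;type=3;ws=WS-ACCT01
id=529;user=Administrator;domain=CORP;type=3;ws=UNKNOWN01
id=529;user=Administrator;domain=CORP;type=3;ws=UNKNOWN01
id=529;user=Administrator;domain=CORP;type=3;ws=UNKNOWN01
id=529;user=backup;domain=CORP;type=3;ws=UNKNOWN01
id=539;user=backup;domain=CORP;type=3;ws=UNKNOWN01
id=644;user=backup;domain=CORP;type=0;ws=DC01
"""

if __name__ == "__main__":
    for key, value in triage(load(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The `anonymous_by_workstation` breakdown is the part to hand over alongside an Ethereal capture of the port 138/139 traffic: it shows which machines are opening null sessions (browse-list and password-change traffic from members, as the thread explains) rather than a lone outside address, while the `suspicious` flag only trips on the failure and lockout patterns that actually merit investigation.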