Event 538 with no corresponding logon

Toggle sidebar Toggle sidebar
M

Michael

Distinguished
Dec 31, 2007
1,319
0
19,280
Archived from groups: microsoft.public.win2000.security (More info?)

Hi all,

I know that this has come up in some past threads, but I can't find them and
this is the first time I ever see this problem. I have 2 Windows 2000 Server
member servers that are running Terminal Services and Citrix MetaFrame. They
both have RestrictAnonymous set to 2 (I just verified it). They were
installed in December of last year and have been running fine until a couple
of days ago. Now all of a sudden the security logs are being filled with
Event 538 ANONYMOUS LOGON from NT AUTHORITY of type 3 and there is no
corresponding logon for any of the events. I've been searching on KB,
EventID.net and everywhere else, and in NO place does it actually explain
why this occurs, only that it occurs. The comments on EventID.net only
allude to the fact that this event can "happen" with no associated logon,
but doesn't actually explain why or how to stop it. Another site brings up
this problem along with another one, but then only goes into detail on the
other problem.

By the way, the only thing we changed on these systems in the last couple of
days was move them to a switch from a hub, and change all the network cards
and switch ports to 100/full duplex. These events seem to have started right
after this change.

Can anyone shed some light on this?

Thanks in advance.

Michael S.
 
Archived from groups: microsoft.public.win2000.security (More info?)

I don't really know but I notice when using Ethereal to capture packet traffic
that a lot of times null sessions are used by the computer browser service.
Maybe your computer became a master browser suddenly?? You can use nbtstat -n to
see if it is. You could try using Ethereal to try and see what kind of traffic
is causing such activity [what ports, etc]. You could correlate the Ethereal
capture with the security log by time to narrow down the search and maybe use a
filter if you know what computer or computers are initiating those null
sessions. --- Steve


"Michael" <nospam@nospam.no> wrote in message
news:eybLw90XEHA.3664@TK2MSFTNGP12.phx.gbl...
> Hi all,
>
> I know that this has come up in some past threads, but I can't find them and
> this is the first time I ever see this problem. I have 2 Windows 2000 Server
> member servers that are running Terminal Services and Citrix MetaFrame. They
> both have RestrictAnonymous set to 2 (I just verified it). They were
> installed in December of last year and have been running fine until a couple
> of days ago. Now all of a sudden the security logs are being filled with
> Event 538 ANONYMOUS LOGON from NT AUTHORITY of type 3 and there is no
> corresponding logon for any of the events. I've been searching on KB,
> EventID.net and everywhere else, and in NO place does it actually explain
> why this occurs, only that it occurs. The comments on EventID.net only
> allude to the fact that this event can "happen" with no associated logon,
> but doesn't actually explain why or how to stop it. Another site brings up
> this problem along with another one, but then only goes into detail on the
> other problem.
>
> By the way, the only thing we changed on these systems in the last couple of
> days was move them to a switch from a hub, and change all the network cards
> and switch ports to 100/full duplex. These events seem to have started right
> after this change.
>
> Can anyone shed some light on this?
>
> Thanks in advance.
>
> Michael S.
>
>
 
You must log in or register to reply here.

TRENDING THREADS

Latest posts

Moderators online

Share this page

COMPANY
RESOURCES
FOLLOW
Top Bottom