WebApp Sec mailing list archives

RE: successful anonymous login


From: "Yvan Boily" <yboily () seccuris com>
Date: Tue, 27 Jul 2004 15:11:45 -0500

I would go through all of your policies on the 2k3 server and ensure that
all anonymous access is locked down.  I would also manually peruse the
services running on the system and disable anything you do not need.  Be
careful not to do this on a production box; remember that sometimes
hardening checklists can render a system inoperable (for your purposes).


2003 is better than most NTOS platforms; however, it still has a few things
that concern me (but I am overly paranoid).

-----Original Message-----
From: Jose Rivera [mailto:jose () papugai com] 
Sent: Tuesday, July 27, 2004 2:59 PM
To: 'Yvan Boily'
Subject: RE: successful anonymous login

Hi Ivan

I've put the IIS lockdown tool...but other than that I assumed wk2003
would be closed down by default?

You might be correct on the computer browser, as I've seen events related
to this in the logs. 

[ip deleted] is not one of my ip's tho...

Thanks
Jose

-----Original Message-----
From: Yvan Boily [mailto:yboily () seccuris com] 
Sent: Tuesday, July 27, 2004 12:32 PM
To: 'Jose Rivera'
Subject: RE: successful anonymous login

Hmm.. This looks like it could be an attempt from a computer browser
service to determine whether or not there are shares available on the
system.

Is [ip deleted] or the workstation HOD something that should normally
do things like that?

Have you run through a hardening checklist on your Windows 2k3 box?
What kind of security have you put into place on this system?

-----Original Message-----
From: Jose Rivera [mailto:jose () papugai com] 
Sent: Tuesday, July 27, 2004 12:59 PM
To: webappsec () securityfocus com
Subject: successful anonymous login

We recently migrated our web server to Windows 2003.

Not sure where this is coming from...but successful login from an
anonymous user doesn't sound good?

Please help or point in the right direction.

Thanks
Jose


Event Type:     Success Audit
Event Source:   Security
Event Category: Logon/Logoff 
Event ID:       540
Date:           7/27/2004
Time:           10:44:20 AM
User:           NT AUTHORITY\ANONYMOUS LOGON
Computer:       xxxxxx
Description:
Successful Network Logon:
        User Name:      
        Domain:         
        Logon ID:               (0x0,0x9BA1BD3)
        Logon Type:     3
        Logon Process:  NtLmSsp 
        Authentication Package: NTLM
        Workstation Name:       HOD
        Logon GUID:     -
        Caller User Name:       -
        Caller Domain:  -
        Caller Logon ID:        -
        Caller Process ID: -
        Transited Services: -
        Source Network Address:[ip deleted]
        Source Port:    0


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
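
Added example, not part of the original thread: a small Python triage script that parses Security events exported as text in the layout shown above, picks out event 540 anonymous network logons (Logon Type 3, empty User Name), and counts them per workstation and source address so the question "should HOD normally do this?" can be answered from the log. The computer name WEB01, the address 192.0.2.10, and the expected-workstation list are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample modelled on the event in the thread. WEB01 and
# 192.0.2.10 are placeholders: the post redacted the real values.
SAMPLE_EVENT = """\
Event Type:     Success Audit
Event Category: Logon/Logoff
Event ID:       540
User:           NT AUTHORITY\\ANONYMOUS LOGON
Computer:       WEB01
Successful Network Logon:
        User Name:
        Logon Type:     3
        Logon Process:  NtLmSsp
        Authentication Package: NTLM
        Workstation Name:       HOD
        Source Network Address:192.0.2.10
"""

# Field name runs up to the first colon; the value may itself contain colons.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):[ \t]*(.*?)\s*$")

def parse_event(text):
    """Map each 'Name: value' line of one exported event to a dict entry."""
    return {m.group(1): m.group(2)
            for m in map(FIELD.match, text.splitlines()) if m}

def is_anonymous_network_logon(f):
    """Event 540, logon type 3 (network), ANONYMOUS LOGON, empty user name."""
    return (f.get("Event ID") == "540" and f.get("Logon Type") == "3"
            and f.get("User", "").upper().endswith("ANONYMOUS LOGON")
            and not f.get("User Name"))

def unexpected_sources(events, expected_workstations=()):
    """Count anonymous network logons per (workstation, source address),
    skipping workstations the admin has confirmed as expected (assumption:
    the caller maintains that list)."""
    expected = {w.upper() for w in expected_workstations}
    hits = Counter()
    for text in events:
        f = parse_event(text)
        if is_anonymous_network_logon(f):
            ws = f.get("Workstation Name", "")
            if ws.upper() not in expected:
                hits[(ws, f.get("Source Network Address", ""))] += 1
    return dict(hits)

if __name__ == "__main__":
    print(unexpected_sources([SAMPLE_EVENT] * 2))
```

The Workstation Name in an NTLM logon is supplied by the client, so the expected-workstation list is a triage aid and the source address should be checked alongside it.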