WebApp Sec mailing list archives

RE: successful anonymous login


From: "dave kleiman" <dave () isecureu com>
Date: Tue, 27 Jul 2004 23:36:53 -0400

Jose,

I apologize to all if I missed something earlier in the thread and repeat
it.

1.  Look over:
http://support.microsoft.com/default.aspx?scid=kb;en-us;867716&Product=winsvr2003
This is "Understanding and evaluating Microsoft Internet Information
Services authentication" (not poking fun) but should be a pre-migration review.


2. And
http://support.microsoft.com/default.aspx?scid=kb;en-us;812614&Product=iis60
These are your default IIS6 perms.  You can check them manually, or you can
send an e-mail to authdiag () microsoft com to request a copy of AuthDiag 1.0 RC 2;
they respond fast, and this tool lets you verify the perms and perform many
other authentication checks against your IIS server.

3. NTLMSsp is the NT LM Security Support Provider. Type 3 indicates Network
Logon.

4. Install URLScan; see:
http://www.microsoft.com/technet/security/tools/urlscan.mspx#XSLTsection123121120120
to decide if this fits your needs.

5.  Without knowing more about your setup, which would be helpful for
indicating security settings to help, you should at the very least set the
following.
You can edit by hand or:

________________ cut and paste into a .reg file_________________

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000001
"disabledomaincreds"=dword:00000001
"everyoneincludesanonymous"=dword:00000000
"forceguest"=dword:00000000
"fullprivilegeauditing"=hex:01
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000005
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000001
"restrictanonymous"=dword:00000001
"restrictanonymoussam"=dword:00000001
"SubmitControl"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"ntlmminclientsec"=dword:20080030
"ntlmminserversec"=dword:20080030

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"ProtectionMode"=dword:00000001
"SafeDllSearchMode"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"obcaseinsensitive"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001

__________________________end cut________________________________________________

Once again it would be nice to hear a little more about your setup (i.e. SQL
or other database, ColdFusion, ASP.NET, etc.); this would or could
change the permissions needed on various items.


______________________________________
Dave Kleiman, CISSP, CISM, CIFI, MCSE
www.SecurityBreachResponse.com
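The .reg block above can be turned into a repeatable check rather than something you eyeball once. The following is an added example, not part of Dave's message or any Microsoft tool: it parses the "Windows Registry Editor Version 5.00" export format (the `[KEY]` sections and `"name"=dword:`/`hex:` lines) and compares a subset of the LSA values against the recommended settings from the post. The `CURRENT_EXPORT` text is constructed for the demonstration and deliberately contains weak values; it is not an export from a real server. The NTLM minimum-security values are treated as bitmasks, so a stricter superset of the recommended bits passes.

```python
"""Check a .reg export of the LSA settings against the hardening values recommended in the post.

Added example (not part of the mailing-list message): parse_reg() reads the
"Windows Registry Editor Version 5.00" text format used above and
check_baseline() reports every value that is missing or weaker than the
baseline. CURRENT_EXPORT is a constructed export with a few weak settings;
it is not from a real server.
"""
import re

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
MSV = LSA + r"\MSV1_0"

# Subset of the values from the post; names and keys are compared case-insensitively.
BASELINE = {
    (LSA, "everyoneincludesanonymous"): 0,
    (LSA, "restrictanonymous"): 1,
    (LSA, "restrictanonymoussam"): 1,
    (LSA, "lmcompatibilitylevel"): 5,
    (LSA, "nolmhash"): 1,
    (LSA, "limitblankpassworduse"): 1,
    (LSA, "fullprivilegeauditing"): 1,
    (MSV, "ntlmminclientsec"): 0x20080030,
    (MSV, "ntlmminserversec"): 0x20080030,
}
# NTLM min-security values are bitmasks: a stricter superset is still acceptable.
BITMASK_VALUES = {"ntlmminclientsec", "ntlmminserversec"}

# Constructed export: restrictanonymous off, LM hashes stored, weak LM level,
# and no server-side NTLM minimum at all.
CURRENT_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"EveryoneIncludesAnonymous"=dword:00000001
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"lmcompatibilitylevel"=dword:00000002
"nolmhash"=dword:00000000
"limitblankpassworduse"=dword:00000001
"fullprivilegeauditing"=hex:01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"ntlmminclientsec"=dword:20080030
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(dword|hex):([0-9A-Fa-f,]+)$')


def parse_reg(text):
    """Return {(key_lower, name_lower): int} for dword and hex values in a .reg export."""
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name, kind, data = m.groups()
            if kind == "dword":
                number = int(data, 16)
            else:
                # hex: is REG_BINARY written as comma-separated bytes; read it little-endian.
                number = int.from_bytes(bytes.fromhex(data.replace(",", "")), "little")
            values[(key, name.lower())] = number
    return values


def check_baseline(export_text, baseline=BASELINE):
    """Return sorted (key, name, expected, actual) tuples for missing or weaker values."""
    current = parse_reg(export_text)
    findings = []
    for (key, name), expected in baseline.items():
        actual = current.get((key.lower(), name.lower()))
        if actual is None:
            weak = True  # value not set at all: the OS default applies
        elif name.lower() in BITMASK_VALUES:
            weak = (actual & expected) != expected
        else:
            weak = actual != expected
        if weak:
            findings.append((key, name, expected, actual))
    return sorted(findings)


if __name__ == "__main__":
    for key, name, expected, actual in check_baseline(CURRENT_EXPORT):
        shown = "missing" if actual is None else "0x%08x" % actual
        print("%s\\%s: expected 0x%08x, found %s" % (key, name, expected, shown))
```

Run it against a real `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa` output by substituting that text for `CURRENT_EXPORT`; a missing value is reported as a finding because the OS default, not the hardened value, then applies.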





-----Original Message-----
From: Jose Rivera [mailto:jose () papugai com] 
Sent: Tuesday, July 27, 2004 20:57
To: 'Adam Tuliper'; webappsec () securityfocus com
Subject: RE: successful anonymous login

Yes, as far as I know all patches are in.

Even an update check says no updates are needed. 

Is it a given that the latest service packs do not contain all NEEDED patches?

If so, does anyone have a list of what patches are needed outside of
released service packs?


-----Original Message-----
From: Adam Tuliper [mailto:amt () gecko-software com]
Sent: Tuesday, July 27, 2004 12:18 PM
To: Jose Rivera; 'Adam Tuliper'; webappsec () securityfocus com
Subject: Re: successful anonymous login

considering this was via dcom...was this machine completely patched and up
to date before this event was logged?


On Tue, 27 Jul 2004 12:12:53 -0700
 "Jose Rivera" <jose () papugai com> wrote:
Good question. It's not like a name of a machine on my network. From 
research, I think it stands for host on demand. Why this comes up in 
this error though, I'm not sure. The IP is definitely from outside.




-----Original Message-----
From: Adam Tuliper [mailto:amt () gecko-software com]
Sent: Tuesday, July 27, 2004 12:02 PM
To: Jose Rivera; webappsec () securityfocus com
Subject: Re: successful anonymous login

NtLmSsp usually deals with DCOM logins.
What workstation is HOD?

On Tue, 27 Jul 2004 10:59:11 -0700
 "Jose Rivera" <jose () papugai com> wrote:
We recently migrated our web server into windows 2003.

Not sure where this is coming from...but a successful login from an
anonymous user doesn't sound good?

Please help or point in the right direction.

Thanks
Jose


Event Type: Success Audit
Event Source:       Security
Event Category:     Logon/Logoff 
Event ID:   540
Date:               7/27/2004
Time:               10:44:20 AM
User:               NT AUTHORITY\ANONYMOUS LOGON
Computer:   xxxxxx
Description:
Successful Network Logon:
    User Name:      
    Domain:         
    Logon ID:               (0x0,0x9BA1BD3)
    Logon Type:     3
    Logon Process:  NtLmSsp 
    Authentication Package: NTLM
    Workstation Name:       HOD
    Logon GUID:     -
    Caller User Name:       -
    Caller Domain:  -
    Caller Logon ID:        -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 81.60.187.145
    Source Port:    0
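Events like the one above are easy to miss among ordinary share and DCOM logons, so it helps to triage them automatically. The following is an added example written for this thread, not code from any poster or from Microsoft: it parses the "Field: value" layout of a Windows Server 2003 Security event 540 record and flags anonymous (null-session) network logons, ranking those whose source address lies outside private and loopback ranges highest. The first sample is an abridged copy of the event quoted in the post; the other two sample events, the `EXAMPLE` domain, the user `jdoe` and the hosts `WS01` and `PRINTSRV` are constructed for the demonstration.

```python
"""Triage Windows Server 2003 Security event 540 ("Successful Network Logon") records.

Added example, not from the thread: parse_event() reads the "Field: value"
layout shown in the post and triage() flags anonymous (null-session) network
logons, ranking those from outside private/loopback address space highest.
SAMPLE_EVENTS[0] is abridged from the post; the other two are constructed.
"""
import ipaddress
import re

SAMPLE_EVENTS = [
    # abridged copy of the event quoted in the post
    r"""Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
User: NT AUTHORITY\ANONYMOUS LOGON
Description:
Successful Network Logon:
    User Name:
    Domain:
    Logon ID: (0x0,0x9BA1BD3)
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: HOD
    Source Network Address: 81.60.187.145
    Source Port: 0
""",
    # constructed: an ordinary domain user connecting from the LAN
    r"""Event Type: Success Audit
Event Source: Security
Event ID: 540
User: EXAMPLE\jdoe
Description:
Successful Network Logon:
    User Name: jdoe
    Domain: EXAMPLE
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name: WS01
    Source Network Address: 10.0.0.25
""",
    # constructed: a null session from an internal host
    r"""Event Type: Success Audit
Event Source: Security
Event ID: 540
User: NT AUTHORITY\ANONYMOUS LOGON
Description:
Successful Network Logon:
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: PRINTSRV
    Source Network Address: 192.168.1.20
""",
]

# Field name up to the first colon, then the value (possibly empty).
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")


def parse_event(text):
    """Return a dict of field -> value for one event; blank values are kept as ''."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def is_external(address):
    """True when the address parses and is neither private (RFC 1918 etc.) nor loopback."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False  # '-' or blank: no usable address was recorded
    return not (addr.is_private or addr.is_loopback)


def triage(event):
    """Return (severity, reason) for one parsed event."""
    if event.get("Event ID") != "540":
        return ("ignore", "not a successful network logon event")
    user = event.get("User", "")
    source = event.get("Source Network Address", "-")
    station = event.get("Workstation Name", "?")
    if not user.upper().endswith("ANONYMOUS LOGON"):
        return ("info", "authenticated network logon by %s from %s" % (user, source))
    if event.get("Logon Type") == "3" and is_external(source):
        return ("high", "anonymous network logon from external address %s (workstation %s)"
                % (source, station))
    return ("medium", "anonymous network logon from %s (workstation %s)" % (source, station))


def triage_all(texts):
    """Parse and triage raw event texts, highest severity first."""
    order = {"high": 0, "medium": 1, "info": 2, "ignore": 3}
    return sorted((triage(parse_event(t)) for t in texts), key=lambda r: order[r[0]])


if __name__ == "__main__":
    for severity, reason in triage_all(SAMPLE_EVENTS):
        print("%-6s %s" % (severity, reason))
```

The "high" bucket is exactly the case in the post: Logon Type 3, NtLmSsp, ANONYMOUS LOGON, and a source address that is not on the local network. An internal null session still lands in "medium" because it usually indicates a host or printer service that depends on `restrictanonymous` being loose, which is worth knowing before tightening it.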

