Rick,

The security logs in question are on my Windows 2000 domain controllers,
PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538 NT
Authority\Anonymous Logon

    User Logoff:
    User Name: ANONYMOUS LOGON
    Domain: NT AUTHORITY
    Logon ID: (0x0,0xCB82F)
    Logon Type: 3

and Event 540 NT Authority\System Logons

    Successful Network Logon:
    User Name: PSDC1$
    Domain: LC_POLICE
    Logon ID: (0x0,0xCBE63)
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name:

These don't appear to give me any specific information.
I need to keep records for 3 years that show when a user logged onto the
network and from which workstation. When I audit Account Logon, I get the
information, but the user is always System, so there is no easy way to
filter for a specific user name. When I use Audit Logon events, I can filter
by user name, but I'm filling 75% of the log with Anonymous and System
logons. I'm generating about 8MB of security log daily between the two DCs,
so I'm not sure what is the most efficient way to configure the audit policy
on my DCs. It seems that either way, the logs fill with quite a bit of
basically useless information.
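
An added example, not part of the original message or of any list member's reply: one way to cut the noise described above after export is to parse the event descriptions and drop ANONYMOUS LOGON sessions and computer accounts (names ending in `$`), keeping only user logons with their workstation. The export layout (an `Event ID:` line per record, blank-line separators) and the third sample record are assumptions made for this sketch.

```python
import re

# Constructed sample in the layout of the records quoted above; the third
# record (jsmith, WKS042, its Logon ID) is made up. "Event ID:" lines are assumed.
SAMPLE = """\
Event ID: 538
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0xCB82F)
Logon Type: 3

Event ID: 540
Successful Network Logon:
User Name: PSDC1$
Domain: LC_POLICE
Logon ID: (0x0,0xCBE63)
Logon Type: 3
Workstation Name:

Event ID: 540
Successful Network Logon:
User Name: jsmith
Domain: LC_POLICE
Logon ID: (0x0,0xCC101)
Logon Type: 3
Workstation Name: WKS042
"""

FIELD = re.compile(r"^\s*([^:]+):[ \t]*(.*)$")

def parse_records(text):
    """Split on blank lines; map each 'Key: value' line into a dict."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = (FIELD.match(line) for line in block.splitlines())
        records.append({m.group(1).strip(): m.group(2).strip() for m in fields if m})
    return records

def is_noise(rec):
    """True for anonymous sessions and computer accounts (name ends in '$')."""
    user = rec.get("User Name", "")
    return not user or user.upper() == "ANONYMOUS LOGON" or user.endswith("$")

def user_logons(text, event_ids=("540",)):
    """Return (domain, user, workstation) for logon events by real users."""
    return [(r.get("Domain", ""), r["User Name"], r.get("Workstation Name", ""))
            for r in parse_records(text)
            if r.get("Event ID") in event_ids and not is_noise(r)]
```

Calling `user_logons(SAMPLE)` keeps only the constructed `jsmith` record; the full unfiltered log still has to be archived if the retention requirement covers every event.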
-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, August 04, 2003 18:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon
Cindy,
My initial thought on this, understanding the process, is that everyone is
Anonymous when they first hit the server. A record of this 'anonymous'
access is made, and the process continues where you actually identify
yourself.
Clearly, this is going to be different if you are running a web server,
where the access might be mostly anonymous, unless set to some manner of
authentication (Windows, Basic, etc.).
Now, for more detail, if you want to post some of the records that you're
seeing (you should be able to follow the authentication trail via the IDs
in the audit records) I can help you identify what is going on and what the
anonymous access is all about. It would help to know what type of server
this is, as well.
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Monday, August 04, 2003 1:35 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Anonymous Logon
I successfully upgraded my NT domain to AD yesterday. I now find my DC
security log on the PDC emulator filling up twice a day. It is set to 2048
KB, do not overwrite (I have to save them for 3 years). The majority of
events are Anonymous logons. Is it normal to have this quantity of Anonymous
logons?
Cynthia Rittenhouse MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/