If web services or ftp are running on those, both those services allow anon
to access the main page,

----- Original Message ----- 
From: "Rittenhouse, Cindy" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 05, 2003 1:02 PM
Subject: RE: [ActiveDir] Anonymous Logon


> Rick,
> The security logs in question are on my Windows 2000 domain controllers,
> PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538
> NT Authority\Anonymous Logon
> User Logoff:
>   User Name: ANONYMOUS LOGON
>   Domain: NT AUTHORITY
>   Logon ID: (0x0,0xCB82F)
>   Logon Type: 3
>
>  and Event 540 NT Authority\System Logons
> Successful Network Logon:
>   User Name: PSDC1$
>   Domain: LC_POLICE
>   Logon ID: (0x0,0xCBE63)
>   Logon Type: 3
>   Logon Process: Kerberos
>   Authentication Package: Kerberos
>   Workstation Name:
>
> These don't appear to give me any specific information.
>
> I need to keep records for 3 years that show when a user logged onto the
> network and from which workstation. When I audit Account Logon, I get the
> information, but the user is always System, so there is no easy way to
> filter for a specific user name. When I use Audit Logon events, I can filter
> by user name, but I'm filling 75% of the log with Anonymous and System
> logons. I'm generating about 8MB of security log daily between the two DCs,
> so I'm not sure what is the most efficient way to configure the audit policy
> on my DCs. It seems that either way, the logs fill with quite a bit of
> basically useless information.
>
>
> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 04, 2003 18:26
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Anonymous Logon
>
>
> Cindy,
>
> My initial thought on this, understanding the process, is that everyone is
> Anonymous when they first hit the server.  A record of this 'anonymous'
> access is made, and the process continues where you actually identify
> yourself.
>
> Clearly, this is going to be different if you are running a web server,
> where the access might be mostly anonymous, unless set to some manner of
> authentication (Windows, Basic, etc.)
>
> Now, for more detail, if you want to post some of the records that you're
> seeing (you should be able to follow the authentication trail via the ID's
> in the audit records) I can help you identify what is going on and what the
> anonymous access is all about.  It would help to know what type of server
> this is, as well.
>
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
> Sent: Monday, August 04, 2003 1:35 PM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] Anonymous Logon
>
> I successfully upgraded my NT domain to AD yesterday. I now find my DC
> security log on the PDC emulator filling up twice a day. It is set to 2048
> KB, do not overwrite (I have to save them for 3 years). The majority of
> events are Anonymous logons. Is it normal to have this quantity of Anonymous
> logons?
>
> Cynthia Rittenhouse  MCSE,CCNA
> LAN Administrator
> County of Lancaster
> Lancaster, PA 17602
> Phone: (717)293-7274
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
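
An added example, not part of the original thread: one way to handle the noise described above is to post-filter exported logon events, dropping ANONYMOUS LOGON and machine-account (name ending in `$`) records so only user logons and their workstations remain. It assumes the description layout quoted in the thread; the `jdoe`/`WKSTN07` record and all function names are constructed for illustration.

```python
import re

# Constructed sample: the first two records follow the descriptions quoted in
# the thread; the third (user jdoe, workstation WKSTN07) is invented.
SAMPLE_EVENTS = [
    (538, "User Logoff:\n  User Name: ANONYMOUS LOGON\n  Domain: NT AUTHORITY\n"
          "  Logon ID: (0x0,0xCB82F)\n  Logon Type: 3\n"),
    (540, "Successful Network Logon:\n  User Name: PSDC1$\n  Domain: LC_POLICE\n"
          "  Logon ID: (0x0,0xCBE63)\n  Logon Type: 3\n  Logon Process: Kerberos\n"
          "  Authentication Package: Kerberos\n  Workstation Name:\n"),
    (540, "Successful Network Logon:\n  User Name: jdoe\n  Domain: LC_POLICE\n"
          "  Logon ID: (0x0,0xCC001)\n  Logon Type: 3\n  Logon Process: Kerberos\n"
          "  Authentication Package: Kerberos\n  Workstation Name: WKSTN07\n"),
]

# Indented "Name: value" lines; the value may be empty (e.g. Workstation Name).
FIELD = re.compile(r"^[ \t]+([^:\n]+):[ \t]*(.*)$", re.MULTILINE)


def parse_description(text):
    """Turn the indented 'Name: value' lines of an event description into a dict."""
    return {name.strip(): value.strip() for name, value in FIELD.findall(text)}


def is_noise(fields):
    """Anonymous sessions and machine accounts ('$' suffix) are not user logons."""
    user = fields.get("User Name", "")
    return not user or user.upper() == "ANONYMOUS LOGON" or user.endswith("$")


def user_logons(events, logon_event_ids=(540,)):
    """Return (user, domain, workstation) for logon events made by real users."""
    rows = []
    for event_id, description in events:
        if event_id not in logon_event_ids:
            continue  # e.g. 538 logoff records
        fields = parse_description(description)
        if is_noise(fields):
            continue
        rows.append((fields["User Name"], fields.get("Domain", ""),
                     fields.get("Workstation Name", "")))
    return rows


if __name__ == "__main__":
    for row in user_logons(SAMPLE_EVENTS):
        print(*row, sep="\t")
```

Filtering a copy this way leaves the retained security log itself untouched.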
