I have posed this question directly to a couple people on the list and the consensus is that we still don't know the answer.
My Webserver Admin is trying to tell me that the entries below from the Exchange server Security logs originate from the OWA accessing mailboxes or sending mail out through the IMS.

The following is an excerpt from Q263236:

"Logon.asp prompts the user to either provide a mailbox name or to choose anonymous access. Anonymous access allows the user to read from and post to public folders anonymously and also to find names in an address book by using Lightweight Directory Access Protocol (LDAP)."

So...I'm running Exchange 5.5 SP4 and I have "Allow Anonymous LDAP Access" turned off. If I have removed anonymous LDAP access, should I EVER see this in the security logs of my IMS? Or any of my other Exchange servers for that matter? Maybe I'm not thinking correctly, but even if I allowed Anonymous LDAP access to the Exchange system, I wouldn't expect to see this in the IMS, only on the mailbox or public folder servers. Am I wrong?

One response was, "I am far from expert on LDAP, but I think your answer is in the User. NT Authority suggests to me that it's a system logon of some sort."

Ok...I can deal with that. My question at this point is, "It makes me nervous to have Anonymous logons from anywhere to my Exchange servers. With it logging on anonymously, how do you discriminate between the OWA server doing it and someone that has compromised the OWA server sitting in the DMZ and spamming the heck out of the Internet from your server? Wouldn't a better and more secure approach be to give the OWA server a non-generic service account to logon to the Exchange servers with? Say..."_owaexlogon", for example?"

When I searched the KB for "NT Authority" and OWA, these were some of the results I got:

http://support.microsoft.com/default.aspx?scid=kb;en-us;182900 - Not the issue

http://support.microsoft.com/default.aspx?scid=kb;en-us;193925 - Duh!

http://support.microsoft.com/default.aspx?scid=kb;en-us;220965 - Not the problem...OWA and Exchange on separate computers.
http://support.microsoft.com/default.aspx?scid=kb;en-us;300646 - Bingo! Isn't this telling me that rather than see "Anonymous Logon" that I should see "IUSR_ComputerName" as its logon credentials? Or not?

Under the "User section" of the Security log entry, I would probably expect to see something like:

User: NT AUTHORITY\IUSR_ComputerName
OR
User: ANONYMOUS LOGON\IUSR_ComputerName

Thoughts / Suggestions?

Security Event Log Message:

Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 3/10/2003
Time: 12:56:24 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: MAIL
Description: Special privileges assigned to new logon:
    User Name:
    Domain:
    Logon ID: (0x0,0x2938FD7)
    Assigned: SeChangeNotifyPrivilege
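
An added example, not part of the original post: a small Python parser for Security log text in the layout of the entry quoted above, which lists per computer the Logon IDs of Event ID 576 entries recorded under NT AUTHORITY\ANONYMOUS LOGON. Only the first sample entry comes from the post; the other two entries, their Logon IDs and the EXAMPLE domain are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Field labels exactly as they appear in the entry quoted in the post.
FIELDS = ["Event Type", "Event Source", "Event Category", "Event ID",
          "Date", "Time", "User", "Computer", "Description"]
FIELD_RE = re.compile(r"\b(%s):\s*" % "|".join(re.escape(f) for f in FIELDS))
LOGON_ID_RE = re.compile(r"Logon ID:\s*(\(0x[0-9A-Fa-f]+,0x[0-9A-Fa-f]+\))")
ANONYMOUS = r"NT AUTHORITY\ANONYMOUS LOGON"

def parse_entries(text):
    """One dict per entry; fields may be on separate lines or run together."""
    entries, current = [], None
    parts = FIELD_RE.split(text)  # [preamble, label, value, label, value, ...]
    for label, value in zip(parts[1::2], parts[2::2]):
        if label == "Event Type":  # every entry starts with this field
            current = {}
            entries.append(current)
        if current is not None:
            current[label] = " ".join(value.split())
    return entries

def anonymous_logon_ids(entries, event_id="576"):
    """Map computer name -> Logon IDs of anonymous entries with this event ID."""
    found = defaultdict(list)
    for e in entries:
        if e.get("Event ID") == event_id and e.get("User", "").upper() == ANONYMOUS:
            m = LOGON_ID_RE.search(e.get("Description", ""))
            found[e.get("Computer", "?")].append(m.group(1) if m else None)
    return dict(found)

# Constructed sample: the first entry is the one quoted in the post; the other
# two (Logon IDs, the EXAMPLE domain, the account) are made up for illustration.
SAMPLE = r"""Event Type: Success Audit Event Source: Security Event Category: Privilege Use Event ID: 576 Date: 3/10/2003 Time: 12:56:24 PM User: NT AUTHORITY\ANONYMOUS LOGON Computer: MAIL Description: Special privileges assigned to new logon: User Name: Domain: Logon ID: (0x0,0x2938FD7) Assigned: SeChangeNotifyPrivilege
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 3/10/2003
Time: 12:57:02 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: MAIL
Description: Special privileges assigned to new logon: User Name: Domain: Logon ID: (0x0,0x2939A10) Assigned: SeChangeNotifyPrivilege
Event Type: Success Audit Event Source: Security Event Category: Privilege Use Event ID: 576 Date: 3/10/2003 Time: 12:58:40 PM User: EXAMPLE\_owaexlogon Computer: MAIL Description: Special privileges assigned to new logon: User Name: _owaexlogon Domain: EXAMPLE Logon ID: (0x0,0x2939B44) Assigned: SeChangeNotifyPrivilege
"""

if __name__ == "__main__":
    for computer, ids in anonymous_logon_ids(parse_entries(SAMPLE)).items():
        print(computer, len(ids), ids)
```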

