Anonymous Logon Every 10 Mins

Poontos

Platinum Member
Mar 9, 2000
2,799
0
0
Windows 2000 Pro, all sp's, hotfixes.

Getting this in my security log like EVERY 10 minutes for a long long time. Someone logging into my system every 10 minutes anonymously?


Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 13/04/2002
Time: 9:03:25 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: Withdrawn
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x81EA6)
Logon Type: 3

 

Poontos

Thanks, I will read through all of it when I have some time after exams.

I did a search for "anonymous" and nothing came up on that page, so it appears as though they do not address the issue of an anonymous logoff (and with that there must have been a logon) to a workstation EVERY 10 minutes.

No DC or domain setup in this scenario if that is of any help.
 

Poontos



<< Is the machine on a populated LAN?

Is windows networking/file sharing enabled?
>>


Just one other computer, which is a notebook running Win2K and it does not seem to get this every 10 minute logoff.

All is behind a DSL Modem --> Netgear RT314 Router --> LAN

I have had this setup for ages and this logging off business must have started a month or two ago, cause I had not been checking my logs too much due to exams and stuff with my studies.

Yes, file sharing is installed on both machines. They have identical network stacks, except for the IP of course, haha.

 

Poontos



<< Turn off audit policy. >>


That does not fix the problem really. Not unless I want to throw any bit of security (auditing) out the door. Thanks, but I'll pass.
 

Poontos



<< Here is a complete shot in the dark.

How often is your mail program set to check for email?
>>


Every 3 Minutes, hehe. And this stupid event happens 24/7, and anyway, my e-mail client is maybe open 4-6 hours a day, the rest is SSH.

May I ask why your shot in the dark was that my e-mail client was triggering my Windows authentication system, specifically anonymous?
 

jlathrop

Member
Jul 5, 2001
47
0
0


<<

<< Here is a complete shot in the dark.

How often is your mail program set to check for email?
>>


Every 3 Minutes, hehe. And this stupid event happens 24/7, and anyway, my e-mail client is maybe open 4-6 hours a day, the rest is SSH.

May I ask why your shot in the dark was that my e-mail client was triggering my Windows authentication system, specifically anonymous?
>>



I had a case similar to this a couple of months ago. A friend's daughter had typed an incorrect POP ID. This was on an XP Pro system. The email was set to run every 10 minutes which it did. The log showed an anonymous log-off every 10 min. When Bill deleted that entry, it stopped and hasn't happened since.

However, after looking around I came across the following link. This appears to explain your security log happenings.
Link

hope this helps some..
 

Poontos



<< Another shot in the dark---are you running IIS? >>


The box in Add/Remove Programs was checked, but the subsection only had "Common Files" & the IIS snap-in checked on.

It was never setup, but how else would I tell if it was running? I do not think I ever saw inetinfo.exe running...

 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
If the snap in is installed you should be able to see if there are any IIS services (www, ftp, etc) running.

But if you don't need it I would recommend uninstalling all parts of IIS and seeing if that fixes the problem. Once you uninstall, go to the local users in computer management and make sure the anonymous account that IIS uses has been deleted. If it hasn't, either delete it or disable it.
 

Poontos



<< If the snap in is installed you should be able to see if there are any IIS services (www, ftp, etc) running.

But if you don't need it I would recommend uninstalling all parts of IIS and seeing if that fixes the problem. Once you uninstall, go to the local users in computer management and make sure the anonymous account that IIS uses has been deleted. If it hasn't, either delete it or disable it.
>>


IIS has been uninstalled (100% sure) for the last 3 hours and I am still getting the same anonymous logon.

Thanks for the help so far though...
 

stash

Well, I'm stumped...you're sure there isn't an anonymous account on your machine?
 

Poontos



<< Well, I'm stumped...you're sure there isn't an anonymous account on your machine? >>


Nothing obvious... e.g. no "Anonymous" account.
 

stash

I think I have an answer for you....

ANONYMOUS LOGON is the account that is used when you do certain administrative tasks remotely. For instance, if you connect to the event viewer on a server from a different machine, you will see this event in the security log of the machine you connect to. There is a registry setting that will restrict this behavior. There are 3 levels, 0, 1 and 2. 0 is open, 2 is most restrictive.

Check out the Baseline Security Analyzer from Microsoft for more info. Also, think ahead if you decide to change this setting. During an experiment, I set it to 1 and Backup Exec 8.6 was no longer able to connect to the machine's system state, which is critical to restore a Win2k box.
 

Poontos

Originally posted by: STaSh
I think I have an answer for you....

ANONYMOUS LOGON is the account that is used when you do certain administrative tasks remotely. For instance, if you connect to the event viewer on a server from a different machine, you will see this event in the security log of the machine you connect to. There is a registry setting that will restrict this behavior. There are 3 levels, 0, 1 and 2. 0 is open, 2 is most restrictive.

Check out the Baseline Security Analyzer from Microsoft for more info. Also, think ahead if you decide to change this setting. During an experiment, I set it to 1 and Backup Exec 8.6 was no longer able to connect to the machine's system state, which is critical to restore a Win2k box.

Sounds about right, thanks. I had not come back to this thread until after I had made the change.

Basically, I think I changed it to the 1 setting. If anyone needs hardcore specifics, please let me know. Hopefully this did it, cause I have not seen any entries for the last couple of days. Although, when I think about it, my laptop has not been plugged in the last couple of days on the LAN. Hmmm... so My Docs have not been synchronized (which requires my admin account credentials). Will plug in the lappy soon and see what happens.
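
A way to check the "every 10 minutes" pattern from the first post against an exported security log, as an added example that is not part of the original thread: it parses records in the field layout quoted there, keeps the ANONYMOUS LOGON network (Logon Type 3) events, and measures how regular their spacing is, since a fixed interval points at an automated client rather than a person. The sample records, the `WORKSTATION\alice` account and the function names are constructed for illustration.

```python
import re
from datetime import datetime
from statistics import median

def _record(time, user, logon_type):
    # Same field layout as the event quoted in the thread (values constructed).
    return (f"Event Type: Success Audit\nEvent ID: 538\nDate: 13/04/2002\n"
            f"Time: {time}\nUser: {user}\nLogon Type: {logon_type}\n")

# Constructed sample export: four anonymous network logoffs, one local user.
SAMPLE_LOG = "\n".join([
    _record("8:43:25 AM", r"NT AUTHORITY\ANONYMOUS LOGON", 3),
    _record("8:50:00 AM", r"WORKSTATION\alice", 2),
    _record("8:53:26 AM", r"NT AUTHORITY\ANONYMOUS LOGON", 3),
    _record("9:03:25 AM", r"NT AUTHORITY\ANONYMOUS LOGON", 3),
    _record("9:13:25 AM", r"NT AUTHORITY\ANONYMOUS LOGON", 3),
])

FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*)$", re.M)
REQUIRED = {"Event ID", "Date", "Time", "User", "Logon Type"}

def parse_events(text):
    """Split on blank lines, return (timestamp, user, event_id, logon_type)."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        f = {k.strip(): v.strip() for k, v in FIELD.findall(block)}
        if not REQUIRED.issubset(f):
            continue  # skip fragments that are not complete event records
        when = datetime.strptime(f"{f['Date']} {f['Time']}",
                                 "%d/%m/%Y %I:%M:%S %p")
        events.append((when, f["User"], f["Event ID"], f["Logon Type"]))
    return events

def anonymous_cadence(events, tolerance_s=30):
    """Summarise spacing of ANONYMOUS LOGON network (type 3) events."""
    times = sorted(t for t, user, _eid, ltype in events
                   if user.upper().endswith("ANONYMOUS LOGON") and ltype == "3")
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None  # too few events to judge a pattern
    mid = median(gaps)
    steady = all(abs(g - mid) <= tolerance_s for g in gaps)
    return {"count": len(times), "median_gap_s": mid, "steady": steady}

if __name__ == "__main__":
    print(anonymous_cadence(parse_events(SAMPLE_LOG)))
```
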

 