I believe those would show a logon by the IUSR (or other specified account) account because it isn't truly anonymous, you are simply proxied into the IUSR or some other specified anonymous access account.
joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rick reynolds Sent: Wednesday, August 06, 2003 10:10 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Anonymous Logon If web services or ftp are running on those, both those services allow anon to access the main page, ----- Original Message ----- From: "Rittenhouse, Cindy" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, August 05, 2003 1:02 PM Subject: RE: [ActiveDir] Anonymous Logon > Rick, > The security logs in question are on my Windows 2000 domain > controllers, PSDC1 and PSDC2. When I Audit Logon Events, the log fills > with Event 538 NT > Authority\Anonymous Logon > User Logoff: > User Name: ANONYMOUS LOGON > Domain: NT AUTHORITY > Logon ID: (0x0,0xCB82F) > Logon Type: 3 > > and Event 540 NT Authority\System Logons > Successful Network Logon: > User Name: PSDC1$ > Domain: LC_POLICE > Logon ID: (0x0,0xCBE63) > Logon Type: 3 > Logon Process: Kerberos > Authentication Package: Kerberos > Workstation Name: > > These don't appear to give me any specific information. > > I need to keep records for 3 years that show when a user logged onto > the network and from which workstation. When I audit Account Logon, I > get the information, but the user is always System, so there is no > easy way to filter for a specific user name. When I use Audit Logon > events, I can filter > by user name, but I'm filling 75% of the log with Anonymous and System > logons. I'm generating about 8MB of security log daily between the two DCs, > so I'm not sure what is the most efficient way to configure the audit policy > on my DCs. It seems that either way, the logs fill with quite a bit of > basically useless information. > > > -----Original Message----- > From: Rick Kingslan [mailto:[EMAIL PROTECTED] > Sent: Monday, August 04, 2003 18:26 > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Anonymous Logon > > > Cindy, > > My initial thought on this, understanding the process, is that > everyone is Anonymous when they first hit the server. A record of > this 'anonymous' access is made, and the process continues where you > actually identify yourself. > > Clearly, this is going to be different if you are running a web > server, where the access might be mostly anonymous, unless set to some > manner of authentication (Windows, Basic, etc.) > > Now, for more detail, if you want to post some of the records that > you're seeing (you should be able to follow the authentication trail > via the ID's in the audit records) I can help you identify what is > going on and what the > anonymous access is all about. It would help to know what type of > server this is, as well. > > Rick Kingslan MCSE, MCSA, MCT > Microsoft MVP - Active Directory > Associate Expert > Expert Zone - www.microsoft.com/windowsxp/expertzone > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy > Sent: Monday, August 04, 2003 1:35 PM > To: '[EMAIL PROTECTED]' > Subject: [ActiveDir] Anonymous Logon > > I successfully upgraded my NT domain to AD yesterday. I now find my DC > security log on the PDC emulator filling up twice a day. It is set to 2048 > KB, do not overwrite (I have to save them for 3 years). The majority > of events are Anonymous logons. Is it normal to have this quantity of Anonymous > logons? > > Cynthia Rittenhouse MCSE,CCNA > LAN Administrator > County of Lancaster > Lancaster, PA 17602 > Phone: (717)293-7274 > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
