RE: [ActiveDir] Anonymous Logon

2003-08-14 Thread Rick Kingslan
:o)

My security logs are 180MB.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Wednesday, August 06, 2003 3:27 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon

I would not have been surprised to see this on a web server, but the domain
controllers being audited do not have either www or ftp services running. I
was not prepared for the voluminous amount of system and anonymous entries
in the log. I've increased the log size to 5MB on each DC and have them
scheduled to backup to a remote server every day at 23:55. I'm looking into
purchasing a syslog server, it seems the only viable way to manage this
mess.

-Original Message-
From: rick reynolds [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 10:10
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Anonymous Logon


If web services or ftp are running on those, both those services allow anon
to access the main page,

- Original Message -
From: Rittenhouse, Cindy [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 1:02 PM
Subject: RE: [ActiveDir] Anonymous Logon


 Rick,
 The security logs in question are on my Windows 2000 domain controllers,
 PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538 NT
 Authority\Anonymous Logon
 User Logoff:
   User Name: ANONYMOUS LOGON
   Domain: NT AUTHORITY
   Logon ID: (0x0,0xCB82F)
   Logon Type: 3

  and Event 540 NT Authority\System Logons
 Successful Network Logon:
   User Name: PSDC1$
   Domain: LC_POLICE
   Logon ID: (0x0,0xCBE63)
   Logon Type: 3
   Logon Process: Kerberos
   Authentication Package: Kerberos
   Workstation Name:

 These don't appear to give me any specific information.

 I need to keep records for 3 years that show when a user logged onto the
 network and from which workstation. When I audit Account Logon, I get the
 information, but the user is always System, so there is no easy way to
 filter for a specific user name. When I use Audit Logon events, I can filter
 by user name, but I'm filling 75% of the log with Anonymous and System
 logons. I'm generating about 8MB of security log daily between the two DCs,
 so I'm not sure what is the most efficient way to configure the audit policy
 on my DCs. It seems that either way, the logs fill with quite a bit of
 basically useless information.


 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED]
 Sent: Monday, August 04, 2003 18:26
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Anonymous Logon


 Cindy,

 My initial thought on this, understanding the process, is that everyone is
 Anonymous when they first hit the server.  A record of this 'anonymous'
 access is made, and the process continues where you actually identify
 yourself.

 Clearly, this is going to be different if you are running a web server,
 where the access might be mostly anonymous, unless set to some manner of
 authentication (Windows, Basic, etc.)

 Now, for more detail, if you want to post some of the records that you're
 seeing (you should be able to follow the authentication trail via the ID's
 in the audit records) I can help you identify what is going on and what the
 anonymous access is all about.  It would help to know what type of server
 this is, as well.

 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
 Sent: Monday, August 04, 2003 1:35 PM
 To: '[EMAIL PROTECTED]'
 Subject: [ActiveDir] Anonymous Logon

 I successfully upgraded my NT domain to AD yesterday. I now find my DC
 security log on the PDC emulator filling up twice a day. It is set to 2048
 KB, do not overwrite (I have to save them for 3 years). The majority of
 events are Anonymous logons. Is it normal to have this quantity of Anonymous
 logons?

 Cynthia Rittenhouse  MCSE,CCNA
 LAN Administrator
 County of Lancaster
 Lancaster, PA 17602
 Phone: (717)293-7274

 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



Re: [ActiveDir] Anonymous Logon

2003-08-14 Thread Glenn Corbett
Can vouch for the Kiwi server. Works great, and even better its free.

G.

- Original Message -
From: Free, Bob [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 6:49 AM
Subject: RE: [ActiveDir] Anonymous Logon


Since I'll need a syslog server, I'd like one that will also work with the
logs on our Cisco
devices?

Sorry on monitorware, but KIWI is a very popular free Win32 implementation
with folks in mixed MS/Cisco environments who just want to syslog, say
Windows, Cisco routers and PIX's.

http://www.kiwisyslog.com/

There are some great papers at SANs to get you going-

http://www.sans.org/rr/catindex.php?cat_id=33

Case Study: Using Syslog in a Microsoft & Cisco Environment
Dan Rathbun,
June 27, 2003

A Security Analysis of System Event Logging with Syslog
Kenneth Nawyn,
June 27, 2003

Centralizing Event Logs on Windows 2000
Gregory Lalla, GSEC
April 4, 2003

Effective Logging & Use of the Kiwi Syslog Utility
Brian R. Wilkins CNE/ MCSE/ CCNP/ CISSP,
June 7, 2002

Importance of Understanding Logs from an Information Security Standpoint
Stewart Allen,
October 5, 2001

Cisco Pix: Logging and Beyond
Ben Carlsrud,
September 26, 2001


-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 1:11 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon


Does anyone have any experience with MonitorWare. Since I'll need a syslog
server, I'd like one that will also work with the logs on our Cisco devices?

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 23:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon


Cindy,

If you're going to have to keep all audit entries, you're going to have a
tough time.  I can help decipher these records for you (I do a lot of
this!), but in a nutshell you've recorded a successful logoff (the Event
538) and a successful network logon via the Kerberos authentication package
by the user PSDC1 - who looks to be a machine.  In fact, one of your DCs.
Yes, they do logon and logoff of the domain - typically to connect to
services that it needs.  This one (the Event 540) was a logon to the domain,
where the previous was not a logoff from the domain proper.

A Logon type 3 tells you that it was via the network, while a type 2 is
interactive (too bad you can't tell if it was actually at the console).
Less common types are 4 (batch), 5 (service), 7 (unlocked workstation), 8
(plaintext password) or 9 (impersonated logon).

The Logon process and authentication package notes what type of process was
spawned to authenticate the user from the point it connected to the session
through authentication.  You might see Kerberos (network), NTLM (network),
or User32/Negotiate (Local).  Realm associated events to MIT Kerberos realms
should record as Kerberos authentication.

Bottom line:  Ignore the SYSTEM (usually a service doing what it needs) and
the machine name events logging on.  They are irrelevant and generally
service and process related to normal operation of the network.  Do,
however, take note of the user logon and logoffs.  The Logon ID field will
stay with the user from Logon through the logoff of this session.  You
should be able to always associate a 540 Event to a corresponding 538 Event.
However, be vigilant that a 538 is not always the same.  One might indicate
a network logoff, one might indicate a net use disconnection and another
might record an Interactive logoff or an auto disconnect.

As to what to do about spurious events that mean nothing when dealing with
user activity, I'd suggest a more manageable solution such as a syslog
server for Windows events and filter the records that you want going to the
syslog server.  This not only collects all of the server's audit events at
one place but also allows you to get rid of the events that play no part in
true auditing of the server.

Do a Google search on Windows Syslog and you'll find a number of options -
one of which should suit.

Hope this helps!

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Tuesday, August 05, 2003 3:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon

Rick,
The security logs in question are on my Windows 2000 domain controllers,
PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538 NT
Authority\Anonymous Logon User Logoff:
  User Name: ANONYMOUS LOGON
  Domain: NT AUTHORITY
  Logon ID: (0x0,0xCB82F)
  Logon Type: 3

 and Event 540 NT Authority\System Logons Successful Network Logon:
  User Name: PSDC1$
  Domain: LC_POLICE
  Logon ID: (0x0,0xCBE63)
  Logon Type: 3
  Logon Process: Kerberos
  Authentication Package: Kerberos
  Workstation Name:

These don't appear to give me any specific information.

I need

RE: [ActiveDir] Anonymous Logon

2003-08-14 Thread Rittenhouse, Cindy
Rick,
The security logs in question are on my Windows 2000 domain controllers,
PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538 NT
Authority\Anonymous Logon
User Logoff:
User Name:  ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID:   (0x0,0xCB82F)
Logon Type: 3

 and Event 540 NT Authority\System Logons
Successful Network Logon:
User Name:  PSDC1$
Domain: LC_POLICE
Logon ID:   (0x0,0xCBE63)
Logon Type: 3
Logon Process:  Kerberos
Authentication Package: Kerberos
Workstation Name:   

These don't appear to give me any specific information. 

I need to keep records for 3 years that show when a user logged onto the
network and from which workstation. When I audit Account Logon, I get the
information, but the user is always System, so there is no easy way to
filter for a specific user name. When I use Audit Logon events, I can filter
by user name, but I'm filling 75% of the log with Anonymous and System
logons. I'm generating about 8MB of security log daily between the two DCs,
so I'm not sure what is the most efficient way to configure the audit policy
on my DCs. It seems that either way, the logs fill with quite a bit of
basically useless information.


-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, August 04, 2003 18:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon


Cindy,

My initial thought on this, understanding the process, is that everyone is
Anonymous when they first hit the server.  A record of this 'anonymous'
access is made, and the process continues where you actually identify
yourself.  

Clearly, this is going to be different if you are running a web server,
where the access might be mostly anonymous, unless set to some manner of
authentication (Windows, Basic, etc.)

Now, for more detail, if you want to post some of the records that you're
seeing (you should be able to follow the authentication trail via the ID's
in the audit records) I can help you identify what is going on and what the
anonymous access is all about.  It would help to know what type of server
this is, as well.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Monday, August 04, 2003 1:35 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Anonymous Logon

I successfully upgraded my NT domain to AD yesterday. I now find my DC
security log on the PDC emulator filling  up twice a day. It is set to 2048
KB, do not overwrite (I have to save them for 3 years). The majority of
events are Anonymous logons. Is it normal to have this quantity of Anonymous
logons? 

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274



RE: [ActiveDir] Anonymous Logon

2003-08-14 Thread Joe
I believe those would show a logon by the IUSR (or other specified
account) account because it isn't truly anonymous, you are simply
proxied into the IUSR or some other specified anonymous access account.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of rick reynolds
Sent: Wednesday, August 06, 2003 10:10 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Anonymous Logon


If web services or ftp are running on those, both those services allow
anon to access the main page,

- Original Message - 
From: Rittenhouse, Cindy [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 1:02 PM
Subject: RE: [ActiveDir] Anonymous Logon


 Rick,
 The security logs in question are on my Windows 2000 domain controllers,
 PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538 NT
 Authority\Anonymous Logon
 User Logoff:
   User Name: ANONYMOUS LOGON
   Domain: NT AUTHORITY
   Logon ID: (0x0,0xCB82F)
   Logon Type: 3

  and Event 540 NT Authority\System Logons
 Successful Network Logon:
   User Name: PSDC1$
   Domain: LC_POLICE
   Logon ID: (0x0,0xCBE63)
   Logon Type: 3
   Logon Process: Kerberos
   Authentication Package: Kerberos
   Workstation Name:

 These don't appear to give me any specific information.

 I need to keep records for 3 years that show when a user logged onto the
 network and from which workstation. When I audit Account Logon, I get the
 information, but the user is always System, so there is no easy way to
 filter for a specific user name. When I use Audit Logon events, I can filter
 by user name, but I'm filling 75% of the log with Anonymous and System
 logons. I'm generating about 8MB of security log daily between the two DCs,
 so I'm not sure what is the most efficient way to configure the audit policy
 on my DCs. It seems that either way, the logs fill with quite a bit of
 basically useless information.


 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED]
 Sent: Monday, August 04, 2003 18:26
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Anonymous Logon


 Cindy,

 My initial thought on this, understanding the process, is that everyone is
 Anonymous when they first hit the server.  A record of this 'anonymous'
 access is made, and the process continues where you actually identify
 yourself.

 Clearly, this is going to be different if you are running a web server,
 where the access might be mostly anonymous, unless set to some manner of
 authentication (Windows, Basic, etc.)

 Now, for more detail, if you want to post some of the records that you're
 seeing (you should be able to follow the authentication trail via the ID's
 in the audit records) I can help you identify what is going on and what the
 anonymous access is all about.  It would help to know what type of server
 this is, as well.

 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
 Sent: Monday, August 04, 2003 1:35 PM
 To: '[EMAIL PROTECTED]'
 Subject: [ActiveDir] Anonymous Logon

 I successfully upgraded my NT domain to AD yesterday. I now find my DC
 security log on the PDC emulator filling up twice a day. It is set to 2048
 KB, do not overwrite (I have to save them for 3 years). The majority of
 events are Anonymous logons. Is it normal to have this quantity of Anonymous
 logons?

 Cynthia Rittenhouse  MCSE,CCNA
 LAN Administrator
 County of Lancaster
 Lancaster, PA 17602
 Phone: (717)293-7274



RE: [ActiveDir] Anonymous Logon

2003-08-14 Thread Free, Bob
We were playing with KIWI and an addin called backlogNT that a lot of
others were using and recommending. Looks like it's morphed into SNARE.

http://www.intersectalliance.com/projects/SnareWindows/index.html

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 07, 2003 6:14 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon

How are you sending the Windows event logs to a syslog server? Is that Kiwi
as well?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, August 06, 2003 7:19 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Anonymous Logon
 
 
 Cindy,
 
 I've evaluated and have recommended MonitorWare to our Security Director for
 the needs of our environment which is combined Enterprise with Cisco,
 Windows, Unix (all flavors) ACDs, and Tandem systems.

 Clearly, our ability to send syslog formatted logs makes sense, as we're not
 the only players, just a bit more adaptable.
 
 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Rittenhouse, Cindy
 Sent: Wednesday, August 06, 2003 3:11 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Anonymous Logon
 
 Does anyone have any experience with MonitorWare. Since I'll need a syslog
 server, I'd like one that will also work with the logs on our Cisco devices?
 
 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 05, 2003 23:03
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Anonymous Logon
 
 
 Cindy,
 
 If you're going to have to keep all audit entries, you're going to have a
 tough time.  I can help decipher these records for you (I do a lot of
 this!), but in a nutshell you've recorded a successful logoff (the Event
 538) and a successful network logon via the Kerberos authentication package
 by the user PSDC1 - who looks to be a machine.  In fact, one of your DCs.
 Yes, they do logon and logoff of the domain - typically to connect to
 services that it needs.  This one (the Event 540) was a logon to the domain,
 where the previous was not a logoff from the domain proper.

 A Logon type 3 tells you that it was via the network, while a type 2 is
 interactive (too bad you can't tell if it was actually at the console).
 Less common types are 4 (batch), 5 (service), 7 (unlocked workstation), 8
 (plaintext password) or 9 (impersonated logon).

 The Logon process and authentication package notes what type of process was
 spawned to authenticate the user from the point it connected to the session
 through authentication.  You might see Kerberos (network), NTLM (network),
 or User32/Negotiate (Local).  Realm associated events to MIT Kerberos realms
 should record as Kerberos authentication.

 Bottom line:  Ignore the SYSTEM (usually a service doing what it needs) and
 the machine name events logging on.  They are irrelevant and generally
 service and process related to normal operation of the network.  Do,
 however, take note of the user logon and logoffs.  The Logon ID field will
 stay with the user from Logon through the logoff of this session.  You
 should be able to always associate a 540 Event to a corresponding 538 Event.
 However, be vigilant that a 538 is not always the same.  One might indicate
 a network logoff, one might indicate a net use disconnection and another
 might record an Interactive logoff or an auto disconnect.

 As to what to do about spurious events that mean nothing when dealing with
 user activity, I'd suggest a more manageable solution such as a syslog
 server for Windows events and filter the records that you want going to the
 syslog server.  This not only collects all of the server's audit events at
 one place but also allows you to get rid of the events that play no part in
 true auditing of the server.

 Do a Google search on Windows Syslog and you'll find a number of options -
 one of which should suit.
 
 Hope this helps!
 
 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Rittenhouse, Cindy
 Sent: Tuesday, August 05, 2003 3:03 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Anonymous Logon
 
 Rick,
 The security logs in question are on my Windows 2000 domain controllers,
 PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538 NT
 Authority\Anonymous Logon User Logoff:
   User Name:  ANONYMOUS LOGON
   Domain: NT AUTHORITY
   Logon ID

RE: [ActiveDir] Anonymous Logon

2003-08-14 Thread Carlos Magalhaes
Then again you know Rick Kingslan has wonderful AD knowledge !!!


Carlos Magalhaes ADSI MVP


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, August 06, 2003 3:02 PM
To: ActiveDir
Subject: Re: [ActiveDir] Anonymous Logon


Great post


--
Sent from my BlackBerry Wireless Handheld




- Original Message -
From: ActiveDir-owner
Sent: 08/05/2003 11:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon


Cindy,


If you're going to have to keep all audit entries, you're going to have a
tough time. I can help decipher these records for you (I do a lot of
this!), but in a nutshell you've recorded a successful logoff (the Event
538) and a successful network logon via the Kerberos authentication package
by the user PSDC1 - who looks to be a machine. In fact, one of your DCs.
Yes, they do logon and logoff of the domain - typically to connect to
services that it needs. This one (the Event 540) was a logon to the domain,
where the previous was not a logoff from the domain proper.


A Logon type 3 tells you that it was via the network, while a type 2 is
interactive (too bad you can't tell if it was actually at the console).
Less common types are 4 (batch), 5 (service), 7 (unlocked workstation), 8
(plaintext password) or 9 (impersonated logon). 


The Logon process and authentication package notes what type of process was
spawned to authenticate the user from the point it connected to the session
through authentication. You might see Kerberos (network), NTLM (network),
or User32/Negotiate (Local). Realm associated events to MIT Kerberos realms
should record as Kerberos authentication.


Bottom line: Ignore the SYSTEM (usually a service doing what it needs) and
the machine name events logging on. They are irrelevant and generally
service and process related to normal operation of the network. Do,
however, take note of the user logon and logoffs. The Logon ID field will
stay with the user from Logon through the logoff of this session. You
should be able to always associate a 540 Event to a corresponding 538 Event.
However, be vigilant that a 538 is not always the same. One might indicate
a network logoff, one might indicate a net use disconnection and another
might record an Interactive logoff or an auto disconnect.


As to what to do about spurious events that mean nothing when dealing with
user activity, I'd suggest a more manageable solution such as a syslog
server for Windows events and filter the records that you want going to the
syslog server. This not only collects all of the server's audit events at
one place but also allows you to get rid of the events that play no part in
true auditing of the server.


Do a Google search on Windows Syslog and you'll find a number of options -
one of which should suit.


Hope this helps!


Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Rittenhouse, Cindy
Sent: Tuesday, August 05, 2003 3:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon


Rick,
The security logs in question are on my Windows 2000 domain controllers,
PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538 NT
Authority\Anonymous Logon User Logoff:
 User Name: ANONYMOUS LOGON
 Domain:  NT AUTHORITY
 Logon ID:  (0x0,0xCB82F)
 Logon Type: 3


and Event 540 NT Authority\System Logons Successful Network Logon:
 User Name: PSDC1$
 Domain:  LC_POLICE
 Logon ID:  (0x0,0xCBE63)
 Logon Type: 3
 Logon Process: Kerberos
 Authentication Package: Kerberos
 Workstation Name: 


These don't appear to give me any specific information. 


I need to keep records for 3 years that show when a user logged onto the
network and from which workstation. When I audit Account Logon, I get the
information, but the user is always System, so there is no easy way to
filter for a specific user name. When I use Audit Logon events, I can filter
by user name, but I'm filling 75% of the log with Anonymous and System
logons. I'm generating about 8MB of security log daily between the two DCs,
so I'm not sure what is the most efficient way to configure the audit policy
on my DCs. It seems that either way, the logs fill with quite a bit of
basically useless information.



-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 04, 2003 18:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon



Cindy,


My initial thought on this, understanding the process, is that everyone is
Anonymous when they first hit the server. A record of this 'anonymous'
access is made, and the process continues where you actually identify
yourself. 


Clearly, this is going to be different if you are running a web server,
where the access might be mostly anonymous, unless

Re: [ActiveDir] Anonymous Logon

2003-08-14 Thread rick reynolds
If web services or ftp are running on those, both those services allow anon
to access the main page,

- Original Message - 
From: Rittenhouse, Cindy [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 1:02 PM
Subject: RE: [ActiveDir] Anonymous Logon


 Rick,
 The security logs in question are on my Windows 2000 domain controllers,
 PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538 NT
 Authority\Anonymous Logon
 User Logoff:
   User Name: ANONYMOUS LOGON
   Domain: NT AUTHORITY
   Logon ID: (0x0,0xCB82F)
   Logon Type: 3

  and Event 540 NT Authority\System Logons
 Successful Network Logon:
   User Name: PSDC1$
   Domain: LC_POLICE
   Logon ID: (0x0,0xCBE63)
   Logon Type: 3
   Logon Process: Kerberos
   Authentication Package: Kerberos
   Workstation Name:

 These don't appear to give me any specific information.

 I need to keep records for 3 years that show when a user logged onto the
 network and from which workstation. When I audit Account Logon, I get the
 information, but the user is always System, so there is no easy way to
 filter for a specific user name. When I use Audit Logon events, I can filter
 by user name, but I'm filling 75% of the log with Anonymous and System
 logons. I'm generating about 8MB of security log daily between the two DCs,
 so I'm not sure what is the most efficient way to configure the audit policy
 on my DCs. It seems that either way, the logs fill with quite a bit of
 basically useless information.


 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED]
 Sent: Monday, August 04, 2003 18:26
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Anonymous Logon


 Cindy,

 My initial thought on this, understanding the process, is that everyone is
 Anonymous when they first hit the server.  A record of this 'anonymous'
 access is made, and the process continues where you actually identify
 yourself.

 Clearly, this is going to be different if you are running a web server,
 where the access might be mostly anonymous, unless set to some manner of
 authentication (Windows, Basic, etc.)

 Now, for more detail, if you want to post some of the records that you're
 seeing (you should be able to follow the authentication trail via the ID's
 in the audit records) I can help you identify what is going on and what the
 anonymous access is all about.  It would help to know what type of server
 this is, as well.

 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
 Sent: Monday, August 04, 2003 1:35 PM
 To: '[EMAIL PROTECTED]'
 Subject: [ActiveDir] Anonymous Logon

 I successfully upgraded my NT domain to AD yesterday. I now find my DC
 security log on the PDC emulator filling up twice a day. It is set to 2048
 KB, do not overwrite (I have to save them for 3 years). The majority of
 events are Anonymous logons. Is it normal to have this quantity of Anonymous
 logons?

 Cynthia Rittenhouse  MCSE,CCNA
 LAN Administrator
 County of Lancaster
 Lancaster, PA 17602
 Phone: (717)293-7274



Re: [ActiveDir] Anonymous Logon

2003-08-14 Thread jim . katoe
Great post

--
Sent from my BlackBerry Wireless Handheld



- Original Message -
From: ActiveDir-owner
Sent: 08/05/2003 11:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon

Cindy,

If you're going to have to keep all audit entries, you're going to have a
tough time.  I can help decipher these records for you (I do a lot of
this!), but in a nutshell you've recorded a successful logoff (the Event
538) and a successful network logon via the Kerberos authentication package
by the user PSDC1 - who looks to be a machine.  In fact, one of your DCs.
Yes, they do logon and logoff of the domain - typically to connect to
services that it needs.  This one (the Event 540) was a logon to the domain,
where the previous was not a logoff from the domain proper.

A Logon type 3 tells you that it was via the network, while a type 2 is
interactive (too bad you can't tell if it was actually at the console).
Less common types are 4 (batch), 5 (service), 7 (unlocked workstation), 8
(plaintext password) or 9 (impersonated logon).

The Logon process and authentication package notes what type of process was
spawned to authenticate the user from the point it connected to the session
through authentication.  You might see Kerberos (network), NTLM (network),
or User32/Negotiate (Local).  Realm associated events to MIT Kerberos realms
should record as Kerberos authentication.

Bottom line:  Ignore the SYSTEM (usually a service doing what it needs) and
the machine name events logging on.  They are irrelevant and generally
service and process related to normal operation of the network.  Do,
however, take note of the user logon and logoffs.  The Logon ID field will
stay with the user from Logon through the logoff of this session.  You
should be able to always associate a 540 Event to a corresponding 538 Event.
However, be vigilant that a 538 is not always the same.  One might indicate
a network logoff, one might indicate a net use disconnection and another
might record an Interactive logoff or an auto disconnect.

As to what to do about spurious events that mean nothing when dealing with
user activity, I'd suggest a more manageable solution such as a syslog
server for Windows events and filter the records that you want going to the
syslog server.  This not only collects all of the server's audit events at
one place but also allows you to get rid of the events that play no part in
true auditing of the server.

Do a Google search on Windows Syslog and you'll find a number of options -
one of which should suit.

Hope this helps!

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Tuesday, August 05, 2003 3:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon

Rick,
The security logs in question are on my Windows 2000 domain controllers,
PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538 NT
Authority\Anonymous Logon User Logoff:
User Name:  ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID:   (0x0,0xCB82F)
Logon Type: 3

 and Event 540 NT Authority\System Logons Successful Network Logon:
User Name:  PSDC1$
Domain: LC_POLICE
Logon ID:   (0x0,0xCBE63)
Logon Type: 3
Logon Process:  Kerberos
Authentication Package: Kerberos
Workstation Name:

These don't appear to give me any specific information.

I need to keep records for 3 years that show when a user logged onto the
network and from which workstation. When I audit Account Logon, I get the
information, but the user is always System, so there is no easy way to
filter for a specific user name. When I use Audit Logon events, I can filter
by user name, but I'm filling 75% of the log with Anonymous and System
logons. I'm generating about 8MB of security log daily between the two DCs,
so I'm not sure what is the most efficient way to configure the audit policy
on my DCs. It seems that either way, the logs fill with quite a bit of
basically useless information.


-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, August 04, 2003 18:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon


Cindy,

My initial thought on this, understanding the process, is that everyone is
Anonymous when they first hit the server.  A record of this 'anonymous'
access is made, and the process continues where you actually identify
yourself.

Clearly, this is going to be different if you are running a web server,
where the access might be mostly anonymous, unless set to some manner of
authentication (Windows, Basic, etc.)

Now, for more detail, if you want to post some of the records that you're
seeing (you should be able to follow the authentication

RE: [ActiveDir] Anonymous Logon

2003-08-14 Thread Rick Kingslan
Cindy,

If you're going to have to keep all audit entries, you're going to have a
tough time.  I can help decipher these records for you (I do a lot of
this!), but in a nutshell you've recorded a successful logoff (the Event
538) and a successful network logon via the Kerberos authentication package
by the user PSDC1 - who looks to be a machine.  In fact, one of your DCs.
Yes, they do logon and logoff of the domain - typically to connect to
services that it needs.  This one (the Event 540) was a logon to the domain,
where the previous was not a logoff from the domain proper.

A Logon type 3 tells you that it was via the network, while a type 2 is
interactive (too bad you can't tell if it was actually at the console).
Less common types are 4 (batch), 5 (service), 7 (unlocked workstation), 8
(plaintext password) or 9 (impersonated logon). 

The Logon process and authentication package notes what type of process was
spawned to authenticate the user from the point it connected to the session
through authentication.  You might see Kerberos (network), NTLM (network),
or User32/Negotiate (Local).  Realm associated events to MIT Kerberos realms
should record as Kerberos authentication.

Bottom line:  Ignore the SYSTEM (usually a service doing what it needs) and
the machine name events logging on.  They are irrelevant and generally
service and process related to normal operation of the network.  Do,
however, take note of the user logon and logoffs.  The Logon ID field will
stay with the user from Logon through the logoff of this session.  You
should be able to always associate a 540 Event to a corresponding 538 Event.
However, be vigilant that a 538 is not always the same.  One might indicate
a network logoff, one might indicate a net use disconnection and another
might record an Interactive logoff or an auto disconnect.

As to what to do about spurious events that mean nothing when dealing with
user activity, I'd suggest a more manageable solution such as a syslog
server for Windows events and filter the records that you want going to the
syslog server.  This not only collects all of the server's audit events at
one place but also allows you to get rid of the events that play no part in
true auditing of the server.

Do a Google search on Windows Syslog and you'll find a number of options -
one of which should suit.

Hope this helps!

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Tuesday, August 05, 2003 3:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon

Rick,
The security logs in question are on my Windows 2000 domain controllers,
PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538 NT
Authority\Anonymous Logon User Logoff:
User Name:  ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID:   (0x0,0xCB82F)
Logon Type: 3

 and Event 540 NT Authority\System Logons Successful Network Logon:
User Name:  PSDC1$
Domain: LC_POLICE
Logon ID:   (0x0,0xCBE63)
Logon Type: 3
Logon Process:  Kerberos
Authentication Package: Kerberos
Workstation Name:   

These don't appear to give me any specific information. 

I need to keep records for 3 years that show when a user logged onto the
network and from which workstation. When I audit Account Logon, I get the
information, but the user is always System, so there is no easy way to
filter for a specific user name. When I use Audit Logon events, I can filter
by user name, but I'm filling 75% of the log with Anonymous and System
logons. I'm generating about 8MB of security log daily between the two DCs,
so I'm not sure what is the most efficient way to configure the audit policy
on my DCs. It seems that either way, the logs fill with quite a bit of
basically useless information.


-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, August 04, 2003 18:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon


Cindy,

My initial thought on this, understanding the process, is that everyone is
Anonymous when they first hit the server.  A record of this 'anonymous'
access is made, and the process continues where you actually identify
yourself.  

Clearly, this is going to be different if you are running a web server,
where the access might be mostly anonymous, unless set to some manner of
authentication (Windows, Basic, etc.)

Now, for more detail, if you want to post some of the records that you're
seeing (you should be able to follow the authentication trail via the IDs
in the audit records) I can help you identify what is going on and what the
anonymous access is all about.  It would help to know what type of server
this is, as well.

Rick Kingslan  MCSE, MCSA
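
Rick's "bottom line" (drop the SYSTEM, anonymous and machine-account events, pair each 540 with its 538 through the Logon ID, read the logon type code) and his syslog-filtering suggestion, worked through as an added example that is not part of the thread or any poster's code: a Python script that filters a constructed export of records in the layout Cindy quoted and builds one session per user logon. The paragraph-per-record export format, the user and workstation names, and every Logon ID except the two quoted in the thread are assumptions.

```python
"""Correlate Windows 2000 Security log 540/538 events by Logon ID after dropping
SYSTEM, anonymous and machine-account noise (added example; layout assumed)."""
import re

# Logon type codes, with the meanings given in the thread.
LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch", 5: "service",
               7: "unlocked workstation", 8: "plaintext password", 9: "impersonated logon"}

# Principals the thread says add nothing to user auditing: the built-in
# SYSTEM account, anonymous logons and machine accounts (names ending in $).
NOISE_USERS = {"SYSTEM", "ANONYMOUS LOGON"}

# Constructed sample export (assumed format): one record per paragraph, a
# "<timestamp> <event id>" line, then the Key: Value lines the thread shows.
SAMPLE_LOG = """\
2003-08-05 13:01:58 540
User Name: PSDC1$
Domain: LC_POLICE
Logon ID: (0x0,0xCBE63)
Logon Type: 3

2003-08-05 13:02:10 540
User Name: jdoe
Domain: LC_POLICE
Logon ID: (0x0,0xCC101)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: WS042

2003-08-05 13:02:11 538
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0xCB82F)
Logon Type: 3

2003-08-05 13:05:40 540
User Name: asmith
Domain: LC_POLICE
Logon ID: (0x0,0xCC2F0)
Logon Type: 2
Workstation Name: WS007

2003-08-05 13:20:03 538
User Name: jdoe
Domain: LC_POLICE
Logon ID: (0x0,0xCC101)
Logon Type: 3

2003-08-05 13:21:00 538
User Name: jdoe
Domain: LC_POLICE
Logon ID: (0x0,0xCC999)
Logon Type: 3
"""

def parse_records(text):
    """Turn the export into dicts: 'time', 'event', plus one key per field."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        stamp, event_id = lines[0].rsplit(" ", 1)
        rec = {"time": stamp, "event": int(event_id)}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records

def is_noise(rec):
    """True for the events the thread says to ignore for user auditing."""
    user = rec.get("User Name", "")
    return user.upper() in NOISE_USERS or user.endswith("$")

def correlate(records):
    """Pair each 540 with the 538 carrying the same Logon ID.
    Returns (sessions, orphan_logoffs): a session with no 538 yet has
    logoff=None; a 538 whose 540 was never seen is listed by Logon ID."""
    open_sessions, sessions, orphans = {}, [], []
    for rec in records:
        if is_noise(rec):
            continue
        lid = rec["Logon ID"]
        if rec["event"] == 540:
            open_sessions[lid] = {
                "user": rec["Domain"] + "\\" + rec["User Name"],
                "workstation": rec.get("Workstation Name", ""),
                "logon_type": LOGON_TYPES.get(int(rec["Logon Type"]), "type " + rec["Logon Type"]),
                "logon": rec["time"],
                "logoff": None,
            }
        elif rec["event"] == 538:
            sess = open_sessions.pop(lid, None)
            if sess is None:
                orphans.append(lid)  # logon predates the log, or the log wrapped
            else:
                sess["logoff"] = rec["time"]
                sessions.append(sess)
    sessions.extend(open_sessions.values())  # still open at end of log
    return sessions, orphans
```

The two noise records (the PSDC1$ machine logon and the anonymous logoff) never reach the session list, which is the set of records worth forwarding to a syslog server for the three-year retention.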

RE: [ActiveDir] Anonymous Logon

2003-08-11 Thread James_Day

Return Receipt: Your "RE: [ActiveDir] Anonymous Logon" document was received
by James Day/Contractor/NPS at 08/06/2003 04:23:41 PM EDT.







RE: [ActiveDir] Anonymous Logon

2003-08-10 Thread Rittenhouse, Cindy
I would not have been surprised to see this on a web server, but the domain
controllers being audited do not have either www or ftp services running. I
was not prepared for the voluminous amount of system and anonymous entries
in the log. I've increased the log size to 5MB on each DC and have them
scheduled to backup to a remote server every day at 23:55. I'm looking into
purchasing a syslog server, it seems the only viable way to manage this
mess.

-Original Message-
From: rick reynolds [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 10:10
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Anonymous Logon


If web services or ftp are running on those, both those services allow anon
to access the main page,

- Original Message - 
From: Rittenhouse, Cindy [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 1:02 PM
Subject: RE: [ActiveDir] Anonymous Logon


 Rick,
 The security logs in question are on my Windows 2000 domain controllers,
 PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538 NT
 Authority\Anonymous Logon
 User Logoff:
   User Name: ANONYMOUS LOGON
   Domain: NT AUTHORITY
   Logon ID: (0x0,0xCB82F)
   Logon Type: 3

  and Event 540 NT Authority\System Logons
 Successful Network Logon:
   User Name: PSDC1$
   Domain: LC_POLICE
   Logon ID: (0x0,0xCBE63)
   Logon Type: 3
   Logon Process: Kerberos
   Authentication Package: Kerberos
   Workstation Name:

 These don't appear to give me any specific information.

 I need to keep records for 3 years that show when a user logged onto the
 network and from which workstation. When I audit Account Logon, I get the
 information, but the user is always System, so there is no easy way to
 filter for a specific user name. When I use Audit Logon events, I can filter
 by user name, but I'm filling 75% of the log with Anonymous and System
 logons. I'm generating about 8MB of security log daily between the two DCs,
 so I'm not sure what is the most efficient way to configure the audit policy
 on my DCs. It seems that either way, the logs fill with quite a bit of
 basically useless information.


 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED]
 Sent: Monday, August 04, 2003 18:26
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Anonymous Logon


 Cindy,

 My initial thought on this, understanding the process, is that everyone is
 Anonymous when they first hit the server.  A record of this 'anonymous'
 access is made, and the process continues where you actually identify
 yourself.

 Clearly, this is going to be different if you are running a web server,
 where the access might be mostly anonymous, unless set to some manner of
 authentication (Windows, Basic, etc.)

 Now, for more detail, if you want to post some of the records that you're
 seeing (you should be able to follow the authentication trail via the IDs
 in the audit records) I can help you identify what is going on and what the
 anonymous access is all about.  It would help to know what type of server
 this is, as well.

 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
 Sent: Monday, August 04, 2003 1:35 PM
 To: '[EMAIL PROTECTED]'
 Subject: [ActiveDir] Anonymous Logon

 I successfully upgraded my NT domain to AD yesterday. I now find my DC
 security log on the PDC emulator filling up twice a day. It is set to 2048
 KB, do not overwrite (I have to save them for 3 years). The majority of
 events are Anonymous logons. Is it normal to have this quantity of Anonymous
 logons?

 Cynthia Rittenhouse  MCSE,CCNA
 LAN Administrator
 County of Lancaster
 Lancaster, PA 17602
 Phone: (717)293-7274



RE: [ActiveDir] Anonymous Logon

2003-08-08 Thread Rittenhouse, Cindy
Thanks to all for the references and responses. I think I'm on the right
path, I've ordered the MonitorWare.

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 00:22
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon


Nope - MonitorWare.  Tested it and it worked well in the homogeneous
environment.  Fairly configurable and it will allow me to use eventcomb
first to determine what logs I want to send.  This way I can get rid of the
Service and SYSTEM related events and the extraneous 'crap' (technical term,
you know) that has absolutely nothing to do with anything of value.

http://www.eventreporter.com/en/

Regards,

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, August 07, 2003 8:14 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon

How are you sending the Windows event logs to a syslog server? Is that Kiwi
as well?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, August 06, 2003 7:19 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Anonymous Logon
 
 
 Cindy,
 
 I've evaluated and have recommended MonitorWare to our Security 
 Director for the needs of our environment which is combined Enterprise 
 with Cisco, Windows, Unix (all flavors) ACDs, and Tandem systems.
 
 Clearly, our ability to send syslog formatted logs makes sense, as 
 we're not the only players, just a bit more adaptable.
 
 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, 
 Cindy
 Sent: Wednesday, August 06, 2003 3:11 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Anonymous Logon
 
 Does anyone have any experience with MonitorWare? Since I'll need a
 syslog server, I'd like one that will also work with the logs on our
 Cisco devices.
 
 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 05, 2003 23:03
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Anonymous Logon
 
 
 Cindy,
 
 If you're going to have to keep all audit entries, you're going to 
 have a tough time.  I can help decipher these records for you (I do a 
 lot of this!), but in a nutshell you've recorded a successful logoff 
 (the Event
 538) and a successful network logon via the Kerberos authentication 
 package by the user PSDC1 - who looks to be a machine.  In fact, one 
 of your DCs.
 Yes, they do logon and logoff of the domain - typically to connect to 
 services that it needs.  This one (the Event 540) was a logon to the 
 domain, where the previous was not a logoff from the domain proper.
 
 A Logon type 3 tells you that it was via the network, while a type 2 
 is interactive (too bad you can't tell if it was actually at the 
 console).
 Less common types are 4 (batch), 5 (service), 7 (unlocked 
 workstation), 8 (plaintext password) or 9 (impersonated logon).
 
 The Logon process and authentication package notes what type of 
 process was spawned to authenticate the user from the point it 
 connected to the session through authentication.  You might see 
 Kerberos (network), NTLM (network), or User32/Negotiate (Local).  
 Realm associated events to MIT Kerberos realms should record as 
 Kerberos authentication.
 
 Bottom line:  Ignore the SYSTEM (usually a service doing what it 
 needs) and the machine name events logging on.  They are irrelevant 
 and generally service and process related to normal operation of the 
 network.  Do, however, take note of the user logon and logoffs.  The 
 Logon ID field will stay with the user from Logon through the logoff 
 of this session.  You should be able to always associate a 540 Event 
 to a corresponding 538 Event.
 However, be vigilant that a 538 is not always the same.  One might
 indicate a network logoff, one might indicate a net use
 disconnection and another might record an Interactive logoff or an
 auto disconnect.
 
 As to what to do about spurious events that mean nothing when dealing 
 with user activity, I'd suggest a more manageable solution such as a 
 syslog server for Windows events and filter the records that you want 
 going to the syslog server.  This not only collects all of the 
 server's audit events at one place but also allows you to get rid of 
 the events that play no part in true auditing of the server.
 
 Do a Google search on Windows Syslog and you'll find a number of 
 options - one of which should suit.
 
 Hope this helps!
 
 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft

RE: [ActiveDir] Anonymous Logon

2003-08-07 Thread Rick Kingslan
Cindy,

I've evaluated and have recommended MonitorWare to our Security Director for
the needs of our environment which is combined Enterprise with Cisco,
Windows, Unix (all flavors) ACDs, and Tandem systems.

Clearly, our ability to send syslog formatted logs makes sense, as we're not
the only players, just a bit more adaptable.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Wednesday, August 06, 2003 3:11 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon

Does anyone have any experience with MonitorWare? Since I'll need a syslog
server, I'd like one that will also work with the logs on our Cisco devices.

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 23:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon


Cindy,

If you're going to have to keep all audit entries, you're going to have a
tough time.  I can help decipher these records for you (I do a lot of
this!), but in a nutshell you've recorded a successful logoff (the Event
538) and a successful network logon via the Kerberos authentication package
by the user PSDC1 - who looks to be a machine.  In fact, one of your DCs.
Yes, they do logon and logoff of the domain - typically to connect to
services that it needs.  This one (the Event 540) was a logon to the domain,
where the previous was not a logoff from the domain proper.

A Logon type 3 tells you that it was via the network, while a type 2 is
interactive (too bad you can't tell if it was actually at the console).
Less common types are 4 (batch), 5 (service), 7 (unlocked workstation), 8
(plaintext password) or 9 (impersonated logon). 

The Logon process and authentication package notes what type of process was
spawned to authenticate the user from the point it connected to the session
through authentication.  You might see Kerberos (network), NTLM (network),
or User32/Negotiate (Local).  Realm associated events to MIT Kerberos realms
should record as Kerberos authentication.

Bottom line:  Ignore the SYSTEM (usually a service doing what it needs) and
the machine name events logging on.  They are irrelevant and generally
service and process related to normal operation of the network.  Do,
however, take note of the user logon and logoffs.  The Logon ID field will
stay with the user from Logon through the logoff of this session.  You
should be able to always associate a 540 Event to a corresponding 538 Event.
However, be vigilant that a 538 is not always the same.  One might indicate
a network logoff, one might indicate a net use disconnection and another
might record an Interactive logoff or an auto disconnect.

As to what to do about spurious events that mean nothing when dealing with
user activity, I'd suggest a more manageable solution such as a syslog
server for Windows events and filter the records that you want going to the
syslog server.  This not only collects all of the server's audit events at
one place but also allows you to get rid of the events that play no part in
true auditing of the server.

Do a Google search on Windows Syslog and you'll find a number of options -
one of which should suit.

Hope this helps!

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Tuesday, August 05, 2003 3:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon

Rick,
The security logs in question are on my Windows 2000 domain controllers,
PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538 NT
Authority\Anonymous Logon User Logoff:
User Name:  ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID:   (0x0,0xCB82F)
Logon Type: 3

 and Event 540 NT Authority\System Logons Successful Network Logon:
User Name:  PSDC1$
Domain: LC_POLICE
Logon ID:   (0x0,0xCBE63)
Logon Type: 3
Logon Process:  Kerberos
Authentication Package: Kerberos
Workstation Name:   

These don't appear to give me any specific information. 

I need to keep records for 3 years that show when a user logged onto the
network and from which workstation. When I audit Account Logon, I get the
information, but the user is always System, so there is no easy way to
filter for a specific user name. When I use Audit Logon events, I can filter
by user name, but I'm filling 75% of the log with Anonymous and System
logons. I'm generating about 8MB of security log daily between the two DCs,
so I'm not sure what is the most efficient way to configure the audit policy
on my DCs. It seems

RE: [ActiveDir] Anonymous Logon

2003-08-07 Thread James_Day

Return Receipt: Your "RE: [ActiveDir] Anonymous Logon" document was received
by James Day/Contractor/NPS at 08/07/2003 08:21:42 AM EDT.







RE: [ActiveDir] Anonymous Logon

2003-08-06 Thread Rittenhouse, Cindy
Does anyone have any experience with MonitorWare? Since I'll need a syslog
server, I'd like one that will also work with the logs on our Cisco devices.

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 23:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon


Cindy,

If you're going to have to keep all audit entries, you're going to have a
tough time.  I can help decipher these records for you (I do a lot of
this!), but in a nutshell you've recorded a successful logoff (the Event
538) and a successful network logon via the Kerberos authentication package
by the user PSDC1 - who looks to be a machine.  In fact, one of your DCs.
Yes, they do logon and logoff of the domain - typically to connect to
services that it needs.  This one (the Event 540) was a logon to the domain,
where the previous was not a logoff from the domain proper.

A Logon type 3 tells you that it was via the network, while a type 2 is
interactive (too bad you can't tell if it was actually at the console).
Less common types are 4 (batch), 5 (service), 7 (unlocked workstation), 8
(plaintext password) or 9 (impersonated logon). 

The Logon process and authentication package notes what type of process was
spawned to authenticate the user from the point it connected to the session
through authentication.  You might see Kerberos (network), NTLM (network),
or User32/Negotiate (Local).  Realm associated events to MIT Kerberos realms
should record as Kerberos authentication.

Bottom line:  Ignore the SYSTEM (usually a service doing what it needs) and
the machine name events logging on.  They are irrelevant and generally
service and process related to normal operation of the network.  Do,
however, take note of the user logon and logoffs.  The Logon ID field will
stay with the user from Logon through the logoff of this session.  You
should be able to always associate a 540 Event to a corresponding 538 Event.
However, be vigilant that a 538 is not always the same.  One might indicate
a network logoff, one might indicate a net use disconnection and another
might record an Interactive logoff or an auto disconnect.

As to what to do about spurious events that mean nothing when dealing with
user activity, I'd suggest a more manageable solution such as a syslog
server for Windows events and filter the records that you want going to the
syslog server.  This not only collects all of the server's audit events at
one place but also allows you to get rid of the events that play no part in
true auditing of the server.

Do a Google search on Windows Syslog and you'll find a number of options -
one of which should suit.

Hope this helps!

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Tuesday, August 05, 2003 3:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon

Rick,
The security logs in question are on my Windows 2000 domain controllers,
PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538 NT
Authority\Anonymous Logon User Logoff:
User Name:  ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID:   (0x0,0xCB82F)
Logon Type: 3

 and Event 540 NT Authority\System Logons Successful Network Logon:
User Name:  PSDC1$
Domain: LC_POLICE
Logon ID:   (0x0,0xCBE63)
Logon Type: 3
Logon Process:  Kerberos
Authentication Package: Kerberos
Workstation Name:   

These don't appear to give me any specific information. 

I need to keep records for 3 years that show when a user logged onto the
network and from which workstation. When I audit Account Logon, I get the
information, but the user is always System, so there is no easy way to
filter for a specific user name. When I use Audit Logon events, I can filter
by user name, but I'm filling 75% of the log with Anonymous and System
logons. I'm generating about 8MB of security log daily between the two DCs,
so I'm not sure what is the most efficient way to configure the audit policy
on my DCs. It seems that either way, the logs fill with quite a bit of
basically useless information.


-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, August 04, 2003 18:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon


Cindy,

My initial thought on this, understanding the process, is that everyone is
Anonymous when they first hit the server.  A record of this 'anonymous'
access is made, and the process continues where you actually identify
yourself.  

Clearly, this is going to be different if you are running a web server,
where the access might be mostly anonymous, unless set to some manner of
authentication (Windows, Basic, etc.)

Now, for more

[ActiveDir] Anonymous Logon

2003-08-04 Thread Rittenhouse, Cindy
I successfully upgraded my NT domain to AD yesterday. I now find my DC
security log on the PDC emulator filling up twice a day. It is set to 2048
KB, do not overwrite (I have to save them for 3 years). The majority of
events are Anonymous logons. Is it normal to have this quantity of Anonymous
logons? 

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274
