RE: [ActiveDir] Anonymous Logon

2003-08-14 Thread Rick Kingslan
Cindy,

If you're going to have to keep all audit entries, you're going to have a
tough time.  I can help decipher these records for you (I do a lot of
this!), but in a nutshell you've recorded a successful logoff (the Event
538) and a successful network logon via the Kerberos authentication package
by the user PSDC1 - who looks to be a machine.  In fact, one of your DCs.
Yes, they do logon and logoff of the domain - typically to connect to
services that it needs.  This one (the Event 540) was a logon to the domain,
where the previous was not a logoff from the domain proper.

A Logon type 3 tells you that it was via the network, while a type 2 is
interactive (too bad you can't tell if it was actually at the console).
Less common types are 4 (batch), 5 (service), 7 (unlocked workstation), 8
(plaintext password) or 9 (impersonated logon). 

The Logon process and authentication package notes what type of process was
spawned to authenticate the user from the point it connected to the session
through authentication.  You might see Kerberos (network), NTLM (network),
or User32/Negotiate (Local).  Realm associated events to MIT Kerberos realms
should record as Kerberos authentication.

Bottom line:  Ignore the SYSTEM (usually a service doing what it needs) and
the machine name events logging on.  They are irrelevant and generally
service and process related to normal operation of the network.  Do,
however, take note of the user logon and logoffs.  The Logon ID field will
stay with the user from Logon through the logoff of this session.  You
should be able to always associate a 540 Event to a corresponding 538 Event.
However, be vigilant that a 538 is not always the same.  One might indicate
a network logoff, one might indicate a net use disconnection and another
might record an Interactive logoff or an auto disconnect.

As to what to do about spurious events that mean nothing when dealing with
user activity, I'd suggest a more manageable solution such as a syslog
server for Windows events and filter the records that you want going to the
syslog server.  This not only collects all of the server's audit events at
one place but also allows you to get rid of the events that play no part in
true auditing of the server.

Do a Google search on Windows Syslog and you'll find a number of options -
one of which should suit.

Hope this helps!

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

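
The approach Rick describes above (drop the SYSTEM, machine-account and
ANONYMOUS LOGON records, pair each Event 540 with the Event 538 that carries
the same Logon ID, and forward only the user sessions to syslog), as an added
Python example that is not code from the thread or from any of its posters.
The event records, timestamps, the user names jdoe and asmith, the
workstation WS042 and the syslog line format are constructed assumptions; a
real Windows 2000 log would first have to be exported to text in a similar
"Name: value" layout.

```python
# Added example for this thread (not code from any of the posters): reduce
# Windows 2000 security-log 540/538 records to per-user sessions, as Rick's
# post suggests, before forwarding them to syslog.  Timestamps, the users
# jdoe/asmith, workstation WS042 and the syslog format are assumptions.
import re

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials"}

# Constructed sample: "Name: value" fields, one blank line between records.
# The first two mirror the DC and ANONYMOUS LOGON noise quoted in the thread;
# the rest is user activity, including a session still open at the end of
# the log whose Kerberos network logon recorded no workstation name.
SAMPLE_LOG = """\
Time: 2003-08-05 08:01:12
Event ID: 540
User Name: PSDC1$
Domain: LC_POLICE
Logon ID: (0x0,0xCBE63)
Logon Type: 3
Workstation Name:

Time: 2003-08-05 08:01:13
Event ID: 538
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0xCB82F)
Logon Type: 3

Time: 2003-08-05 08:02:00
Event ID: 540
User Name: jdoe
Domain: LC_POLICE
Logon ID: (0x0,0xCC100)
Logon Type: 3
Workstation Name: WS042

Time: 2003-08-05 08:05:30
Event ID: 540
User Name: asmith
Domain: LC_POLICE
Logon ID: (0x0,0xCC2A0)
Logon Type: 3
Workstation Name:

Time: 2003-08-05 08:30:45
Event ID: 538
User Name: jdoe
Domain: LC_POLICE
Logon ID: (0x0,0xCC100)
Logon Type: 3
"""

def parse_events(text):
    """Split the log into records, each a dict of its "Name: value" fields."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        events.append({key.strip(): value.strip() for key, _, value in pairs})
    return events

def is_noise(ev):
    """Machine accounts (trailing '$'), SYSTEM and ANONYMOUS LOGON are routine
    DC background traffic rather than user activity, so they are dropped."""
    user = ev["User Name"].upper()
    return (user.endswith("$") or user in ("SYSTEM", "ANONYMOUS LOGON")
            or ev["Domain"].upper() == "NT AUTHORITY")

def correlate(events):
    """Pair each 540 (logon) with the 538 (logoff) carrying the same Logon ID;
    a session with no 538 yet is reported with logoff == 'open'."""
    open_sessions, sessions = {}, []
    for ev in events:
        if is_noise(ev):
            continue
        if ev["Event ID"] == "540":
            session = {"user": f'{ev["Domain"]}\\{ev["User Name"]}',
                       "logon_id": ev["Logon ID"],
                       "type": LOGON_TYPES.get(int(ev["Logon Type"]), ev["Logon Type"]),
                       # Win2000 Kerberos network logons often leave this blank.
                       "workstation": ev.get("Workstation Name") or "(not recorded)",
                       "logon": ev["Time"], "logoff": "open"}
            open_sessions[ev["Logon ID"]] = session
            sessions.append(session)
        elif ev["Event ID"] == "538" and ev["Logon ID"] in open_sessions:
            # A 538 whose Logon ID was never opened in this log is left unpaired.
            open_sessions.pop(ev["Logon ID"])["logoff"] = ev["Time"]
    return sessions

def to_syslog(session, host="PSDC1"):
    """Syslog-style line: <PRI> with facility auth (4) and severity info (6),
    i.e. 4*8+6 = 38, then timestamp, host, tag and message."""
    return (f"<38>{session['logon']} {host} seclog: user={session['user']} "
            f"logon_id={session['logon_id']} type={session['type']} "
            f"workstation={session['workstation']} logoff={session['logoff']}")

def summarize(text=SAMPLE_LOG):
    """One forwardable line per user session, noise already removed."""
    return [to_syslog(s) for s in correlate(parse_events(text))]

if __name__ == "__main__":
    print("\n".join(summarize()))
```

Run as-is it prints one line per user session.  The asmith session shows the
two caveats a practitioner hits on a DC: a Kerberos network logon may record
no workstation name at all, and a session whose 538 has not arrived within
the log window stays open.  A 538 whose Logon ID was never opened in the log
is left unpaired rather than guessed at.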

Re: [ActiveDir] Anonymous Logon

2003-08-14 Thread jim . katoe
Great post

--
Sent from my BlackBerry Wireless Handheld



- Original Message -
From: ActiveDir-owner
Sent: 08/05/2003 11:03 PM
To: <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Anonymous Logon


Re: [ActiveDir] Anonymous Logon

2003-08-14 Thread rick reynolds
If web services or ftp are running on those, both those services allow anon
to access the main page.

- Original Message - 
From: "Rittenhouse, Cindy" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 05, 2003 1:02 PM
Subject: RE: [ActiveDir] Anonymous Logon


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Anonymous Logon

2003-08-14 Thread Carlos Magalhaes
Then again you know Rick Kingslan has wonderful AD knowledge !!!


Carlos Magalhaes ADSI MVP


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, August 06, 2003 3:02 PM
To: ActiveDir
Subject: Re: [ActiveDir] Anonymous Logon


Great post



RE: [ActiveDir] Anonymous Logon

2003-08-14 Thread Joe
I believe those would show a logon by the IUSR (or other specified
account) account because it isn't truly anonymous, you are simply
proxied into the IUSR or some other specified anonymous access account.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of rick reynolds
Sent: Wednesday, August 06, 2003 10:10 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Anonymous Logon


If web services or ftp are running on those, both those services allow
anon to access the main page,



RE: [ActiveDir] Anonymous Logon

2003-08-14 Thread Rittenhouse, Cindy
Rick,
The security logs in question are on my Windows 2000 domain controllers,
PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538 NT
Authority\Anonymous Logon
User Logoff:
    User Name:  ANONYMOUS LOGON
    Domain:     NT AUTHORITY
    Logon ID:   (0x0,0xCB82F)
    Logon Type: 3

 and Event 540 NT Authority\System Logons
Successful Network Logon:
    User Name:  PSDC1$
    Domain:     LC_POLICE
    Logon ID:   (0x0,0xCBE63)
    Logon Type: 3
    Logon Process:  Kerberos
    Authentication Package: Kerberos
    Workstation Name:

These don't appear to give me any specific information. 

I need to keep records for 3 years that show when a user logged onto the
network and from which workstation. When I audit Account Logon, I get the
information, but the user is always System, so there is no easy way to
filter for a specific user name. When I use Audit Logon events, I can filter
by user name, but I'm filling 75% of the log with Anonymous and System
logons. I'm generating about 8MB of security log daily between the two DCs,
so I'm not sure what is the most efficient way to configure the audit policy
on my DCs. It seems that either way, the logs fill with quite a bit of
basically useless information.


-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, August 04, 2003 18:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon


Cindy,

My initial thought on this, understanding the process, is that everyone is
Anonymous when they first hit the server.  A record of this 'anonymous'
access is made, and the process continues where you actually identify
yourself.  

Clearly, this is going to be different if you are running a web server,
where the access might be mostly anonymous, unless set to some manner of
authentication (Windows, Basic, etc.)

Now, for more detail, if you want to post some of the records that you're
seeing (you should be able to follow the authentication trail via the ID's
in the audit records) I can help you identify what is going on and what the
anonymous access is all about.  It would help to know what type of server
this is, as well.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Monday, August 04, 2003 1:35 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Anonymous Logon

I successfully upgraded my NT domain to AD yesterday. I now find my DC
security log on the PDC emulator filling  up twice a day. It is set to 2048
KB, do not overwrite (I have to save them for 3 years). The majority of
events are Anonymous logons. Is it normal to have this quantity of Anonymous
logons? 

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




Re: [ActiveDir] Anonymous Logon

2003-08-14 Thread Glenn Corbett
Can vouch for the Kiwi server. Works great, and even better its free.

G.

- Original Message -
From: "Free, Bob" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 07, 2003 6:49 AM
Subject: RE: [ActiveDir] Anonymous Logon


>Since I'll need a syslog server, I'd like one that will also work with the
logs on our Cisco
>devices?

Sorry on monitorware, but KIWI is a very popular free Win32 implementation
with folks in mixed MS/Cisco environments who just want to syslog, say
Windows, Cisco routers and PIX's.

http://www.kiwisyslog.com/

There are some great papers at SANS to get you going-

http://www.sans.org/rr/catindex.php?cat_id=33

Case Study: Using Syslog in a Microsoft & Cisco Environment
Dan Rathbun,
June 27, 2003

A Security Analysis of System Event Logging with Syslog
Kenneth Nawyn,
June 27, 2003

Centralizing Event Logs on Windows 2000
Gregory Lalla, GSEC
April 4, 2003

Effective Logging & Use of the Kiwi Syslog Utility
Brian R. Wilkins CNE/ MCSE/ CCNP/ CISSP,
June 7, 2002

Importance of Understanding Logs from an Information Security Standpoint
Stewart Allen,
October 5, 2001

Cisco Pix: Logging and Beyond
Ben Carlsrud,
September 26, 2001


-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 1:11 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon


Does anyone have any experience with MonitorWare. Since I'll need a syslog
server, I'd like one that will also work with the logs on our Cisco devices?


RE: [ActiveDir] Anonymous Logon

2003-08-14 Thread Rick Kingslan
Bob,

Thanks for bringing these up.  I've read through these (which drove much of
our efforts for our syslog server) and am quite pleased with where we are
and how we're eventually going to get there.

Now, all I need is a crap-load of space and a Security Analyst with time to
comb the 'interesting' bits out of the logs. :-/

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  


RE: [ActiveDir] Anonymous Logon

2003-08-14 Thread Roger Seielstad
How are you sending the Windows event logs to a syslog server? Is that Kiwi
as well?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, August 06, 2003 7:19 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Anonymous Logon
> 
> 
> Cindy,
> 
> I've evaluated and have recommended MonitorWare to our 
> Security Director for
> the needs of our environment which is combined Enterprise with Cisco,
> Windows, Unix (all flavors) ACDs, and Tandem systems.
> 
> Clearly, our ability to send syslog formatted logs makes 
> sense, as we're not
> the only players, just a bit more adaptable.
> 
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Rittenhouse, Cindy
> Sent: Wednesday, August 06, 2003 3:11 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Anonymous Logon
> 
> Does anyone have any experience with MonitorWare. Since I'll 
> need a syslog
> server, I'd like one that will also work with the logs on our 
> Cisco devices?

RE: [ActiveDir] Anonymous Logon

2003-08-14 Thread Free, Bob
>Since I'll need a syslog server, I'd like one that will also work with the logs on 
>our Cisco
>devices?

Sorry on monitorware, but KIWI is a very popular free Win32 implementation with folks 
in mixed MS/Cisco environments who just want to syslog, say Windows, Cisco routers and 
PIX's.

http://www.kiwisyslog.com/

There are some great papers at SANS to get you going:

http://www.sans.org/rr/catindex.php?cat_id=33

Case Study: Using Syslog in a Microsoft & Cisco Environment
Dan Rathbun, 
June 27, 2003 

A Security Analysis of System Event Logging with Syslog
Kenneth Nawyn, 
June 27, 2003 

Centralizing Event Logs on Windows 2000
Gregory Lalla, GSEC
April 4, 2003 

Effective Logging & Use of the Kiwi Syslog Utility
Brian R. Wilkins, CNE/MCSE/CCNP/CISSP,
June 7, 2002 

Importance of Understanding Logs from an Information Security Standpoint
Stewart Allen, 
October 5, 2001 

Cisco Pix: Logging and Beyond
Ben Carlsrud, 
September 26, 2001 



RE: [ActiveDir] Anonymous Logon

2003-08-14 Thread Rick Kingslan
Nope - MonitorWare.  Tested it and it worked well in the homogeneous
environment.  Fairly configurable and it will allow me to use eventcomb
first to determine what logs I want to send.  This way I can get rid of the
Service and SYSTEM related events and the extraneous 'crap' (technical term,
you know) that has absolutely nothing to do with anything of value.

http://www.eventreporter.com/en/

Regards,

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 


RE: [ActiveDir] Anonymous Logon

2003-08-14 Thread Free, Bob
We were playing with KIWI and an add-in called backlogNT that a lot of
others were using and recommending. Looks like it's morphed into SNARE.

http://www.intersectalliance.com/projects/SnareWindows/index.html


RE: [ActiveDir] Anonymous Logon

2003-08-14 Thread Rick Kingslan
:o)

My security logs are 180MB.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  


RE: [ActiveDir] Anonymous Logon

2003-08-11 Thread James_Day

Return Receipt

Your document "RE: [ActiveDir] Anonymous Logon" was received by James Day/Contractor/NPS at 08/06/2003 04:23:41 PM EDT.

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Anonymous Logon

2003-08-10 Thread Rittenhouse, Cindy
I would not have been surprised to see this on a web server, but the domain
controllers being audited do not have either www or ftp services running. I
was not prepared for the voluminous amount of system and anonymous entries
in the log. I've increased the log size to 5MB on each DC and have them
scheduled to backup to a remote server every day at 23:55. I'm looking into
purchasing a syslog server; it seems the only viable way to manage this
mess.

-Original Message-
From: rick reynolds [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 10:10
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Anonymous Logon


If web services or ftp are running on those, both those services allow anon
to access the main page.

- Original Message - 
From: "Rittenhouse, Cindy" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 05, 2003 1:02 PM
Subject: RE: [ActiveDir] Anonymous Logon


> Rick,
> The security logs in question are on my Windows 2000 domain controllers,
> PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538
> NT Authority\Anonymous Logon
> User Logoff:
>   User Name: ANONYMOUS LOGON
>   Domain: NT AUTHORITY
>   Logon ID: (0x0,0xCB82F)
>   Logon Type: 3
>
>  and Event 540 NT Authority\System Logons
> Successful Network Logon:
>   User Name: PSDC1$
>   Domain: LC_POLICE
>   Logon ID: (0x0,0xCBE63)
>   Logon Type: 3
>   Logon Process: Kerberos
>   Authentication Package: Kerberos
>   Workstation Name:
>
> These don't appear to give me any specific information.
>
> I need to keep records for 3 years that show when a user logged onto the
> network and from which workstation. When I audit Account Logon, I get the
> information, but the user is always System, so there is no easy way to
> filter for a specific user name. When I use Audit Logon events, I can
> filter by user name, but I'm filling 75% of the log with Anonymous and
> System logons. I'm generating about 8MB of security log daily between the
> two DCs, so I'm not sure what is the most efficient way to configure the
> audit policy on my DCs. It seems that either way, the logs fill with quite
> a bit of basically useless information.
>
>
> -Original Message-
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 04, 2003 18:26
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Anonymous Logon
>
>
> Cindy,
>
> My initial thought on this, understanding the process, is that everyone is
> Anonymous when they first hit the server.  A record of this 'anonymous'
> access is made, and the process continues where you actually identify
> yourself.
>
> Clearly, this is going to be different if you are running a web server,
> where the access might be mostly anonymous, unless set to some manner of
> authentication (Windows, Basic, etc.)
>
> Now, for more detail, if you want to post some of the records that you're
> seeing (you should be able to follow the authentication trail via the ID's
> in the audit records) I can help you identify what is going on and what
> the anonymous access is all about.  It would help to know what type of
> server this is, as well.
>
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
> Sent: Monday, August 04, 2003 1:35 PM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] Anonymous Logon
>
> I successfully upgraded my NT domain to AD yesterday. I now find my DC
> security log on the PDC emulator filling up twice a day. It is set to
> 2048 KB, do not overwrite (I have to save them for 3 years). The majority
> of events are Anonymous logons. Is it normal to have this quantity of
> Anonymous logons?
>
> Cynthia Rittenhouse  MCSE,CCNA
> LAN Administrator
> County of Lancaster
> Lancaster, PA 17602
> Phone: (717)293-7274
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Anonymous Logon

2003-08-08 Thread Rittenhouse, Cindy
Thanks to all for the references and responses. I think I'm on the right
path, I've ordered the MonitorWare.

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 00:22
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon


Nope - MonitorWare.  Tested it and it worked well in the homogeneous
environment.  Fairly configurable and it will allow me to use eventcomb
first to determine what logs I want to send.  This way I can get rid of the
Service and SYSTEM related events and the extraneous 'crap' (technical term,
you know) that has absolutely nothing to do with anything of value.

http://www.eventreporter.com/en/

Regards,

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, August 07, 2003 8:14 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon

How are you sending the Windows event logs to a syslog server? Is that Kiwi
as well?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 06, 2003 7:19 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Anonymous Logon
> 
> 
> Cindy,
> 
> I've evaluated and have recommended MonitorWare to our Security 
> Director for the needs of our environment which is combined Enterprise 
> with Cisco, Windows, Unix (all flavors) ACDs, and Tandem systems.
> 
> Clearly, our ability to send syslog formatted logs makes sense, as 
> we're not the only players, just a bit more adaptable.
> 
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, 
> Cindy
> Sent: Wednesday, August 06, 2003 3:11 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Anonymous Logon
> 
> Does anyone have any experience with MonitorWare? Since I'll need a 
> syslog server, I'd like one that will also work with the logs on our 
> Cisco devices.
> 
> -Original Message-
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 05, 2003 23:03
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Anonymous Logon
> 
> 
> Cindy,
> 
> If you're going to have to keep all audit entries, you're going to 
> have a tough time.  I can help decipher these records for you (I do a 
> lot of this!), but in a nutshell you've recorded a successful logoff 
> (the Event
> 538) and a successful network logon via the Kerberos authentication 
> package by the user PSDC1 - who looks to be a machine.  In fact, one 
> of your DCs.
> Yes, they do logon and logoff of the domain - typically to connect to 
> services that it needs.  This one (the Event 540) was a logon to the 
> domain, where the previous was not a logoff from the domain proper.
> 
> A Logon type 3 tells you that it was via the network, while a type 2 
> is interactive (too bad you can't tell if it was actually at the 
> console).
> Less common types are 4 (batch), 5 (service), 7 (unlocked 
> workstation), 8 (plaintext password) or 9 (impersonated logon).
> 
> The Logon process and authentication package notes what type of 
> process was spawned to authenticate the user from the point it 
> connected to the session through authentication.  You might see 
> Kerberos (network), NTLM (network), or User32/Negotiate (Local).  
> Realm associated events to MIT Kerberos realms should record as 
> Kerberos authentication.
> 
> Bottom line:  Ignore the SYSTEM (usually a service doing what it 
> needs) and the machine name events logging on.  They are irrelevant 
> and generally service and process related to normal operation of the 
> network.  Do, however, take note of the user logon and logoffs.  The 
> Logon ID field will stay with the user from Logon through the logoff 
> of this session.  You should be able to always associate a 540 Event 
> to a corresponding 538 Event.
> However, be vigilant that a 538 is not always the same.  One might 
> indicate a network logoff, one might indicate a net use 
> disconnection and another might record an Interactive logoff or an 
> auto disconnect.
> 
> As to what to do about spurious events that mean nothing when dealing 
> with user activity, I'd suggest a more manageable solution such as a 
> syslog server for Windows e

RE: [ActiveDir] Anonymous Logon

2003-08-07 Thread James_Day

Return Receipt: your "RE: [ActiveDir] Anonymous Logon" document was received by James Day/Contractor/NPS at 08/07/2003 08:21:42 AM EDT.







RE: [ActiveDir] Anonymous Logon

2003-08-07 Thread Rick Kingslan
Cindy,

I've evaluated and have recommended MonitorWare to our Security Director for
the needs of our environment which is combined Enterprise with Cisco,
Windows, Unix (all flavors) ACDs, and Tandem systems.

Clearly, our ability to send syslog formatted logs makes sense, as we're not
the only players, just a bit more adaptable.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Wednesday, August 06, 2003 3:11 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon

Does anyone have any experience with MonitorWare? Since I'll need a syslog
server, I'd like one that will also work with the logs on our Cisco devices.

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 23:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon


Cindy,

If you're going to have to keep all audit entries, you're going to have a
tough time.  I can help decipher these records for you (I do a lot of
this!), but in a nutshell you've recorded a successful logoff (the Event
538) and a successful network logon via the Kerberos authentication package
by the user PSDC1 - who looks to be a machine.  In fact, one of your DCs.
Yes, they do logon and logoff of the domain - typically to connect to
services that it needs.  This one (the Event 540) was a logon to the domain,
where the previous was not a logoff from the domain proper.

A Logon type 3 tells you that it was via the network, while a type 2 is
interactive (too bad you can't tell if it was actually at the console).
Less common types are 4 (batch), 5 (service), 7 (unlocked workstation), 8
(plaintext password) or 9 (impersonated logon). 

The Logon process and authentication package notes what type of process was
spawned to authenticate the user from the point it connected to the session
through authentication.  You might see Kerberos (network), NTLM (network),
or User32/Negotiate (Local).  Realm associated events to MIT Kerberos realms
should record as Kerberos authentication.

Bottom line:  Ignore the SYSTEM (usually a service doing what it needs) and
the machine name events logging on.  They are irrelevant and generally
service and process related to normal operation of the network.  Do,
however, take note of the user logon and logoffs.  The Logon ID field will
stay with the user from Logon through the logoff of this session.  You
should be able to always associate a 540 Event to a corresponding 538 Event.
However, be vigilant that a 538 is not always the same.  One might indicate
a network logoff, one might indicate a net use disconnection and another
might record an Interactive logoff or an auto disconnect.

As to what to do about spurious events that mean nothing when dealing with
user activity, I'd suggest a more manageable solution such as a syslog
server for Windows events and filter the records that you want going to the
syslog server.  This not only collects all of the server's audit events at
one place but also allows you to get rid of the events that play no part in
true auditing of the server.

Do a Google search on Windows Syslog and you'll find a number of options -
one of which should suit.

Hope this helps!

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Tuesday, August 05, 2003 3:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon

Rick,
The security logs in question are on my Windows 2000 domain controllers,
PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538 NT
Authority\Anonymous Logon
User Logoff:
User Name:  ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID:   (0x0,0xCB82F)
Logon Type: 3

 and Event 540 NT Authority\System Logons Successful Network Logon:
User Name:  PSDC1$
Domain: LC_POLICE
Logon ID:   (0x0,0xCBE63)
Logon Type: 3
Logon Process:  Kerberos
Authentication Package: Kerberos
Workstation Name:   

These don't appear to give me any specific information. 

I need to keep records for 3 years that show when a user logged onto the
network and from which workstation. When I audit Account Logon, I get the
information, but the user is always System, so there is no easy way to
filter for a specific user name. When I use Audit Logon events, I can filter
by user name, but I'm filling 75% of the log with Anonymous and System
logons. I'm generating about 8MB of security log daily between the two DCs,
so I'm
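
Worked example (added here; this is not code from the thread or from any of the tools named in it): a small Python script that reads a text export laid out like the records Cindy pasted, drops the SYSTEM, machine-account (name ending in $) and ANONYMOUS LOGON entries Rick says to ignore, and pairs each Event 540 with the Event 538 carrying the same Logon ID, so that the output is one row per user session with logon type, workstation and logon/logoff times. The sample records, their timestamps, the user names jsmith/bjones and the workstation name are constructed for the example; only the field layout and the two Logon IDs from Cindy's message come from the thread. The header line format ("Event NNN date time") is an assumption of the example, not a DumpEL or Event Viewer export format.

```python
"""Correlate Windows 2000 security events 540 (successful network logon) and
538 (user logoff) by Logon ID, dropping the SYSTEM / machine-account /
ANONYMOUS LOGON noise discussed in the thread.  Added example; record layout
is modeled on the text pasted in the thread, sample data is constructed."""
import re

# Logon type codes as listed in the thread (2 and 3 are the common ones).
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
}

# Constructed sample export: an "Event NNN <date> <time>" header line followed
# by "Field: value" lines, with a blank line between records.
SAMPLE_LOG = """\
Event 540 2003-08-05 08:01:12
User Name:  PSDC1$
Domain: LC_POLICE
Logon ID:   (0x0,0xCBE63)
Logon Type: 3
Logon Process:  Kerberos
Authentication Package: Kerberos
Workstation Name:

Event 540 2003-08-05 08:02:30
User Name:  jsmith
Domain: LC_POLICE
Logon ID:   (0x0,0xCC101)
Logon Type: 3
Logon Process:  Kerberos
Authentication Package: Kerberos
Workstation Name:   WS-ACCT-07

Event 538 2003-08-05 08:02:31
User Name:  ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID:   (0x0,0xCB82F)
Logon Type: 3

Event 538 2003-08-05 08:05:00
User Name:  jsmith
Domain: LC_POLICE
Logon ID:   (0x0,0xCC101)
Logon Type: 3

Event 538 2003-08-05 08:06:00
User Name:  bjones
Domain: LC_POLICE
Logon ID:   (0x0,0xC0001)
Logon Type: 3
"""

HEADER = re.compile(r"^Event (\d+) (\S+ \S+)$")


def parse_records(text):
    """Split the export into dicts: {'event': 540, 'when': ..., 'User Name': ...}."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"event": int(m.group(1)), "when": m.group(2)}
            records.append(current)
        elif ":" in line and current is not None:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return records


def is_noise(rec):
    """Per the thread's advice: machine accounts (name ends in $), SYSTEM and
    the pre-authentication ANONYMOUS LOGON records carry no user activity."""
    user = rec.get("User Name", "")
    return user.endswith("$") or user.upper() in ("SYSTEM", "ANONYMOUS LOGON")


def correlate_sessions(records):
    """Pair each 540 with the 538 that carries the same Logon ID.
    Returns (sessions, orphans): sessions are completed logon/logoff pairs;
    orphans are 538s whose 540 is not in this export (Rick's warning that a
    538 is not always closing a logon you have on record) plus 540s never
    closed within the export."""
    open_logons = {}
    sessions, orphans = [], []
    for rec in records:
        if is_noise(rec):
            continue
        lid = rec.get("Logon ID")
        if rec["event"] == 540:
            open_logons[lid] = rec
        elif rec["event"] == 538:
            start = open_logons.pop(lid, None)
            if start is None:
                orphans.append(rec)
                continue
            sessions.append({
                "user": f'{start["Domain"]}\\{start["User Name"]}',
                "workstation": start.get("Workstation Name") or "<not recorded>",
                "logon_type": LOGON_TYPES.get(int(start["Logon Type"]), "Unknown"),
                "logon_id": lid,
                "logon": start["when"],
                "logoff": rec["when"],
            })
    orphans.extend(open_logons.values())
    return sessions, orphans


if __name__ == "__main__":
    sessions, orphans = correlate_sessions(parse_records(SAMPLE_LOG))
    for s in sessions:
        print(f'{s["user"]} from {s["workstation"]} ({s["logon_type"]}) '
              f'{s["logon"]} -> {s["logoff"]} [{s["logon_id"]}]')
    for o in orphans:
        print(f'unmatched {o["event"]} for {o.get("User Name")} {o.get("Logon ID")}')
```

On the 540 Cindy actually pasted, the Workstation Name field is empty, which this script reports as "<not recorded>"; that is exactly the gap she describes, since a Kerberos network logon recorded by the DC does not by itself tell you which workstation the user sat at. The unmatched 538 for bjones shows the other case Rick raises: a logoff whose logon is not in the log you are looking at.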

Re: [ActiveDir] Anonymous Logon

2003-08-06 Thread Glenn Corbett
Cindy,

If you are going to retain logs for this period of time (lucky you, we have
to retain them for 7 years!), then I would suggest upping your log size (in
EventVwr) to something more practical like 200mb. 2mb isn't going to keep
you going for 3 years (let alone a couple of weeks).

Since you are setting to not overwrite, look into ways to archive off event
logs when they reach their maximum size to ensure you don't lose event log
entries.

What we have done is set them to 200mb (we generate about 100mb of logs per
day per DC - 15 of them), and twice a day export a text readable version of
the log for analysis (using things like DumpEL).  We also have another
script that compares the current size of the event log to its maximum
setting size, and if it reaches > 85% of this limit, archive a binary format
of the log to local disk which we then archive off to SAN / DVD-R.  The
auditors won't accept a version of the logs that can be edited (i.e. the
text readable version), so we need to retain both the text and binary
versions of the logs.  We use the text readable versions for reporting, but
for the actual presenting of formal charges / disciplinary proceedings we
need the binary logs.

How much you need to do would be dependent on your local auditing / policy /
statutory requirements.  I suggest you look into it to make sure you don't
get caught out somewhere down the track. We routinely get asked to supply
activity information for users over long periods (like 12-18 months);
without event archiving like I described above, it's almost impossible.

Don't underestimate how much disk space archived logs can consume as well.
We generate about 6-10gb of logs PER DAY (15 DCs, about 120 servers), and
if we are auditing user activity (file access etc) on our main data servers,
that can top 30gb PER DAY. You may need to look into long-term archiving
strategies (SAN, Tape, Disk, WORM, DVD-R, CD-R) to hang onto this much
information.

*rant off*

Glenn
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Monday, August 04, 2003 1:35 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Anonymous Logon

I successfully upgraded my NT domain to AD yesterday. I now find my DC
security log on the PDC emulator filling  up twice a day. It is set to 2048
KB, do not overwrite (I have to save them for 3 years). The majority of
events are Anonymous logons. Is it normal to have this quantity of Anonymous
logons?

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274


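
To put numbers on Glenn's sizing advice, an added example (mine, not a script from the thread or from any product named in it): for a log set to "do not overwrite" it computes how long the log lasts at a given write rate, whether the 85% archive trigger has fired, the longest gap between archive checks that still guarantees the trigger is seen before the log is full, and the raw archive volume over the retention period. The rates and sizes are the ones quoted in the thread (Cindy's 2048 KB log at about 8 MB/day across two DCs, Glenn's 200 MB logs at about 100 MB/day per DC); the function names, the "safe" verdict and the assumption of a steady write rate are the example's own.

```python
"""Capacity check for a Windows security log set to 'do not overwrite'.
Added example built on the figures quoted in this thread; function names,
the steady-rate assumption and the report layout are the example's own."""

KB = 1024
MB = 1024 * KB


def hours_until_full(max_bytes, daily_growth_bytes, current_bytes=0):
    """Hours until a do-not-overwrite log reaches its limit at a steady
    write rate.  Once it is full, new events are no longer recorded."""
    if daily_growth_bytes <= 0:
        return float("inf")
    return (max_bytes - current_bytes) / daily_growth_bytes * 24.0


def should_archive(current_bytes, max_bytes, threshold=0.85):
    """Glenn's rule: archive the binary log once it passes 85% of its limit."""
    return current_bytes >= threshold * max_bytes


def max_check_interval_hours(max_bytes, daily_growth_bytes, threshold=0.85):
    """Longest polling interval that still guarantees should_archive() is
    observed True before the log fills: the headroom above the threshold
    must cover one whole interval of growth."""
    headroom = (1.0 - threshold) * max_bytes
    return hours_until_full(headroom, daily_growth_bytes)


def retention_bytes(daily_growth_bytes, years):
    """Raw archive volume for the retention period (no compression assumed)."""
    return daily_growth_bytes * 365 * years


def plan(label, max_bytes, daily_growth_bytes, check_interval_hours, years,
         threshold=0.85):
    """Summarise one DC's log configuration as a dict."""
    limit = max_check_interval_hours(max_bytes, daily_growth_bytes, threshold)
    return {
        "label": label,
        "hours_until_full": hours_until_full(max_bytes, daily_growth_bytes),
        "max_check_interval_hours": limit,
        "check_interval_hours": check_interval_hours,
        "safe": check_interval_hours <= limit,
        "retention_gb": retention_bytes(daily_growth_bytes, years) / (1024 * MB),
    }


if __name__ == "__main__":
    scenarios = [
        # Cindy: 2048 KB log, ~8 MB/day across two DCs (~4 MB/day each),
        # 3-year retention, archive job assumed to run twice a day.
        plan("Cindy, 2048 KB", 2048 * KB, 4 * MB, 12, 3),
        # Glenn: 200 MB log, ~100 MB/day per DC, 7-year retention, twice a day.
        plan("Glenn, 200 MB", 200 * MB, 100 * MB, 12, 7),
    ]
    for p in scenarios:
        print(f'{p["label"]}: full in {p["hours_until_full"]:.1f} h, '
              f'check at least every {p["max_check_interval_hours"]:.1f} h '
              f'(planned {p["check_interval_hours"]} h, '
              f'{"ok" if p["safe"] else "NOT ok"}), '
              f'{p["retention_gb"]:.1f} GB per DC over retention')
```

Cindy's configuration comes out at 12 hours until full, which is the "filling up twice a day" she reports. The second result is the caveat worth taking from the numbers: with 200 MB and 100 MB/day the 15% headroom above the 85% mark is only about 7 hours of growth, so an archive job that runs twice a day can find the log already full; the check has to run more often than that, or the threshold has to be lower, for the do-not-overwrite setting not to cost you events.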


RE: [ActiveDir] Anonymous Logon

2003-08-06 Thread Rittenhouse, Cindy
Does anyone have any experience with MonitorWare? Since I'll need a syslog
server, I'd like one that will also work with the logs on our Cisco devices.

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 23:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon


Cindy,

If you're going to have to keep all audit entries, you're going to have a
tough time.  I can help decipher these records for you (I do a lot of
this!), but in a nutshell you've recorded a successful logoff (the Event
538) and a successful network logon via the Kerberos authentication package
by the user PSDC1 - who looks to be a machine.  In fact, one of your DCs.
Yes, they do logon and logoff of the domain - typically to connect to
services that it needs.  This one (the Event 540) was a logon to the domain,
where the previous was not a logoff from the domain proper.

A Logon type 3 tells you that it was via the network, while a type 2 is
interactive (too bad you can't tell if it was actually at the console).
Less common types are 4 (batch), 5 (service), 7 (unlocked workstation), 8
(plaintext password) or 9 (impersonated logon). 

The Logon process and authentication package notes what type of process was
spawned to authenticate the user from the point it connected to the session
through authentication.  You might see Kerberos (network), NTLM (network),
or User32/Negotiate (Local).  Realm associated events to MIT Kerberos realms
should record as Kerberos authentication.

Bottom line:  Ignore the SYSTEM (usually a service doing what it needs) and
the machine name events logging on.  They are irrelevant and generally
service and process related to normal operation of the network.  Do,
however, take note of the user logon and logoffs.  The Logon ID field will
stay with the user from Logon through the logoff of this session.  You
should be able to always associate a 540 Event to a corresponding 538 Event.
However, be vigilant that a 538 is not always the same.  One might indicate
a network logoff, one might indicate a net use disconnection and another
might record an Interactive logoff or an auto disconnect.

As to what to do about spurious events that mean nothing when dealing with
user activity, I'd suggest a more manageable solution such as a syslog
server for Windows events and filter the records that you want going to the
syslog server.  This not only collects all of the server's audit events at
one place but also allows you to get rid of the events that play no part in
true auditing of the server.

Do a Google search on Windows Syslog and you'll find a number of options -
one of which should suit.

Hope this helps!

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Tuesday, August 05, 2003 3:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon

Rick,
The security logs in question are on my Windows 2000 domain controllers,
PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538 NT
Authority\Anonymous Logon
User Logoff:
User Name:  ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID:   (0x0,0xCB82F)
Logon Type: 3

 and Event 540 NT Authority\System Logons Successful Network Logon:
User Name:  PSDC1$
Domain: LC_POLICE
Logon ID:   (0x0,0xCBE63)
Logon Type: 3
Logon Process:  Kerberos
Authentication Package: Kerberos
Workstation Name:   

These don't appear to give me any specific information. 

I need to keep records for 3 years that show when a user logged onto the
network and from which workstation. When I audit Account Logon, I get the
information, but the user is always System, so there is no easy way to
filter for a specific user name. When I use Audit Logon events, I can filter
by user name, but I'm filling 75% of the log with Anonymous and System
logons. I'm generating about 8MB of security log daily between the two DCs,
so I'm not sure what is the most efficient way to configure the audit policy
on my DCs. It seems that either way, the logs fill with quite a bit of
basically useless information.


-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, August 04, 2003 18:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon


Cindy,

My initial thought on this, understanding the process, is that everyone is
Anonymous when they first hit the server.  A record of this 'anonymous'
access is made, and the process continues where you actually identify
yourself.  

Clearly, this is going to be different if you are running a web server,
where the access might be mostly anonymo

RE: [ActiveDir] Anonymous Logon

2003-08-05 Thread Free, Bob
>the logs fill with quite a bit of basically useless information.

Welcome to the wonderful world of auditing in Windows, all or nothing :-]

If you don't have to have the exact eventlog intact in its entirety but just good 
records, a 3rd party tool like ELM[1] will do wonders to filter just the stuff you 
need to preserve.

You could do it on the cheap with some scripting & RK tools or one of the several 
free syslog servers that are available.

[1] Lots of options ELM is just easy to type :^)

-Original Message-
From: Rittenhouse, Cindy [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 1:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Anonymous Logon


Rick,
The security logs in question are on my Windows 2000 domain controllers,
PSDC1 and PSDC2. When I Audit Logon Events, the log fills with Event 538 NT
Authority\Anonymous Logon
User Logoff:
User Name:  ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID:   (0x0,0xCB82F)
Logon Type: 3

 and Event 540 NT Authority\System Logons
Successful Network Logon:
User Name:  PSDC1$
Domain: LC_POLICE
Logon ID:   (0x0,0xCBE63)
Logon Type: 3
Logon Process:  Kerberos
Authentication Package: Kerberos
Workstation Name:   

These don't appear to give me any specific information. 

I need to keep records for 3 years that show when a user logged onto the
network and from which workstation. When I audit Account Logon, I get the
information, but the user is always System, so there is no easy way to
filter for a specific user name. When I use Audit Logon events, I can filter
by user name, but I'm filling 75% of the log with Anonymous and System
logons. I'm generating about 8MB of security log daily between the two DCs,
so I'm not sure what is the most efficient way to configure the audit policy
on my DCs. It seems that either way, the logs fill with quite a bit of
basically useless information.


-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, August 04, 2003 18:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous Logon


Cindy,

My initial thought on this, understanding the process, is that everyone is
Anonymous when they first hit the server.  A record of this 'anonymous'
access is made, and the process continues where you actually identify
yourself.  

Clearly, this is going to be different if you are running a web server,
where the access might be mostly anonymous, unless set to some manner of
authentication (Windows, Basic, etc.)

Now, for more detail, if you want to post some of the records that you're
seeing (you should be able to follow the authentication trail via the ID's
in the audit records) I can help you identify what is going on and what the
anonymous access is all about.  It would help to know what type of server
this is, as well.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Monday, August 04, 2003 1:35 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Anonymous Logon

I successfully upgraded my NT domain to AD yesterday. I now find my DC
security log on the PDC emulator filling  up twice a day. It is set to 2048
KB, do not overwrite (I have to save them for 3 years). The majority of
events are Anonymous logons. Is it normal to have this quantity of Anonymous
logons? 

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274



RE: [ActiveDir] Anonymous Logon

2003-08-04 Thread Rick Kingslan
Cindy,

My initial thought on this, understanding the process, is that everyone is
Anonymous when they first hit the server.  A record of this 'anonymous'
access is made, and the process continues where you actually identify
yourself.  

Clearly, this is going to be different if you are running a web server,
where the access might be mostly anonymous, unless set to some manner of
authentication (Windows, Basic, etc.)

Now, for more detail, if you want to post some of the records that you're
seeing (you should be able to follow the authentication trail via the ID's
in the audit records) I can help you identify what is going on and what the
anonymous access is all about.  It would help to know what type of server
this is, as well.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rittenhouse, Cindy
Sent: Monday, August 04, 2003 1:35 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Anonymous Logon

I successfully upgraded my NT domain to AD yesterday. I now find my DC
security log on the PDC emulator filling  up twice a day. It is set to 2048
KB, do not overwrite (I have to save them for 3 years). The majority of
events are Anonymous logons. Is it normal to have this quantity of Anonymous
logons? 

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274
