Repeated Anonymous Logons in the Security Event Log??

TheMSsForum.com: The Microsoft Software Forum

Running Windows XP Home on a 2 computer home network through a Linksys
router with NAT and most incoming ports blocked. Anyone have an idea as
to why the sec log would have dozens of Anonymous logons throughout the
day?

Any suggestions would be greatly appreciated.

Thank you in advance.
Top

Repeated Anonymous Logons in the Security Event Log?? by Bill

Bill
Mon Apr 19 17:29:09 CDT 2004


>-----Original Message-----
>Running Windows XP Home on a 2 computer home network
through a Linksys
>router with NAT and most incoming ports blocked. Anyone
have an idea as
>to why the sec log would have dozens of Anonymous logons
throughout the
>day?
>
>Any suggestions would be greatly appreciated.
>
>Thank you in advance.
>
>.
>
First thing I would do is check your security policy and
make sure you have disabled anomous sessions/logins. Just
because you have most ports closed does not mean the
anomous sessions cannot be created. Often times the ports
that are hardest to close are the most exploited such as
the infamous port range of 135-139. There are others as
well, but first I would recommend that you make sure you
have anomous logins disabled.

-Bill
Top

Re: Repeated Anonymous Logons in the Security Event Log?? by Steven

Steven
Mon Apr 19 18:09:41 CDT 2004

Why do you have only most incoming ports blocked?? What do you have open? Go to
http://scan.sygatetech.com/ to do a self scan and see if it reports netbios ports
such as 135 - 139 and 445 open to the world. It is also normal to see some of these
events if you are sharing resources on your network. Windows networking does use null
sessions for among other things maintaining the browse list. I would be more
concerned it you are seeing logons to your computer at times when you are not
accessing it. XP Home is particularly vulnerable to attempts from the internet since
it does not have the security features for sharing like XP pro does. --- Steve


"Lem Lo" <asdf@asdf.com> wrote in message news:408449A2.8050604@asdf.com...
> Running Windows XP Home on a 2 computer home network through a Linksys
> router with NAT and most incoming ports blocked. Anyone have an idea as
> to why the sec log would have dozens of Anonymous logons throughout the
> day?
>
> Any suggestions would be greatly appreciated.
>
> Thank you in advance.
>


Top

Re: Repeated Anonymous Logons in the Security Event Log?? by Lem

Lem
Tue Apr 20 00:32:48 CDT 2004

Thanks for the info Steve.. good points. The reason I can only block
some ports is that I'm using a Linksys router and it only allows for 5
rules.. for example blocking ports 1-23 and 25-255 would count as 2
rules. Also, UDP and TCP use the same set of rules, so it's a total of 5
rules.. not 5 each. What I did to determine the ports to block/unblock
is to block everything until something did not work then select that
port to unblock.

I've used network sniffer to try to see incoming logons from the
internet.. nothing obvious. The ISP is AOL via broadband and some of
the junk is encrypted, so I cannot tell for sure what is going on at all
times.

I'll double check, but I think the logons are indeed at times when it is
in use.

Thanks again for your help.


Steven L Umbach wrote:
> Why do you have only most incoming ports blocked?? What do you have open? Go to
> http://scan.sygatetech.com/ to do a self scan and see if it reports netbios ports
> such as 135 - 139 and 445 open to the world. It is also normal to see some of these
> events if you are sharing resources on your network. Windows networking does use null
> sessions for among other things maintaining the browse list. I would be more
> concerned it you are seeing logons to your computer at times when you are not
> accessing it. XP Home is particularly vulnerable to attempts from the internet since
> it does not have the security features for sharing like XP pro does. --- Steve
>
>
> "Lem Lo" <asdf@asdf.com> wrote in message news:408449A2.8050604@asdf.com...
>
>>Running Windows XP Home on a 2 computer home network through a Linksys
>>router with NAT and most incoming ports blocked. Anyone have an idea as
>>to why the sec log would have dozens of Anonymous logons throughout the
>>day?
>>
>>Any suggestions would be greatly appreciated.
>>
>>Thank you in advance.
>>
>
>
>


Top

Re: Repeated Anonymous Logons in the Security Event Log?? by Steven

Steven
Tue Apr 20 11:08:42 CDT 2004

I think you are talking about the "outbound rules" which are nice to have however all
the various NAT devices such as the Linksys by default block ALL uninitiated inbound
traffic so unless you are port forwarding to a computer on your lan you should be
safe from any direct inbound hack attempts. A port scan from one of the self scan
sites as the one I suggested will tell if you have vulnerable ports exposed to the
internet. --- Steve


"Lem Lo" <asdf@asdf.com> wrote in message news:4084B600.6030206@asdf.com...
> Thanks for the info Steve.. good points. The reason I can only block
> some ports is that I'm using a Linksys router and it only allows for 5
> rules.. for example blocking ports 1-23 and 25-255 would count as 2
> rules. Also, UDP and TCP use the same set of rules, so it's a total of 5
> rules.. not 5 each. What I did to determine the ports to block/unblock
> is to block everything until something did not work then select that
> port to unblock.
>
> I've used network sniffer to try to see incoming logons from the
> internet.. nothing obvious. The ISP is AOL via broadband and some of
> the junk is encrypted, so I cannot tell for sure what is going on at all
> times.
>
> I'll double check, but I think the logons are indeed at times when it is
> in use.
>
> Thanks again for your help.
>
>
> Steven L Umbach wrote:
> > Why do you have only most incoming ports blocked?? What do you have open? Go to
> > http://scan.sygatetech.com/ to do a self scan and see if it reports netbios ports
> > such as 135 - 139 and 445 open to the world. It is also normal to see some of
these
> > events if you are sharing resources on your network. Windows networking does use
null
> > sessions for among other things maintaining the browse list. I would be more
> > concerned it you are seeing logons to your computer at times when you are not
> > accessing it. XP Home is particularly vulnerable to attempts from the internet
since
> > it does not have the security features for sharing like XP pro does. --- Steve
> >
> >
> > "Lem Lo" <asdf@asdf.com> wrote in message news:408449A2.8050604@asdf.com...
> >
> >>Running Windows XP Home on a 2 computer home network through a Linksys
> >>router with NAT and most incoming ports blocked. Anyone have an idea as
> >>to why the sec log would have dozens of Anonymous logons throughout the
> >>day?
> >>
> >>Any suggestions would be greatly appreciated.
> >>
> >>Thank you in advance.
> >>
> >
> >
> >
>
>


Top