We constantly get anonymous logon events on our servers.
Are these logons something to worry about? Could someone maliciously exploit
these logons? Can we disable anonymous logons? And can we block these events
from appearing in our Security logs?
You don't have to worry about someone logging on to a server console anonymously,
because Windows doesn't allow that.
Anonymous logon events in your Security log look more dangerous than they really are. By default, the information you can access when you connect anonymously is extremely limited—basically, you can access only a list of shared folders and usernames. (I know; that gives an intruder a list of targets, but there are lots of other ways to get usernames.)
You can completely disable anonymous logons (aka null sessions), but doing
so might affect accessibility by users in trusting domains. Before changing
policies throughout your domain, I suggest testing them on a limited number
of systems. Windows XP and later provide the six policies listed below for controlling
what information can be accessed anonymously. (These policies are in the Microsoft
Management Console—MMC—Local Security Policy snap-in under Computer
Configuration\Windows Settings\SecuritySettings\Local Policies\SecurityOptions.)
- Network access: Allow anonymous SID/Name translation
- Network access: Do not allow anonymous enumeration of SAM accounts
- Network access: Do not allow anonymous enumeration of SAM accounts and shares
- Network access: Let Everyone permissions apply to anonymous users
- Network access: Named Pipes that can be accessed anonymously
- Network access: Shares that can be accessed anonymously
The default values for these policies are acceptable for servers on a typical internal LAN. For hardened servers, such as Internet servers, I recommend disabling policies 1 and 4, enabling policies 2 and 3, and specifying empty lists for policies 5 and 6.
You can't specifically disable logging of anonymous logon events. In general,
trying to prevent Windows from logging "noise" is futile. The only approach
that works is to implement a log management solution that filters out the noise
for you.