NT AUTHORITY\ANONYMOUS LOGON - ID 540

[anthonymel]

I have been noticing lately that my server has been receiving even ID 540 quite a bit. However the source address seems to be a foreign ip address with a foreign workstation name. Now this computer does have IIS running on it but it does not serve web pages.

I know I need a firewall put in. I'm in the process of buying ISA 2004. But how can I possibly stop this problem now or at least not allow anonymous logons.

Thanks in advance,

Anthony

 

[Niksen]

you can use IPsec.

easy to set up: block all traffic from the specific ip address or ranges of addresses.

bst rgds

 

[anthonymel]

Do I even need to allow anonymous logon? The source port on these logs was 0. How dangerous is this?

Also, can this be blocked when I do get the ISA server?

 

[Niksen]

IF the server isnt supposed to be public, you should allways disable anonymous logon via GPO.

It sounds as it would be wise to investigate these logons some more, its hard to say if its innocent or not.

and yes, you can block this traffic with ISA, Isa will only forward requests and/or packets if you tell it to.


good luck

 

[anthonymel]

I'm currently using my router to do some ip filtering and port blocking and in just two days the number of outside anonymous logons has dropped by 80%. It's a decent netopia 4500 series router.

Can someone with more experience with an ISA server tell me why would having the ISA server in addition to my router's filtering abilities be beneficial? In other words want can the ISA server do that my router can't.


Thanks

Anthony