Access Denied: Evaluating Anonymous Events in the Security Log

I find a high number of anonymous logons and logoffs in my server Security logs each day. In both event ID 528 (Logon) and event ID 538 (Logoff), the user is listed as NT AUTHORITY/ANONYMOUS. What are these anonymous logons and logoffs, and what risk do they present?

Windows 2000 and Windows NT support anonymous logons that let users browse the servers on the network and their shares in Network Neighborhood. When you double-click a computer in Network Neighborhood to view its shared folders, you usually haven't yet logged on to that computer. Your workstation connects anonymously to the server and queries the server for its shared folders. Then, when you actually map a drive to one of those shared folders, your workstation logs on to the server with your username and password.

Contrary to popular belief, these anonymous logons don't provide access to any folders or other objects. However, the anonymous logons do present a risk: They let potential intruders connect anonymously and enumerate all the shared folders, usernames, and SIDs on a computer. Intruders can use this information to launch an attack. For example, even if you rename the Administrator account to protect the account from attack, an intruder who uses the proper APIs can enumerate the users on the computer and look for one whose SID ends in 500 (the built-in Administrator account SID always ends in 500) and thus discover the new name for the Administrator account. A familiar intruder tool called RedButton can perform this search for you.

To disable anonymous connections, look in any Group Policy Object (GPO) under \computer configuration\windows settings\security settings\local policies\security options and set Additional restrictions for anonymous connections to Do not allow enumeration of SAM accounts and shares. If you enable this policy, you need to know about some caveats. For example, some applications, such as Microsoft Exchange 2000 Server (as well as earlier versions of Exchange), communicate with one another on multiple machines by using anonymous connections. For more information about the risks associated with anonymous logons, see the Microsoft article "Restricting Information Available to Anonymous Logon Users" (
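To separate routine browse traffic from a source worth a closer look, the anonymous logon and logoff events described above can be tallied per workstation. The script below is an added example, not part of the original column: the sample records are constructed, the "timestamp,event ID,key=value description" export layout is an assumption, and the review threshold of 3 is an arbitrary illustrative value.

```python
from collections import Counter

# Constructed sample (not real log data). Assumed layout, one event per line:
# "timestamp,event ID,description", with the description as key=value pairs.
SAMPLE_LOG = """\
2002-03-04 09:12:01,528,User Name=ANONYMOUS LOGON;Domain=NT AUTHORITY;Logon ID=(0x0,0x1A2B3);Logon Type=3;Workstation Name=WKS-017
2002-03-04 09:12:03,538,User Name=ANONYMOUS LOGON;Domain=NT AUTHORITY;Logon ID=(0x0,0x1A2B3);Logon Type=3
2002-03-04 09:12:04,528,User Name=jsmith;Domain=CORP;Logon ID=(0x0,0x1A2C0);Logon Type=3;Workstation Name=WKS-017
2002-03-04 09:30:10,528,User Name=ANONYMOUS LOGON;Domain=NT AUTHORITY;Logon ID=(0x0,0x1B001);Logon Type=3;Workstation Name=UNKNOWN-PC
2002-03-04 09:30:11,528,User Name=ANONYMOUS LOGON;Domain=NT AUTHORITY;Logon ID=(0x0,0x1B002);Logon Type=3;Workstation Name=UNKNOWN-PC
2002-03-04 09:30:12,538,User Name=ANONYMOUS LOGON;Domain=NT AUTHORITY;Logon ID=(0x0,0x1B001);Logon Type=3
2002-03-04 09:30:13,528,User Name=ANONYMOUS LOGON;Domain=NT AUTHORITY;Logon ID=(0x0,0x1B003);Logon Type=3;Workstation Name=UNKNOWN-PC
"""

def parse_events(text):
    """Yield one dict per event line: timestamp, event ID and description fields."""
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, event_id, description = line.split(",", 2)
        fields = dict(pair.split("=", 1) for pair in description.split(";"))
        yield {"time": timestamp, "id": int(event_id), **fields}

def is_anonymous(event):
    return (event.get("User Name", "").upper() in ("ANONYMOUS", "ANONYMOUS LOGON")
            and event.get("Domain", "").upper() == "NT AUTHORITY")

def summarize_anonymous(text, threshold=3):
    """Count anonymous logons per workstation; flag sources at or above threshold."""
    logons = Counter()
    open_sessions = {}            # Logon ID -> workstation, until a 538 closes it
    for ev in parse_events(text):
        if not is_anonymous(ev):
            continue
        if ev["id"] == 528:       # logon: carries the source workstation name
            source = ev.get("Workstation Name", "(none)")
            logons[source] += 1
            open_sessions[ev["Logon ID"]] = source
        elif ev["id"] == 538:     # logoff: matched to its logon by Logon ID
            open_sessions.pop(ev["Logon ID"], None)
    flagged = sorted(ws for ws, n in logons.items() if n >= threshold)
    return dict(logons), flagged, open_sessions

if __name__ == "__main__":
    counts, flagged, still_open = summarize_anonymous(SAMPLE_LOG)
    print("anonymous logons per workstation:", counts)
    print("sources to review:", flagged)
    print("logons without a matching logoff:", still_open)
```

A workstation you recognize with an occasional logon/logoff pair matches the browsing behavior described above; a source that is unfamiliar or produces many anonymous logons in a short span is the one to check against the enumeration risk.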
