How do you get rid of IIS Anonymous Event Logs?

9 Oct 2006 1:42 PM

Freestar

This may be an obvious question, but I am new to IIS administration.

We have an Intranet site running on IIS on a w2k server. In the Security
Event Log we are getting lots of 'Event ID 538 ANONYMOUS LOGON' messages. We
want to get rid of these messages and have access logged by user name.

In the properties of the Intranet site (in the IIS snap-in for MMC), on the
'Directory Security' tab you can access a dialog box titled 'Authentication
Methods', on this there is a tick-box (currently ticked) for 'Anonymous
Access'. If I untick this option would it solve my problem?

Thanks.

9 Oct 2006 1:54 PM

Walter Weiss (EIRE)

Hi

In many cases, the user listed for this event will be "ANONYMOUS LOGON" from
"NT AUTHORITY" domain. This logon is used by processes that use the null
session logons (logons that do not require a user/password combination). Any
program or service that is using the System user account is in fact logging
in with null credentials.
If the operating system encounters a user without any credentials, the user
is regarded as having NULL credentials. When the system attempts to access a
secured network resource based on NULL credentials, this is referred to as a
NULL session. Access is only allowed if the remote machine allows NULL
session access. This is configurable through the registry. (See Knowledge
Base article 122702 for more information.)
One typical example is a computer that register itself with the Master
Browser for that network segment at startup. This registration will generate
several logon/logoffs from "ANONYMOUS USER". Since the registration is
renewed by default every 12 minutes, such events will occur at regular
intervals.

Maybe taht helps.

Walter

Show quoteHide quote

"Freestar" <Frees***@discussions.microsoft.com> wrote in message
news:0E6119C3-34D9-45DB-9634-56042AC7D774@microsoft.com...
> This may be an obvious question, but I am new to IIS administration.
>
> We have an Intranet site running on IIS on a w2k server. In the Security
> Event Log we are getting lots of 'Event ID 538 ANONYMOUS LOGON' messages.
> We
> want to get rid of these messages and have access logged by user name.
>
> In the properties of the Intranet site (in the IIS snap-in for MMC), on
> the
> 'Directory Security' tab you can access a dialog box titled
> 'Authentication
> Methods', on this there is a tick-box (currently ticked) for 'Anonymous
> Access'. If I untick this option would it solve my problem?
>
> Thanks.

9 Oct 2006 3:17 PM

Roger Abell [MVP]

Please notice that the system's security log is not the IIS log.
Unless you can correlate activity recorded in the IIS logs with
the anonymous logon events in the security log, as you probably
cannot based on what you have said, then these event are not
related to the configuration of your IIS services.
You need to follow fundemental Windows Server security
guides and configure Windows. There are settings that can
be used to disallow anonymous access that you can find in
the security options section of group policy applied to the
machine. You probably should get the Windows Server
2003 Security Guide from the MS website.
Show quoteHide quote

"Freestar" <Frees***@discussions.microsoft.com> wrote in message
news:0E6119C3-34D9-45DB-9634-56042AC7D774@microsoft.com...
> This may be an obvious question, but I am new to IIS administration.
>
> We have an Intranet site running on IIS on a w2k server. In the Security
> Event Log we are getting lots of 'Event ID 538 ANONYMOUS LOGON' messages.
> We
> want to get rid of these messages and have access logged by user name.
>
> In the properties of the Intranet site (in the IIS snap-in for MMC), on
> the
> 'Directory Security' tab you can access a dialog box titled
> 'Authentication
> Methods', on this there is a tick-box (currently ticked) for 'Anonymous
> Access'. If I untick this option would it solve my problem?
>
> Thanks.