
The body of the event is: " **The share denied anonymous access to the client. Client Name: \10.139.70.35 Client Address: 10.139.70.35:49157 Share Name: \*\in Share Path: ??\C:\Users\jodat\Desktop\in Source: SMBServer Task Category: (1007) Keywords: Audit Failure,Audit Failure User: SYSTEM Computer: kaj.smbmm.ir Channel Microsoft-Windows-SMBServer/Security

  • Security [ UserID] S-1-5-18 SharePath ??\C:\Users\jodat\Desktop\in ClientName \10.139.70.35** "
  1. Does it mean that: client 10.139.70.35 wants to access folder C:\Users\jodat\Desktop\in which belongs to user jodat on server kaj.smbmm.ir but that was not successful?
  2. Is folder "in" a share folder?
  3. What is the manner in which the client wants to access the folder?
  4. Was user jodat logged in during the access?
  5. What about user SYSTEM? Who is it? Was it jodat?
  6. Why is UserID S-1-5-18?

Regards Ali

1 Answer

  1. Yes. I would refrain from posting internal host names and users on the Internet though. The event doesn't necessarily say that the share belongs to "jodat", but it's implied based on the folder path.

  2. Yes, the share name would be "in"

  3. The client tried to access the folder via SMB, such as "net use", explorer ("Run") or mapping the drive in another fashion.

  4. No idea, you would not know that just from the 1007 event.

  5. & 6. S-1-5-18 is the SID for the "SYSTEM" account which is built into Windows. It's the user that technically logged the event. It's not really relevant in this case and can be ignored.

Lucky Luke
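
An added example, not part of the question or the answer above: a small Python parser that pulls the client address, share name and share path out of the rendered text of SMBServer 1007 events and counts denials per client and share. It assumes the events were exported as text with the same labels as the message quoted in the question; the sample messages, addresses and paths are constructed.

```python
import re
from collections import Counter

# Labels as they appear in the rendered 1007 message quoted in the question.
LABELS = ("Client Name", "Client Address", "Share Name", "Share Path")
# A value ends at the next label, at "Source:" (flattened export) or at end of line.
_STOP = r"(?=\s+(?:%s|Source):|\s*$)" % "|".join(LABELS)

def parse_1007(message):
    """Extract client and share details from the text of one 1007 event."""
    fields = {}
    for label in LABELS:
        m = re.search(label + r":[ \t]*(.*?)" + _STOP, message, re.MULTILINE)
        if m is None:
            raise ValueError("missing field: " + label)
        fields[label] = m.group(1)
    ip, _, port = fields["Client Address"].rpartition(":")
    return {
        "client_ip": ip.strip("[]"),  # tolerate a bracketed address
        "client_port": int(port),
        "share": fields["Share Name"].rsplit("\\", 1)[-1],  # \\*\in -> in
        "path": re.sub(r"^\\?\?\?\\", "", fields["Share Path"]),  # drop \??\ prefix
    }

def denied_by_client(messages):
    """Count anonymous-access denials per (client IP, share name)."""
    return Counter((e["client_ip"], e["share"]) for e in map(parse_1007, messages))

# Constructed sample messages (documentation addresses, made-up paths).
FLAT = (r"The share denied anonymous access to the client. Client Name: \\192.0.2.10 "
        r"Client Address: 192.0.2.10:49157 Share Name: \\*\in "
        r"Share Path: \??\C:\Shares\Drop Box Source: SMBServer Task Category: (1007)")
MULTI = r"""The share denied anonymous access to the client.

Client Name: \\192.0.2.10
Client Address: 192.0.2.10:49160
Share Name: \\*\in
Share Path: \??\C:\Shares\Drop Box
"""
OTHER = FLAT.replace("192.0.2.10", "198.51.100.7").replace(r"\in ", r"\out ")
SAMPLES = [FLAT, MULTI, OTHER]

if __name__ == "__main__":
    for (ip, share), n in denied_by_client(SAMPLES).most_common():
        print(f"{ip} was denied anonymous access to share '{share}' {n} time(s)")
```

A client that shows up with a high count, or against many different share names, is the one to look at first.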