0

I seem to be getting a lot of these entries in the Security event viewer. Around 8-12 every hour. I am wondering if a) I should be worried about it? or b) what actually is going on, Can anyone help?

Type: Success Audit
Source: Security
Category: Logon/Logoff
User: Network Service or IUSR_WIN2003


Logon attempt using explicit credentials:
 Logged on user:
    User Name:  NETWORK SERVICE
    Domain:     NT AUTHORITY
    Logon ID:       (0x0,0x3E4)
    Logon GUID: -
 User whose credentials were used:
    Target User Name:   IUSR_WIN2003
    Target Domain:  WILDEBB1
    Target Logon GUID: -

 Target Server Name:    localhost
 Target Server Info:    localhost
 Caller Process ID: 13224
 Source Network Address:    -
 Source Port:   -

Also just after this one was recorded iis stopped accepting connections and I had to reboot the server. The difference to this one is that the logon process used ADVAPI...

Event Type: Success Audit
Event Source:   Security
Event Category: Logon/Logoff 
Event ID:   540
Date:       05/06/2012
Time:       13:59:10
User:       WILDEAA1\IUSR_WIN2003
Computer:   WILDEAA1
Description:
Successful Network Logon:
    User Name:  IUSR_WIN2003
    Domain:     WILDEAA1
    Logon ID:       (0x0,0x5FDB22D)
    Logon Type: 8
    Logon Process:  Advapi  
    Authentication Package: Negotiate
    Workstation Name:   WILDEAA1
    Logon GUID: -
    Caller User Name:   NETWORK SERVICE
    Caller Domain:  NT AUTHORITY
    Caller Logon ID:    (0x0,0x3E4)
    Caller Process ID: 13224
    Transited Services: -
    Source Network Address: -
    Source Port:    -
Rippo
  • 169
  • 4
  • 13

1 Answers1

2

The IUSR account is the anonymous user account that gets created when you install IIS. Are you running any web sites on that server? You'll see a logon event whenever IIS tries to log the account on for an anonymous user.

Chris McKeown
  • 7,168
  • 1
  • 18
  • 26
  • Ah that explains that then, I am running a few websites via IIS, so everytime a new user hits the site we get a IUSR logon. makes sense. Ta – Rippo Jun 06 '12 at 07:54
  • I'm not sure that you'll see a logon event each time a new user hits the site, but I've not looked too deeply into it. I would imagine that the account would only need to be logged on if the ticket had expired. – Chris McKeown Jun 06 '12 at 07:59
  • ah so its related to forms authentication, thanks for clearing that up – Rippo Jun 06 '12 at 08:08
  • Not exactly! You'll still see IUSR logons even if you have no authentication methods. I was referring to the Kerberos (i.e. Windows) ticket. – Chris McKeown Jun 06 '12 at 08:15