
I've been asked to look at a server as it was running slow. Now I'll admit servers are not my thing, but I think it was as much a case of a second pair of eyes as anything.

One thing that we did discover is the following in the security event log.

Subject:
Security ID:        NULL SID

Account Name:       -
Account Domain:     -
Logon ID:       0x0

Logon Type:         3

New Logon:
Security ID:        ANONYMOUS LOGON
Account Name:       ANONYMOUS LOGON
Account Domain:     <removed>
Logon ID:       0x10b45932
Logon GUID:     {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID:     0x0
Process Name:       -

Network Information:
Workstation Name:   
Source Network Address: 117.21.191.69
Source Port:        58758

I have seen this SO thread here, "Troubling anonymous Logon events in Windows Security event log", which says that we should lock the server down, so we will do some more reading on this.

However, our main concern now is simply: does the above login mean that someone from China (if that's genuinely where the IP originates) has access to the server on some level? In which case, I guess there are bigger problems than just securing the server now...

I have tried the suggestion in the above post, about trying to connect via NetBIOS, and I get the authentication box, not anonymous login, so I guess that's OK.

Matt
  • Why are these ports exposed to the internet in the first place? – EEAA Apr 24 '17 at 19:29
  • Like I said, I am not a server person. But from Google, that port is the TCP/UDP port finder, so I am not sure if I can block it or not! – Matt Apr 24 '17 at 19:33
  • Of course you can block it, and should block it, along with all other ports that you don't need to have exposed to the internet. – EEAA Apr 24 '17 at 19:34
  • Thanks. So if I want to use this as a web server, that's everything but HTTP, HTTPS and RDP? – Matt Apr 24 '17 at 19:37
  • Yes, and ideally, RDP shouldn't be exposed either. Put it behind a VPN. – EEAA Apr 24 '17 at 19:38
  • RDP is already on a non-standard port, I knew enough to do that. Thanks, I'll see what I can do, what's the worst that can happen :-o – Matt Apr 24 '17 at 19:40
  • Well, that will only thwart the laziest of script kiddies. Please consider that you're likely not a good person to be managing this server. Hire someone to help you get things straightened out. – EEAA Apr 24 '17 at 19:42
  • Heh, like I said at the start, I readily admit my lack of knowledge here, I'm just a second pair of eyes, but I'll pass it on :-) – Matt Apr 24 '17 at 19:43
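The lockdown the comments describe (block everything inbound except HTTP/HTTPS, and reach RDP only over a VPN), written out as an added PowerShell example. This is not code from the original question or comments. It assumes Windows Server 2012 or later with the NetSecurity cmdlets; the VPN subnet 10.8.0.0/24, the admin address 203.0.113.10 and the value of $RdpPort are placeholders, because the post gives none of them.

```powershell
# Added example, not from the original post. Placeholders to change before use:
$VpnSubnet = '10.8.0.0/24'    # assumed VPN client range
$AdminIp   = '203.0.113.10'   # assumed public IP you administer from today
$RdpPort   = 3389             # the post says RDP is on a non-standard port; set it here

# 1. What is actually listening on all interfaces, and which process owns it.
#    Anything in this list that is not 80, 443 or $RdpPort needs a reason to exist.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -in '0.0.0.0', '::' } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Port = $_.LocalPort; Process = $p.ProcessName; PID = $_.OwningProcess }
    } | Sort-Object Port -Unique | Format-Table -AutoSize

# 2. Firewall on for every profile, default inbound action Block.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 3. Allow only what the web server role needs from the internet.
New-NetFirewallRule -DisplayName 'Allow HTTP/HTTPS inbound' -Direction Inbound `
    -Protocol TCP -LocalPort 80, 443 -Action Allow -Profile Any

# 4. RDP only from the VPN range. Everything else hitting $RdpPort is dropped by
#    the default inbound Block above, whatever port number RDP sits on.
New-NetFirewallRule -DisplayName 'Allow RDP from VPN only' -Direction Inbound `
    -Protocol TCP -LocalPort $RdpPort -RemoteAddress $VpnSubnet -Action Allow -Profile Any

# 5. Until the VPN exists, keep a narrowly scoped rule for today's admin IP so the
#    default Block does not lock you out. Delete it once step 4 is usable.
New-NetFirewallRule -DisplayName 'TEMP: RDP from current admin IP' -Direction Inbound `
    -Protocol TCP -LocalPort $RdpPort -RemoteAddress $AdminIp -Action Allow -Profile Any

# 6. Disable the built-in rules that open SMB/NetBIOS (445, 137-139). A public
#    web server has no reason to answer these from the internet.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' | Disable-NetFirewallRule

# 7. Log allowed and dropped packets, so the firewall log can later answer
#    "which destination port was that source address after?".
Set-NetFirewallProfile -Profile Domain, Private, Public -LogAllowed True -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
```

Run this from the server's console (or an out-of-band session) rather than over the RDP connection you are about to restrict, and remove the TEMP rule as soon as RDP over the VPN is confirmed working. Moving RDP to another port does nothing against a scanner that walks all 65535 ports; the remote-address restriction is what actually removes it from the internet.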

1 Answer


The Source Port is the port that the remote computer is connecting FROM, not the port it is connecting TO. You'd be well served to analyze your network firewall logs to see what port the remote computer is trying to connect TO on this server.

Note that if this server is running a website under IIS and the website is configured to use Anonymous authentication then this activity is perfectly normal. Logon Type 3 is a network logon (obviously) and anonymous connections to IIS would fall under this logon type.

joeqwerty
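The answer's two points put into practice, as an added PowerShell example that is not from the original answer: treat the event's Source Port as the remote end's ephemeral port, and use the Windows Firewall log to find which port on this server the same source addresses were connecting TO. It assumes firewall logging is enabled at the default path (it is off by default) and that the host writes events to the Security log locally; the 7-day window is an arbitrary choice.

```powershell
# Added example, not from the original answer.
$FirewallLog = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"   # default path, assumed
$Since       = (Get-Date).AddDays(-7)

# 1. Every successful logon (4624) in the window, reduced to network logons
#    (LogonType 3) by ANONYMOUS LOGON. Field names are the EventData names
#    in the event XML; IpPort is the "Source Port" shown in the event text.
$anon = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            LogonType  = [int]$d.LogonType
            User       = $d.TargetUserName
            SourceIp   = $d.IpAddress
            SourcePort = $d.IpPort          # the port the remote end connected FROM
            Process    = $d.ProcessName
        }
    } |
    Where-Object { $_.LogonType -eq 3 -and $_.User -eq 'ANONYMOUS LOGON' -and
                   $_.SourceIp -notin '-', '::1', '127.0.0.1' }

# Who is doing it, how often, and over what period.
$anon | Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Measure-Object Time -Minimum).Minimum } },
        @{ n = 'Last';  e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Format-Table -AutoSize

# 2. Destination ports. pfirewall.log is space separated; the "#Fields:" header
#    names the columns (date time action protocol src-ip dst-ip src-port dst-port ...).
if (Test-Path $FirewallLog) {
    $header = Get-Content $FirewallLog | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $fields = ($header -replace '^#Fields:\s*') -split '\s+'

    $rows = Get-Content $FirewallLog |
        Where-Object { $_ -notlike '#*' -and $_.Trim() } |
        ForEach-Object {
            $v = $_.Trim() -split '\s+'
            $o = [ordered]@{}
            for ($i = 0; $i -lt $fields.Count -and $i -lt $v.Count; $i++) { $o[$fields[$i]] = $v[$i] }
            [pscustomobject]$o
        }

    $ips = @($anon.SourceIp | Select-Object -Unique)
    $rows | Where-Object { $_.'src-ip' -in $ips } |
        Group-Object 'src-ip', 'dst-port', 'action' |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'SourceIp'; e = { $_.Group[0].'src-ip' } },
            @{ n = 'DstPort';  e = { $_.Group[0].'dst-port' } },
            @{ n = 'Action';   e = { $_.Group[0].action } } |
        Format-Table -AutoSize
}
else {
    Write-Warning "No firewall log at $FirewallLog. Enable it with: Set-NetFirewallProfile -LogAllowed True -LogBlocked True"
}
```

Read the second table as the answer suggests: a dst-port of 80 or 443 from those sources points at IIS, the benign case described above, while 445 or 139 means the anonymous logons are SMB/NetBIOS sessions, which a web server should not be accepting from the internet at all. If the log was not enabled before the events occurred, the correlation can only cover traffic from the moment logging was switched on.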