I can't figure out how to entirely disable anonymous logon on Windows Server 2016 which is not a domain controller (regular instance). With the settings currently set I'm truly surprised to see such logons come through, which contradicts the description of the corresponding settings in SecPol.msc. I have turned logon auditing on.
I have the following entries set in Local Policy Settings:
Network access: Allow anonymous SID/Name translation: Disabled
Network access: Do not allow anonymous enumeration of SAM accounts: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network access: Let Everyone permissions apply to anonymous users: Disabled
Network access: Named Pipes that can be accessed anonymously: None
Network access: Shares that can be accessed anonymously: None
What's more, I've completely disabled NTLMv1 by setting "Send NTLMv2 response only" in secpol.msc.
Still, I'm getting the following Audit Success entries in event log:
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0xDC9CEC8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: xxxxxxx
Source Port: 59691
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 0
Also, the following attempt failed:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: ADMIN
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: \\xxxxx
Source Network Address: xxxxxxx
Source Port: 1339
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Right now, I'm using automated offline log analysis to block the prior.
Any idea how to block anonymous logon entirely?
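As an added example (not the poster's offline analysis tooling and not Microsoft code), the following Python parses the flattened text body of 4624/4625 events in the layout shown above and flags the patterns a defender would review on a standalone server: an ANONYMOUS LOGON type-3 session, an NTLM V1 package on a successful logon, and a NULL-session NTLM failure. The two sample events are constructed from the entries in the question, with 203.0.113.5 as a documentation-range placeholder for the source address and PLACEHOLDER-WS for the workstation name; the rule names and the `Section.Key` flattening are my own choices.

```python
"""Added example: parse the text body of Windows Security events 4624/4625
(the layout shown in the question) and flag anonymous / NTLMv1 network
logons.  The sample events are constructed, not copied from a real host."""
from dataclasses import dataclass

# Section headers in the 4624/4625 message body (lines with an empty value).
SECTIONS = {
    "Subject", "Logon Information", "New Logon", "Process Information",
    "Network Information", "Detailed Authentication Information",
    "Account For Which Logon Failed", "Failure Information",
}

# Constructed samples modelled on the question's two events; 203.0.113.5 is a
# documentation-range placeholder, PLACEHOLDER-WS a made-up workstation name.
SAMPLE_EVENTS = [
    (4624, """An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Logon Information:
Logon Type: 3
New Logon:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Network Information:
Source Network Address: 203.0.113.5
Source Port: 59691
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Package Name (NTLM only): NTLM V1"""),
    (4625, """An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: ADMIN
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Network Information:
Workstation Name: \\\\PLACEHOLDER-WS
Source Network Address: 203.0.113.5
Source Port: 1339
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Package Name (NTLM only): -"""),
]


def parse_event(body: str) -> dict[str, str]:
    """Flatten 'Section:' / 'Key: Value' lines into {'Section.Key': value}.
    Keys such as 'Security ID' repeat across sections, so the section prefix
    is what separates the Subject from the New Logon account.  Splits on the
    first ':' only, which is fine for IPv4 sources but not for IPv6 ones."""
    fields, section = {}, "Header"
    for line in body.splitlines()[1:]:          # line 0 is the description
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not sep:
            continue
        if key in SECTIONS:
            section = key
        else:
            fields[f"{section}.{key}"] = value
    return fields


@dataclass(frozen=True)
class Finding:
    event_id: int
    reason: str
    source: str
    port: str


def evaluate(event_id: int, f: dict[str, str]) -> list[Finding]:
    """Rules for type-3 (network) logons on a standalone server."""
    src = f.get("Network Information.Source Network Address", "?")
    port = f.get("Network Information.Source Port", "?")
    # 4625 places 'Logon Type' directly under Subject, 4624 under Logon Information.
    logon_type = f.get("Logon Information.Logon Type") or f.get("Subject.Logon Type")
    pkg = f.get("Detailed Authentication Information.Package Name (NTLM only)")
    out: list[Finding] = []
    if event_id == 4624 and logon_type == "3":
        if f.get("New Logon.Security ID") == "ANONYMOUS LOGON":
            out.append(Finding(event_id, "anonymous (null session) network logon", src, port))
        if pkg == "NTLM V1":
            out.append(Finding(event_id, "NTLMv1 authentication accepted", src, port))
    elif event_id == 4625 and logon_type == "3":
        if (f.get("Subject.Security ID") == "NULL SID"
                and f.get("Failure Information.Status") == "0xC000006D"):
            target = f.get("Account For Which Logon Failed.Account Name", "?")
            out.append(Finding(event_id, f"failed NTLM network logon as '{target}'", src, port))
    return out


def scan(events) -> list[Finding]:
    """Run every (event_id, body) pair through the parser and the rules."""
    return [fd for eid, body in events for fd in evaluate(eid, parse_event(body))]


def sources_to_block(findings) -> set[str]:
    """Distinct source addresses, i.e. what an offline analysis would hand to a block list."""
    return {fd.source for fd in findings}


if __name__ == "__main__":
    for fd in scan(SAMPLE_EVENTS):
        print(f"{fd.event_id} {fd.source}:{fd.port} {fd.reason}")
```

Two points are worth keeping in mind when reading these events. "Send NTLMv2 response only" (LmCompatibilityLevel 3) governs what this host sends as a client; refusing inbound LM or NTLMv1 authentication is the job of the higher levels, "Send NTLMv2 response only. Refuse LM" (4) and "Send NTLMv2 response only. Refuse LM & NTLM" (5), which is why a 4624 with "NTLM V1" can still appear at level 3. Likewise, the "Network access" restrictions above limit what an anonymous session may enumerate or touch once it exists; they do not stop the null session itself from being established and logged as an ANONYMOUS LOGON, so the 4624 entry is the expected record of a restricted session rather than evidence that those settings are ignored.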