Anonymous NTLM logons win7 machine

6pack

After putting my modem in bridged mode, I started getting these anonymous logon events on my home machine. I have Avast antivirus, which has a built-in firewall too, plus the default Windows firewall is also always on. I searched the web, and it says not to be alarmed if the source IP is 127.0.0.1. There were two successful logon attempts: one was from Japan and another from New Zealand. :huh: I did a reverse IP lookup on those IP addresses.
It also shows it was using 128-bit encryption to make the logon attempt. :S

Both connections got logged off when I disconnected my net in the morning.
I saw these in Event Viewer when I was looking for a possible cause of why my net disconnection script was not working.

Event Id: 4624

An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

New Logon:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x51c55d
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name: HOD
Source Network Address: 118.236.xxx.xxx
Source Port: 3086

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 128

This event is generated when a logon session is created. It is generated on the computer that was accessed.

Logon Type: 3

New Logon:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x5241f8
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name: HOD
Source Network Address: 212.115.xxx.xxx
Source Port: 50222

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 128

So is someone hacking into my comp? And to get into my comp through two firewalls is :S

I think I'll be switching back to PPPoE mode on the router. The NAT on the router works quite well, I say, to keep these intrusions off.

EDIT: There were 4 more successful attempts from 4 different machines while I was typing this. None after I switched back to PPPoE mode on the router and enabled NAT.
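As an added example (not code from any poster in this thread), here is the query a practitioner would run on the machine to triage exactly the events pasted above: it pulls every 4624 with Logon Type 3 and ANONYMOUS LOGON from the local Security log, reads the source address, port, LM package and Logon ID out of the event XML, and separates the loopback/private sources that the "don't be alarmed" advice covers from public ones. The seven-day window and the address classes treated as "inside" are assumptions. Run it from an elevated PowerShell prompt, since reading the Security log needs admin rights.

```powershell
# Added example, not from the thread: list 4624 network logons (type 3) by
# ANONYMOUS LOGON from the local Security log and split them by source address.
# Run from an elevated PowerShell prompt. The -Days window and the address
# classes treated as "inside" are assumptions.

function Test-InsideAddress {
    param([string]$Ip)
    # Empty, '-', loopback, link-local, RFC 1918 and IPv6 local addresses did not
    # cross the Internet; these are the ones the web advice says not to worry about.
    if ([string]::IsNullOrEmpty($Ip) -or $Ip -eq '-') { return $true }
    if ($Ip -eq '::1' -or $Ip -like 'fe80:*' -or $Ip -like 'fc*' -or $Ip -like 'fd*') { return $true }
    if ($Ip -like '127.*' -or $Ip -like '10.*' -or $Ip -like '192.168.*' -or $Ip -like '169.254.*') { return $true }
    if ($Ip -match '^172\.(1[6-9]|2[0-9]|3[01])\.') { return $true }
    return $false
}

function Get-AnonymousNetworkLogon {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # EventData is a list of <Data Name="...">value</Data>; turn it into a hashtable.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Only network logons by the anonymous identity, as in the posted events.
        if ($d['LogonType'] -ne '3' -or $d['TargetUserName'] -ne 'ANONYMOUS LOGON') { continue }
        New-Object PSObject -Property @{
            Time        = $e.TimeCreated
            LogonId     = $d['TargetLogonId']   # matches the 4634 logoff for the same session
            SourceIp    = $d['IpAddress']
            SourcePort  = $d['IpPort']
            Workstation = $d['WorkstationName']
            Package     = $d['LmPackageName']   # 'NTLM V1' in the posted events
            KeyLength   = $d['KeyLength']
            External    = -not (Test-InsideAddress $d['IpAddress'])
        }
    }
}

$hits = Get-AnonymousNetworkLogon -Days 7

# One line per remote host that completed an anonymous NTLM logon against this machine.
$hits | Where-Object { $_.External } | Group-Object SourceIp |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# Full detail for the external ones, oldest first.
$hits | Where-Object { $_.External } | Sort-Object Time |
    Format-Table Time, LogonId, SourceIp, SourcePort, Workstation, Package, KeyLength -AutoSize
```

A non-empty second table is the thing to act on: each row is a remote host that reached this machine's NTLM/SMB endpoint over the Internet, which is only possible when the NIC holds the public address (bridged mode) and nothing in front of it drops inbound 139/445. The Package column is worth keeping an eye on as well; the posted events show the host negotiating NTLM V1, not NTLMv2.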
 
Why do you want it in Bridge Mode? Is it your ISP's requirement?

Bridge Mode will give the public IP directly to the network card of your PC, making it insecure and directly accessible to the outside world.

We cannot really say that these logon events are from hackers.

Maybe there is some application that you have installed that tries connecting to its servers and you get those event logs.

Obviously NAT will prevent your network from being seen by the outside world, since with NAT you are on private IP addressing internally and the public IP is assigned to the external side of the modem router, with NAT being the mediator/translator/resolver in between that helps your internal network get to the internet. Do ipconfig /all at your OS command prompt and you should see a private address like 192.x.x.x assigned to your system via the DHCP of the modem router, or maybe entered manually by you.

Make sure the Win7 you have is a genuine, activated copy, because with a genuine copy you have an OS with regular Windows updates which keep patching any loopholes that could be exploited by hackers, even though you have put a firewall in place. And the firewall in the OS is a software firewall and hence it also requires updates to fix any inconsistencies in itself.

Sticking to the PPPoE and NAT that you are using is what I would recommend.
 
It is a genuine version of Windows. And ntlmssp is making the connections, if you see the quote properly. It's a Windows component. I'm thinking Windows software has this urge to connect to other Windows computers without the user's knowledge for logon security testing - for troubleshooting purposes like remote logon or such.

I think it just wants to make sure the comp can be accessed in emergencies. But that's just my theory. I still haven't heard anything yet from the MSN forums on this.

Also, the reason I wanted the modem to be in bridged mode was to automatically switch on/off the dial-up to my ISP at night. With these things going on I have put the modem back in PPPoE mode now.
 
6pack said:
It is a genuine version of Windows. And ntlmssp is making the connections, if you see the quote properly. It's a Windows component. I'm thinking Windows software has this urge to connect to other Windows computers without the user's knowledge for logon security testing - for troubleshooting purposes like remote logon or such.
I do see that but don't want to get into details of what ntlmssp is and what it does. But you can control these event logs on Vista and later versions of the OS, as some of the auditing settings are enabled by default in these versions of the OS. Hence you might not see these events on an XP system in your scenario.

Go to the following registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

Modify the value of "SCENoApplyLegacyAuditPolicy" to 0 to disable it. A reboot is required for it to take effect.

Even though yours is a standalone PC you might want to implement this and check the behaviour.

For details please check - Security auditing settings are not applied to Windows Vista-based and Windows Server 2008-based computers when you deploy a domain-based policy
 
harmandeep said:
time for some SOLESOM Training :D

What's that? :huh:

tush said:
I do see that but don't want to get into details of what ntlmssp is and what it does. But you can control these event logs on Vista and later versions of the OS, as some of the auditing settings are enabled by default in these versions of the OS. Hence you might not see these events on an XP system in your scenario.

Go to the following registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

Modify the value of "SCENoApplyLegacyAuditPolicy" to 0 to disable it. A reboot is required for it to take effect.

.............

I searched and saw there's no such registry key on my machine. Since it's not in a domain, I think.
 
6pack said:
I searched and saw there's no such registry key on my machine. Since it's not in a domain, I think.

If it's not there, then create one. The type should be DWORD. After that, reboot the system for the changes to take effect.
 
I'm using Windows 7. I don't think I'll take chances doing that. The modem NAT has taken care of that problem for now. :)
 
From the results a Google search yielded, I understand that this anonymous logon is not a security scare. Rather, it is seen when the Computer Browser Service tries to list the computers in My Network Places. It will not be seen if you disable the "Computer Browser Service" in your services list (rather, change it to manual start instead of disabling it). Also disable "File and Printer Sharing" if you do not use it.
NT AUTHORITY\ANONYMOUS LOGON in event log EVERY 12 minutes - Microsoft Security
 
I checked that - the Computer Browser service is already in manual start mode. And File and Printer Sharing was disabled in rasdial as well as on the LAN adapter too.

I've read that these logons happen even if not connected to a network. The main thing we have to see here is the type of logon. It is 3 in my case, which means it came from an external computer. Otherwise it is mostly 5 or 2 or 1, etc.

A Logon Type 3 gets into the event log every time some computer on the network successfully logs on to your PC. The funny thing is I haven't shared anything and have already disabled file and network sharing, yet I got these logons. :S
 
6pack said:
I'm using Windows 7. I don't think I'll take chances doing that. The modem NAT has taken care of that problem for now. :)

Okay, that's great. But it's mentioned in the Microsoft article "Windows Vista and later versions of Windows...." that it covers Win7 as well, even though in "Applies to" it doesn't include Win7. I don't see any harm in implementing it after taking a backup of the system. However, I understand your concern :)
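An added example (not from any poster in this thread) that covers both the SCENoApplyLegacyAuditPolicy advice and the Computer Browser / File and Printer Sharing discussion: it reads the audit, NTLM and exposure settings that the posted 4624 events depend on, and can optionally apply hardening that holds even when the NIC carries the public address, without turning the auditing off (the audit entries are what made the problem visible in the first place). The rule name, the choice of the Public firewall profile, and LmCompatibilityLevel 5 are my assumptions, not something the thread settled on. Run elevated; nothing is changed unless -Apply is passed.

```powershell
# Added example, not from the thread: inspect the audit, NTLM and exposure settings
# behind the posted 4624 events, and optionally apply hardening that does not depend
# on the router's NAT. Run elevated. Nothing is changed unless -Apply is given.
param([switch]$Apply)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsaProps = Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue

# 1. The value discussed in the thread. Absent by default on a standalone PC. When
#    present, 1 = advanced (subcategory) audit settings override the legacy category
#    settings, 0 = the legacy category settings win. It does not switch auditing off.
$legacy = $lsaProps.SCENoApplyLegacyAuditPolicy
"SCENoApplyLegacyAuditPolicy : " + $(if ($null -eq $legacy) { '<not set>' } else { $legacy })

# 2. What actually decides whether a 4624 is written: the Logon/Logoff subcategories.
auditpol /get /category:"Logon/Logoff"

# 3. NTLM level. The posted events negotiated 'NTLM V1'. Level 5 = this host sends
#    NTLMv2 only and refuses LM/NTLMv1 for the accounts it authenticates itself.
#    (Assumed hardening value; it does not by itself stop anonymous sessions.)
$lm = $lsaProps.LmCompatibilityLevel
"LmCompatibilityLevel        : " + $(if ($null -eq $lm) { '<not set, OS default>' } else { $lm })

# 4. Exposure. Unchecking sharing on an adapter does not stop the Server service
#    itself; look at the service and at the 139/445 listeners directly.
Get-WmiObject Win32_Service -Filter "Name='LanmanServer'" | Select-Object Name, State, StartMode
netstat -ano | Where-Object { $_ -match ':(139|445)\s' -and $_ -match 'LISTENING' }

# 5. Which firewall profile the active connection is in. The block rule below is
#    scoped to Public, so a bridged connection must be classified as Public for it
#    to apply.
netsh advfirewall show currentprofile

if ($Apply) {
    # Refuse LM/NTLMv1 for real credentials ...
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Type DWord -Value 5
    # ... and drop inbound SMB/NetBIOS on the Public profile, which is what closes the
    # door the anonymous logons came through. Rule name is an assumption.
    netsh advfirewall firewall add rule name="Block inbound SMB/NetBIOS (Public)" dir=in action=block protocol=TCP localport=139,445 profile=public
    "Applied. Re-check the Security log after the next bridged session for new external ANONYMOUS LOGON 4624s."
}
```

The checks in steps 2, 4 and 5 are the ones to read first: if the Logon subcategory audits success, 4624s will keep appearing for every anonymous session, and if 445 is listening while the connection sits in a profile that allows it inbound, a public address on the NIC is reachable by anyone scanning for SMB. Blocking the ports at the host firewall removes the exposure in bridged mode; editing the audit value only changes whether it is recorded.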
 