Windows 7 Security Event Logs

 MD5P
(@md5p)
New Member
Joined: 15 years ago
Posts: 2
Topic starter  

I am currently examining the security event logs from a Windows 7 machine; below is one of the logs.

Just wondering if anyone has come across information similar to this, in particular the relevance of the "ANONYMOUS LOGON" and also the mention of a particular workstation name, "**-VAIO".

There are various discussions on forums that this could possibly be other computers trying to find out what file shares/printers are being shared.

Any assistance will be greatly appreciated.

D


An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:           0x0

Logon Type:             3

New Logon:
    Security ID:        ANONYMOUS LOGON
    Account Name:       ANONYMOUS LOGON
    Account Domain:     NT AUTHORITY
    Logon ID:           0x10eee8a2
    Logon GUID:         {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:         0x0
    Process Name:       -

Network Information:
    Workstation Name:        **-VAIO
    Source Network Address:  192.168.0.104
    Source Port:             51346

Detailed Authentication Information:
    Logon Process:              NtLmSsp
    Authentication Package:     NTLM
    Transited Services:         -
    Package Name (NTLM only):   NTLM V1
    Key Length:                 128


   
mgilhespy
(@mgilhespy)
Estimable Member
Joined: 16 years ago
Posts: 102
 

Although they can be indicative of problems, null connections between machines are still very common in Windows networks. It doesn't necessarily indicate anything interesting, unless you ask yourself the question "should the box at 192.168.0.104 be accessing this box?" (from where you have the log) - if the answer is "no way" then you might want to dig further.

Additional:
There's some info on the changes made to NTLM authentication on MSDN which might also be helpful to you.


   
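The triage question raised in the reply above (should the source box be connecting to this one?), as an added example that is not part of the original thread: it parses logon event descriptions like the one posted, keeps the Subject and New Logon account names apart, and reports each anonymous type 3 logon with its source, workstation and NTLM version. The function names, the `expected_sources` allow-list and the sample events are assumptions made for illustration.

```python
SECTIONS = ("Subject", "New Logon", "Process Information",
            "Network Information", "Detailed Authentication Information")
FIELDS = ("Account Name", "Logon Type", "Workstation Name",
          "Source Network Address", "Package Name (NTLM only)")

def parse_event(text):
    """Map 'Section/Field' -> value; accepts 'Field: value' or colon-less paste."""
    fields, section = {}, ""
    for line in (raw.strip() for raw in text.splitlines()):
        name = next((f for f in FIELDS if line.startswith(f)), None)
        if line.rstrip(":") in SECTIONS:
            section = line.rstrip(":")  # Subject and New Logon reuse field names
        elif name:
            key = name if name == "Logon Type" else f"{section}/{name}"
            fields[key] = line[len(name):].lstrip(": \t")
    return fields

def triage(log_text, expected_sources):
    """Yield one finding per anonymous network (type 3) logon."""
    for chunk in log_text.split("An account was successfully logged on.")[1:]:
        ev = parse_event(chunk)
        if ev.get("Logon Type") != "3" or ev.get("New Logon/Account Name") != "ANONYMOUS LOGON":
            continue
        src = ev.get("Network Information/Source Network Address", "-")
        yield {
            "source": src,
            "workstation": ev.get("Network Information/Workstation Name"),
            "ntlm": ev.get("Detailed Authentication Information/Package Name (NTLM only)"),
            "expected": src in expected_sources,  # "should this box be connecting?"
        }

# Constructed sample (hypothetical hosts): an anonymous type 3 logon in
# colon-less form, then an interactive logon in colon form to be ignored.
SAMPLE = """An account was successfully logged on.
Subject
Account Name -
Logon Type 3
New Logon
Account Name ANONYMOUS LOGON
Network Information
Workstation Name LAPTOP-A
Source Network Address 192.168.0.104
Detailed Authentication Information
Package Name (NTLM only) NTLM V1
An account was successfully logged on.
Logon Type:\t2
New Logon:
\tAccount Name:\talice
"""
```

Call `list(triage(text, expected_sources))` on the exported event text; findings with `expected` set to `False` are the ones worth digging into further.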