
"Anonymous" logons - what, me worry?

Discussion in 'Security and Privacy' started by keywester, 2003/05/17.

Thread Status:
Not open for further replies.
  1. 2003/05/17
    keywester

    So much to learn, so little time, so many other things I'd rather be doing…

    But, for some reason, when I stumbled over that nagging note to periodically dive into the Windows "Component Services" and muddle through the quagmire of cryptic events logged under "Event Viewer", I made myself do a quick check of it this morning (a lot like looking at a zonealarm-ing firewall log -- are you rolling your eyes and saying "oh no..."?).

    After methodically perusing a plethora of curious and puzzling events logged there, one in particular caught my undivided attention, so I decided to try to determine just what it was trying to alert me to. After devoting way too much time to the issue, I perceived enough information to be concerned, but still was unable to clarify the potential severity of the situation. So, I am hoping that someone here can save me a whole lot more time and interpret this gobbledy-gook for me. Under component services, security, I noted the event info pasted-in at the bottom of this post.

    What the heck does that mean? Am I in trouble, or is this just harmless "noise"? The "ANONYMOUS LOGON" concerns me, as a normal "true" logon by me-myself has my user ID and does NOT look like this. I found some info on "NtLmSsp" and according to the MS knowledge base it can be a source of INsecurity and there are patches to fix security problems for it, although in theory I am up to date in patches except for one that locks me out of internet access via IE (that problematic patch would be Q813489: "Cumulative Patch for Internet Explorer 6 Service Pack 1 - A number of identified security vulnerabilities in Microsoft Internet Explorer could allow an attacker to compromise your Microsoft Windows-based systems")... I have done scans with Swatit and Adaware and Spybot and according to them all, my PC is "clean" (any recommendations on a good freeware anti-trojan?).

    PS: This reminded me that I have yet another long-ignored note to check on something curious (yeh I got a whole bunch of those critters...) to which I likely should have paid immediate attention, but I've been busy…. A while back, I downloaded a freeware PIM (from winpicks.com) that somehow managed to set up a logon (appeared on my regular logon screen - of course I deinstalled the PIM and deleted the logon) that I did not realize that it was going to set up (but possibly it may have been something that I missed in the EULA?). Anyway, the other day I went into "safe mode" and noted that there was also an "anonymous" logon there with the same graphic "icon" (a guitar) as the other now suspicious logon. There could be a logical explanation for all this, and if that is the case I invite the winpicks folks to clarify their establishing a seemingly unauthorized logon on my system (without my realizing it…) -- I will try to contact them on that separately, but I am now in a hurry to figure out what is going on, so I am going to go ahead and post this here anyway…

    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 540
    Date: 5/17/2003
    Time: 10:47:59 AM
    User: NT AUTHORITY\ANONYMOUS LOGON
    Computer: xxxxxxxxxxxxxxx
    Description:
    Successful Network Logon:
    User Name:
    Domain:
    Logon ID: xxxxxxxx
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name:
    Logon GUID: {00000000-0000-0000-0000-000000000000}
     
    Last edited: 2003/05/17
  2. 2003/05/17
    mr.mark

    don't worry, you're fine.

    you must be on a LAN, right?

    "Event ID 540 is a successful "network" logon as in mapping a network drive. Your computer keeps checking for Network connections or shared folders, etc... on a regular basis to make sure you are connected."

    check out this thread on dslreports.com to see someone who has asked essentially the same question as you.

    hth

    :)

    mark
     


  4. 2003/05/17
    keywester

    Thanks for the feedback Mark -- point, I noted in the log that this logon does not occur consistently, as I assumed that it would based on your response, it surfaces from 1 to 5 times per day, usually about 3 or 4 hours apart (I guess somewhat that is consistent), and I cannot tie it to any other events... And am I on a LAN? To me, no I am not, not a real LAN, but technically I have an ethernet modem and my ISP throws that into the classification of a LAN, so I guess I am on a LAN so to speak... Further, I have that option for networking/shared folders disallowed for security purposes if that is relevant...

    And, after I posted the anonymous logon "problem" above, I finally noted "GUID" as the logon user ID, and what the heck, I went ahead and googled it, and refer to the pasted-in text below to see what it turned up... So, I am posting this as an FYI in case anyone else out there runs into the anonymous logon by "GUID". BUT, I am still a little perplexed, even given Mark's explanation. Does this all evolve from a COOKIE as implied by the text below? Was this generated by the PIM freeware? Why didn't my spyware components catch this? Should it have been caught? Is there a spyware component that WILL catch this? Why aren't I at the beach enjoying life?

    What is GUID.org?
    GUID.org is an Internet service that assigns anonymous user IDs to web browsers. These anonymous IDs can then be used by other web sites for many purposes. For example, a site may use your GUID to recognize you when you return. GUID.org does not collect or store any information about users - see our privacy policy. The anonymous user IDs created by GUID.org are stored in cookies on your browser - see our cookie definition for more info.
    You may "opt out" and tell GUID.org to remove your GUID. You may also see your GUID, if you are curious about what they look like.

    If you are a web site and would like to use GUIDs, please read our usage instructions. The GUID.org technology is patent pending, but you can still read about how it works. You can also read a little about our history.

    We welcome feedback about this site and the service we provide. Please send email to feedback@guid.org.
     
    Last edited: 2003/05/17
  5. 2003/05/17
    mflynn

    Keywester

    That is NT itself doing "nt things"!Smile!

    NT does many of these in normal usage. Not to worry!

    BTW: NT of course will also be in 2k or XP, unless you are running the original NT.

    If you have a good 2 way Firewall or are behind a router or even better, both. If you are clean of viri/worms/trojans and spyware. Have no remote access setup. No unsecured user/logins. And stay behind and maintain all the above, then you are safer than 95% of all computer users.

    So go have a Hinnie and forget it!

    Mike
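
Added example, not part of any post in this thread: a Python sketch that parses Event Viewer text in the "Field: value" layout pasted in the first post, picks out Event ID 540 / Logon Type 3 records made by NT AUTHORITY\ANONYMOUS LOGON, and reports how many minutes apart they occur. Only the first sample record comes from the thread; the other two records and the EXAMPLEPC\alice account are constructed for comparison.

```python
import re
from datetime import datetime

# Sample input: record 1 is from the first post; records 2 and 3 are constructed.
SAMPLE = """\
Event ID: 540
Date: 5/17/2003
Time: 10:47:59 AM
User: NT AUTHORITY\\ANONYMOUS LOGON
Logon Type: 3
Logon Process: NtLmSsp

Event ID: 540
Date: 5/17/2003
Time: 2:15:03 PM
User: NT AUTHORITY\\ANONYMOUS LOGON
Logon Type: 3

Event ID: 540
Date: 5/17/2003
Time: 3:00:00 PM
User: EXAMPLEPC\\alice
Logon Type: 3
"""

def parse_events(text):
    """Split pasted Event Viewer text into dicts of 'Field: value' pairs."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            # Split on the first colon only, so "Time: 10:47:59 AM" stays whole.
            key, sep, value = line.strip().partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        fields["when"] = datetime.strptime(
            fields["Date"] + " " + fields["Time"], "%m/%d/%Y %I:%M:%S %p")
        events.append(fields)
    return events

def is_anonymous_network_logon(ev):
    """Event 540, logon type 3 (network), made by the ANONYMOUS LOGON account."""
    return (ev.get("Event ID") == "540" and ev.get("Logon Type") == "3"
            and ev.get("User", "").upper().endswith("ANONYMOUS LOGON"))

def summarize(events):
    """Return (count, gaps in minutes between consecutive anonymous logons)."""
    times = sorted(e["when"] for e in events if is_anonymous_network_logon(e))
    gaps = [round((b - a).total_seconds() / 60) for a, b in zip(times, times[1:])]
    return len(times), gaps
```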
     