Anonymous Logon Explained

Anonymous logon refers to a type of network access where a user can log in to a system or network resource without providing any authentication credentials such as a username or password. This type of access is typically granted to allow basic, unauthenticated access to certain resources for public use or for specific purposes.

In some cases, anonymous logon might be used for accessing publicly available files or services on a network, such as anonymous FTP (File Transfer Protocol) servers where users can download files without needing to create an account or provide login credentials.

Simply put, an anonymous logon is the process of accessing a system without authentication. An anonymous user is an account used for unauthenticated access.

NT Authority Explained

NT Authority is the name given to a variety of predefined, special-purpose Windows accounts and groups that are part of the operating system functionality, allowing core OS services and capabilities to work. They facilitate resource access and control security boundaries within the Windows systems. The “NT” stands for New Technology and refers to the Windows NT operating system line.

When you see “NT Authority” in the context of permissions or access control lists (ACLs), it typically indicates that the permission or privilege is being granted to a system-level entity rather than to a specific user or group. For example, “NT Authority\SYSTEM” refers to the local system account, which has high privileges on the system.

Some common NT Authority security principals include:

  • NT Authority\SYSTEM: Represents the Local System account, which has full control over the system.
  • NT Authority\Authenticated Users: Represents all users who have authenticated to the domain.
  • NT Authority\Network Service: Represents the Network Service account, which is a built-in account with low-level privileges.
  • NT Authority\Local Service: Represents the Local Service account, which is a built-in account with low-level privileges similar to Network Service.

    Login failed for user NT authority anonymous logon

    Occasionally, when attempting to reach a linked server, an error may arise indicating “Login failed for user NT AUTHORITY\ANONYMOUS LOGON.” This occurs when Windows authentication is used and SQL Server cannot pass your credentials on to the linked server. The user's credentials must first be correctly assigned and mapped in the linked server's security settings.

    The error message also occurs when a server is restarted and fails to register the Service Principal Name (SPN). Failure to register an SPN can cause integrated authentication to fall back to NTLM instead of Kerberos.

    The CIS Benchmark setting “Ensure ‘Network access: Do not allow anonymous enumeration of SAM accounts’ is set to ‘Enabled’” controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM).

    The recommended state for this setting is: Enabled.

    The error ‘login failed for user nt authority anonymous logon’ occurs because establishing trust with Windows NT 4.0-based domains is not possible. Additionally, client computers running older Windows operating systems like Windows NT 3.51 and Windows 95 may encounter issues when trying to access resources on the server.

    Users accessing file and print servers anonymously won’t be able to see the shared network resources without authentication. However, with the policy setting enabled, anonymous users can access resources if they have permissions specifically granted to the built-in group, ANONYMOUS LOGON.

    This describes the scenario where anonymous users can access resources with permissions explicitly granted to the built-in group, ANONYMOUS LOGON, even when the policy setting is enabled. This means that despite the policy being in place, resources can still be accessed by anonymous users if they have the appropriate permissions assigned to them.

    The CIS Benchmark setting “Ensure ‘Network access: Let Everyone permissions apply to anonymous users’ is set to ‘Disabled’” determines what additional permissions are assigned for anonymous connections to the computer.

    The recommended state for this setting is: Disabled.

    Default Value:

    Disabled. (Anonymous users can only access those resources for which the built-in group ANONYMOUS LOGON has been explicitly given permission.)

    Anonymous Logon Windows Vulnerabilities

    Anonymous logon Windows vulnerabilities refer to security risks associated with allowing anonymous access to resources within a network or system. The most significant vulnerability is unrestricted access. Anyone can potentially access the system or service, including unauthorized individuals. This can lead to:

  • Enumeration of user accounts
  • DoS attacks
  • Brute-Force Attacks
  • Unauthenticated access to shares

    Anonymous logon policy setting via GPO

    Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.

    0. Anonymous logon

    Registry Hive: HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
    Registry Path: Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
    Value Name:
    Value Type: REG_DWORD
    Value: 196608

    Default special identity group

    Anonymous Logon is among the default special identity groups in Windows Server. The Anonymous Logon group isn’t a member of the Everyone group by default. Each attribute describes a property of a special identity group, and its value gives the corresponding setting for that group. In the case of Anonymous Logon, the attribute is “Well-known SID/RID” and the value is “S-1-5-7”, as you see in the table below:

    Default location in Active Directory: CN=WellKnown Security Principals, CN=Configuration, DC=<forestRootDomain>
    Default user rights:

    Before Windows Server 2003, the Everyone group on computers, including those with Windows 2000 and earlier versions, automatically included the Anonymous Logon group. However, starting from Windows Server 2003, the Everyone group consists solely of Authenticated Users and Guest, with the exclusion of Anonymous Logon by default.

    If you wish to modify this setting and include the Anonymous Logon group within the Everyone group, you can do so via the Registry Editor. Go to the Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key and set the value of the everyoneincludesanonymous DWORD to 1.
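    To verify how a host is actually configured, the following read-only audit of the Lsa key is an added example, not part of the original article. It assumes the registry value names RestrictAnonymousSAM and RestrictRemoteSAM (not named on the page) back the "Do not allow anonymous enumeration of SAM accounts" and "Restrict clients allowed to make remote calls to SAM" settings, and it treats a missing value as something to review rather than a failure.

```powershell
# Added example: read-only audit of the anonymous-access values under the LSA key.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# EveryoneIncludesAnonymous is the value named on the page. RestrictAnonymousSAM and
# RestrictRemoteSAM are assumed to be the values behind the other two policy settings.
$expected = [ordered]@{
    RestrictAnonymousSAM      = 1  # Do not allow anonymous enumeration of SAM accounts: Enabled
    EveryoneIncludesAnonymous = 0  # Let Everyone permissions apply to anonymous users: Disabled
}

function Get-LsaValue {
    param([string]$Name)
    $item = Get-ItemProperty -Path $lsaPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }  # value is not present under the key
    return $item.$Name
}

$report = @(foreach ($name in $expected.Keys) {
    $actual = Get-LsaValue -Name $name
    [pscustomobject]@{
        Value    = $name
        Expected = $expected[$name]
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Result   = if ($null -eq $actual) { 'REVIEW' } elseif ($actual -eq $expected[$name]) { 'PASS' } else { 'FAIL' }
    }
})

# RestrictRemoteSAM holds an SDDL string. Flag allow ACEs whose trustee is
# Anonymous Logon (AN / S-1-5-7) or Everyone (WD / S-1-1-0).
$sddl = Get-LsaValue -Name 'RestrictRemoteSAM'
$tooBroad = $sddl -match '\(A;[^()]*;(AN|WD|S-1-5-7|S-1-1-0)\)'
$report += [pscustomobject]@{
    Value    = 'RestrictRemoteSAM'
    Expected = 'no allow ACE for AN or WD'
    Actual   = if ($sddl) { $sddl } else { '<not set>' }
    Result   = if (-not $sddl) { 'REVIEW' } elseif ($tooBroad) { 'FAIL' } else { 'PASS' }
}

$report | Format-Table -AutoSize
```

    A REVIEW result means the value is absent from the registry, so the effective behaviour depends on the operating system default or on Group Policy and should be confirmed there.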

    Restrict clients allowed to make remote calls to SAM

    Best Practices

    Securing and hardening the Anonymous Logon feature is crucial to prevent unauthorized access and potential security breaches. While disabling Anonymous Logon altogether is the most secure approach, it might not always be feasible due to specific application requirements.

    By proactively hardening configurations around anonymous access and monitoring systems, organizations can reduce threats associated with anonymous logons. Here are some best practices:

  • Disable anonymous SID/names: Disable null session pipes or restrict anonymous connections by not allowing anonymous SID/names in access tokens.
  • Enable additional auditing: Audit account logon events, account management, and logon events to monitor anonymous activity. Forward logs to a secured centralized server.
  • Apply latest security updates: Patch and update systems regularly to ensure known anonymous logon vulnerabilities are addressed.
  • Disable the “Let Everyone permissions apply to anonymous users” setting
  • Limit access to security accounts like the Security Accounts Manager (SAM) by configuring the “Network access: Restrict clients allowed to make remote calls to SAM” setting
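
    For the auditing practice above, the following query is an added example (not from the original article) that summarizes successful logons recorded for the Anonymous Logon SID S-1-5-7. It assumes logon auditing is enabled so that Security event 4624 is written; the 1000-event window is an arbitrary choice.

```powershell
# Added example: summarize successful logons (event 4624) made as ANONYMOUS LOGON.
# Reading the Security log requires an elevated session.
$xpath = "*[System[EventID=4624] and EventData[Data[@Name='TargetUserSid']='S-1-5-7']]"

$events = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 1000 `
    -ErrorAction SilentlyContinue   # no matching events is reported as an error

$rows = foreach ($e in $events) {
    # Flatten the named <Data> elements of the event into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        LogonType   = $data['LogonType']                  # 3 = network logon
        AuthPackage = $data['AuthenticationPackageName']  # NTLM or Kerberos
        SourceIp    = $data['IpAddress']
        Workstation = $data['WorkstationName']
    }
}

# One line per source, package and logon type, busiest first, with the last time seen.
$rows |
    Group-Object SourceIp, AuthPackage, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'LastSeen'; e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } } |
    Format-Table -AutoSize
```

    Run it on the servers whose anonymous access is being restricted, or against the forwarded events on the central log server, and compare the sources listed with the applications known to need anonymous access.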