Results 1 to 25 of 48

Thread: Anonymous Logon

  1. Senior Member
    Join Date
    Jan 2003
    Location
    Orange County, CA.
    Posts
    337

    Certifications
    A+, Network+, MCP - Windows XP, MCSA - Windows Server 2003, MCTS - Exchange Server 2007
    #1

    Default Anonymous Logon

    How does a user become a member of the Anonymous Logon group? I know that this is done automatically, but how does a user access network resources bypassing authentication? Could someone provide an example of an Anonymous Logon user?

  3. Senior Member
    Join Date
    Nov 2005
    Location
    UK
    Posts
    863

    Certifications
    MCSE 2003, MCSA:M, MCDST
    #2
    1. By not authenticating.
    2. Perhaps by adding the Anonymous Logon group to the folder's ACL?
    3. A standalone PC accessing said folder?

    I'm not saying that's how it is, just an idea.

  4. Senior Member
    Join Date
    Jan 2003
    Location
    Orange County, CA.
    Posts
    337

    Certifications
    A+, Network+, MCP - Windows XP, MCSA - Windows Server 2003, MCTS - Exchange Server 2007
    #3
    Per MS:

    Anonymous Logon -
    Represents users and services that access a computer and its resources through the network without using an account name, password, or domain name.



    How does a user get onto the network without authenticating in the first place? The whole concept of an Anonymous Logon defies the NT authentication process. How does one log on anonymously?

  5. Infrequent Poster Silver Bullet's Avatar
    Join Date
    Aug 2004
    Posts
    677

    Certifications
    A+, Network+, Server+, APS, MCP, MCSA:M 2003 MCSE 2003 MCTS(70-649), VCP3, VCP4, VCP5, TCSE, CCNA, DCUCSS, CCNP, CCIE
    #4
    You are accessing this website Anonymously. Most websites for that matter are accessed anonymously using the built-in IUSR account in Microsoft. The anonymous user doesn't know the IUSR password as it is generally handled by the OS.....but you as an IIS administrator can manage that Password if you want. You then apply permissions to the IUSR account that you use for the Anonymous access.

    Does that help?

  6. Senior Member
    Join Date
    Jan 2003
    Location
    Orange County, CA.
    Posts
    337

    Certifications
    A+, Network+, MCP - Windows XP, MCSA - Windows Server 2003, MCTS - Exchange Server 2007
    #5
    Quote Originally Posted by Silver Bullet
    Does that help?
    Somewhat. I'm familiar with how it works w/ IIS, because you don't necessarily need to authenticate users accessing your website, but
    what about an NTFS folder residing somewhere on a server within my enterprise? How would someone "anonymously" access this folder? Let's say that the Everyone group has access to this folder and that Anonymous Logon is part of the Everyone group.

  7. Senior Member
    Join Date
    Nov 2005
    Location
    UK
    Posts
    863

    Certifications
    MCSE 2003, MCSA:M, MCDST
    #6
    Anon isn't part of the Everyone group.

  8. Infrequent Poster Silver Bullet's Avatar
    Join Date
    Aug 2004
    Posts
    677

    Certifications
    A+, Network+, Server+, APS, MCP, MCSA:M 2003 MCSE 2003 MCTS(70-649), VCP3, VCP4, VCP5, TCSE, CCNA, DCUCSS, CCNP, CCIE
    #7
    The Special Accounts like IUSR are members of the Anonymous Logon Group. They are authenticating..... but they are authenticating transparently with the IUSR username and password.

    what about an NTFS folder residing somewhere on a server within my enterprise?
    If you had an IUSR account enabled for anonymous access to your resources then you would add the IUSR account to the ACL of that resource and apply the permissions you wanted them to have.

    I think you are making this more complicated than what it is.

  9. Senior Member
    Join Date
    Nov 2005
    Location
    UK
    Posts
    863

    Certifications
    MCSE 2003, MCSA:M, MCDST
    #8
    Here's a scenario:

    A couple days ago in My Network Places I saw my flatmate's workgroup. I double clicked it and was able to access it, I could see the shares.
    However I was unable to access the shares as I was unauthenticated.

    Now if he were to add the Anon Logon to the permissions on the share, perhaps I would have been able to access it?

    Perhaps it isn't even meant to be used for that, maybe more like restricting anonymous (unauthenticated) users from i.e. viewing your *whatever*, etc.

    About the IUSR_xxxxxx account, I don't believe that has anything to do with the Anonymous Logon group. The IUSR account as was said is for accessing the website without needing to have a username + pwd, it will just assign that account to you. But the fact that you are using that account means that you aren't anonymous anymore, you are IUSR_xxxxx. IUSR is also a member of the Guests group and Authenticated Users, so it would be pretty pointless to have a user in both the AL and AU groups.

  10. mikej412's caddy sprkymrk's Avatar
    Join Date
    Feb 2006
    Location
    Charleston, SC
    Posts
    4,976

    Certifications
    MCP (NT4 Server), MCSA 2000, MCSA 2003, CCNA, Security+, Network+
    #9
    Yes, I have typically seen this in regard to IIS, ASP.net, and especially Pre-Windows 2000 Compatible Access (W9x, NT4 RAS servers, and some others). You can use Group Policy (Computer Config\Windows Settings\Security Settings\Local Policies\Security Options) to configure the following settings for more security (but be careful about compatibility issues):
    • Network access: Allow anonymous SID/Name translation - Disabled
    • Network access: Do not allow anonymous enumeration of SAM accounts - Enabled
    • Network access: Do not allow anonymous enumeration of SAM accounts and shares - Enabled
    • Network access: Let Everyone permissions apply to anonymous users - Disabled

    Hope that helps. Sorry I don't have a better explanation of all the different reasons anonymous logons appear in the event logs.
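The four Security Options listed in the post above can be checked offline against a `secedit /export` policy file. This is an added example, not part of the original thread; the sample export is constructed, and the key names assume the standard mapping of these policies to `LSAAnonymousNameLookup`, `RestrictAnonymousSAM`, `RestrictAnonymous` and `EveryoneIncludesAnonymous`.

```python
"""Audit `secedit /export /cfg policy.inf` output for anonymous-access settings."""

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa" + "\\"

# (INF section, key, hardened value, policy name as listed in the post)
EXPECTED = [
    ("System Access", "LSAAnonymousNameLookup", 0,
     "Allow anonymous SID/Name translation"),
    ("Registry Values", LSA + "RestrictAnonymousSAM", 1,
     "Do not allow anonymous enumeration of SAM accounts"),
    ("Registry Values", LSA + "RestrictAnonymous", 1,
     "Do not allow anonymous enumeration of SAM accounts and shares"),
    ("Registry Values", LSA + "EveryoneIncludesAnonymous", 0,
     "Let Everyone permissions apply to anonymous users"),
]

# Constructed sample export (real files are UTF-16; open with encoding="utf-16").
SAMPLE_WEAK = r"""
[Unicode]
Unicode=yes
[System Access]
LSAAnonymousNameLookup = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,1
"""

def parse_inf(text):
    """Return {section_lower: {key_lower: raw_value}} from secedit INF text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def dword(raw):
    """'4,1' (type,value in [Registry Values]) or a plain '0' -> int."""
    return int(raw.split(",")[-1].strip().strip('"'))

def audit(text):
    """Return (policy, found, wanted) for every setting that is not hardened.
    found is None when the export does not define the setting at all."""
    sections = parse_inf(text)
    findings = []
    for section, key, wanted, policy in EXPECTED:
        raw = sections.get(section.lower(), {}).get(key.lower())
        found = None if raw is None else dword(raw)
        if found != wanted:
            findings.append((policy, found, wanted))
    return findings

if __name__ == "__main__":
    for policy, found, wanted in audit(SAMPLE_WEAK):
        print(f"Network access: {policy}: found {found}, want {wanted}")
```
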

  11. Senior Member
    Join Date
    Nov 2005
    Location
    UK
    Posts
    863

    Certifications
    MCSE 2003, MCSA:M, MCDST
    #10
    Quote Originally Posted by sprkymrk
    Sorry I don't have a better explanation of all the different reasons anonymous logons appear in the event logs.
    Anytime an unauthenticated session/connection is attempted?

  12. Infrequent Poster Silver Bullet's Avatar
    Join Date
    Aug 2004
    Posts
    677

    Certifications
    A+, Network+, Server+, APS, MCP, MCSA:M 2003 MCSE 2003 MCTS(70-649), VCP3, VCP4, VCP5, TCSE, CCNA, DCUCSS, CCNP, CCIE
    #11
    Quote Originally Posted by _omni_
    The IUSR account as was said is for accessing the website without needing to have a username + pwd, it will just assign that account to you.
    UHHHH.....wouldn't that be anonymous

  13. mikej412's caddy sprkymrk's Avatar
    Join Date
    Feb 2006
    Location
    Charleston, SC
    Posts
    4,976

    Certifications
    MCP (NT4 Server), MCSA 2000, MCSA 2003, CCNA, Security+, Network+
    #12
    Quote Originally Posted by _omni_
    Anon isn't part of the Everyone group.
    As long as you are using a 100% W2K3 domain. If you are in a W2K domain, anon is part of the everyone group:
    http://technet2.microsoft.com/Window....mspx?mfr=true

    From that link a snippet reads as follows:
    The Anonymous Logon group is no longer a member of the Everyone group. This change will impact anonymous users attempting to access resources hosted on computers running Windows XP Professional and members of the Windows Server 2003 family. (......) Because Administrators did not realize that anonymous users were members of the Everyone group they might have inadvertently granted them access to resources only intended for authenticated users.

    Quote Originally Posted by _omni_
    About the IUSR_xxxxxx account, I don't believe that has anything to do with the Anonymous Logon group.
    Yes it does. Check your OWA logs if you are running an Exchange 5.5 server on W2K (I know, I know - working on upgrading to E2K3 on W2K3 right now... ). Whenever someone accesses the logon page, before they authenticate (when they are at the "Type Your Mailbox" page) it logs them as Anonymous/IUSR. Also seen it in other cases as well. However, in the case of w^rl0rd's question, I think you're right. He's seeing it in places other than web access.

  14. Senior Member
    Join Date
    Jan 2003
    Location
    Orange County, CA.
    Posts
    337

    Certifications
    A+, Network+, MCP - Windows XP, MCSA - Windows Server 2003, MCTS - Exchange Server 2007
    #13
    Quote Originally Posted by _omni_
    Here's a scenario:

    A couple days ago in My Network Places I saw my flatmate's workgroup. I double clicked it and was able to access it, I could see the shares.
    However I was unable to access the shares as I was unauthenticated.

    Now if he were to add the Anon Logon to the permissions on the share, perhaps I would have been able to access it?

    Now that is what I'm looking for! OK, and yes I may have been making this harder than it is.

    If I have a folder w/ its ACL allowing Anonymous Logon and someone plugged into my network having already authenticated locally, they could just type in the UNC path to this folder and access it w/o being prompted for domain credentials. Right?

  15. Senior Member
    Join Date
    Nov 2005
    Location
    UK
    Posts
    863

    Certifications
    MCSE 2003, MCSA:M, MCDST
    #14
    Quote Originally Posted by Silver Bullet
    Quote Originally Posted by _omni_
    The IUSR account as was said is for accessing the website without needing to have a username + pwd, it will just assign that account to you.
    UHHHH.....wouldn't that be anonymous
    I don't think so. Granted, the user accessing the site is anonymous, but he is using the IUSR account which is an authenticated account, and therefore not anonymous to the system (and thus not a member of the Anonymous Logon group).

  16. Infrequent Poster Silver Bullet's Avatar
    Join Date
    Aug 2004
    Posts
    677

    Certifications
    A+, Network+, Server+, APS, MCP, MCSA:M 2003 MCSE 2003 MCTS(70-649), VCP3, VCP4, VCP5, TCSE, CCNA, DCUCSS, CCNP, CCIE
    #15
    Apparently Microsoft considers the IUSR_Computername account to be anonymous access

    http://www.microsoft.com/technet/pro....mspx?mfr=true

    The top line reads:
    Anonymous authentication gives users access to the public areas of your Web or FTP site without prompting them for a user name or password. By default, the IUSR_computername account is used to allow anonymous access.

    And I apologize w^orld.....I thought you were just looking for an explanation of Anonymous Logons. Didn't realise you were troubleshooting a problem here.

    Going to get a cold beer now.

  17. Senior Member
    Join Date
    Jan 2003
    Location
    Orange County, CA.
    Posts
    337

    Certifications
    A+, Network+, MCP - Windows XP, MCSA - Windows Server 2003, MCTS - Exchange Server 2007
    #16
    I appreciate all of the help, but this whole discussion about the iusr account not being the same as anonymous is silly. His point was that you don't really know who iusr actually is, hence making him "anonymous." But if we can clarify my above post, we should be golden. Thanks.

  18. Senior Member
    Join Date
    Jan 2003
    Location
    Orange County, CA.
    Posts
    337

    Certifications
    A+, Network+, MCP - Windows XP, MCSA - Windows Server 2003, MCTS - Exchange Server 2007
    #17
    Quote Originally Posted by Silver Bullet
    And I apologize w^orld.....I thought you were just looking for an explanation of Anonymous Logons. Didn't realise you were troubleshooting a problem here.

    Going to get a cold beer now.

    Not troubleshooting a problem, just giving a scenario that would help me understand. Enjoy that beer.

  19. Infrequent Poster Silver Bullet's Avatar
    Join Date
    Aug 2004
    Posts
    677

    Certifications
    A+, Network+, Server+, APS, MCP, MCSA:M 2003 MCSE 2003 MCTS(70-649), VCP3, VCP4, VCP5, TCSE, CCNA, DCUCSS, CCNP, CCIE
    #18
    Quote Originally Posted by w^rl0rd
    If I have a folder w/ its ACL allowing Anonymous Logon and someone plugged into my network having already authenticated locally, they could just type in the UNC path to this folder and access it w/o being prompted for domain credentials. Right?
    No....I just tested on my lab. Shared a folder on my Server and attempted to access it from another computer and was denied.

    Folder was shared as only having the Anonymous Logon Group with Full Control Share Permissions.

  20. mikej412's caddy sprkymrk's Avatar
    Join Date
    Feb 2006
    Location
    Charleston, SC
    Posts
    4,976

    Certifications
    MCP (NT4 Server), MCSA 2000, MCSA 2003, CCNA, Security+, Network+
    #19
    Quote Originally Posted by _omni_
    Quote Originally Posted by Silver Bullet
    Quote Originally Posted by _omni_
    The IUSR account as was said is for accessing the website without needing to have a username + pwd, it will just assign that account to you.
    UHHHH.....wouldn't that be anonymous
    I don't think so. Granted, the user accessing the site is anonymous, but he is using the IUSR account which is an authenticated account, and therefore not anonymous to the system (and thus not a member of the Anonymous Logon group).
    Hi _omni_, check through this a little for some clarification:
    http://support.microsoft.com/default...142868&sd=tech

    Specifically, it mentions the following:
    When the Internet Information Server product is installed, Setup creates a user account on the server computer to be used for anonymous connections. The username of this account has the form IUSR_<computer_name>. For example, if the server computer name is WEB1, the username created will be IUSR_WEB1. The same anonymous-logon user account is set up for all Internet Information Server services installed on the computer. The account is made a member of the computer's Guest group. This will, in most cases, give anonymous client requests access to public content published on the server.

    And as I mentioned, I've seen my logs - they tell me the same thing. Ok, now don't razz me :P about still running a 5.5 Exchange server, it's embarrassing enough!

  21. mikej412's caddy sprkymrk's Avatar
    Join Date
    Feb 2006
    Location
    Charleston, SC
    Posts
    4,976

    Certifications
    MCP (NT4 Server), MCSA 2000, MCSA 2003, CCNA, Security+, Network+
    #20
    Sorry about the above post - I type WAYYY slow...

  22. mikej412's caddy sprkymrk's Avatar
    Join Date
    Feb 2006
    Location
    Charleston, SC
    Posts
    4,976

    Certifications
    MCP (NT4 Server), MCSA 2000, MCSA 2003, CCNA, Security+, Network+
    #21
    Quote Originally Posted by Silver Bullet
    Quote Originally Posted by w^rl0rd
    If I have a folder w/ its ACL allowing Anonymous Logon and someone plugged into my network having already authenticated locally, they could just type in the UNC path to this folder and access it w/o being prompted for domain credentials. Right?
    No....I just tested on my lab. Shared a folder on my Server and attempted to access it from another computer and was denied.

    Folder was shared as only having the Anonymous Logon Group with Full Control Share Permissions.
    What were the NTFS permissions used?

  23. Infrequent Poster Silver Bullet's Avatar
    Join Date
    Aug 2004
    Posts
    677

    Certifications
    A+, Network+, Server+, APS, MCP, MCSA:M 2003 MCSE 2003 MCTS(70-649), VCP3, VCP4, VCP5, TCSE, CCNA, DCUCSS, CCNP, CCIE
    #22
    Quote Originally Posted by sprkymrk
    Quote Originally Posted by Silver Bullet
    Quote Originally Posted by w^rl0rd
    If I have a folder w/ its ACL allowing Anonymous Logon and someone plugged into my network having already authenticated locally, they could just type in the UNC path to this folder and access it w/o being prompted for domain credentials. Right?
    No....I just tested on my lab. Shared a folder on my Server and attempted to access it from another computer and was denied.

    Folder was shared as only having the Anonymous Logon Group with Full Control Share Permissions.
    What were the NTFS permissions used?
    Anonymous Logon NTFS permissions were:
    Read & Execute
    List Folder Contents
    Read

  24. Senior Member
    Join Date
    Nov 2005
    Location
    UK
    Posts
    863

    Certifications
    MCSE 2003, MCSA:M, MCDST
    #23
    Quote Originally Posted by w^rl0rd
    If I have a folder w/ its ACL allowing Anonymous Logon and someone plugged into my network having already authenticated locally, they could just type in the UNC path to this folder and access it w/o being prompted for domain credentials. Right?
    Perhaps. That's the idea I get, but I can't try it because my computers are all in a domain.


    Now to get back to arguing a point that I'm completely theorising on but am sure I'm right:
    The top line reads:
    Anonymous authentication gives users access to the public areas of your Web or FTP site without prompting them for a user name or password. By default, the IUSR_computername account is used to allow anonymous access.
    I believe it is referring to the concept of anonymous access. Where, oh where can you see anything that says "The IUSR account then automatically becomes a member of the Anonymous Logon group..."?

    If you wanted real anonymous access, you would configure the website to grant the Anonymous Logon group access instead of the IUSR account. The fact that the IUSR account must authenticate with the system in order to be used makes it, well, AUTHENTICATED and therefore a member of the Authenticated Users and not the Anonymous Logons.


  25. Senior Member
    Join Date
    Nov 2005
    Location
    UK
    Posts
    863

    Certifications
    MCSE 2003, MCSA:M, MCDST
    #24
    Quote Originally Posted by Silver Bullet
    Quote Originally Posted by w^rl0rd
    If I have a folder w/ its ACL allowing Anonymous Logon and someone plugged into my network having already authenticated locally, they could just type in the UNC path to this folder and access it w/o being prompted for domain credentials. Right?
    No....I just tested on my lab. Shared a folder on my Server and attempted to access it from another computer and was denied.

    Folder was shared as only having the Anonymous Logon Group with Full Control Share Permissions.
    Perhaps a policy disables anonymous network access?

  26. mikej412's caddy sprkymrk's Avatar
    Join Date
    Feb 2006
    Location
    Charleston, SC
    Posts
    4,976

    Certifications
    MCP (NT4 Server), MCSA 2000, MCSA 2003, CCNA, Security+, Network+
    #25
    And did you log in from a computer that was a member of a domain? Then you are not anon possibly, are you? (asking) In which case were there any other permissions applied to other groups?

    Try accessing the share through a net use \\servername\sharename u:"" ""

    (that's a u: no space, double quote no space double quote SPACE double quote no space double quote) - if I remember correctly....