Security Event 538

Postby rgerhards on Thu Jun 19, 2003 7:47 pm

Hi,

I started this track so that comments on our security event 538 paper can be made available publicly (if intended to do so). I would appreciate any postings.

The paper itself is available at:

http://www.monitorware.com/Common/en/SecurityReference/Event-ID-538-Explained.asp

Thanks,
Rainer
rgerhards

Postby Gord Taylor on Thu Jun 19, 2003 8:05 pm

I saw your request for comments on the LogAnalysis mailing list, and thought I'd contribute the following experiences.

While the logon type may be inaccurate in the 538 event, you can correlate to the associated 528 (Logon) event using the Logon ID, which looks something like (0x0,0x5B45F1). This Logon ID is used for all security events occurring during that logon session, including the 538 event.

I've also found that, for domain controllers and member servers, you will typically have fewer 538 events than 528 events. I believe this is attributed to users undocking/BSOD/powering off - where no actual logoff occurs - and the resources being used simply time out.

Thanks
Gord T.
Gord Taylor
 

Postby Eric Fitzgerald[MSFT] on Mon Jun 23, 2003 11:52 am

A logon audit is generated when a logon session is created, after a call to LogonUser() or AcceptSecurityContext(). The logon session is uniquely identified by a number called a Logon ID, which is listed in the audit.

A logoff audit is generated when a logon session is destroyed. The logoff audit can be correlated to the logon audit using the Logon ID, regardless of the logon type code.

A logon session is associated with a token, and can't be destroyed until the token is destroyed. A token can't be destroyed while it is being used.

When an application or system component requests access to the token, the system increases the reference count on the token, to keep it around even if the original owner goes away. A well-behaved application closes the handle to the token when it's finished with it, causing the reference count to be decremented. When the reference count reaches 0, the token is destroyed, the logon session is destroyed, and the logoff event 538 is generated.

A poorly-behaved application can exhibit a class of bug called a token leak. A token leak is when an application requests access to the token, increasing the reference count, and then loses track of the handle- in effect, the reference count is never decremented and can never reach 0, and Windows can't destroy the token and generate the logon event.

We identified a number of token leak issues in the OS and fixed them for SP4. It is still possible for tokens to leak; the existing token architecture has no back-reference capability associated with the reference count so we can't eliminate this class of bug at this time. We identify and fix all token leaks that we find in the OS, but many third party applications have this problem.

For reference, logon types are all listed in NTLSA.H in the Platform SDK.
Eric Fitzgerald[MSFT]
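The correlation Gord and Eric describe, worked through as an added example (this code is not from the thread, the 538 paper, or Microsoft): pair 528 logon audits with 538 logoff audits by Logon ID alone, ignoring the Logon Type carried on the 538, then report sessions still open at the end of the window (candidate token leaks or abrupt disconnects, per Eric's explanation) and 538 events with no 528 in the window. The event lines are constructed sample data in an assumed "timestamp|event id|Field: value|..." layout, not real log output; the last three mimic the ANONYMOUS LOGON / Logon Type 3 logoffs reported further down the thread, and a small helper measures the gap between them so a fixed cadence stands out.

```python
"""Correlate Windows NT/2000 security events 528 (logon) and 538 (logoff) by Logon ID."""
import re
from datetime import datetime

# Constructed sample events; the flattened layout is an assumption for this
# example, not the native event log format. Each line:
#   timestamp|event id|Field: value|Field: value|...
SAMPLE_EVENTS = [
    "2003-06-19 07:30:00|528|User Name: jdoe|Domain: CORP|Logon ID: (0x0,0x5B45F1)|Logon Type: 2",
    "2003-06-19 07:31:10|528|User Name: svc_backup|Domain: CORP|Logon ID: (0x0,0x5B4702)|Logon Type: 5",
    # Logon Type differs from the 528 above; the Logon ID still pairs them.
    "2003-06-19 08:02:00|538|User Name: jdoe|Domain: CORP|Logon ID: (0x0,0x5B45F1)|Logon Type: 3",
    # Three anonymous type-3 logoffs with no 528, fifteen minutes apart.
    "2003-06-19 08:03:00|538|User Name: ANONYMOUS LOGON|Domain: NT AUTHORITY|Logon ID: (0x0,0x36125)|Logon Type: 3",
    "2003-06-19 08:18:00|538|User Name: ANONYMOUS LOGON|Domain: NT AUTHORITY|Logon ID: (0x0,0x36240)|Logon Type: 3",
    "2003-06-19 08:33:00|538|User Name: ANONYMOUS LOGON|Domain: NT AUTHORITY|Logon ID: (0x0,0x363A1)|Logon Type: 3",
]

LOGON_ID_RE = re.compile(r"\(0x([0-9A-Fa-f]+),0x([0-9A-Fa-f]+)\)")


def parse_logon_id(text):
    """Turn the audit's '(0xHIGH,0xLOW)' LUID into a single integer key."""
    m = LOGON_ID_RE.search(text)
    if not m:
        raise ValueError("bad Logon ID: %r" % text)
    high, low = (int(part, 16) for part in m.groups())
    return (high << 32) | low


def parse_event(line):
    """Split one flattened sample line into a dict of its fields."""
    ts, event_id, *fields = line.split("|")
    rec = {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "event_id": int(event_id)}
    for field in fields:
        name, _, value = field.partition(": ")
        rec[name] = value.strip()
    rec["luid"] = parse_logon_id(rec["Logon ID"])
    rec["Logon Type"] = int(rec["Logon Type"])
    return rec


def correlate(lines):
    """Pair 528 with 538 by Logon ID only; the Logon Type on a 538 is not trusted."""
    open_logons = {}      # luid -> 528 record still waiting for its 538
    sessions = []         # (528 record, 538 record) pairs
    orphan_logoffs = []   # 538 records whose 528 was never seen in this window
    for rec in map(parse_event, lines):
        if rec["event_id"] == 528:
            open_logons[rec["luid"]] = rec
        elif rec["event_id"] == 538:
            logon = open_logons.pop(rec["luid"], None)
            if logon is None:
                orphan_logoffs.append(rec)
            else:
                sessions.append((logon, rec))
    return {
        "sessions": sessions,
        "open_logons": list(open_logons.values()),   # token leak or abrupt disconnect candidates
        "orphan_logoffs": orphan_logoffs,
    }


def anonymous_type3_intervals(orphans):
    """Seconds between consecutive ANONYMOUS LOGON / type 3 orphan logoffs.

    A constant gap points at something scheduled (a service or a polling
    client) rather than an interactive user.
    """
    times = sorted(r["time"] for r in orphans
                   if r["User Name"] == "ANONYMOUS LOGON" and r["Logon Type"] == 3)
    return [int((later - earlier).total_seconds()) for earlier, later in zip(times, times[1:])]


def summarize(lines):
    """Compact view of a correlation run, suitable for a quick triage report."""
    result = correlate(lines)
    return {
        "paired": len(result["sessions"]),
        "still_open": [r["User Name"] for r in result["open_logons"]],
        "orphan_logoff_count": len(result["orphan_logoffs"]),
        "anon_intervals": anonymous_type3_intervals(result["orphan_logoffs"]),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
```

With the sample data, summarize() reports one paired session (jdoe), one logon still open at the end of the window (svc_backup), three orphan logoffs, and 900-second gaps between the anonymous ones. On a real log the window boundary matters: a 538 with no 528 can simply mean the 528 fell before the start of the export, was overwritten, or was never written because logon auditing was switched on after the session began, so look the Logon ID up in the older log before treating the logoff as spurious.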
 

Postby Eric Fitzgerald on Wed Jun 25, 2003 8:51 am

>So, does a 538 occur if the machine is undocked/when the machine blue
>screens/power button is hit? If so, is this after the server's
>configured disconnect time, or immediately when the TCP session
>disconnects at the client?
Logoff events are generated after undock, if the net adapter goes away and network sessions go away. Whether they are associated with TCP close depends on the service authenticating the user (IIS vs. SMB server, etc.)- if the remote machine actually disconnects or is forcibly disconnected you will see them. They tend not to be generated when the OS is not running due to unexpected power outage. They might be generated after hibernate, if they were queued before power was removed.

Eric
Eric Fitzgerald
 

Mass Logoff (538) Events and NO Logons

Postby Guest on Tue Dec 09, 2003 12:58 am

Thus far I've not been able to find any clear-cut answers on the net as to why I'm seeing massive numbers of 538 logoff events and NO corresponding logons.

This is a fresh installation of Win2k Server with all service packs/security fixes in place, Baseline Security Analyzer recommendations put in place, various Local Security Policy settings locked down ('No Access without explicit anonymous permissions', for instance), and every other possible security lock down (as far as I'm currently aware of) enabled. I've thoroughly done everything I can to secure this machine, and yet I'm continually seeing these confounded ANONYMOUS LOGIN events...

Specific details as follows:

User Logoff:

User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Login ID: (0x0,0x36125)
Logon Type: 3

Please, does anyone know what in the blazes is going on here? Forgive my irritation, but it's really pissing me off -- I can't afford to run an insecure system and must get to the bottom of this issue! I've locked down every possible (as far as I know) Anonymous access point and STILL am getting hit.

:x
Guest
 

Postby Tomo on Mon Oct 04, 2004 11:38 am

Are you running IIS? If so, have you checked the IIS events to see if there are any corresponding 'GET 304' events?
Tomo
 

Security Event 538

Postby Mosaic on Thu Oct 14, 2004 11:28 am

I have the same problem as you and am following this thread with interest.
For what it's worth, all of my users access the server via Citrix terminal server sessions.
Very occasionally, when nothing else is going on, two of these mystery events occur three minutes after the hour and three minutes after the half hour.
Mosaic
 

Re: Mass Logoff (538) Events and NO Logons

Postby Guest on Sat Dec 04, 2004 8:18 am

Anonymous wrote: [the original post above, quoted in full]

I too am experiencing exactly this behavior (anonymous logoff -- no corresponding logon).

I too have no idea why they occur.

But I thought I'd attempt to describe the environment in which my server 'lives' and see if there are any similarities with yours.

My server is part of an NT domain (I am not a domain admin, just a server admin). The domain to which it belongs has a trust relationship with a 'new' domain that is Active Directory based. Most users are authenticated by way of the new domain; a few are authenticated locally on 'my' server itself.

I really can't tell if valid local account logons, valid AD logon events, or both have any relationship to the spurious events. I mention it only in an attempt to explain my environment, so as to determine if we have anything in common that might indicate a starting point for determination of this 'thing'.
Guest
 


Re: Mass Logoff (538) Events and NO Logons

Postby Guest II on Tue Dec 28, 2004 7:19 pm

Anonymous wrote: [the two posts above, quoted in full]


I have a new server without IIS and/or FTP - just OS only! (W2K+SP4+All Sec Patches) And every 15 minutes double entry:
User Logoff:

User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Login ID: (0xxxxxxx)*
Logon Type: 3

*Login ID is always different

Any updates on the PROBLEM?
Guest II
 

Unending Event ID 538 logoffs

Postby Keith on Fri Jan 28, 2005 3:28 pm

Try turning off the "Computer Browser" service. This worked for me.

Keith
kmcbee@fpl.com
Keith
 

538: The definitive answer

Postby Cole K on Thu Apr 28, 2005 2:41 pm

Constant anonymous logons listed as #538 in your security log are caused by computers in your network sending ACKs to confirm NetBIOS over TCP/IP communication. Set your ZoneAlarm trusted zones to HIGH, then look at the ZoneAlarm firewall log file and you will see this confirmed. Superficially this appears benign, but I read an extensive dialog on the vulnerability of this to port scanners. I highly suggest everyone read this:

http://grc.com/su-fixit.htm
Cole K
 

Postby Bhu1 on Wed Jul 27, 2005 6:05 am

Hey guys..

Hope this link from Microsoft will solve your issues:

http://support.microsoft.com/?kbid=246261


Cheers..
Bhuv1
Bhu1
 
