Anonymous Logons

[Mich]

I'm starting to have users call our help desk with the following error (or something like it):
You cannot logon because your security log is full. Only a local administrator can log on.

I'll log on to the computer, look at the security log, and, sure enough, it's full. It's full of 538s (user logoff) and 540s (user logon). The user name that keeps creating these events is Anonymous Logon. Anonymous Logon (AL) is constantly hitting these computers. AL will logon then right back off 5 times a second, thus filling the security log. They all appear to be successful audits.

I'll clear the log so the user can sign on, but the next day they call with the same error.

My question is, how do I tell who/what AL is?

Thanks in advance,
Mick

 

[krusifix]

By default, security logging in WinXP Pro overwrites events older than 7 days. It sounds like someone or some application has changed this to the "Do not overwrite events (clear log manually)" setting.

You can view the settings and change them in the event viewer. Start | Run | type "eventvwr" without the quotes and press Enter. Then in the event viewer window left-hand pane, right-click on Security and select Properties. You can change the maximum size of the log file and choose between three different ways to handle a full log file.

Its is possible that if these computers are hooked up to a network that they might be making the network connections in the workgroup and using the Anonymous Logon to do so.


I hope this help somewhat.