Anonymous Logon Explained
Anonymous logon refers to a type of network access where a user can log in to a system or network resource without providing any authentication credentials such as a username or password. This type of access is typically granted to allow basic, unauthenticated access to certain resources for public use or for specific purposes.
In some cases, anonymous logon is used to reach publicly available files or services on a network, such as anonymous FTP (File Transfer Protocol) servers, where users can download files without creating an account or supplying credentials. To manage user access, you need to understand the NT logon process and the three types of interactive logon (local, domain, and trusted domain) that NT uses to validate accounts on a local or remote system.
Simply put, an anonymous logon is the process of accessing a system without authentication. An anonymous user is an account used for unauthenticated access.
NT Authority Explained
NT Authority is the name given to a variety of predefined, special-purpose Windows accounts and groups that are part of the operating system functionality, allowing core OS services and capabilities to work. They facilitate resource access and control security boundaries within the Windows systems. The “NT” stands for New Technology and refers to the Windows NT operating system line.
When you see “NT Authority” in the context of permissions or access control lists (ACLs), it typically indicates that the permission or privilege is being granted to a system-level entity rather than to a specific user or group. For example, “NT Authority\SYSTEM” refers to the local system account, which has high privileges on the system.
Some common NT Authority security principals include:
- NT Authority\SYSTEM: Represents the Local System account, which has full control over the system.
- NT Authority\Authenticated Users: Represents all users who have authenticated to the domain.
- NT Authority\Network Service: Represents the Network Service account, which is a built-in account with low-level privileges.
- NT Authority\Local Service: Represents the Local Service account, which is a built-in account with low-level privileges similar to Network Service.
Login failed for user NT authority anonymous logon
Occasionally, when attempting to reach a linked server, the error “Login failed for user NT AUTHORITY\ANONYMOUS LOGON” appears. It occurs when Windows authentication is in use and SQL Server cannot forward your credentials to the linked server. The user’s credentials must first be assigned and mapped correctly in the Linked Server security settings.
The same error also occurs when a server is restarted and fails to register its Service Principal Name (SPN). Failure to register an SPN can cause integrated authentication to fall back to NTLM instead of Kerberos.
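The two conditions above (missing credential mapping and NTLM fallback after a failed SPN registration) can be checked from a domain-joined client. This is an added PowerShell example, not the article’s own code; it assumes the SqlServer module (Invoke-Sqlcmd) is installed, and the instance and service-account names are placeholders.

```powershell
# Added example (not from the original article): check whether the SQL Server
# service account has MSSQLSvc SPNs registered and whether this session negotiated
# Kerberos or fell back to NTLM. Assumes the SqlServer module; names are placeholders.

$Instance       = 'sqlhost.corp.example'   # placeholder: linked-server target
$ServiceAccount = 'CORP\svc_sql'           # placeholder: SQL Server service account

# 1. SPNs registered on the service account (setspn.exe ships with Windows / RSAT)
$spns = setspn -L $ServiceAccount 2>&1 |
    Where-Object { $_ -match '^\s*MSSQLSvc/' } |
    ForEach-Object { $_.Trim() }
if (-not $spns) {
    Write-Warning "No MSSQLSvc SPN found on $ServiceAccount; Kerberos to $Instance cannot work until one is registered."
} else {
    Write-Host "MSSQLSvc SPNs for ${ServiceAccount}:"
    $spns | ForEach-Object { "  $_" }
}

# 2. Authentication scheme actually negotiated by the current connection
$q = "SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;"
$scheme = (Invoke-Sqlcmd -ServerInstance $Instance -Query $q).auth_scheme
switch ($scheme) {
    'KERBEROS' { Write-Host "Kerberos in use; credentials can be forwarded to a linked server (with delegation configured)." }
    'NTLM'     { Write-Warning "NTLM in use; the linked server will see NT AUTHORITY\ANONYMOUS LOGON unless a login mapping is set." }
    default    { Write-Host "auth_scheme = $scheme" }
}
```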
CIS Benchmark setting “Ensure ‘Network access: Do not allow anonymous enumeration of SAM accounts’ is set to ‘Enabled’” controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM).
The recommended state for this setting is: Enabled.
The error “Login failed for user NT AUTHORITY\ANONYMOUS LOGON” also occurs because establishing a trust with Windows NT 4.0-based domains is not possible. Additionally, client computers running older Windows operating systems such as Windows NT 3.51 and Windows 95 may have trouble accessing resources on the server.
Users who access file and print servers anonymously won’t be able to see the shared network resources without authenticating. However, even with this policy setting enabled, anonymous users can still reach resources whose permissions have been explicitly granted to the built-in group ANONYMOUS LOGON: the policy restricts enumeration, not permissions that were deliberately assigned to that group.
CIS Benchmark setting “Ensure ‘Network access: Let Everyone permissions apply to anonymous users’ is set to ‘Disabled’” determines what additional permissions are assigned for anonymous connections to the computer.
The recommended state for this setting is: Disabled.
Default value: Disabled (anonymous users can only access those resources for which the built-in group ANONYMOUS LOGON has been explicitly given permission).
Anonymous Logon Windows Vulnerabilities
Anonymous logon Windows vulnerabilities refer to security risks associated with allowing anonymous access to resources within a network or system. The most significant vulnerability is unrestricted access. Anyone can potentially access the system or service, including unauthorized individuals. This can lead to:
- Enumeration of user accounts
- Denial-of-service (DoS) attacks
- Brute-force attacks
- Unauthenticated access to shares
Anonymous logon policy setting via GPO
The Anonymous logon option disables HTTP authentication and uses the guest account only for the Common Internet File System (CIFS) protocol. For zone 0 it is stored in the registry as follows:

| Attribute | Value |
| --- | --- |
| Registry Hive | HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER |
| Registry Path | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 |
| Value Name | 1A00 |
| Value Type | REG_DWORD |
| Value | 196608 |
Default special identity group
Anonymous logon is among the default special identity groups in Windows Server. The Anonymous Logon group isn’t a member of the Everyone group by default. Each attribute below names a property of the special identity group, and the value column gives that property for Anonymous Logon; for example, its well-known SID/RID is S-1-5-7, as shown in the table:

| Attribute | Value |
| --- | --- |
| Well-known SID/RID | S-1-5-7 |
| Object class | Foreign Security Principal |
| Default location in Active Directory | CN=WellKnown Security Principals, CN=Configuration, DC=<forestRootDomain> |
| Default user rights | None |
Before Windows Server 2003, the Everyone group on computers, including those with Windows 2000 and earlier versions, automatically included the Anonymous Logon group. However, starting from Windows Server 2003, the Everyone group consists solely of Authenticated Users and Guest, with the exclusion of Anonymous Logon by default.
If you wish to modify this setting and include the Anonymous Logon group within the Everyone group, you can do so via the Registry Editor. Go to the Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key and set the value of the everyoneincludesanonymous DWORD to 1.
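The two CIS settings discussed earlier, the Lockdown zone logon value from the registry table, and the EveryoneIncludesAnonymous value just described can all be verified from the registry. The following read-only PowerShell audit is an added example, not the article’s own code; RestrictAnonymousSAM and RestrictRemoteSAM are the LSA registry values that back the “Do not allow anonymous enumeration of SAM accounts” and “Restrict clients allowed to make remote calls to SAM” policies, and the expected values follow the recommended states above.

```powershell
# Added example (not from the original article): read-only audit of the registry
# values behind the anonymous-logon settings discussed above. Run elevated.

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$zone0 = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # A missing key or value means "not configured" and is reported as $null
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Expected = $null means "any explicitly configured value is acceptable"
$checks = @(
    @{ Setting = 'Network access: Do not allow anonymous enumeration of SAM accounts (Enabled)'
       Path = $lsa;   Name = 'RestrictAnonymousSAM';      Expected = 1 }
    @{ Setting = 'Network access: Let Everyone permissions apply to anonymous users (Disabled)'
       Path = $lsa;   Name = 'EveryoneIncludesAnonymous'; Expected = 0 }
    @{ Setting = 'Network access: Restrict clients allowed to make remote calls to SAM (explicitly set)'
       Path = $lsa;   Name = 'RestrictRemoteSAM';         Expected = $null }
    @{ Setting = 'IE lockdown zone 0 logon option (1A00) = Anonymous logon'
       Path = $zone0; Name = '1A00';                      Expected = 196608 }
)

$checks | ForEach-Object {
    $actual = Get-RegValue -Path $_.Path -Name $_.Name
    # Absent LSA values fall back to the OS default; the benchmark wants them set explicitly
    $ok = if ($null -eq $_.Expected) { -not [string]::IsNullOrEmpty($actual) } else { $actual -eq $_.Expected }
    [pscustomobject]@{
        Setting   = $_.Setting
        ValueName = $_.Name
        Actual    = if ($null -eq $actual) { '(not set)' } else { $actual }
        Compliant = $ok
    }
} | Format-Table -AutoSize -Wrap
```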
Best Practices
Securing and hardening the Anonymous Logon feature is crucial to prevent unauthorized access and potential security breaches. While disabling Anonymous Logon altogether is the most secure approach, it might not always be feasible due to specific application requirements.
By proactively hardening configurations around anonymous access and monitoring systems, organizations can reduce threats associated with anonymous logons. Here are some best practices:
- Disable anonymous SID/name translation: Disable null session pipes or restrict anonymous connections by not allowing anonymous SID/name lookups in access tokens.
- Enable additional auditing: Audit account logon events, account management and logon events to monitor anonymous activity. Forward logs to a secured, centralized server.
- Apply the latest security updates: Patch and update systems regularly to ensure known anonymous logon vulnerabilities are addressed.
- Disable the “Let Everyone permissions apply to anonymous users” setting.
- Limit access to security accounts such as the Security Accounts Manager (SAM) by configuring the “Network access: Restrict clients allowed to make remote calls to SAM” setting.
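For the auditing practice above, this added PowerShell example (not from the original article) summarises recent successful logon events (Event ID 4624) whose target is the Anonymous Logon identity, matched on its well-known SID S-1-5-7 from the table earlier. It assumes administrative access to the Security log and that logon success auditing is enabled on the host.

```powershell
# Added example (not from the original article): summarise 4624 events for the
# Anonymous Logon identity (SID S-1-5-7) by source address and auth package.
# Assumes the Security log is readable and "Audit Logon" success auditing is on.

$Hours = 24   # look-back window

function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Map each <Data Name="..."> element of the event XML to a hashtable entry,
    # so fields are read by name rather than by fragile positional index
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
$anon = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        if ($d.TargetUserSid -eq 'S-1-5-7') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                LogonType   = $d.LogonType                 # 3 = network (SMB, RPC)
                AuthPkg     = $d.AuthenticationPackageName # anonymous logons arrive as NTLM
                Source      = $d.IpAddress
                Workstation = $d.WorkstationName
                Process     = $d.ProcessName
            }
        }
    }

# Per-source summary: a spike from one address, or anonymous logons on a host where
# null sessions are supposed to be restricted, is what to investigate further.
$anon | Group-Object Source, AuthPkg | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Sort-Object Time)[0].Time } },
        @{ n = 'Last';  e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```

Anonymous network logons from domain controllers and file servers are common background noise; compare the per-source counts against a baseline rather than alerting on any single event.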
If you would like to consult with one of our server hardening experts and see a FREE DEMO, Get in touch.