Anonymous Logon

w^rl0rd · May 2006

How does a user become a member of the Anonymous Logon group? I know that this is done automatically, but how does a user access network resources bypassing authentication? Could someone provide an example of an Anonymous Logon user?

eurotrash · May 2006

1. By not authenticating.
2. Perhaps by adding the Anonymous Logon group to the folder's ACL?
3. A standalone PC accessing said folder?

I'm not saying that's how it is, just an idea.

w^rl0rd · May 2006

Per MS:

Anonymous Logon -
Represents users and services that access a computer and its resources through the network without using an account name, password, or domain name.

How does a user get onto the network without authenticating in the first place? The whole concept of an Anonymous Logon defies the NT authentication process. How does one log on anonymously?

Silver Bullet · May 2006

You are accessing this website Anonymously. Most websites for that matter are accessed anonymously using the built-in IUSR account in Microsoft. The anonymous user doesn't know the IUSR password as it is generally handled by the OS.....but you as an IIS administrator can manage that Password if you want. You then apply permissions to the IUSR account that you use for the Anonymous access.

Does that help?

w^rl0rd · May 2006

Silver Bullet wrote:

Does that help?

Somewhat. I'm familiar with how it works w/ IIS, because you don't neccessarily need to authenticate users accessing your website, but
what about an NTFS folder residing somewhere on a server within my enterprise? How would someone "anonymously" access this folder? Lets say that the Everyone group has access to this folder and that Anonymous Logon is part of the Everyone group.

eurotrash · May 2006

Anon isn't part of the Everyone group.

Silver Bullet · May 2006

The Special Accounts like IUSR are members of the Anonymous Logon Group. They are authenticating..... but they are authenticating transparently with the IUSR username and password.

what about an NTFS folder residing somewhere on a server within my enterprise?

If you had an IUSR account enabled for anonymous access to your resources then you would add the IUSR account to the ACL of that resource and apply the permissions you wanted them to have.

I think you are making this more complicated than what it is.

eurotrash · May 2006

Here's a scenario:

A couple days ago in My Network Places I saw my flatmate's workgroup. I double clicked it and was able to access it, I could see the shares.
However I was unable to access the shares as I was unauthenticated.

Now if he were to add the Anon Logon to the permissions on the share, perhaps I would have been able to access it?

Perhaps it isn't even meant to be used for that, maybe more like retricting anonymous (unauthenticated) users from i.e. viewing your *whatever*, etc.

About the IUSR_xxxxxx account, I don't believe that has anything to do with the Anonymous Logon group. The IUSR account as was said is for accessing the website without needing to have a username + pwd, it will just assign that account to you. But the fact that you are using that account means that you aren't anonymous anymore, you are IUSR_xxxxx. IUSR is also a member of the Guests group and Authenticated Users, so it would be pretty pointless to have a user in both the AL and AU groups.

sprkymrk · May 2006

Yes, I have typically seen this in regard to IIS, ASP.net, and especially Pre-Windows 2000 Compatible Access (W9x, NT4 RAS servers, and some others). You can use Group Policy (Computer Config\Windows Settings\Security Settings\Local Policies\Security Options) to configure the following settings for more security (but be careful about compatibility issues):

Network access: Allow anonymous SID/Name translation - Disabled Network access: Do not allow anonymous enumeration of SAM accounts - Enabled Network access: Do not allow anonymous enumeration of SAM accounts and shares - EnabledNetwork access: Let Everyone permissions apply to anonymous users - Disabled

Hope that helps. Sorry I don't have a better explanation of all the different reasons anonymous logons appear in the event logs.

eurotrash · May 2006

sprkymrk wrote:

Sorry I don't have a better explanation of all the different reasons anonymous logons appear in the event logs.

Anytime an unauthenticated session/connection is attempted?

Silver Bullet · May 2006

_omni_ wrote:

The IUSR account as was said is for accessing the website without needing to have a username + pwd, it will just assign that account to you.

UHHHH.....wouldn't that be anonymous

sprkymrk · May 2006

_omni_ wrote:

Anon isn't part of the Everyone group.

As long as you are using a 100% W2K3 domain. If you are in a W2K domain, anon is part of the everyone group:
http://technet2.microsoft.com/WindowsServer/en/Library/1494bf2c-b596-4785-93bb-bc86f8e548d51033.mspx?mfr=true

From that link a snippet reads as follows:
The Anonymous Logon group is no longer a member of the Everyone group. This change will impact anonymous users attempting to access resources hosted on computers running Windows XP Professional and members of the Windows Server 2003 family. (......) Because Administrators did not realize that anonymous users were members of the Everyone group they might have inadvertently granted them access to resources only intended for authenticated users.

_omni_ wrote:

About the IUSR_xxxxxx account, I don't believe that has anything to do with the Anonymous Logon group.

Yes it does. Check your OWA logs if you are running an Exchange 5.5 server on W2K (I know, I know - working on upgrading to E2K3 on W2K3 right now...

). Whenever someone accesses the logon page, before they authenticate (when they are at the "Type Your Mailbox" page) it logs them as Anonymous/IUSR. Also seen it in other cases as well. However, in the case of w^rl0rd's question, I think you're right. He's seeing it in places other than web access.

w^rl0rd · May 2006

_omni_ wrote:

Here's a scenario:

A couple days ago in My Network Places I saw my flatmate's workgroup. I double clicked it and was able to access it, I could see the shares.
However I was unable to access the shares as I was unauthenticated.

Now if he were to add the Anon Logon to the permissions on the share, perhaps I would have been able to access it?

Now that is what I'm looking for! OK, and yes I may have been making this harder than it is.

If I have a folder w/ it's ACL allowing Anonymous Logon and someone plugged into my network having already locally authenticated locally, they could just type in the UNC path to this folder and access it w/o being prompted for domain credentials. Right?

eurotrash · May 2006

Silver Bullet wrote:

_omni_ wrote:

The IUSR account as was said is for accessing the website without needing to have a username + pwd, it will just assign that account to you.

UHHHH.....wouldn't that be anonymous

I don't think so. Granted, the user accessing the site is anonymous, but he is using the IUSR account which is an authenticated account, and therefore not anonymous to the system (and thus not a member of the Anonymous Logon group).

Silver Bullet · May 2006

Apparently Microsoft considers the IUSR_Computername account to be anonymous access

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/f594e137-e2da-4b22-ab58-f8edba938802.mspx?mfr=true

The top line reads:
Anonymous authentication gives users access to the public areas of your Web or FTP site without prompting them for a user name or password. By default, the IUSR_computername account is used to allow anonymous access.

And I apoologize w^orld.....I thought you were just looking for an explanation of Anonymous Logons. Didn't realise you were troubleshooting a problem here.

Going to get a cold beer now.

w^rl0rd · May 2006

I appreciate all of the help, but this whole discussion about the iusr account not being the same as anonymous is silly. His point was that you don't really know who iusr actually is, hence making him "anonymous." But if we can clarify my above post, we should be golden. Thanks.

w^rl0rd · May 2006

Silver Bullet wrote:

And I apoologize w^orld.....I thought you were just looking for an explanation of Anonymous Logons. Didn't realise you were troubleshooting a problem here.

Going to get a cold beer now.

Not troubleshooting a problem, just giving a scenerio that would help me understand. Enjoy that beer.

Silver Bullet · May 2006

w^rl0rd wrote:

If I have a folder w/ it's ACL allowing Anonymous Logon and someone plugged into my network having already locally authenticated locally, they could just type in the UNC path to this folder and access it w/o being prompted for domain credentials. Right?

No....I just tested on my lab. Shared a folder on my Server and attempted to access it from another computer and was denied.

Folder was shared as only having the Anonymous Logon Group with Full Control Share Permissions.

sprkymrk · May 2006

_omni_ wrote:

Silver Bullet wrote:

_omni_ wrote:

The IUSR account as was said is for accessing the website without needing to have a username + pwd, it will just assign that account to you.

UHHHH.....wouldn't that be anonymous

I don't think so. Granted, the user accessing the site is anonymous, but he is using the IUSR account which is an authenticated account, and therefore not anonymous to the system (and thus not a member of the Anonymous Logon group).

Hi _omni_, check through this a little for some clarification:
http://support.microsoft.com/default.aspx?scid=KB;en-us;142868&sd=tech

Specifically, it mentions the following:
When the Internet Information Server product is installed, Setup creates a user account on the server computer to be used for anonymous connections. The username of this account has the form IUSR_<computer_name>. For example, if the server computer name is WEB1, the username created will be IUSR_WEB1. The same anonymous-logon user account is set up for all Internet Information Server services installed on the computer. The account is made a member of the computer's Guest group. This will, in most cases, give anonymous client requests access to public content published on the server.

And as I mentioned, I've seen my logs - they tell me the same thing. Ok, now don't razz me :P about still running a 5.5 Exchange server, it's embarrassing enough!

sprkymrk · May 2006

Sorry about the above post - I type WAYYY slow...

sprkymrk · May 2006

Silver Bullet wrote:

w^rl0rd wrote:

If I have a folder w/ it's ACL allowing Anonymous Logon and someone plugged into my network having already locally authenticated locally, they could just type in the UNC path to this folder and access it w/o being prompted for domain credentials. Right?

No....I just tested on my lab. Shared a folder on my Server and attempted to access it from another computer and was denied.

Folder was shared as only having the Anonymous Logon Group with Full Control Share Permissions.

What were the NTFS permissions used?

Silver Bullet · May 2006

sprkymrk wrote:

Silver Bullet wrote:

w^rl0rd wrote:

If I have a folder w/ it's ACL allowing Anonymous Logon and someone plugged into my network having already locally authenticated locally, they could just type in the UNC path to this folder and access it w/o being prompted for domain credentials. Right?

No....I just tested on my lab. Shared a folder on my Server and attempted to access it from another computer and was denied.

Folder was shared as only having the Anonymous Logon Group with Full Control Share Permissions.

What were the NTFS permissions used?

Anonymous Logon NTFS permissions were:
Read & Execute
List Folder Contents
Read

eurotrash · May 2006

w^rl0rd wrote:

If I have a folder w/ it's ACL allowing Anonymous Logon and someone plugged into my network having already locally authenticated locally, they could just type in the UNC path to this folder and access it w/o being prompted for domain credentials. Right?

Perhaps. That's the idea I get, but I can't try it because my computers are all in a domain.

Now to get back to arguing a point that I'm completely theorising on but am sure I'm right:

The top line reads:
Anonymous authentication gives users access to the public areas of your Web or FTP site without prompting them for a user name or password. By default, the IUSR_computername account is used to allow anonymous access.

I believe it is referring to the concept of anonymous access. Where, oh where can you see anything that says "The IUSR account then automatically becomes a member of the Anonymous Logon group..."?

If you wanted real anonymous access, you would configure the website to grant the Anonymous Logon group access instead of the IUSR account. The fact that the IUSR account must authenticate with the system in order to be used makes it, well, AUTHENTICATED and therefore a member of the Authenticated Users and not the Anonymous Logons.

eurotrash · May 2006

Silver Bullet wrote:

w^rl0rd wrote:

If I have a folder w/ it's ACL allowing Anonymous Logon and someone plugged into my network having already locally authenticated locally, they could just type in the UNC path to this folder and access it w/o being prompted for domain credentials. Right?

No....I just tested on my lab. Shared a folder on my Server and attempted to access it from another computer and was denied.

Folder was shared as only having the Anonymous Logon Group with Full Control Share Permissions.

Perhaps a policy disables anonymous network access?

sprkymrk · May 2006

And did you log in from a computer that was a member of a domain? Then you are not anon possibly, are you? (asking) In which case were there any other permissions applied to other groups?

Try accessing the share through a net use \\servername\sharename u:"" ""

(that's a u: no space, double quote no space double quote SPACE double quote no space double quote) - if I remember correctly....

Silver Bullet · May 2006

Silver Bullet wrote:

w^rl0rd wrote:

If I have a folder w/ it's ACL allowing Anonymous Logon and someone plugged into my network having already locally authenticated locally, they could just type in the UNC path to this folder and access it w/o being prompted for domain credentials. Right?

No....I just tested on my lab. Shared a folder on my Server and attempted to access it from another computer and was denied.

Folder was shared as only having the Anonymous Logon Group with Full Control Share Permissions.

HEHE.....quoting myself.

Now on the other hand. I removed the Anonymous Logon group and added the everyone group and WINNER! WINNER! CHICKEN DINNER!
I was then able to access it from another computer that IS NOT ON THE DOMAIN. But again, could not with only the Anonymous Logon group in the ACL.

_omni_ wrote:

Now to get back to arguing a point that I'm completely theorising on but am sure I'm right:
Quote:
The top line reads:
Anonymous authentication gives users access to the public areas of your Web or FTP site without prompting them for a user name or password. By default, the IUSR_computername account is used to allow anonymous access.

I believe it is referring to the concept of anonymous access. Where, oh where can you see anything that says "The IUSR account then automatically becomes a member of the Anonymous Logon group..."?

If you wanted real anonymous access, you would configure the website to grant the Anonymous Logon group access instead of the IUSR account. The fact that the IUSR account must authenticate with the system in order to be used makes it, well, AUTHENTICATED and therefore a member of the Authenticated Users and not the Anonymous Logons.

icon_biggrin.gif

Well......we need to tell Microsoft and Sybex then. In the back of my Sybex 70-290 book there is a definitions section. In that Definitions section is a definition of Anonymous Logon Groups and it says:
Anonymous Logon Group A Windows Server 2003 special group that includes users who access the computer through anonymous logons. Anonymous logons occur when users gain access through special accounts, such as the IUSR_computername and TsInternetUser user accounts. Usually a password is not required, so that anyone can log on.

sprkymrk · May 2006

Silver Bullet wrote:

But again, could not with only the Anonymous Logon group in the ACL.

In W2K3, anonymous group is no longer a member of the everyone group.

eurotrash · May 2006

I stand firmly by my convictions!

I'm gonna do a test now and prove you all wrong

Silver Bullet · May 2006

sprkymrk wrote:

And did you log in from a computer that was a member of a domain? Then you are not anon possibly, are you? (asking) In which case were there any other permissions applied to other groups?

Try accessing the share through a net use \\servername\sharename u:"" ""

(that's a u: no space, double quote no space double quote SPACE double quote no space double quote) - if I remember correctly....

You are close on the command. Yes I can map the share through CLI but when I attempt to access it with Anonymous LOGON group Share/NTFS permissions....DENIED

No.....the computer I am testing the access to the share is not on the domain.

sprkymrk · May 2006

_omni_ wrote:

I believe it is referring to the concept of anonymous access. Where, oh where can you see anything that says "The IUSR account then automatically becomes a member of the Anonymous Logon group..."?

Hey, didn't you read my post?

sprkymrk wrote:

When the Internet Information Server product is installed, Setup creates a user account on the server computer to be used for anonymous connections. The username of this account has the form IUSR_<computer_name>. For example, if the server computer name is WEB1, the username created will be IUSR_WEB1. The same anonymous-logon user account is set up for all Internet Information Server services installed on the computer. The account is made a member of the computer's Guest group. This will, in most cases, give anonymous client requests access to public content published on the server.

Silver Bullet · May 2006

sprkymrk wrote:

Silver Bullet wrote:

But again, could not with only the Anonymous Logon group in the ACL.

In W2K3, anonymous group is no longer a member of the everyone group.

I know.....that is why I tested it that way

Anonymous Logon

Comments