Monitoring for Anonymous Active Directory Access

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

In the previous procedure, you enabled security monitoring for anonymous access by setting auditing. The auditing is set on the objects that are accessed anonymously by applications and services from other domain controllers, member servers, or workstations in the domain.

Note

To complete this procedure, you need software that is capable of aggregating the Security event logs on all domain controllers into a single log. In addition, you need software that can query the Security event log, based on the criteria in this procedure.

To make the analysis of the aggregated Security event logs easier, export the aggregated Security event logs to a database, such as Microsoft Access. Collect the event logs for about 30 days to ensure that all applications and services have attempted anonymous access, and pay special attention to applications and services that are running on Windows NT 4.0 in the security context of Local System.

Requirements

  • Credentials: Domain Admins

  • Tools: unspecified database product

To monitor for anonymous Active Directory access

  1. Collect Security event logs for 30 days on all domain controllers.

  2. Aggregate the event logs from each domain controller into a database.

  3. Identify the anonymous access events in the aggregated event logs by querying for any events with Event ID = 565 (directory service access events) that contain the text “anonymous” (case-insensitive) anywhere in the event.

    For the events that meet these criteria, identify the logon IDs that generated the anonymous access.

    The output of this query is the list of logon IDs that generated anonymous access.

  4. Identify the logon and logoff events associated with the logon IDs that you identified in the previous step by querying the aggregated event logs for events with Event ID = 528 (logon events) or Event ID = 540 (logoff events) that carry those logon IDs.

  5. Identify the domain controllers, member servers, or workstations where the logon and logoff events that you identified in the previous step originated.

  6. Identify the applications or services that are running on the domain controllers, member servers, or workstations where the anonymous access originated.

    Examples of applications or services that require anonymous access include Routing and Remote Access Service running on Windows NT 4.0, Microsoft SQL Server running on Windows NT 4.0 (with Integrated or Mixed SQL logon), and print servers running on Windows NT 4.0.
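The correlation in steps 2 through 5, as an added example that is not part of the original article: it loads a constructed set of exported Security event records into an in-memory SQLite table and runs the three queries in sequence. The column names, logon IDs and host names are assumptions about how the export was laid out, not values from any real log.

```python
import sqlite3

# Constructed sample of aggregated Security event records (not real log data); in practice
# these columns come from the database export. Tuple: (event_id, logon_id, dc, workstation, message).
SAMPLE_EVENTS = [
    (565, "0x4A12B", "DC01", "",           "Object Open ... User Name: ANONYMOUS LOGON"),
    (565, "0x4A12B", "DC01", "",           "Object Open ... User Name: Anonymous Logon"),
    (565, "0x7F3A0", "DC02", "",           "Object Open ... User Name: ANONYMOUS LOGON"),
    (565, "0x5C001", "DC02", "",           "Object Open ... User Name: jsmith"),
    (528, "0x4A12B", "DC01", "NT4PRINT01", "Logon event"),
    (540, "0x4A12B", "DC01", "NT4PRINT01", "Logoff event"),
    (528, "0x5C001", "DC02", "WKS-FIN-07", "Logon event"),
    (540, "0x7F3A0", "DC02", "NT4SQL01",   "Logoff event"),
]

def load_events(events=SAMPLE_EVENTS):
    """Step 2: aggregate the per-DC records into one queryable table (in-memory SQLite here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE security_log (
        event_id INTEGER, logon_id TEXT, domain_controller TEXT,
        workstation TEXT, message TEXT)""")
    conn.executemany("INSERT INTO security_log VALUES (?, ?, ?, ?, ?)", events)
    return conn

def anonymous_logon_ids(conn):
    """Step 3: logon IDs behind Event ID 565 records whose text contains 'anonymous' (any case)."""
    rows = conn.execute(
        "SELECT DISTINCT logon_id FROM security_log "
        "WHERE event_id = 565 AND LOWER(message) LIKE '%anonymous%'").fetchall()
    return sorted(r[0] for r in rows)

def logon_logoff_events(conn, logon_ids):
    """Step 4: Event ID 528/540 records (logon/logoff events, per the procedure) with those IDs."""
    if not logon_ids:          # 'IN ()' is a syntax error in SQLite, so short-circuit
        return []
    placeholders = ",".join("?" * len(logon_ids))   # parameter markers only, never values
    return conn.execute(
        "SELECT event_id, logon_id, domain_controller, workstation FROM security_log "
        f"WHERE event_id IN (528, 540) AND logon_id IN ({placeholders}) "
        "ORDER BY logon_id, event_id", list(logon_ids)).fetchall()

def anonymous_access_origins(conn):
    """Step 5: map each anonymous logon ID to the machine(s) its logon/logoff events came from."""
    origins = {}
    for _eid, logon_id, dc, workstation in logon_logoff_events(conn, anonymous_logon_ids(conn)):
        origins.setdefault(logon_id, set()).add(workstation or dc)  # fall back to the logging DC
    return {k: sorted(v) for k, v in origins.items()}

if __name__ == "__main__":
    for logon_id, hosts in anonymous_access_origins(load_events()).items():
        print(f"anonymous access via logon ID {logon_id} originated from {', '.join(hosts)}")
```

Step 6 remains manual: the host list this produces is the starting point for inventorying which application or service on each machine made the anonymous request.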