Anonymous Logon allows unauthenticated access to system resources, which attackers can exploit. Understanding how it works, the risks it poses, and how to harden against it is critical for modern Windows security.
What You Will Learn
- What is Anonymous Logon
- How attackers exploit it
- Why they are a security risk
- How Windows handles anonymous logons today
- Risk mitigation best practices
Anonymous Logon Explained
Anonymous logon refers to a type of network access where a user can log in to a system or network resource without authentication credentials, such as a username or password. This type of access is typically granted to allow basic, unauthenticated access to certain resources for public use or for specific purposes.
Types of Anonymous Logons
- Public Access: Access to public resources such as FTP servers or web servers.
- Legacy Access: Older protocols that were designed for backward compatibility can be exploited.
In some cases, anonymous logons are used to access publicly available files or services on a network, such as FTP servers, where users can download files without needing to create an account or provide login credentials.
Understanding the NT logon process and the three types of interactive logons (local, domain, and trusted domain) is crucial for managing user access and securing systems.
If you’re seeing NT AUTHORITY\ANONYMOUS LOGON in your logs, the bigger question isn’t what it means but where else legacy authentication may still be enabled across your environment.
NT Authority Explained
NT Authority refers to a variety of predefined, special-purpose Windows accounts and groups that are part of the operating system functionality, enabling core OS services and capabilities to function. They facilitate resource access and control security boundaries within the Windows systems. The “NT” stands for New Technology and refers to the Windows NT operating system line.
When you see “NT AUTHORITY” in the context of permissions or access control lists (ACLs), it typically indicates that the permission or privilege is being granted to a system-level entity rather than to a specific user or group. For example, “NT AUTHORITY\SYSTEM” refers to the Local System account, which has high privileges on the system.
Some common NT AUTHORITY security principals include:
- NT AUTHORITY\SYSTEM: Represents the Local System account, which has full control over the system.
- NT AUTHORITY\Authenticated Users: Represents all users who have authenticated to the domain.
- NT AUTHORITY\Network Service: Represents the Network Service account, a built-in account with limited privileges.
- NT AUTHORITY\Local Service: Represents the Local Service account, a built-in account with limited privileges similar to Network Service.
Login failed for user NT AUTHORITY\ANONYMOUS LOGON Error
The error message “Login failed for user NT AUTHORITY\ANONYMOUS LOGON” occurs when Windows Authentication cannot pass the caller’s credentials on to the target server. It is commonly caused by incorrect Linked Server security settings or by a failure to register Service Principal Names (SPNs). When an SPN is not registered, integrated authentication falls back from Kerberos to NTLM.
Recommendations:
- Ensure correct user assignment in Linked Server security settings.
- Fix SPN registration issues.
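The following PowerShell is an added example, not code from the article or from CalCom, for checking the two conditions above from the first hop: whether a SQL Server session actually negotiated Kerberos or fell back to NTLM (reported by the `auth_scheme` column of `sys.dm_exec_connections`), and whether the `MSSQLSvc` SPN that Kerberos needs is registered (queried with `setspn -Q`). The server name `sql01.corp.example` and port 1433 are placeholders. A session that shows NTLM cannot be delegated to a linked server, which is why the second hop arrives as ANONYMOUS LOGON.

```powershell
# Added example (not from the original article): diagnose Kerberos vs NTLM on a
# SQL Server connection and confirm the MSSQLSvc SPN exists. Names are placeholders.

function Get-SqlAuthScheme {
    param([Parameter(Mandatory)][string]$ServerInstance)
    # Integrated Security asks SQL Server to negotiate Windows authentication;
    # sys.dm_exec_connections reports which scheme this session ended up with.
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$ServerInstance;Integrated Security=SSPI"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        return [string]$cmd.ExecuteScalar()   # 'KERBEROS' or 'NTLM'
    } finally {
        $conn.Dispose()
    }
}

function Test-SqlSpnRegistered {
    param(
        [Parameter(Mandatory)][string]$SqlHostFqdn,
        [int]$Port = 1433
    )
    # setspn -Q searches the forest for the SPN. Kerberos can only be used for the
    # SQL service if the SPN is registered (and on exactly one account).
    $spn = "MSSQLSvc/${SqlHostFqdn}:${Port}"
    $out = & setspn.exe -Q $spn 2>&1
    [pscustomobject]@{
        Spn        = $spn
        Registered = [bool]($out -match 'Existing SPN found')
        Detail     = ($out | Out-String).Trim()
    }
}

# Usage with placeholder names:
Test-SqlSpnRegistered -SqlHostFqdn 'sql01.corp.example' | Format-List
Get-SqlAuthScheme -ServerInstance 'sql01.corp.example'
```

If `Registered` is false, register the SPN on the SQL Server service account (or let the service do it if it has write access to its own servicePrincipalName) and re-run `Get-SqlAuthScheme`; the result should change from NTLM to KERBEROS before the linked server is tested again.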
Anonymous Logon Windows Vulnerabilities
Anonymous logon Windows vulnerabilities refer to security risks associated with allowing anonymous access to resources within a network or system. The most significant vulnerability is unrestricted access. Anyone can potentially access the system or service, including unauthorized individuals. This can lead to:
- Enumeration of user accounts
- Denial-of-service (DoS) attacks
- Brute-force attacks
- Unauthenticated access to shares
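The PowerShell below is an added example, not code from the article or from CalCom, showing how a defender can see the unauthenticated share and enumeration activity just listed in the Security log. A null session shows up as event 4624 with logon type 3 (network), target user ANONYMOUS LOGON in domain NT AUTHORITY, and target SID S-1-5-7; the script reads those fields from the event XML and groups the hits by source address. It assumes “Audit Logon” success auditing is enabled on the host being queried.

```powershell
# Added example (not from the original article): list network logons made by
# NT AUTHORITY\ANONYMOUS LOGON from the Security log and group them by source.

function Get-AnonymousNetworkLogon {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read EventData fields by name from the event XML rather than by position.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetUserName -ne 'ANONYMOUS LOGON' -or $d.LogonType -ne '3') { continue }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Computer    = $e.MachineName
            SourceIp    = $d.IpAddress
            Workstation = $d.WorkstationName
            AuthPackage = $d.AuthenticationPackageName   # NTLM for null sessions
            TargetSid   = $d.TargetUserSid               # S-1-5-7 = Anonymous Logon
        }
    }
}

# Which hosts are opening null sessions against this machine, most active first.
Get-AnonymousNetworkLogon | Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Some anonymous network logons are normal (domain members and printers negotiate SMB sessions this way), so baseline the usual sources first and alert on new addresses or on a sudden rise in volume from one address, which is the pattern that SAM and share enumeration produces.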
Disable Anonymous logon policy via GPO
The Anonymous logon option of the security-zone “Logon options” policy (the Internet Settings registry values in the next section control the same setting) does two things:
- Disables HTTP authentication
- Uses the guest account only with the Common Internet File System (CIFS) protocol
Anonymous logon Registry Settings
| Setting | Value |
| --- | --- |
| Registry Hive | HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER |
| Registry Path | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones |
| Value Name | 1A00 |
| Value Type | REG_DWORD |
| Value | 196608 (0x30000) |
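The PowerShell below is an added example, not code from the article or from CalCom. It reads the 1A00 value for each security zone (zone numbers 0 to 4, a standard Windows layout assumed here) from either the GPO-backed Policies path in the table above or the live zone settings, decodes it (196608 is 0x30000, the Anonymous logon option), and can write the table’s value under the Policies path. The other three decoded values are the remaining options of the same Logon setting.

```powershell
# Added example (not from the original article): audit and set the "Logon"
# action (value 1A00) for Internet Explorer lockdown zones.

$LogonModes = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

function Get-ZoneLogonMode {
    param(
        [ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM',
        [switch]$PolicyKey   # set: the Policies path from the table; unset: live zone settings
    )
    $base = if ($PolicyKey) {
        "$($Hive):\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones"
    } else {
        "$($Hive):\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones"
    }
    foreach ($zone in 0..4) {
        $key = Join-Path $base $zone
        $raw = (Get-ItemProperty -Path $key -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
        if ($null -eq $raw) {
            $mode = '(not set)'
        } elseif ($LogonModes.ContainsKey([int]$raw)) {
            $mode = $LogonModes[[int]$raw]
        } else {
            $mode = 'unknown (0x{0:X})' -f $raw
        }
        [pscustomobject]@{ Hive = $Hive; Zone = $zone; Raw = $raw; Mode = $mode }
    }
}

function Set-ZoneAnonymousLogon {
    # Writes the value from the table above. HKLM requires an elevated shell.
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM', [int]$Zone)
    $key = "$($Hive):\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\$Zone"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name '1A00' -PropertyType DWord -Value 196608 -Force | Out-Null
}

Get-ZoneLogonMode -Hive HKLM -PolicyKey | Format-Table -AutoSize
```

Run the audit with and without `-PolicyKey` to see whether a Group Policy value is present and whether it differs from the per-zone settings users can still change.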
Default special identity group
Anonymous logon is among the default special identity groups in Windows Server. The Anonymous Logon group isn’t a member of the Everyone group by default. In the table below, each attribute describes a property of the special identity group and the value is that property for Anonymous Logon; for example, the attribute “Well-known SID/RID” has the value “S-1-5-7”:
| Attribute | Value |
| --- | --- |
| Well-known SID/RID | S-1-5-7 |
| Object class | Foreign Security Principal |
| Default location in Active Directory | CN=WellKnown Security Principals, CN=Configuration, DC=<forestRootDomain> |
| Default user rights | None |
Before Windows Server 2003, the Everyone group on computers, including those with Windows 2000 and earlier versions, automatically included the Anonymous Logon group. However, starting from Windows Server 2003, the Everyone group consists solely of Authenticated Users and Guest, with the exclusion of Anonymous Logon by default.
If you wish to modify this setting and include the Anonymous Logon group within the Everyone group, you can do so via the Registry Editor. Go to the Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key and set the EveryoneIncludesAnonymous DWORD to 1 (this is the same setting as the “Network access: Let Everyone permissions apply to anonymous users” security policy).
Best Practices for Hardening Anonymous Logon
Securing and hardening the Anonymous Logon feature is crucial to preventing unauthorized access and potential security breaches. While disabling Anonymous Logon altogether is the most secure approach, it might not always be feasible due to specific application requirements.
By proactively hardening configurations around anonymous access and monitoring systems, organizations can reduce threats associated with anonymous logons. Here are some best practices:
- Disable anonymous SID/name translation: Disable null session pipes and restrict anonymous connections so that anonymous users cannot resolve SIDs to names or obtain access tokens.
- Enable additional auditing: Monitor audit account logon events and account management to detect anonymous activity. Forward logs to a secure centralized server.
- Apply latest security updates: Patch and update systems regularly to ensure known anonymous logon vulnerabilities are addressed.
- Let Everyone permissions apply to anonymous users: Disable this setting.
- Configure Kerberos Authentication in Active Directory: Only use to check and delete tickets from the current Windows anonymous logon session.
- Restrict Security Accounts Manager (SAM) Access: Configure the “Network access: Restrict clients allowed to make remote calls to SAM” setting.
- CIS Benchmark compliance: Ensure “Network access: Do not allow anonymous enumeration of SAM accounts” is set to Enabled; this setting controls whether anonymous users can enumerate the accounts in the Security Accounts Manager (SAM).
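The PowerShell below is an added example, not code from the article or from CalCom, that audits the registry values behind the anonymous-access settings named in the best practices above (including the EveryoneIncludesAnonymous value from the registry section earlier) and compares them with the values the corresponding CIS Benchmark recommendations expect. The registry paths, value names and expected values are the standard ones for these Security Options policies; the SDDL string for the remote SAM call setting is the CIS “Administrators: Remote Access: Allow” value. The script is read-only and should be run in an elevated shell.

```powershell
# Added example (not from the original article): compare anonymous-access
# hardening values with the CIS-recommended state. Read-only.

$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

# Each check: policy name as shown in secpol.msc, the registry key and value, and the expected value.
$Checks = @(
    @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts';            Key = $Lsa; Name = 'RestrictAnonymousSAM';     Expected = 1 }
    @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'; Key = $Lsa; Name = 'RestrictAnonymous';        Expected = 1 }
    @{ Policy = 'Network access: Let Everyone permissions apply to anonymous users';             Key = $Lsa; Name = 'EveryoneIncludesAnonymous'; Expected = 0 }
    @{ Policy = 'Network access: Restrict clients allowed to make remote calls to SAM';         Key = $Lsa; Name = 'RestrictRemoteSam';        Expected = 'O:BAG:BAD:(A;;RC;;;BA)' }
    @{ Policy = 'Network access: Restrict anonymous access to Named Pipes and Shares';          Key = $Srv; Name = 'RestrictNullSessAccess';   Expected = 1 }
    @{ Policy = 'Network access: Named Pipes that can be accessed anonymously';                  Key = $Srv; Name = 'NullSessionPipes';         Expected = @() }
)

function Test-AnonymousAccessHardening {
    foreach ($c in $Checks) {
        $actual = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($c.Name -eq 'NullSessionPipes') {
            # REG_MULTI_SZ: compliant when the value is absent or lists no pipe names.
            $pass = -not @($actual | Where-Object { $_ -ne '' }).Count
        } else {
            $pass = ($null -ne $actual) -and ("$actual" -eq "$($c.Expected)")
        }
        $shown = if ($null -eq $actual) { '(not set)' } else { "$actual" }
        [pscustomobject]@{
            Policy    = $c.Policy
            Value     = $c.Name
            Actual    = $shown
            Expected  = "$($c.Expected)"
            Compliant = $pass
        }
    }
}

Test-AnonymousAccessHardening | Format-Table -AutoSize -Wrap
```

A value reported as “(not set)” means the policy has never been applied and the OS default is in effect; for RestrictAnonymousSAM and RestrictNullSessAccess the default on current Windows is already the hardened value, but the check still fails so that the setting is enforced explicitly rather than relied on by default.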
Key Takeaways
- Anonymous logon facilitates unauthenticated network access.
- Attackers abuse anonymous logons for null session attacks.
- Newer Windows Server releases disable anonymous logons.
- Enabling the feature increases security risks.
- We strongly recommend blocking and monitoring anonymous access.
Strengthen Your Windows Security with CalCom CHS
CalCom Hardening Solution (CHS) helps organizations eliminate risks from Anonymous logon attacks. By automating server hardening, CHS enforces secure policies, blocks legacy configurations, and ensures continuous compliance with Windows security standards.
CHS is a baseline hardening solution designed to address the needs of IT operations and security teams. CHS significantly reduces operational costs and eliminates service downtime by indicating the impact of a security baseline change directly on the production environment. CHS’s automated process simulates the effect of a change in a production environment, thus saving the need for testing changes in a lab environment.