Hi Folks;

I was lokking at the event viewer on my Windows 2k3 server and noticed a few entries (under "System") like this:

*********************

Event Type: Error
Event Source: LsaSrv
Event Category: None
Event ID: 6033
Date: 8/31/2007
Time: 6:41:04 AM
User: N/A
Computer: C25344-56637

Description:
An anonymous session connected from xxx.xxx.xxx.xxx has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller.
The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1.
This message will be logged at most once a day.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*********************

Of course, the entry shows a real ip instead of x's.

Also, under "Security" i have a few "Anonymous Login" (538/540) like this:

*******************************

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 10/6/2007
Time: 12:32:27 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: C25344-56637
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x15AADDF5)
Logon Type: 3

*******************************

Does anyone know what it is or... if is there something i can do?
Thanks in advance.

E.Brito

This is likely more a random scan than a particular individual targeting your server directly. However, I would throw a firewall on your server ASAP as it would prevent this type of access altogether.

Just to throw my two cents in, why aren't you running a firewall in the first place such as Kyle suggested? The Windows firewall can handle this type of network traffic, and if anything will let you sleep a little better at night knowing the server isn't having to deal with this type of network interrupt.

You guys are right, the Windows Firewall was off (i don't know why).
By the way, do you know any good firewall to install on Windows 2003 Server?

I just found out why the Windows Firewall was off.
Because when we turn it on, the ThePlanet monitoring system doesn't work.
To get ir working with the firewall we need to allow a few IP's (from ThePlanet) to have access to all ports and Windows Firewall doesn't have an option to enter port range.
I believe someone has a solution for that because i saw a lot of people saying on this forum that, they use Windows Firewall.
Hope someone can help me with that.

Which ports do you need to have open for the monitoring?