Unknown Logon from a PC in my network

Microbell

Greetings Gents,

I have an issue I'm trying to resolve with a logon (Type 3) from another PC (in my workgroup) through my network to my main PC, and I can't seem to prevent this logon from occurring through the Local Security Policy settings, so I don't know if it's a normal Windows process from the networked PC or an outside force attempting to attack my highly secured PC through the network homegroup.

Network:

All 3 PCs are running Windows 7 Pro 64-bit and Ultimate 32-bit, connected to a router (Cisco DPC3848VM) which also controls 3 TiVo boxes, and the main PC is sharing NOTHING with the other PCs. Two PCs are directly connected through ethernet cable and the problem PC through a wireless TP-Link network card. Below is the event log I'm addressing.

Code:
An account was successfully logged on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

New Logon:
	Security ID:		ANONYMOUS LOGON
	Account Name:		ANONYMOUS LOGON
	Account Domain:		NT AUTHORITY
	Logon ID:		0x4e2d2
	Logon GUID:		{00000000-0000-0000-0000-000000000000}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		NtLmSsp 
	Authentication Package:	NTLM
	Transited Services:	-
	Package Name (NTLM only):	NTLM V1
	Key Length:		0

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4624</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2017-08-12T17:38:51.393200100Z" />
    <EventRecordID>52245</EventRecordID>
    <Correlation />
    <Execution ProcessID="808" ThreadID="884" />
    <Channel>Security</Channel>
    <Computer>Microbell-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-5-7</Data>
    <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
    <Data Name="TargetDomainName">NT AUTHORITY</Data>
    <Data Name="TargetLogonId">0x4e2d2</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName" />
    <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">NTLM V1</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>

I have several of these in event viewer and notice the log on ID's tend to change...

Logon ID: 0x3c7d85b
Logon ID: 0x3b39a89
Logon ID: 0x3b39a65
Logon ID: 0x39b183f

I've disabled the Guest account, show only one account as being active, and made sure no drive was sharing anything. Ran many tools on the problem PC, including FRST (a deep scan tool), looking for malware/hacks and can find nothing. I can't find anything in Wireshark logs that shows data is being moved, but with the damn TiVo boxes talking all the time it's hard to weed through the logs even when you try to filter them.

Going backward through event logs this started around 6-25-2017 and I had no previous entries and no changes to the network or homegroup.

Anyone have an idea on what's going on? Can supply more info if needed. Please move the post to the correct subforum if I've posted in the wrong place.
 

My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Build
OS
Windows 7 Pro 64bit SP1+Updates
CPU
Intel I3 6100
Motherboard
MSI Z170a Gaming 3 Bios ver a.4
Memory
G.Skill Ripjaws V Series 16GB (2 x 8GB) DDR4 2133mhz
Graphics Card(s)
MSI GTX 960 GAMING 100ME 2GB
Sound Card
X-Fi xtremegamer fatal1ty pro series
Monitor(s) Displays
LG 32MP58HQ-P 32"
Screen Resolution
1920X1080
Hard Drives
Samsung 850EVO SSD 250GB
4 WD HD
PSU
EVGA SuperNova 650 G2 650w
Case
Thermaltake Armor II Tower
Cooling
6 Fan air cooled modded case
Keyboard
Logitech G15
Mouse
Logitech G5
Internet Speed
Cable 120MB/3MB
Antivirus
Avast Ver 12.1.2272
Browser
Chrome
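
A small triage script for 4624 records like the one in the post above, added here as an example and not part of the original post or of any Windows tooling. It parses the Event Viewer XML view and flags the three things the thread is circling around: a Logon Type 3 whose target is NT AUTHORITY\ANONYMOUS LOGON (SID S-1-5-7), NTLM V1 as the negotiated package, and a record carrying no source address or workstation name. The first embedded record is the one from the post, abridged to the fields the script reads; the second is a constructed, ordinary network logon by a made-up local user from a made-up LAN address, included for contrast. Differing Logon IDs across records, as noted in the post, are expected: every logon session gets its own.

```python
"""Triage Windows Security event 4624 (successful logon) records exported as XML.

Flags the indicators discussed in the thread: Logon Type 3 by ANONYMOUS LOGON
(S-1-5-7), NTLM V1, and a record with no source address or workstation name.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ANONYMOUS_SID = "S-1-5-7"  # NT AUTHORITY\ANONYMOUS LOGON

# Record copied from the post (EventRecordID 52245), abridged to the fields used here
# and without the Event Viewer "-" collapse markers.
EVENT_FROM_POST = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2017-08-12T17:38:51.393200100Z" />
    <EventRecordID>52245</EventRecordID>
    <Channel>Security</Channel>
    <Computer>Microbell-PC</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="TargetUserSid">S-1-5-7</Data>
    <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
    <Data Name="TargetDomainName">NT AUTHORITY</Data>
    <Data Name="TargetLogonId">0x4e2d2</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName" />
    <Data Name="LmPackageName">NTLM V1</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>"""

# Constructed record (not from the post): an ordinary network logon by a local user
# from another LAN host, for contrast. The SID, user name, host name and address are made up.
CONSTRUCTED_USER_LOGON = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2017-08-12T18:02:10.000000000Z" />
    <EventRecordID>52301</EventRecordID>
    <Channel>Security</Channel>
    <Computer>Microbell-PC</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-21-1111111111-2222222222-3333333333-1001</Data>
    <Data Name="TargetUserName">exampleuser</Data>
    <Data Name="TargetDomainName">Microbell-PC</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">EXAMPLE-LAPTOP</Data>
    <Data Name="LmPackageName">NTLM V2</Data>
    <Data Name="IpAddress">192.168.0.23</Data>
    <Data Name="IpPort">49211</Data>
  </EventData>
</Event>"""


def parse_4624(xml_text):
    """Flatten one 4624 record into a dict: a few System fields plus every EventData value."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event = {
        "record_id": int(system.findtext("e:EventRecordID", namespaces=NS)),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.findtext("e:Computer", namespaces=NS),
    }
    for d in root.find("e:EventData", NS).findall("e:Data", NS):
        # Empty elements such as <Data Name="WorkstationName" /> have text None.
        event[d.get("Name")] = (d.text or "").strip()
    return event


def triage(event):
    """Return the findings for one parsed record (an empty list means nothing notable)."""
    findings = []
    if event.get("LogonType") != "3":
        return findings  # only network logons are in scope here
    if event.get("TargetUserSid") == ANONYMOUS_SID:
        findings.append("anonymous (null-session) network logon")
    if event.get("LmPackageName", "").upper() == "NTLM V1":
        findings.append("NTLM V1 negotiated")
    if event.get("IpAddress", "-") in ("", "-") and not event.get("WorkstationName"):
        findings.append("no source address or workstation name recorded")
    return findings


def summarize(xml_records):
    """Aggregate a batch of records into the counts a defender wants to see first."""
    events = [parse_4624(x) for x in xml_records]
    by_source = {}
    for e in events:
        src = e.get("IpAddress") or "-"
        by_source[src] = by_source.get(src, 0) + 1
    return {
        "total": len(events),
        "anonymous_network_logons": sum(
            1 for e in events
            if e.get("LogonType") == "3" and e.get("TargetUserSid") == ANONYMOUS_SID),
        "ntlmv1_logons": sum(1 for e in events if e.get("LmPackageName", "").upper() == "NTLM V1"),
        "by_source": by_source,
    }


if __name__ == "__main__":
    for record in (EVENT_FROM_POST, CONSTRUCTED_USER_LOGON):
        ev = parse_4624(record)
        print(ev["record_id"], ev["time"], ev.get("TargetUserName"), triage(ev) or ["nothing notable"])
    print(summarize([EVENT_FROM_POST, CONSTRUCTED_USER_LOGON]))
```

To run it on real data, feed `parse_4624` the XML of each record: Event Viewer's "Save Selected Events..." can write XML, and in PowerShell each object returned by `Get-WinEvent -LogName Security` has a `ToXml()` method. The record from the post yields all three findings, which is what makes it hard to attribute: a null session with no source address leaves only timing and the disabled-share checks on the host itself to go on.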
Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers.
 

My Computer My Computer

Computer type
PC/Desktop
OS
win 8 32 bit
Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers.

Thanks.

I do understand why it's being logged as type 3, but that still does not explain how other PCs that are powered off are logging on, and as stated in my last post... all sharing of folders/drives/printers is OFF. For example, I just powered up and have this listed again. All other PCs on the network are OFF.....meaning no other PC should be able to log on to this PC while powered OFF.

Correct?

Is this unknown account part of a "Super Account" on the base PC that I can't see and if it is would it not be logged under another type....say Type: 5, 2 or 4?

Or

Is it an attack from outside my network? This PC is pretty much locked down with Antivirus, Firewall, Sharing disabled and I'm constantly running tools and scans looking for new files/folders created and such so I'm pretty sure it's not malware on the PC.

Side Note:

I just removed myself (left) the Workgroup and renamed my local Workgroup and that event still occurs.
 
Could it come from the router
 

Could it come from the router

Not sure...but would it not leave the router's IP address and not a blank space? I locked some more stuff down in the Local Security Policy and removed some user groups (Everyone) on some of the drives and thought I might have it.

My logs last night only showed 3 failed logons from the deactivated "Guest" account (NONE today) by the time I was done, but after logon today I had this....

Code:
An account was successfully logged on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

New Logon:
	Security ID:		ANONYMOUS LOGON
	Account Name:		ANONYMOUS LOGON
	Account Domain:		NT AUTHORITY
	Logon ID:		0x4605f
	Logon GUID:		{00000000-0000-0000-0000-000000000000}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		NtLmSsp 
	Authentication Package:	NTLM
	Transited Services:	-
	Package Name (NTLM only):	NTLM V1
	Key Length:		0


I checked to make sure I still had "ANONYMOUS LOGON" blocked in the policy and it was... so I have no clue how that user is logging in. During some of my research on this I guess sometimes Windows uses this "ANONYMOUS LOGON" to log on but leaves a trace of what requested it. What concerns me is all the "blank" info, as I can't locate what/who is logging in.
 

The "anonymous" logon has been part of Windows domains for a long time--in short, it is the permission that allows other computers to find yours in the Network Neighborhood, find what file shares or printers you are sharing, etc.

It is also why Windows admins say never to grant share permissions to the "Everyone" group (unless you know what you are doing), because "Everyone" also includes "no one"--er, ANONYMOUS. Rest assured that unless you

Anyway, in this case you probably want to lock it down with Registry settings or, better yet, Local or Group Policies. Look in your policy editor under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options for the following options:

Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously
Network access: Shares that can be accessed anonymously
 

The "anonymous" logon has been part of Windows domains for a long time--in short, it is the permission that allows other computers to find yours in the Network Neighborhood, find what file shares or printers you are sharing, etc.

It is also why Windows admins say never to grant share permissions to the "Everyone" group (unless you know what you are doing), because "Everyone" also includes "no one"--er, ANONYMOUS. Rest assured that unless you

Anyway, in this case you probably want to lock it down with Registry settings or, better yet, Local or Group Policies. Look in your policy editor under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options for the following options:

Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously
Network access: Shares that can be accessed anonymously


Thanks for the help Samuria....

Ok...this is what I have under those settings.....

Network access: Allow anonymous SID/Name translation [DISABLED]
Network access: Do not allow anonymous enumeration of SAM accounts [ENABLED]
Network access: Do not allow anonymous enumeration of SAM accounts and shares [DISABLED] <-----Needs Enabled*
Network access: Let Everyone permissions apply to anonymous users [DISABLED]
Network access: Named Pipes that can be accessed anonymously [BLANK SPACE nothing selected]
Network access: Shares that can be accessed anonymously [Not Defined]


So I only need to change the one with the * and that should lock down all users from accessing folders and files from the network? My goal here is to prevent outside network users, whether on my network or the internet, from accessing all drives/folders on the PC, as I've already removed myself from the home network (which should prevent that) and am now dealing with the internet/logon side of things.
 
