Disabling Logging of Anonymous Logon Events

We constantly get anonymous logon events on our servers. Are these logons something to worry about? Could someone maliciously exploit these logons? Can we disable anonymous logons? And can we block these events from appearing in our Security logs?

You don't have to worry about someone logging on to a server console anonymously, because Windows doesn't allow that.

Anonymous logon events in your Security log look more dangerous than they really are. By default, the information you can access when you connect anonymously is extremely limited—basically, you can access only a list of shared folders and usernames. (I know; that gives an intruder a list of targets, but there are lots of other ways to get usernames.)

You can completely disable anonymous logons (aka null sessions), but doing so might affect accessibility by users in trusting domains. Before changing policies throughout your domain, I suggest testing them on a limited number of systems. Windows XP and later provide the six policies listed below for controlling what information can be accessed anonymously. (These policies are in the Microsoft Management Console—MMC—Local Security Policy snap-in under Computer ConfigurationWindows SettingsSecuritySettingsLocal PoliciesSecurityOptions.)

The default values for these policies are acceptable for servers on a typical internal LAN. For hardened servers, such as Internet servers, I recommend disabling policies 1 and 4, enabling policies 2 and 3, and specifying empty lists for policies 5 and 6.

You can't specifically disable logging of anonymous logon events. In general, trying to prevent Windows from logging "noise" is futile. The only approach that works is to implement a log management solution that filters out the noise for you.