Windows 事件查看器中有许多成功的登录和注销请求

tag-icon tag-icon windows-7 event-log
Windows 事件查看器中有许多成功的登录和注销请求

我每天都会收到来自本地网络中同一台计算机的数千个登录和注销请求。似乎计算机每次都从不同的端口进行连接。

这可能是什么原因造成的?危险吗?

两台计算机均使用 Windows 7 Pro SP1。

事件日志示例:

An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

New Logon:
    Security ID:        ANONYMOUS LOGON
    Account Name:       ANONYMOUS LOGON
    Account Domain:     NT AUTHORITY
    Logon ID:       0x77f9286b
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:     0x0
    Process Name:       -

Network Information:
    Workstation Name:   <name>
    Source Network Address: <ip>
    Source Port:        5436

Detailed Authentication Information:
    Logon Process:      NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only):   NTLM V1
    Key Length:     128

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

答案1

我讨厌这些匿名登录记录。它们没什么好担心的。以下是详细信息,以及完整文章的链接,其中还详细介绍了如何禁用它们。

  • 事件 4624 null sid 是有效事件,但不是实际用户的登录事件。
  • 没有网络信息的原因是这只是本地系统活动。Windows 在自言自语。
  • “匿名”登录早已成为 Windows 域的一部分 - 简而言之,它是允许其他计算机在网上邻居中找到您的计算机的权限

http://www.morgantechspace.com/2013/10/event-4624-null-sid-repeated-security.html

相关内容