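I can't figure out how to completely disable anonymous logons on Windows Server 2016 on a non-domain-controller (a regular instance). With the settings currently in place, I am really surprised to see such logons go through, contrary to the descriptions of the corresponding settings in SecPol.msc, where I have turned on logon auditing.
I have the following entries set in the local policy settings:
Network access: Allow anonymous SID/Name translation: Disabled
Network access: Do not allow anonymous enumeration of SAM accounts: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network access: Let Everyone permissions apply to anonymous users: Disabled
Network access: Named Pipes that can be accessed anonymously: None
Network access: Shares that can be accessed anonymously: None
Also, I have completely disabled NTLMv1 by setting "Send NTLMv2 response only" in secpol.msc.
Nevertheless, I still get the following Audit Success entries in the event log: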
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0xDC9CEC8
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: xxxxxxx
Source Port: 59691
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 0
In addition, the following attempts also failed:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: ADMIN
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: \\xxxxx
Source Network Address: xxxxxxx
Source Port: 1339
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
For now, I am using automated offline log analysis to block the former.
Any idea how to block anonymous logons completely?
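An added example (not part of the original post) of the kind of offline log analysis mentioned above: it parses event message text in the layout quoted in the post and counts anonymous NTLM logons and failed logons per source address, matching field values as they appear in the post. The function names, the export format (plain message text, each event starting at its "An account ..." title line) and the sample addresses are assumptions.

```python
import re
from collections import Counter

HEADER = re.compile(r"(Subject|New Logon|Account For Which Logon Failed|.+ Information):")
SUBSTATUS = {"0xC0000064": "no such user", "0xC000006A": "wrong password"}

def parse_event(text):
    """Map one message to {(section, field): value}; an empty field is not a header."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    event, section = {("", "Title"): lines[0]}, ""
    for line in lines[1:]:
        if HEADER.fullmatch(line):
            section = line[:-1]
        else:
            key, _, value = line.partition(":")
            event[(section, key.strip())] = value.strip()
    return event

def classify(ev):
    """Return (finding, source address) for the two patterns in the post, else None."""
    src = ev.get(("Network Information", "Source Network Address"), "-")
    if ev.get(("New Logon", "Security ID")) == "ANONYMOUS LOGON":
        pkg = ev.get(("Detailed Authentication Information", "Package Name (NTLM only)"), "-")
        return ("anonymous logon via " + pkg, src)
    if ev[("", "Title")].startswith("An account failed to log on"):
        sub = ev.get(("Failure Information", "Sub Status"), "-")
        user = ev.get(("Account For Which Logon Failed", "Account Name"), "-")
        return (f"failed logon for {user}: {SUBSTATUS.get(sub, sub)}", src)

def summarize(export):
    """Count (finding, source) pairs; each event starts at an "An account ..." title."""
    blocks = re.split(r"(?m)^(?=An account )", export)
    return Counter(filter(None, (classify(parse_event(b)) for b in blocks if b.strip())))

# Constructed sample in the post's layout (fields trimmed); 192.0.2.x are documentation addresses.
SAMPLE = """An account was successfully logged on.
New Logon:
Security ID: ANONYMOUS LOGON
Network Information:
Source Network Address: 192.0.2.10
Detailed Authentication Information:
Package Name (NTLM only): NTLM V1
An account failed to log on.
Account For Which Logon Failed:
Account Name: ADMIN
Account Domain:
Failure Information:
Sub Status: 0xC0000064
Network Information:
Source Network Address: 192.0.2.77"""
```

`summarize(SAMPLE)` returns a `Counter` keyed by `(finding, source address)`, which can feed whatever blocking step follows.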