#1
Event ID 576/538 - Guest Logon

Recently, I got a message when I logged onto my pc that the event viewer logs were full.

When I took a look in the security logs in event viewer, I saw pages and pages of Event ID 576, followed by 538 using the guest id. In terms of timing, the 538 was always about 1 second after the 576.

What would cause these messages and if it was a hacker, was it successful or not and what would he have had access to?

At the bottom of this message are the details of the 538 and 576.

Some details of my pc:

1. My pc is running XP Pro fully patched. I don't use any Peer to Peer file sharing programs.
2. I have run Computer Associates, McAfee and Kaspersky Anti virus. No virus found.
3. I have run Ad-Aware, Windows Defender, and trial Trojan Hunter - No malware found.
4. Remote desktop was enabled on the pc but was hardened so that after 3 failed logon attempts, the system would lock the account out for 30 minutes. I was also not using the default port for Remote Desktop so that it couldn't be detected in a random port scan.
5. This pc (Computer A) was not behind a hardware firewall, but did have Sygate firewall running. Sygate was configured to accept incoming connections from only 1 IP address (Computer B), which was the IP address of the pc from which I would start the remote desktop. I know this would work because if I did try and ping Computer A from Computer B, I would get a response. If however, I tried to ping Computer A from any other IP address, I would get timeout messages.
6. File and print sharing was enabled, but no shares were created. Net share from a dos prompt shows only the default shares were enabled.
7. Event viewer did not show any failed guest logons.

Here are the messages:

Event ID 576

    Special privileges assigned to new logon:
        User Name:
        Domain:
        Logon ID: (0x0,0x1EC738B8)
        Privileges: SeChangeNotifyPrivilege

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event ID 538

    User Logoff:
        User Name: Guest
        Domain: WORK
        Logon ID: (0x0,0x1EC7356E)
        Logon Type: 3
#2
Re: Event ID 576/538 - Guest Logon

If you have simple file sharing enabled on your XP Pro computer then users can possibly access network shares as guest. If you have no need for that, disable simple file sharing [to allow authenticated access], verify that the built-in guest account is disabled, and disable file and print sharing if you do not need to share resources with another network computer or have it managed remotely via Computer Management, etc. The upside to simple file sharing is that a network user will never be able to have more than guest access to your computer and will be able only to access shares that include the Everyone group for both share and folder/NTFS permission. However, with a properly configured firewall only users on your local network could possibly access your shares.

If you are using high speed internet then you need a firewall such as a consumer grade router that can protect your network. While software firewalls are great as an additional layer of defense they can be modified, misconfigured, or disabled by malware or the user, and a "hardware" firewall needs to be your first line of defense. Such consumer devices are extremely affordable. The Linksys WRT54G is an example and comes with built in wireless, though the wireless part should be configured with WPA security or disabled if not currently used.

http://support.microsoft.com/kb/307874 --- simple file sharing

As far as your security log filling up: in the properties of the security log, increase the size of it from the default, if that has not been done already, to say at least 10 MB, and also in properties select "overwrite events as needed" if that does not violate any computer use policy or security policy.
Note that on any Windows computer that has file and print sharing enabled you will see anonymous logons in the security log, which primarily are used for network browse list maintenance, and such events are not a concern assuming other security best practices, such as using a firewall and configuring shares/computer for the principle of least privilege, are being used.

Steve

"-carmen" <no@spam.com> wrote in message news:rEQUi.152298$Da.35126@pd7urf1no...
> [original post #1 quoted in full]
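The pairing carmen describes in #1 (a 538 Guest logoff about a second after each 576) and Steve's point in #2 that such events are routine on a file-and-print-sharing host can be checked mechanically rather than by paging through Event Viewer. The script below is an added example, not code from the thread or from Microsoft: it parses 576 and 538 records of the shape posted above, pairs each 538 with its 576 (by Logon ID where they match, otherwise by the nearest preceding 576 within a short window, which is an assumption modelled on the one-second gap the poster observed) and isolates the Guest, Logon Type 3 (network) sessions. The sample records are constructed; their Logon IDs and timestamps are made up, and the name `carmen` and type 10 (Terminal Services) session are illustrative only.

```python
"""Correlate XP security-log events 576 and 538 to pick out Guest network logons.

Added example (not from the forum thread). The sample records mirror the shape
of the two events pasted in post #1; Logon IDs and timestamps are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: (timestamp, event id, message text as Event Viewer
# shows it when the multi-line description is flattened onto one line).
SAMPLE_EVENTS = [
    ("2007-10-29 10:15:01", 576,
     "Special privileges assigned to new logon: User Name: Domain: "
     "Logon ID: (0x0,0x1EC738B8) Privileges: SeChangeNotifyPrivilege"),
    ("2007-10-29 10:15:02", 538,
     "User Logoff: User Name: Guest Domain: WORK Logon ID: (0x0,0x1EC7356E) Logon Type: 3"),
    ("2007-10-29 10:15:05", 576,
     "Special privileges assigned to new logon: User Name: Domain: "
     "Logon ID: (0x0,0x1EC74000) Privileges: SeChangeNotifyPrivilege"),
    ("2007-10-29 10:15:06", 538,
     "User Logoff: User Name: Guest Domain: WORK Logon ID: (0x0,0x1EC74000) Logon Type: 3"),
    # A hypothetical Remote Desktop session by a real account (Logon Type 10).
    ("2007-10-29 10:20:00", 576,
     "Special privileges assigned to new logon: User Name: carmen Domain: WORK "
     "Logon ID: (0x0,0x1ED00001) Privileges: SeChangeNotifyPrivilege"),
    ("2007-10-29 10:45:00", 538,
     "User Logoff: User Name: carmen Domain: WORK Logon ID: (0x0,0x1ED00001) Logon Type: 10"),
    # A 576 with no matching 538 (session still open when the log was exported).
    ("2007-10-29 10:50:00", 576,
     "Special privileges assigned to new logon: User Name: Domain: "
     "Logon ID: (0x0,0x1ED00099) Privileges: SeChangeNotifyPrivilege"),
]

FIELD_PATTERNS = {
    "user": re.compile(r"User Name:\s*(.*?)\s*Domain:"),
    "domain": re.compile(r"Domain:\s*(.*?)\s*Logon ID:"),
    "logon_id": re.compile(r"Logon ID:\s*\((0x[0-9A-Fa-f]+),(0x[0-9A-Fa-f]+)\)"),
    "logon_type": re.compile(r"Logon Type:\s*(\d+)"),
}


def parse_event(timestamp, event_id, message):
    """Pull the fields the correlation needs out of one flattened event description."""
    rec = {"time": datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S"), "id": event_id}
    m = FIELD_PATTERNS["logon_id"].search(message)
    rec["logon_id"] = f"{m.group(1)},{m.group(2)}".lower() if m else None
    m = FIELD_PATTERNS["user"].search(message)
    rec["user"] = m.group(1) if m else ""          # 576 for Guest often has an empty name
    m = FIELD_PATTERNS["domain"].search(message)
    rec["domain"] = m.group(1) if m else ""
    m = FIELD_PATTERNS["logon_type"].search(message)
    rec["logon_type"] = int(m.group(1)) if m else None
    return rec


def correlate(events, window=timedelta(seconds=2)):
    """Pair each 538 logoff with a 576 logon; return (sessions, unmatched 576s).

    Exact Logon ID match is preferred. Where the IDs differ (as in the pair the
    poster pasted), fall back to the nearest preceding unmatched 576 within
    `window` (assumption based on the ~1 s gap reported in the thread).
    """
    recs = sorted((parse_event(*e) for e in events), key=lambda r: r["time"])
    unmatched = [r for r in recs if r["id"] == 576]
    sessions = []
    for off in (r for r in recs if r["id"] == 538):
        start, how = None, None
        for cand in unmatched:
            if off["logon_id"] is not None and cand["logon_id"] == off["logon_id"]:
                start, how = cand, "logon_id"
                break
        if start is None:
            prior = [c for c in unmatched
                     if timedelta(0) <= off["time"] - c["time"] <= window]
            if prior:
                start, how = prior[-1], "proximity"   # latest 576 inside the window
        if start is not None:
            unmatched.remove(start)
        sessions.append({
            "user": off["user"], "domain": off["domain"],
            "logon_type": off["logon_type"], "logon_id": off["logon_id"],
            "start": start["time"] if start else None, "end": off["time"],
            "matched_by": how,
        })
    return sessions, unmatched


def guest_network_sessions(sessions):
    """Sessions that are Guest logons of type 3 (network, e.g. SMB share access)."""
    return [s for s in sessions
            if s["user"].lower() == "guest" and s["logon_type"] == 3]


if __name__ == "__main__":
    sessions, stray = correlate(SAMPLE_EVENTS)
    for s in guest_network_sessions(sessions):
        dur = (s["end"] - s["start"]).total_seconds() if s["start"] else None
        print(f'{s["domain"]}\\{s["user"]} type {s["logon_type"]} {s["logon_id"]} '
              f'matched_by={s["matched_by"]} duration={dur}s')
    print(f"{len(stray)} logon(s) with no logoff seen")
```

Two caveats when reading the result: a 576 that grants only SeChangeNotifyPrivilege (bypass traverse checking, which Windows grants to Everyone) is written for practically every logon, anonymous ones included, so it is not by itself evidence that anything was read; and a 538 records only that the session ended, not what it touched. Seeing which shares or files a Guest session opened needs the Object Access audit category turned on as well.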
#3
Re: Event ID 576/538 - Guest Logon

> Note that on any Windows computer that has file and print sharing enabled
> you will see anonymous logons in the security log which primarily are used
> for network browse list maintenance and such events are not a concern
> assuming other security best practices such as using a firewall and
> configuring shares/computer for principle of least privilege are being
> used.

Could you provide a bit more detail in regards to what these network browse lists are? I read on the net that these could be one cause but there were no details as to what that means.

I assumed it was people using My Network Places, but when I try that on this pc that is direct connected to the net using a cable modem, I get a message that browsing is disabled and to contact the administrator....so I'm wondering how others are browsing the network?
#4
Re: Event ID 576/538 - Guest Logon

The browse list is what you see in My Network Places or with the net view command. Most traffic for it is on port 138 UDP. In the background, assuming at least one computer is enabled for it, you have browser elections and creation of master browsers and backup browsers which collect and distribute the browse list.

One thing to check if you are having a problem with My Network Places with the error you get is that Client for Microsoft Networks is enabled on your network adapter, that the Workstation service is started, and that NetBIOS over TCP/IP is enabled on your computer in the properties of your network adapter for TCP/IP properties/advanced - WINS. You can run the command net config workstation to verify that Client for Microsoft Networks is enabled and working and the command nbtstat -n to see if NetBIOS over TCP/IP is enabled and working properly on your computer. Below is an example of the output from those commands.

Steve

http://www.comptechdoc.org/os/window...snfinding.html --- info on browse list maintenance

    D:\WINDOWS\system32>net config workstation
    Computer name                        \\STEVE-XP
    Full Computer name                   steve-xp
    User name                            Steve

    Workstation active on
            NetbiosSmb (000000000000)
            NetBT_Tcpip_{19C66C86-CB8F-40CF-95C3-E6E755957325} (000795EC77CA)

    Software version                     Windows 2002

    Workstation domain                   XP-2A
    Workstation Domain DNS Name          (null)
    Logon domain                         STEVE-XP

    COM Open Timeout (sec)               0
    COM Send Count (byte)                16
    COM Send Timeout (msec)              250
    The command completed successfully.

******************************************************************************

    D:\WINDOWS\system32>nbtstat -n

    Local Area Connection:
    Node IpAddress: [192.168.1.201] Scope Id: []

                    NetBIOS Local Name Table

           Name               Type         Status
        ---------------------------------------------
        STEVE-XP       <00>  UNIQUE      Registered
        XP-2A          <00>  GROUP       Registered
        STEVE-XP       <20>  UNIQUE      Registered
        XP-2A          <1E>  GROUP       Registered
        XP-2A          <1D>  UNIQUE      Registered
        ..__MSBROWSE__.<01>  GROUP       Registered

"-carmen" <no@spam.com> wrote in message news:p%VUi.154389$Da.132730@pd7urf1no...
> [post #3 quoted in full, including the passage from #2 it quotes]
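Steve's nbtstat -n listing tells you exactly what the machine is advertising to the LAN, if you know the NetBIOS suffix codes: <20> is the File Server Service (so the host answers share requests), <1E> is browser elections and <1D> together with the ..__MSBROWSE__.<01> group name means this box is currently the subnet's master browser, which is why it sees browse-list traffic from its neighbours. The parser below is an added example, not code from the thread; it takes the nbtstat -n output Steve posted (embedded verbatim as sample input) and reduces it to a short exposure summary. The suffix meanings are Microsoft's published NetBIOS suffix assignments; the summary field names are my own.

```python
"""Parse `nbtstat -n` output and summarise what the host advertises over NetBIOS.

Added example (not from the forum thread). SAMPLE_NBTSTAT is the listing Steve
posted in #4, reproduced as sample input.
"""
import re

# NetBIOS name suffixes (the <xx> after each name) and what registering them means.
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation Service (computer name)",
    ("00", "GROUP"): "Domain or workgroup name",
    ("03", "UNIQUE"): "Messenger Service",
    ("20", "UNIQUE"): "File Server Service (file and print sharing)",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"): "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser for this subnet",
    ("1E", "GROUP"): "Browser Service Elections",
    ("01", "GROUP"): "Master Browser (__MSBROWSE__)",
}

SAMPLE_NBTSTAT = """\
Local Area Connection:
Node IpAddress: [192.168.1.201] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    STEVE-XP       <00>  UNIQUE      Registered
    XP-2A          <00>  GROUP       Registered
    STEVE-XP       <20>  UNIQUE      Registered
    XP-2A          <1E>  GROUP       Registered
    XP-2A          <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
"""

ENTRY_RE = re.compile(
    r"^\s*(?P<name>\S.*?)\s*<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
    r"(?P<type>UNIQUE|GROUP)\s+(?P<status>\S+)\s*$")
IP_RE = re.compile(r"Node IpAddress:\s*\[([^\]]*)\]")


def parse_nbtstat(text):
    """Return {'ip': ..., 'entries': [...]} from one adapter's nbtstat -n output."""
    result = {"ip": None, "entries": []}
    for line in text.splitlines():
        m = IP_RE.search(line)
        if m:
            result["ip"] = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # headers, rulers and blank lines
        suffix, ntype = m.group("suffix").upper(), m.group("type")
        result["entries"].append({
            "name": m.group("name"),
            "suffix": suffix,
            "type": ntype,
            "status": m.group("status"),
            "meaning": SUFFIXES.get((suffix, ntype), "other/unknown"),
        })
    return result


def exposure_summary(parsed):
    """What this host is telling the LAN about itself over NetBIOS over TCP/IP."""
    entries = parsed["entries"]

    def registered(suffix, ntype):
        return any(e["suffix"] == suffix and e["type"] == ntype for e in entries)

    def first_name(suffix, ntype):
        return next((e["name"] for e in entries
                     if e["suffix"] == suffix and e["type"] == ntype), None)

    return {
        "computer_name": first_name("00", "UNIQUE"),
        "workgroup": first_name("00", "GROUP"),
        "file_sharing_advertised": registered("20", "UNIQUE"),
        "browser_elections": registered("1E", "GROUP"),
        "master_browser": registered("1D", "UNIQUE") or registered("01", "GROUP"),
    }


if __name__ == "__main__":
    parsed = parse_nbtstat(SAMPLE_NBTSTAT)
    for e in parsed["entries"]:
        print(f'{e["name"]:<16}<{e["suffix"]}> {e["type"]:<7} {e["meaning"]}')
    print(exposure_summary(parsed))
```

Read alongside the thread: a host that registers <20> is reachable for share access by anyone the firewall lets through on the NetBT ports (137/udp names, 138/udp datagrams, which carry the browse-list traffic Steve mentions, and 139/tcp sessions), and on XP with simple file sharing that access is mapped to the Guest account, which is the Logon Type 3 Guest session the first post saw. If the summary shows file sharing advertised on a machine that has no shares to offer, disabling File and Printer Sharing on the adapter (or NetBIOS over TCP/IP on an internet-facing adapter) removes the <20> registration and the reason for those logons.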
Similar Threads for: "Event ID 576/538 - Guest Logon"

| Thread | Thread Starter | Forum | Replies | Last Post |
|---|---|---|---|---|
| Logon Error - Event ID 533 | MageMaster | Windows XP Support | 14 | 03-03-2010 08:49 AM |
| Logon/logoff event is not getting logged | RobW | Active Directory | 4 | 30-09-2009 08:00 PM |
| Need help installing Virtualbox Guest Additions for a Linux Guest | Zacharia | Operating Systems | 3 | 31-08-2009 08:06 PM |
| Event ID 576/538 - Guest Logon | carmen | Windows Security | 1 | 29-10-2007 11:46 AM |
| Net logon error event id:3096 | Mahesh.A | Window 2000 Help | 14 | 28-12-2006 05:59 PM |