4

My spider senses are tingling when I found this "NT AUTHORITY\ANONYMOUS LOGON" account on a SQL Server logins. I tried to research the matter and I even have a book about SQL Server management. Also all the web searches I've done seem to relate only to login problems. The account is not on the local SQL express installation that I have, so I don't really know if someone added it there and if so, why.

Anyways my take on this is as follows: This account seems to allow login for every people that are in my domain. This just seems wrong and I want to shut it down. My concern is, that if I shut down this account, will applications start to fail login ? Is user/password login considered "anonymous" in this regard ? In other words, do other than AD-accounts need this for the login to work ?

I wish I could just test it, but it could do some damage in production environment.

Improve this question
1
  • 1
    That isn't a login that's created by default (for obvious reasons). You need to find out what is using it to do work, and change it to use a more secure login ASAP. Commented Feb 12, 2013 at 14:18

1 Answer 1

Reset to default
5

This account seems to allow login for every people that are in my domain

That is actually incorrect. It allows access to anyone that cannot be authenticated. Members of your domains will successfully authenticate and they will be rejected.

On a serious note: there is absolutely ZERO reasons to have this login enabled. It was added intentionally to your system by somebody, this is not a default configuration. If I'd venture a guess, it would be that somebody tried to configure integrated authentication with impersonation on a web application and did not understand the requirement for 'double hop' constrained delegation. Needless to say, the 'solution' is a huge security hole that requires immediate action. You need to identify the application that uses this login and fix the authentication as appropriate (the link contains the primer on how to set up constrained delegation).

Improve this answer
1
  • Ah of course, domain users aren't anonymous, even if they aren't set up in the SQL Server itself. Commented Feb 14, 2013 at 9:44

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.