What is user account 'NT AUTHORITY\ANONYMOUS LOGON' ?
don-357257
Posted Monday, February 25, 2013 9:34 AM
I have recently inherited a SQL Instance containing a number of databases.
These databases contain a user account called 'NT AUTHORITY\ANONYMOUS LOGON' and this user account is granted a specific select permission on a specific user table.
(The public role has also been assigned various select privileges to various tables, so presumably the 'NT AUTHORITY\ANONYMOUS LOGON' user account also has these privileges.)
But I don't understand what this user account is......
Who uses it?
Who is able to connect to the database with this user account?
(There is also a server login called 'NT AUTHORITY\ANONYMOUS LOGON' which is mapped to the equivalent account in each database.)
I've done an internet search and come across numerous posts related to error messages for "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'."
But I want to take one step back and find out why such a user account is needed in the first place?
Any thoughts?
Post #1423666
K. Brian Kelley
Posted Monday, February 25, 2013 9:50 AM
When the OS can't validate who you are, you are NT AUTHORITY\ANONYMOUS LOGON. You typically see this in double hop situations like when you have a client connecting to SSRS and SSRS isn't on the same server as the SQL Server where the DB is located. As you might have guessed, they shouldn't have done this. Typically the right answer is to get Kerberos delegation correct.
It sounds like you need to track down the whys as to this security hole and figure out where it's coming from and get that fixed.
K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User | Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #1423671
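The investigation suggested above can start with an inventory of what the login can do and who is currently connecting as it. The following T-SQL is an added example, not code from any poster in this thread; it assumes SQL Server 2008 or later, is run once in each database that contains the user, and needs VIEW SERVER STATE for the last query.

```sql
-- Added audit example (not from the thread). Run in each database of interest.
DECLARE @principal sysname = N'NT AUTHORITY\ANONYMOUS LOGON';

-- 1. The server login and any server-level permissions granted to it.
SELECT sp.name, sp.type_desc, sp.is_disabled, sp.create_date,
       perm.state_desc, perm.permission_name
FROM sys.server_principals AS sp
LEFT JOIN sys.server_permissions AS perm
       ON perm.grantee_principal_id = sp.principal_id
WHERE sp.name = @principal;

-- 2. Database roles the mapped user belongs to (public is implicit, not listed).
SELECT u.name AS database_user, r.name AS role_name
FROM sys.database_principals AS u
JOIN sys.database_role_members AS m ON m.member_principal_id = u.principal_id
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
WHERE u.sid = SUSER_SID(@principal);

-- 3. Explicit permissions held by the mapped user, plus everything granted
--    to public (which the user inherits), excluding Microsoft-shipped objects.
SELECT dp.name AS grantee, perm.state_desc, perm.permission_name,
       perm.class_desc,
       OBJECT_SCHEMA_NAME(perm.major_id) AS schema_name,
       OBJECT_NAME(perm.major_id)        AS object_name
FROM sys.database_permissions AS perm
JOIN sys.database_principals AS dp
       ON dp.principal_id = perm.grantee_principal_id
WHERE (dp.sid = SUSER_SID(@principal) OR dp.name = N'public')
  AND perm.class IN (0, 1)   -- database-level and object/column-level
  AND ISNULL(OBJECTPROPERTY(perm.major_id, 'IsMSShipped'), 0) = 0
ORDER BY grantee, schema_name, object_name;

-- 4. Sessions connected as the anonymous login right now: the host and
--    client address point at the middle tier that is failing to delegate.
SELECT s.session_id, s.login_time, s.host_name, s.program_name,
       c.client_net_address, c.auth_scheme
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.login_name = @principal;
```

Query 4 only shows sessions open at the moment it runs; enabling auditing of successful logins on the instance gives a history of connections made as this login.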
don-357257
Posted Monday, February 25, 2013 12:45 PM
Thanks Brian, it looks like I need to do some further investigation.
Unfortunately the previous DBA has now left the company.
Being relatively new to the role myself, I need to learn more about Kerberos delegation......
I am rather worried about non-validated users having permission to read some db tables, and I can't think of what valid reasons there may be to allow this.
Presumably we have the guest user account 'if' we wanted general users to perform certain actions with the database.
Thus NT AUTHORITY\ANONYMOUS seems to be quite a security risk - though I appreciate I don't fully understand the purpose of the account, or implications of having it.
If you're able to direct me to any further reading on this topic, I would gratefully receive it.
Post #1423749
K. Brian Kelley
Posted Monday, February 25, 2013 1:02 PM
I have an article on here that talks about Kerberos authentication:
Configuring Kerberos Authentication
That's a good starting point to understand what is happening.
Post #1423755