What is user account 'NT AUTHORITY\ANONYMOUS LOGON'?
Posted Monday, February 25, 2013 9:34 AM
Forum Newbie

I have recently inherited a SQL Instance containing a number of databases.
These databases contain a user account called 'NT AUTHORITY\ANONYMOUS LOGON' and this user account is granted a specific select permission on a specific user table.
(The public role has also been assigned various select privileges to various tables, so presumably the 'NT AUTHORITY\ANONYMOUS LOGON' user account also has these privileges.)

But I don't understand what this user account is......

Who uses it?
Who is able to connect to the database with this user account?
(There is also a server login called 'NT AUTHORITY\ANONYMOUS LOGON' which is mapped to the equivalent account in each database.)

I've done an internet search and come across numerous posts related to error messages for "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'."
But I want to take one step back and find out why such a user account is needed in the first place?

Any thoughts?
Post #1423666
Posted Monday, February 25, 2013 9:50 AM


Keeper of the Duck

When the OS can't validate who you are, you are NT AUTHORITY\ANONYMOUS LOGON. You typically see this in double hop situations like when you have a client connecting to SSRS and SSRS isn't on the same server as the SQL Server where the DB is located. As you might have guessed, they shouldn't have done this. Typically the right answer is to get Kerberos delegation correct.

It sounds like you need to track down the whys as to this security hole and figure out where it's coming from and get that fixed.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
Post #1423671
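An audit sketch for the tracking-down step in the reply above, added here as an example and not written by anyone in the thread. It assumes the caller has VIEW SERVER STATE and can view principal and permission metadata, and that query 3 is run once in each database.

```sql
-- Added audit sketch (not from the thread). Needs VIEW SERVER STATE and
-- permission to view definitions; run the database-level query in each database.

-- 1) Server login: present, enabled, and when was it created or changed?
SELECT name, type_desc, is_disabled, create_date, modify_date
FROM sys.server_principals
WHERE name = N'NT AUTHORITY\ANONYMOUS LOGON';

-- 2) Server-level permissions granted to that login.
SELECT pr.name, pe.class_desc, pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'NT AUTHORITY\ANONYMOUS LOGON';

-- 3) Per database: object permissions on user objects held by the mapped user
--    (matched by SID, since the user name may differ) or inherited via public.
SELECT DB_NAME() AS database_name,
       dp.name AS grantee,
       SCHEMA_NAME(o.schema_id) AS schema_name,
       o.name AS object_name,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS dp
  ON dp.principal_id = pe.grantee_principal_id
JOIN sys.objects AS o
  ON o.object_id = pe.major_id
WHERE pe.class = 1                      -- object or column
  AND o.is_ms_shipped = 0               -- skip system objects
  AND (dp.sid = SUSER_SID(N'NT AUTHORITY\ANONYMOUS LOGON')
       OR dp.name = N'public')
ORDER BY grantee, schema_name, object_name;

-- 4) Who is connected as the anonymous login right now, from where, and with
--    which authentication scheme (NTLM vs KERBEROS)?
SELECT s.session_id, s.login_time, s.host_name, s.program_name,
       c.client_net_address, c.auth_scheme
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
  ON c.session_id = s.session_id
WHERE s.login_name = N'NT AUTHORITY\ANONYMOUS LOGON';
```

The host, program and client address from query 4 point at the middle tier whose second hop is arriving unauthenticated, which is where the Kerberos delegation work belongs.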
Posted Monday, February 25, 2013 12:45 PM
Forum Newbie

Thanks Brian, it looks like I need to do some further investigation.

Unfortunately the previous dba has now left the company.

Being relatively new to the role myself, I need to learn more about Kerberos delegation......

I am rather worried about non-validated users having permission to read some db tables, and I can't think of what valid reasons there may be to allow this.

Presumably we have the guest user account 'if' we wanted general users to perform certain actions with the database.
Thus NT AUTHORITY\ANONYMOUS seems to be quite a security risk - though I appreciate I don't fully understand the purpose of the account, or implications of having it.

If you're able to direct me to any further reading on this topic, I would gratefully receive it.


Post #1423749
Posted Monday, February 25, 2013 1:02 PM


Keeper of the Duck

I have an article on here that talks about Kerberos authentication:

Configuring Kerberos Authentication

That's a good starting point to understand what is happening.


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
Post #1423755