Event ID 4624 ANONYMOUS LOGON and ImpersonationLevel %%1833

EnterpriseArchitect 6,061 Reputation points
2024-08-02T07:10:09.0966667+00:00

People,

When querying my Domain Controllers in my domains, I can see that multiple servers and computers are still showing Event ID 4624: 4624(S) An account was successfully logged on. - Windows 10 | Microsoft Learn

 

UserName: ANONYMOUS LOGON
LogonType: 3 (Network)
ImpersonationLevel: %%1833

 

Does it mean the above servers and computers are still using old NTLM V1 and LM authentication?

Auditing and restricting NTLM authentication using Group Policy – 4sysops

HOWTO: Detect NTLMv1 Authentication - The things that are better left unspoken (dirteam.com)


Accepted answer
  1. Yanhong Liu 14,205 Reputation points Microsoft External Staff
    2024-08-06T06:57:40.2466667+00:00

    Hello,

    Thank you for posting in the Q&A forum.

    Event ID 4624 with the "ANONYMOUS LOGON" username and LogonType 3 (Network) generally indicates that an anonymous user is accessing a resource over the network. This doesn't necessarily mean that NTLMv1 or LM authentication is being used.

    The official link is described below: Audit use of NTLMv1 on a domain controller - Windows Server | Microsoft Learn

    The logic of the NTLM Auditing is that it will log NTLMv2-level authentication when it finds NTLMv2 key material on the logon session. It logs NTLMv1 in all other cases, which include anonymous sessions. Therefore, our general recommendation is to ignore the event for security protocol usage information when the event is logged for ANONYMOUS LOGON.

    There are also two known scenarios where authentication actually uses NTLMv2, but NTLMv1 is reported in the event log. For example, you test with a Windows 7 client connecting to a file share on Windows Server 2008 R2. The network trace showed the authentication was actually using NTLMv2 but reporting NTLMv1 in the event log. Please refer to the following links: Audit event shows authentication package as NTLMv1 instead of NTLMv2 - Windows Server | Microsoft Learn

    I hope the information above is helpful.

    Best Regards,

    Yanhong Liu


    2 people found this answer helpful.
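
The recommendation in the answer above, written as a triage filter. This is an added example, not code from the answer or from Microsoft. It reads the `LmPackageName` and `TargetUserSid` fields of 4624 events and separates ANONYMOUS LOGON records (well-known SID S-1-5-7) from named accounts reported as NTLM V1; the sample events, account names and host names are constructed.

```powershell
# Constructed 4624 event XML, trimmed to the EventData fields used below.
function New-SampleEvent($User, $Sid, $LmPackage, $Workstation) {
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserSid">$Sid</Data>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LmPackageName">$LmPackage</Data>
    <Data Name="WorkstationName">$Workstation</Data>
  </EventData>
</Event>
"@
}

$samples = @(
    New-SampleEvent 'ANONYMOUS LOGON' 'S-1-5-7' 'NTLM V1' 'SRV-EXAMPLE01'
    New-SampleEvent 'svc-legacy' 'S-1-5-21-1111111111-2222222222-3333333333-1105' 'NTLM V1' 'PC-EXAMPLE07'
    New-SampleEvent 'alice' 'S-1-5-21-1111111111-2222222222-3333333333-1106' 'NTLM V2' 'PC-EXAMPLE08'
)

function Get-NtlmV1Logon {
    param([Parameter(ValueFromPipeline)][string]$EventXml)
    process {
        # Flatten <Data Name="...">value</Data> into a lookup table.
        $f = @{}
        foreach ($d in ([xml]$EventXml).Event.EventData.Data) {
            $f[$d.GetAttribute('Name')] = $d.InnerText
        }
        if ($f['LmPackageName'] -ne 'NTLM V1') { return }   # keep only events reported as NTLM V1

        # Anonymous sessions have no NTLMv2 key material, so the audit logic
        # reports them as NTLM V1; they say nothing about the protocol in use.
        $anonymous = $f['TargetUserSid'] -eq 'S-1-5-7'
        $verdict = if ($anonymous) { 'Ignore (anonymous session)' } else { 'Investigate' }
        [pscustomobject]@{
            User        = $f['TargetUserName']
            Workstation = $f['WorkstationName']
            LogonType   = $f['LogonType']
            Verdict     = $verdict
        }
    }
}

$samples | Get-NtlmV1Logon | Format-Table -AutoSize
# Live data on a domain controller (elevated session):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | ForEach-Object { $_.ToXml() } | Get-NtlmV1Logon
```

Rows marked Investigate still need confirming with a network trace, since the answer notes known cases where NTLMv2 authentication is logged as NTLMv1.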
