Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net. The EventId.Net for Splunk Add-on assumes that Splunk is collecting information from Windows servers and workstation via the Splunk Universal Forwarder.
An anonymous session connected from <computer name or ip address> has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller.
The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1.
This message will be logged at most once a day.
|English: This information is only available to subscribers. An example of English, please!|
|Concepts to understand:|
What is the role of LsaSrv?
What is a DWORD?
See ME839569 for a workaround on this problem.
From a newsgroup post: "This event means than an anonymous caller tried to access the LSA policy database. In this case, since the first parameter is "LOCALCOMPUTERNAME", I'm assuming that it's coming from a service on the machine running as LocalService (or LocalSystem, if the machine is not domain joined). You could look at network Logon events (528/540, logon type 3) for "Anonymous" around the same time, to try to locate the logon and gather more information.
The event itself means that Windows did not disclose any information to the anonymous caller, so you only need to act on it if you're encountering some other symptom. However to make it go away, you need to find where it's coming from and have the application vendor issue a fix."
|Private comment: Subscribers only. See example of private comment|
|Search: Google - Bing - Microsoft - Yahoo - EventID.Net Queue (1) - More links...|
|Custom search for *****: Google - Bing - Microsoft - Yahoo|
Send comments or solutions
- Notify me when updated