4.7.3. The ANONYMOUS LOGON network logon session

When a Windows system starts, it creates several logon sessions (depending on the Windows version), including a network logon session to represent anonymous access. This network logon session is known as the ANONYMOUS LOGON network logon session.

Logon sessions created at startup by a Windows Server 2003 system can be enumerated using the logonsessions tool [44].

Z:\>logonsessions

Logonsesions v1.1
Copyright (C) 2004 Bryce Cogswell and Mark Russinovich
Sysinternals - wwww.sysinternals.com


[0] Logon session 00000000:000003e7:
    User name:    WORKGROUP\W2K3DFLT$
    Auth package: NTLM
    Logon type:   (none)
    Session:      0
    Sid:          S-1-5-18
    Logon time:   21/01/2005 03:49:29
    Logon server:
    DNS Domain:
    UPN:

[1] Logon session 00000000:00006e13:
    User name:
    Auth package: NTLM
    Logon type:   (none)
    Session:      0
    Sid:          (none)
    Logon time:   21/01/2005 03:49:29
    Logon server:
    DNS Domain:
    UPN:

[2] Logon session 00000000:000003e5:
    User name:    NT AUTHORITY\LOCAL SERVICE
    Auth package: Negotiate
    Logon type:   Service
    Session:      0
    Sid:          S-1-5-19
    Logon time:   21/01/2005 03:49:30
    Logon server:
    DNS Domain:
    UPN:

[3] Logon session 00000000:000003e4:
    User name:    NT AUTHORITY\NETWORK SERVICE
    Auth package: Negotiate
    Logon type:   Service
    Session:      0
    Sid:          S-1-5-20
    Logon time:   21/01/2005 03:49:30
    Logon server:
    DNS Domain:
    UPN:

[4] Logon session 00000000:0000e0cc:
    User name:    NT AUTHORITY\ANONYMOUS LOGON
    Auth package: NTLM
    Logon type:   Network
    Session:      0
    Sid:          S-1-5-7
    Logon time:   21/01/2005 03:49:39
    Logon server:
    DNS Domain:
    UPN:

[5] Logon session 00000000:00010a42:
    User name:    W2K3DFLT\Administrator
    Auth package: NTLM
    Logon type:   Interactive
    Session:      0
    Sid:          S-1-5-21-2330557087-2467616270-843640848-500
    Logon time:   21/01/2005 03:49:48
    Logon server: W2K3DFLT
    DNS Domain:
    UPN:

A Windows Server 2003 system creates 5 logon sessions at system startup:

Because the ANONYMOUS LOGON network logon session is created at startup, when a NULL session is established, Windows does not need to create another logon session.

Hence, logon rights are not verified and it is not possible to prevent NULL sessions by removing the network logon right for ANONYMOUS LOGON, as one might expect.
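
The following added example (not part of the original document or of the logonsessions tool) parses logonsessions output in the format shown above and reports each session held by S-1-5-7, with the delay since the SYSTEM session was created, so an auditor can confirm that the ANONYMOUS LOGON session dates from startup rather than from a later NULL session. The function names are hypothetical, and the dd/mm/yyyy date format is assumed from the listing.

```python
import re
from datetime import datetime

# Excerpt of the logonsessions listing above (fields trimmed for brevity).
SAMPLE = r"""
[0] Logon session 00000000:000003e7:
    User name:    WORKGROUP\W2K3DFLT$
    Logon type:   (none)
    Sid:          S-1-5-18
    Logon time:   21/01/2005 03:49:29

[4] Logon session 00000000:0000e0cc:
    User name:    NT AUTHORITY\ANONYMOUS LOGON
    Logon type:   Network
    Sid:          S-1-5-7
    Logon time:   21/01/2005 03:49:39

[5] Logon session 00000000:00010a42:
    User name:    W2K3DFLT\Administrator
    Logon type:   Interactive
    Sid:          S-1-5-21-2330557087-2467616270-843640848-500
    Logon time:   21/01/2005 03:49:48
"""

HEADER = re.compile(r"^\[(\d+)\] Logon session ([0-9a-f]{8}):([0-9a-f]{8}):", re.I)
FIELD = re.compile(r"^\s+([A-Za-z ]+):\s*(.*)$")

def parse_sessions(text):
    """Return one dict per logon session block in logonsessions output."""
    sessions = []
    for line in text.splitlines():
        if m := HEADER.match(line):   # new block: store the 64-bit logon ID
            sessions.append({"luid": int(m.group(2) + m.group(3), 16)})
        elif sessions and (m := FIELD.match(line)):
            sessions[-1][m.group(1).strip()] = m.group(2).strip()
    return sessions

def anonymous_sessions(sessions, fmt="%d/%m/%Y %H:%M:%S"):
    """Sessions for S-1-5-7 (ANONYMOUS LOGON), with seconds elapsed since the
    SYSTEM session (S-1-5-18) was created, used here as the startup time."""
    boot = next(datetime.strptime(s["Logon time"], fmt)
                for s in sessions if s.get("Sid") == "S-1-5-18")
    return [(s["luid"], s.get("Logon type"),
             (datetime.strptime(s["Logon time"], fmt) - boot).total_seconds())
            for s in sessions if s.get("Sid") == "S-1-5-7"]

if __name__ == "__main__":
    for luid, kind, delay in anonymous_sessions(parse_sessions(SAMPLE)):
        print(f"ANONYMOUS LOGON luid=0x{luid:x} type={kind} +{delay:.0f}s after startup")
```

Run against a fresh listing taken after NULL sessions have been established, the S-1-5-7 entry should still be the single session created at startup.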