SQL Server 2008 – is "NT AUTHORITY\ANONYMOUS LOGON" login "mandatory"?

Question :

My spider senses are tingling because I found this "NT AUTHORITY\ANONYMOUS LOGON" account among the logins of a SQL Server. I tried to research the matter, and I even have a book about SQL Server management, but all the web searches I've done seem to relate only to login problems. The account is not on the local SQL Express installation that I have, so I don't really know if someone added it there and, if so, why.

Anyway, my take on this is as follows: this account seems to allow login for everyone who is in my domain. This just seems wrong and I want to shut it down. My concern is that if I shut down this account, will applications start to fail to log in? Is user/password login considered "anonymous" in this regard? In other words, do accounts other than AD accounts need this for the login to work?

I wish I could just test it, but it could do some damage in a production environment.

Answer :

"This account seems to allow login for everyone who is in my domain"

That is actually incorrect. It allows access to anyone who cannot be authenticated. Members of your domain will successfully authenticate, and they will be rejected.

On a serious note: there are absolutely ZERO reasons to have this login enabled. It was added intentionally to your system by somebody; this is not a default configuration. If I were to venture a guess, it would be that somebody tried to configure integrated authentication with impersonation on a web application and did not understand the requirement for 'double hop' constrained delegation. Needless to say, the 'solution' is a huge security hole that requires immediate action. You need to identify the application that uses this login and fix the authentication as appropriate (the link contains the primer on how to set up constrained delegation).
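The answer's advice is to find out which application relies on this login before removing it. The following T-SQL is an added example, not part of the original question or answer, that inventories the login from the defender's side: whether it exists and is enabled, what server roles and permissions it holds, which database users map to it, and which sessions are currently connected as it (the host and program name usually identify the misconfigured application). It assumes SQL Server 2008 or later and a connection with sysadmin or at least VIEW SERVER STATE; the final, commented-out statement is the mitigation step to run only after the application's authentication has been fixed.

```sql
-- Added example (not from the original Q&A): inventory what the
-- NT AUTHORITY\ANONYMOUS LOGON login exists as and can do before touching it.
-- Assumes SQL Server 2008+ and sysadmin / VIEW SERVER STATE rights.

DECLARE @login sysname = N'NT AUTHORITY\ANONYMOUS LOGON';

-- 1. Does the login exist, and is it currently enabled?
SELECT name, type_desc, is_disabled, create_date, modify_date
FROM sys.server_principals
WHERE name = @login;

-- 2. Server-level role membership (sysadmin here would be a critical finding).
SELECT r.name AS role_name
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = @login;

-- 3. Explicit server-level permissions granted to the login.
SELECT p.class_desc, p.permission_name, p.state_desc
FROM sys.server_permissions p
JOIN sys.server_principals sp ON sp.principal_id = p.grantee_principal_id
WHERE sp.name = @login;

-- 4. Database users mapped to this login, across every database.
--    (The name is repeated literally because @login is not visible
--     inside the dynamic batch that sp_MSforeachdb executes.)
EXEC sp_MSforeachdb N'
USE [?];
SELECT DB_NAME() AS database_name, dp.name AS user_name, dp.type_desc
FROM sys.database_principals dp
JOIN sys.server_principals sp ON sp.sid = dp.sid
WHERE sp.name = N''NT AUTHORITY\ANONYMOUS LOGON'';';

-- 5. Who is connected as it right now: host_name and program_name point
--    at the application whose authentication needs fixing.
SELECT session_id, host_name, program_name, client_interface_name, login_time
FROM sys.dm_exec_sessions
WHERE login_name = @login;

-- 6. Mitigation, once the application has been fixed: disable rather than
--    drop first, so a regression can be reverted with ALTER LOGIN ... ENABLE.
-- ALTER LOGIN [NT AUTHORITY\ANONYMOUS LOGON] DISABLE;
```

Run steps 1 to 5 on the production instance during normal business hours and again during any batch windows, since the application that depends on the login may only connect at specific times; an empty result from step 5 on a single run does not prove nothing uses it.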
