What is the ILS_ANONYMOUS_USER account?

fcm

5/7/24, 10:21 AM

On a Microsoft Windows domain, on a public IP server, I found a login using the account ILS_ANONYMOUS_USER.
This is Microsoft created domain wide account, not specific to one server.
Is this right?

note:
This is a security issue that may affect every Microsoft domain.
High risk of ransomware, viruses and similar

106

1 + 5

active-directory

microsoft

windows-server-2019

Greg Askew

5/7/24, 10:50 AM

A domain account is prefixed with the domain SID. If the account is not prefixed with the domain SID, it is not a domain account. That information (the SID of the security principal and therefore the domain SID) is in every event log message of this type, so you should be able to identify this locally. It probably is not "Microsoft-created" given the obtuseness and archaic nature of the related product. An account name can be anything and used by anyone, anytime and anywhere.

fcm

5/7/24, 12:31 PM

@GregAskew the account SID, is a domain account : S-1-5-21-1013649999-431189999-937769972-1354, also DistinguishedName is CN=ILS_ANONYMOUS_USER,CN=Builtin,DC=REDACTED,DC=com This account is used internally by Windows for inter-server communication; however, references on MS doc are very obscure: disable the account and domain fail in multiple areas.

Greg Askew

5/7/24, 12:33 PM

The approach is the same as with any other account. Test in a non-production environment first.

fcm

5/7/24, 12:40 PM

please, on your domain just do: **Get-ADUser -Identity ILS_ANONYMOUS_USER** and report back.

fcm

5/10/24, 1:07 AM

Will be interesting to know why those anonymous 'experts' downvote a very serious Windows security issue without explanation. This is the exact reason why this site is losing adepts. The fact that you don't understands the question is not enough to downvote.

Score:-1

Server

fcm

5/7/24, 1:31 PM

We have a firewall protected RDP server, however, using an unknown (to me) method, someone was able using Remote Desktop, login interactively on the server.
I noticed the break-in by chance: only one user allowed access at a time and trying to get in, found someone else inside.
We have MalwareBytes (recomended) and it stop a known ransomware download.

It's important to notice that ILS_ANONYMOUS_USER is a password-less account.

I contacted the Microsoft Security Response Center [email protected], however their answer is hard to believe:

Subject: RE: Windows - SecurityFeatureBypass - Remote RDP login using ILS_ANONYMOUS_USER VULN-098797 CRM:0450000683

Hello,

Thank you for contacting the Microsoft Security Response Center (MSRC). What you're reporting appears to be a bug/product suggestion, but does not meet the definition of a security vulnerability.

As such, this thread is being closed and no longer monitored. We apologize for any inconvenience this may have caused. ....

However, the security vulnerability is present and Microsoft is not taking any action.
The solution is on each server restrict login to this account using GPEDIT.MSC:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny Logon locally.

You can check a potential 'visit' by looking for C:\Users\ILS_ANONYMOUS_USER if the folder is there, you are out of luck. Give yourself permission as administrator, change the ownership if needed and look at the 'Downloads' folder, hopefully no bad files are there. On my case, I have scanners, multiple files with usernames, others with thousands of passwords, also a few old Microsoft's decommissioned apps known to have elevation issues.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: What is the ILS_ANONYMOUS_USER account?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.