Unexpected anonymous login in Windows security logs
First, ANONYMOUS LOGON is not the Guest account, so let's not conflate the two. They're separate things. Unless your server is grossly misconfigured, these events are probably harmless. For instance, Windows will never let someone log on interactively to the computer with an anonymous logon.
There are certain little bits of information that, by default, Windows will give out anonymously. For instance, another computer on the network attempting to enumerate file shares on your computer. That will log an anonymous logon. Because they didn't have to authenticate to a user account just to see if you're hosting any file shares.
You'll see such anonymous logons also referred to as null sessions. To create a null session, try this:
```
C:\>net use \\PC01\ipc$ "" /user:""
The command completed successfully.
```
That will trigger a security event exactly like the one you posted above. But I haven't exactly hacked your machine at this point... so it isn't much to worry about per se. There isn't much you can do with a null session. And you can further restrict it with GPOs/Local Security Policy:
- Network access: Allow anonymous SID/Name translation
- Network access: Do not allow anonymous enumeration of SAM accounts
- Network access: Do not allow anonymous enumeration of SAM accounts and shares
- Network access: Let Everyone permissions apply to anonymous users
- Network access: Named Pipes that can be accessed anonymously
- Network access: Shares that can be accessed anonymously
(These policies are in the Microsoft Management Console—MMC—Local Security Policy snap-in under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.)
But as EEAA said, what you should worry about is that someone in Taiwan even has the required network connectivity to your machine to even make that network connection in the first place. That means your firewall has holes in it that you should close.
I would close everything except 3389 so that you can access your computer remotely, and port 80 and 443 if it's a web server... or just what you need, like EEAA said. We don't know what all your VPS does. :)
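
A read-only way to see how the null-session policies listed above are currently set on a machine, as an added example that is not part of the original answer. It assumes the standard registry values that back these policies (`RestrictAnonymousSAM`, `RestrictAnonymous`, `EveryoneIncludesAnonymous`, `NullSessionPipes`, `NullSessionShares`); "Allow anonymous SID/Name translation" is not stored as a registry value and is not checked here.

```powershell
# Added example: audits the anonymous-access policies; changes nothing.
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Policy name -> backing registry value and its restrictive setting.
$checks = @(
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts'
       Path = $lsa; Name = 'RestrictAnonymousSAM'; Want = 1 }
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts and shares'
       Path = $lsa; Name = 'RestrictAnonymous'; Want = 1 }
    @{ Policy = 'Let Everyone permissions apply to anonymous users'
       Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Want = 0 }
)

# Returns the value data, or $null when the value does not exist.
function Get-RegValue($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$results = foreach ($c in $checks) {
    $actual = Get-RegValue $c.Path $c.Name
    [pscustomobject]@{
        Policy      = $c.Policy
        Setting     = $c.Name
        Actual      = if ($null -eq $actual) { '(not set)' } else { $actual }
        Restrictive = ($actual -eq $c.Want)
    }
}

# The two list policies are REG_MULTI_SZ values; an empty list is the most
# restrictive setting, and any entries present should be reviewed.
$results += foreach ($name in 'NullSessionPipes', 'NullSessionShares') {
    $entries = @(Get-RegValue $server $name | Where-Object { $_ })
    [pscustomobject]@{
        Policy      = "Anonymous access list ($name)"
        Setting     = $name
        Actual      = if ($entries.Count) { $entries -join ', ' } else { '(empty)' }
        Restrictive = ($entries.Count -eq 0)
    }
}

$results | Format-Table -AutoSize -Wrap
```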