Event Log not capturing changes to IIS configuration

Question

Thursday, August 16, 2018 2:12 PM

We have a Windows Server 2008 R2 Service Pack 1. We use Active Directory for authentication/authorization.

IIS is being used on this server to serve some internal apps (that are virtual applications under a root website). These apps require Windows Authentication. Authorization to these apps is set to specific AD security groups.

Recently we have noticed the authorization gets changed to "All Users" in addition to the specific security groups. This is obviously a security lapse.

To capture who might be doing this and when, we turned on the Microsoft-Windows-IIS-Configuration/Operational log using Event Viewer. To test this we made some changes to one of the IIS apps and about 16 events got logged in the event log.

We removed "All Users" from authorization and waited to see if it changed. Sure enough, a few days later "All Users" had been added back to a few (not all) apps. But unfortunately nothing got logged in that log.

Is there another way to capture these changes?

All replies (6)

Friday, August 17, 2018 8:24 AM

Hi joym8,

I suggest you use configuration auditing.

IIS configuration auditing is a feature that lets you monitor the changes that are made to the IIS configuration store. It generates event messages (similar to those generated by enabling metabase auditing in previous versions). It displays the configuration element which was changed, the user who initiated the change, and the original and the new value of the element.

To enable the configuration auditing feature, follow the below steps:

  1. Open Event Viewer (Administrative Tools –> Event Viewer)
  2. Expand the “Application and Service Logs”
  3. Expand “Microsoft”, and expand “Windows”
  4. Expand “IIS-Configuration”, and right click on “Operational”, and choose “Enable Log”

Reference:

IIS 7.5 – How to enable IIS Configuration Auditing?

Regards

Deepak


Friday, August 17, 2018 2:48 PM

Hi deepakpancha...

As I mentioned in my question, that log is turned on already.


Friday, August 17, 2018 10:12 PM

Unfortunately, IIS configuration auditing has its limitations:

https://blogs.msdn.microsoft.com/webtopics/2010/03/19/iis-7-5-how-to-enable-iis-configuration-auditing/

Key points to remember:

  1. If someone uses appcmd to modify the IIS configuration, you will see the config auditing entry for the same, but the PID won’t be a valid one. That is because that appcmd process is actually completed, so you won’t find it in the task manager’s processes list. But, you will still see the user information which initiated the change.
  2. Manual changes to the configuration store are not audited. For example, if you use appcmd or MWA, it is captured, but if someone modifies the value of a section in the applicationHost.config directly such as by opening it in Notepad.exe, that won’t be recorded in the audit logs.

In the worst case, enable NTFS file audit to see which account modified the configuration file, and that might give you some hints.


Monday, August 20, 2018 2:57 PM

Hi lextm,

Which particular applicationHost.config file should I turn on auditing for? Please see the screenshot of the folder list:

https://imgur.com/a/fYfTyGU


Tuesday, August 21, 2018 6:37 AM

Hi joym8,

You had asked, "Which particular applicationHost.config file should I turn on auditing for?"

As another community member has already informed you, you will not be able to track manual changes because of this limitation.

Regards

Deepak


Tuesday, August 21, 2018 8:07 PM

deepakpancha...

Based on your responses, it appears you're not reading these threads completely.

>>>enable NTFS file audit to see which account modified the configuration file

...this is what I'm trying to achieve
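Putting lextm's fallback (an NTFS audit entry on applicationHost.config, which is what the original poster wants) together with the step of enabling the IIS-Configuration operational log, as an added PowerShell example that is not part of this thread. It assumes the default inetsrv config path and that the log channel name matches the wildcard `*IIS-Configuration/Operational`; run it in an elevated session on the IIS host.

```powershell
# Added example, not from the thread. Assumption: applicationHost.config is at the
# default IIS location under %windir%\System32\inetsrv\config.
$configFile = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'

# 1. Make sure the IIS configuration audit channel is enabled. This records changes
#    made through appcmd / IIS Manager / MWA, but not hand edits of the XML file.
#    Assumption: the channel name ends in "IIS-Configuration/Operational".
$iisLog = Get-WinEvent -ListLog '*IIS-Configuration/Operational' -ErrorAction Stop | Select-Object -First 1
if (-not $iisLog.IsEnabled) {
    $iisLog.IsEnabled = $true
    $iisLog.SaveChanges()
}

# 2. Enable the "File System" object-access audit subcategory. Without this, a SACL
#    on the file never produces any Security log events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 3. Add a SACL entry to applicationHost.config auditing write, delete, permission and
#    ownership changes by any account. -Audit makes Get-Acl read the SACL so that
#    Set-Acl writes it back (needs SeSecurityPrivilege, which admins hold).
$acl  = Get-Acl -Path $configFile -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList 'Everyone', 'Write,Delete,ChangePermissions,TakeOwnership', 'Success,Failure'
$acl.AddAuditRule($rule)
Set-Acl -Path $configFile -AclObject $acl

# 4. After the next unexpected change: list the 4663 (object access) events for the
#    file, showing which account wrote it and from which process (for example
#    notepad.exe for a hand edit versus inetsrv\appcmd.exe for a scripted change).
function Get-ConfigFileWrites {
    param([string]$Path = $configFile, [int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the event's named fields from its XML instead of relying on field order.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.ObjectName -ieq $Path) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Process = $data.ProcessName
                Access  = $data.AccessMask
            }
        }
    }
}

Get-ConfigFileWrites | Sort-Object Time | Format-Table -AutoSize
```

The 4663 events only identify the account and process; if the process is a service (for example a deployment agent or a scheduled task), check which account that service runs as, since that is the account that will appear in the event.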