Re: IIS Lockdown - access denied securing PF

From: Karl Levinson [x y] MVP (levinson_k@excite.com)
Date: 10/23/02 

From: "Karl Levinson [x y] MVP" <levinson_k@excite.com>
Date: Wed, 23 Oct 2002 09:50:39 -0400

Well, I'm just guessing, but perhaps Exchange changed them, or perhaps the
files are in use by Exchange or by someone and cannot be modified, or
perhaps the permissions are not as you expect. I might suggest you try
enabling auditing of file access failure and then check the windows security
log to see what is being denied access.

Of course, you may have the same problem changing the NTFS auditing
property, but that too would be a clue, especially if you use a method that
tells you which file cannot be modified and why.

=============

Note that to enable logging of access to files or registry settings, you
must both enable logging in the overall computer policy AND also add
auditing settings on individual folders or registry keys in the NTFS
security properties in Windows Explorer or the REGEDT32 registry editor.
[Using REGEDIT will not work.] To log file access, the files must be on an
NTFS-formatted partition.

Note also that to enable logging of security events on a Windows domain, you
must change the auditing policy on all domain controllers. Changing the
auditing policy on the computers in the domain enables logging of failed
logins to the computers using local accounts and would not necessarily log
attempts to log into the domain.

Consider changing the Windows event log settings to be appropriate for your
environment. Consider increasing the maximum log size to retain more
information. Be careful not to log too much, or you might find that your
logs contain only a few minutes or hours worth of data. Finally, check the
logs to be sure logs are really being captured.

For more information on enabling and configuring auditing, see the articles
below:
http://nsa1.www.conxion.com/win2k/download.htm a.k.a. http://www.nsa.gov
[look for the NSA Security Recommendation Guides for Windows 2000 and also
Group Policy]
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/
13w2kadc.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q310399 - XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549 - 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q248260 - 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q301640 - 2000, file
access settings
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300958 - 2000,
monitoring for unauthorized user access
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q157238 - NT
http://www.labmice.net/troubleshooting/EventLog.htm

[Thanks to Thomas Deml and others]

"Matt Vaughan" <hifidel@NOSPAMyahoo.com> wrote in message
news:Ov9QihpeCHA.1596@tkmsftngp10...
> Yes, the my Exchange admin account. How can these permissions have
changed?
>
>
> "Karl Levinson [x y] MVP" <levinson_k@excite.com> wrote in message
> news:uNUHxXgeCHA.4228@tkmsftngp08...
> > I'm guessing IISlockdown is trying to change NTFS permissions on those
> > directories. Are you logged in with an account that has the privileges
to
> > do so?
> >
> > "Matt Vaughan" <hifidel@NOSPAMyahoo.com> wrote in message
> > news:uyxxT5feCHA.1760@tkmsftngp12...
> > > I get the following message when running the IIS Lockdown tool on my
> > backend
> > > Exchange server:
> > >
> > > Warning: Unable to secure content (M:\Domain.com\Public Folders):
Access
> > is
> > > denied.
> > > Warning: Stopped processing this directory after 3 failures
> > > (M:\Domain.com\Public Folders\Bulletin Boards
> > >
> > > This warning also comes up for each public folder.
> > >
> > > Any ideas?
> > >
> > >
> > > -Matt
> > >
> > >
> >
> >
>
>

Relevant Pages

  • Re: 403 forbidden error when redircting from http to https
    ... How can I enable auditing / logging on my computer / server? ... Note that to enable logging of access to files or registry settings, ... security properties in Windows Explorer or the REGEDT32 registry editor. ... must change the auditing policy on all domain controllers. ...
    (microsoft.public.inetserver.iis.security)
  • Re: 403 forbidden error when redircting from http to https
    ... > How can I enable auditing / logging on my computer / server? ... > Note that to enable logging of access to files or registry settings, ... > security properties in Windows Explorer or the REGEDT32 registry editor. ... > must change the auditing policy on all domain controllers. ...
    (microsoft.public.inetserver.iis.security)
  • Re: IIS Lockdown - access denied securing PF
    ... > Well, I'm just guessing, but perhaps Exchange changed them, or perhaps the ... > enabling auditing of file access failure and then check the windows ... > Note that to enable logging of access to files or registry settings, ... > security properties in Windows Explorer or the REGEDT32 registry editor. ...
    (microsoft.public.inetserver.iis.security)
  • Re: IIS denied access to this machine
    ... > I have just installed IIS on Windows XP Pro and when I go ... Try enabling auditing of failed login events and file access failures on all ... Note that to enable logging of access to files or registry settings, ... must change the auditing policy on all domain controllers. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Printer Disapear and Strange Admin Objects
    ... however with the audit policy we have one more question. ... > This module describes how to set different settings that apply to auditing. ... > Microsoft Windows XP - Audit Policy ... >> where printers disapear from the active directory on a local site. ...
    (microsoft.public.windows.server.active_directory)