RE: Auditing login attempts

From: Sandy Wood (sandy.wood@da.ocgov.com)
Date: 12/20/02


From: "Sandy Wood" <sandy.wood@da.ocgov.com>
Date: Fri, 20 Dec 2002 09:40:02 -0800


Ray,
Thanks for taking the time to work me through this one
and to help explain the details of what's going on.

It does make sense that IIS will report failed logins via
W3SVC when a user, say, types in a wrong password at the
login box. I don't have Anonymous access enabled so the
user must have an NT account or else!

I'll continue to monitor both the System and Security
logs for all my login successes and failures.

Thanks again,

Sandy Wood
OCDA
>-----Original Message-----
>Hi Sandy,
>
>Thanks for the reply.
>
>I found the event entries. They are written by the IIS service instead
>of the Security Subsystem. I found some documents about this. This is
>normal behavior and it is by design. Here I'd like to summarize how the
>IIS security event works.
>
>IIS works on a different level from the security subsystem. That is why
>both the security log and the system log contain the failure for IIS.
>If there are any events concerning Security, the Security Subsystem
>checks your security audit setting and writes the events to the Security
>Log. If the Web Service encounters an authentication failure, it also
>writes to the Event Log as a warning message. Since the Security Log is
>used extensively by the Security Subsystem, W3SVC only writes to the
>System Log.
>
>The security log is best used to analyze the overall security of a
>system. The W3SVC log in the System log is best used for
>troubleshooting. If you want to monitor the overall security events, I
>suggest you monitor the security event log only. There are a lot of
>tools on the Internet that can analyze security logs and generate
>reports for you. If you just want to monitor the failed logon requests
>from the World Wide Web Publishing Service, you can filter the system
>event log.
>
>By the way, the Worker Process of IIS logs to the Application Event
>Log. For example, if a process crashes, it will write a log entry in
>the Application Log.
>
>Please let me know if this solves your problem or if you would like
>further assistance.
>
>I look forward to hearing from you.
>
>Sincerely,
>
>Ray Hu
>Microsoft Online Support Engineer
>
>Get Secure! - www.microsoft.com/security
>
>=====================================================
>When responding to posts, please "Reply to Group" via your newsreader
>so that others may learn and benefit from your issue.
>=====================================================
>This posting is provided "AS IS" with no warranties, and confers no
>rights.
>
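The two views Ray distinguishes above (the Security log as the audit record of every failed logon, the System log as W3SVC's own troubleshooting record, the Application log for worker-process problems) pulled together in one query. This is an added example written for this page, not code from the thread or from Microsoft. It assumes Windows PowerShell with the Get-EventLog cmdlet, that W3SVC's System-log entries carry the source name "W3SVC" as in the thread (a parameter, since newer IIS versions use a different provider name), and a regex over Application-log source names that is a heuristic of mine, not something the thread specifies. Reading the Security log requires the "Manage auditing and security log" right.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell (5.1) with
# the Get-EventLog cmdlet, and that W3SVC's System-log entries carry the
# source name "W3SVC" as in the thread; newer IIS versions use a different
# provider name, so pass -W3svcSource to override. Reading the Security log
# requires the "Manage auditing and security log" right (local Administrators
# have it by default).
function Get-LogonFailureSummary {
    param(
        [int]$Hours = 24,
        [string]$W3svcSource = 'W3SVC'
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Security log: the authoritative record. Every audit failure the
    # Security Subsystem wrote, whatever service triggered it.
    $securityFailures = @(Get-EventLog -LogName Security -EntryType FailureAudit `
        -After $since -ErrorAction SilentlyContinue)

    # System log: the web service's own view of the same failures, written
    # as warnings. Useful for troubleshooting one site, not for auditing.
    $w3svcWarnings = @(Get-EventLog -LogName System -Source $W3svcSource `
        -EntryType Warning -After $since -ErrorAction SilentlyContinue)

    # Application log: IIS worker-process problems (crashes etc.) land here.
    # The source-name regex is a heuristic assumption, not an IIS contract.
    $appErrors = @(Get-EventLog -LogName Application -EntryType Error `
        -After $since -ErrorAction SilentlyContinue |
        Where-Object { $_.Source -match 'W3SVC|IIS|WAS' })

    # Bucket each set by event ID so a burst of one ID (a password-guessing
    # run shows up as many identical failure events) stands out.
    $byId = { param($events)
        $events | Group-Object EventID | Sort-Object Count -Descending |
            Select-Object @{n='EventID';e={$_.Name}}, Count
    }

    [PSCustomObject]@{
        Since                 = $since
        SecurityFailureCount  = $securityFailures.Count
        SecurityByEventId     = & $byId $securityFailures
        W3svcWarningCount     = $w3svcWarnings.Count
        W3svcByEventId        = & $byId $w3svcWarnings
        AppErrorCount         = $appErrors.Count
        # Get-EventLog returns newest first, so this is the most recent failure.
        LatestSecurityFailure = ($securityFailures | Select-Object -First 1 -ExpandProperty Message)
    }
}

# Usage: summarise the last day. A large SecurityFailureCount with a small
# W3svcWarningCount means the failures are coming from something other than
# the web site, which is exactly the distinction Ray draws.
$summary = Get-LogonFailureSummary -Hours 24
$summary | Format-List
```

Run it as an account with the Security-log read right; otherwise the Security figures silently come back as zero because of `-ErrorAction SilentlyContinue`, so check `SecurityFailureCount` against what Event Viewer shows before trusting a quiet result.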
