Re: Is this normal behavior or an attack?



It depends.

w3wp.exe itself does not require those resources, but you may be
running code inside of w3wp.exe that requires those resources.

However, if you don't expect such access, then you can view such log
entries as a security breach denied.

If you want to get rid of these event log entries, then you will have
to figure out what code running on IIS6 is causing it and stop it. IIS
really doesn't have anything to do with it other than restraining the
process identity and denying the security breach.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//







On May 21, 10:53 am, JNeilWix <JNeil...@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
Please see the Security Log event below. It appears that I get a similar
entry in the Security log periodically. This example involves
C:\WINDOWS\system32\drivers\etc\protocol. Sometimes it involves other files as
well. Namely c:\windows\system32\msdart.dll,
C:\WINDOWS\system32\msjetoledb40.dll, C:\WINDOWS\system32\msjet40.dll, or
C:\WINDOWS\system32\mswstr10.dll.
It appears that w3wp.exe is attempting to access these files and is being
denied access. Is there ever a legitimate reason for w3wp.exe to access any
of these files as the Internet Guest user, or are these likely indicative of
some sort of attempt to circumvent security?

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 5/20/2007
Time: 9:28:35 PM
User: XXXXX-EXCH\IUSR_XXXXX-DC
Computer: XXXXX-EXCH
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\system32\drivers\etc\protocol
Handle ID: -
Operation ID: {0,391908395}
Process ID: 5540
Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E4)
Client User Name: IUSR_XXXXX-DC
Client Domain: XXXXX-EXCH
Client Logon ID: (0x0,0x175BE8B8)
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes

Privileges: -
Restricted Sid Count: 0
Access Mask: 0x120189

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
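
As an added example (not part of either post), this Python sketch pulls the fields that matter for triage out of an Event ID 560 description and decodes the access mask, so denials can be grouped by file and caller when tracking down which code in w3wp.exe triggers them. The bit values are the standard ones from winnt.h; the function names and the sample text, constructed from fields of the event quoted above, are this example's own.

```python
import re

# File and standard access-right bits, values from winnt.h.
FILE_RIGHTS = {
    0x1: "ReadData (or ListDirectory)", 0x2: "WriteData (or AddFile)",
    0x4: "AppendData (or AddSubdirectory)", 0x8: "ReadEA", 0x10: "WriteEA",
    0x20: "Execute/Traverse", 0x40: "DeleteChild", 0x80: "ReadAttributes",
    0x100: "WriteAttributes", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# Rights that change the file, its attributes or its security descriptor.
WRITE_BITS = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000

# Constructed sample: selected fields of the Event ID 560 entry quoted in the post.
SAMPLE_EVENT = r"""
Object Name: C:\WINDOWS\system32\drivers\etc\protocol
Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe
Primary User Name: NETWORK SERVICE
Client User Name: IUSR_XXXXX-DC
Access Mask: 0x120189
"""

def parse_event(text):
    """Collect the 'Field: value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s+(\S.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def decode_mask(mask):
    """Name each bit set in a file access mask; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(FILE_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(FILE_RIGHTS)
    return names + ([hex(unknown)] if unknown else [])

def triage(text):
    """Summarise who asked for what, so denials can be grouped per file and caller."""
    f = parse_event(text)
    mask = int(f["Access Mask"], 16)
    return {
        "object": f["Object Name"],
        "process": f["Image File Name"],
        "process_identity": f["Primary User Name"],
        "impersonated_user": f["Client User Name"],
        "rights": decode_mask(mask),
        "write_requested": bool(mask & WRITE_BITS),
    }
```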

