Re: Is this normal behavior or an attack?



Thank you for the response. I had more or less assumed most of what you
pointed out. There are three key sites on IIS. 1) OWA/OMA; 2) Citrix Remote
access; 3) A website for public use (also has some function restricted to
employee access.) I'll be getting with the web developer about #3,
specifically. I was hoping someone here could comment on the functions of
the listed DLLs and the protocol file. Is access to any of these required by
OWA/OMA for instance? Is there anything in the information from the event
log that would, if properly decoded, help me identify which site/app was
causing the access?

"David Wang" wrote:

It depends.

w3wp.exe itself does not require those resources, but you may be
running code inside of w3wp.exe that requires those resources.

However, if you don't expect such access, then you can view such log
entries as security breach denied.

If you want to get rid of these event log entries, then you will have
to figure out what code running on IIS6 is causing it and stop it. IIS
really doesn't have anything to do with it other than restraining the
process identity and denying the security breach.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//







On May 21, 10:53 am, JNeilWix <JNeil...@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
Please see the Security Log event below. It appears that I get a similar
entry in the Security log periodically. This example involves
C:\WINDOWS\system32\drivers\etc\protocol. Sometimes it involves other files as
well. Namely c:\windows\system32\msdart.dll,
C:\WINDOWS\system32\msjetoledb40.dll, C:\WINDOWS\system32\msjet40.dll, or
C:\WINDOWS\system32\mswstr10.dll.
It appears that w3wp.exe is attempting to access these files and is being
denied access. Is there ever a legitimate reason for w3wp.exe to access any
of these files as the Internet Guest user, or are these likely indicative of
some sort of attempt to circumvent security?

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 5/20/2007
Time: 9:28:35 PM
User: XXXXX-EXCH\IUSR_XXXXX-DC
Computer: XXXXX-EXCH
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\system32\drivers\etc\protocol
Handle ID: -
Operation ID: {0,391908395}
Process ID: 5540
Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E4)
Client User Name: IUSR_XXXXX-DC
Client Domain: XXXXX-EXCH
Client Logon ID: (0x0,0x175BE8B8)
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes

Privileges: -
Restricted Sid Count: 0
Access Mask: 0x120189

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


