Re: Is this normal behavior or an attack?



Is there anything in the information from the event log that
would, if properly decoded, help me identify which site/app
was causing the access?

Unless the event log entry is written by IIS, you really cannot
identify actions by site/app. This is because IIS runs site/app code
on a thread inside the process, and non-IIS-related monitoring only
sees the thread/process doing something but has no idea what site/app
is running on that thread. Only IIS has this information -- so unless
IIS is logging that event log entry, you have no generic way to
correlate site/app code, unless you isolate one site/app per process
or app pool identity.

I assume you are running Exchange 2003/2007 on this machine, in which
case OWA/OMA runs as LocalSystem process account and is therefore
unlikely to be the cause of those event log entries. You will be
looking for code running in AppPools configured to run as Network
Service.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




On May 22, 5:52 am, JNeilWix <JNeil...@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
Thank you for the response. I had more or less assumed most of what you
pointed out. There are three key sites on IIS. 1) OWA/OMA; 2) Citrix Remote
access; 3) A website for public use (also has some function restricted to
employee access.) I'll be getting with the web developer about #3,
specifically. I was hoping someone here could comment on the functions of
the listed DLLs and the protocol file. Is access to any of these required by
OWA/OMA for instance? Is there anything in the information from the event
log that would, if properly decoded, help me identify which site/app was
causing the access?



"David Wang" wrote:
It depends.

w3wp.exe itself does not require those resources, but you may be
running code inside of w3wp.exe that requires those resources.

However, if you don't expect such access, then you can view such log
entries as security breach denied.

If you want to get rid of these event log entries, then you will have
to figure out what code running on IIS6 is causing it and stop it. IIS
really doesn't have anything to do with it other than restraining the
process identity and denying the security breach.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

On May 21, 10:53 am, JNeilWix <JNeil...@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
Please see the Security Log event below. It appears that I get a similar
entry in the Security log periodically. This example involves
C:\WINDOWS\system32\drivers\etc\protocol. Sometimes it involves other files as
well, namely c:\windows\system32\msdart.dll,
C:\WINDOWS\system32\msjetoledb40.dll, C:\WINDOWS\system32\msjet40.dll, or
C:\WINDOWS\system32\mswstr10.dll.
It appears that w3wp.exe is attempting to access these files and is being
denied access. Is there ever a legitimate reason for w3wp.exe to access any
of these files as the Internet Guest user, or are these likely indicative of
some sort of attempt to circumvent security?

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 5/20/2007
Time: 9:28:35 PM
User: XXXXX-EXCH\IUSR_XXXXX-DC
Computer: XXXXX-EXCH
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\system32\drivers\etc\protocol
Handle ID: -
Operation ID: {0,391908395}
Process ID: 5540
Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe
Primary User Name: NETWORK SERVICE
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E4)
Client User Name: IUSR_XXXXX-DC
Client Domain: XXXXX-EXCH
Client Logon ID: (0x0,0x175BE8B8)
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes

Privileges: -
Restricted Sid Count: 0
Access Mask: 0x120189

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
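An added example, not code from anyone in the thread: a small Python decoder for the event 560 fields quoted above. It splits the Access Mask into named rights (0x120189 decodes to exactly the six accesses listed in the entry), flags masks that include a modifying right, and counts denials by process, impersonated client and object, which is as far as a non-IIS log can take the correlation David describes. The sample event text is constructed from the quoted entry.

```python
import re
from collections import Counter

# Bits of the event 560 Access Mask for file objects (standard rights plus
# file-specific rights); 0x120189 from the entry above sets exactly six.
FILE_RIGHTS = {
    0x000001: "ReadData (or ListDirectory)", 0x000002: "WriteData (or AddFile)",
    0x000004: "AppendData (or AddSubdirectory)", 0x000008: "ReadEA",
    0x000010: "WriteEA", 0x000020: "Execute/Traverse", 0x000040: "DeleteChild",
    0x000080: "ReadAttributes", 0x000100: "WriteAttributes", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC", 0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
# Rights that would have modified the object had the open been granted.
WRITE_BITS = 0x000002 | 0x000004 | 0x000010 | 0x000100 | 0x010000 | 0x040000 | 0x080000
FIELDS = ("Object Name", "Image File Name", "Primary User Name",
          "Client User Name", "Access Mask")

def decode_access_mask(mask):
    """Names of the rights set in an access mask, lowest bit first."""
    return [name for bit, name in sorted(FILE_RIGHTS.items()) if mask & bit]

def parse_event_560(text):
    """Extract the triage fields from one event 560 description."""
    ev = {}
    for key in FIELDS:
        m = re.search(r"^%s:\s*(.+?)\s*$" % re.escape(key), text, re.M)
        ev[key] = m.group(1) if m else None
    ev["mask"] = int(ev["Access Mask"], 16)
    ev["rights"] = decode_access_mask(ev["mask"])
    # WriteAttributes alone sets this; a weak signal, but worth surfacing.
    ev["requests_write"] = bool(ev["mask"] & WRITE_BITS)
    return ev

def summarize(events):
    """Count denials by (process, impersonated client, object) to spot patterns."""
    return Counter((e["Image File Name"], e["Client User Name"], e["Object Name"])
                   for e in map(parse_event_560, events))

# Constructed sample, reduced from the entry quoted in the thread.
SAMPLE = r"""Object Name: C:\WINDOWS\system32\drivers\etc\protocol
Process ID: 5540
Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe
Primary User Name: NETWORK SERVICE
Client User Name: IUSR_XXXXX-DC
Access Mask: 0x120189
"""

print(parse_event_560(SAMPLE)["rights"], summarize([SAMPLE, SAMPLE]))
```

The primary (Network Service) and client (IUSR) names only narrow the search to app pools running as Network Service with anonymous access, as the reply above notes; identifying the site still needs IIS's own logs or one app pool per site.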


