If you enable (success) auditing for "Audit Logon Events" or "Audit Account
Logon Events" will it log I_User account logon's? Obviously, my concern
would be for a high traffic web server getting an essentail DOS attack
against itself due to a high volume amount of logging in the security logs.

The descriptions on MS site don't say specifically either way...

TIA,

ML

From my WAS test it doesn't show any massive logging.
4 events -

a) id = 680 -> iusr a/c
b) id = 552 -> network service (app pool)
c) id = 540 -> sucessful login (iusr)
d) id = 576 -> SeChangeNotifyPrivilege (iusr)

and another round if the app pool was recycle.

I only enable 'fail' entry to be logged in W2k live production box.

--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...



"ML.net" <mattlunzer@hotmail.com> ????
news:eeR2CdFwDHA.1996@TK2MSFTNGP12.phx.gbl...
[quoted text, click to view]

IIS does cache user tokens (amongst many other things) for performance
reasons. You are not going to see a IUSR logon for every request.

Event logs entries like the ones you are concerned with are not going to DoS
your box since event logs usually recycles over itself. It's going to
possibly prevent you from carrying out repudiation, though.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
[quoted text, click to view]
If you enable (success) auditing for "Audit Logon Events" or "Audit Account
Logon Events" will it log I_User account logon's? Obviously, my concern
would be for a high traffic web server getting an essentail DOS attack
against itself due to a high volume amount of logging in the security logs.

The descriptions on MS site don't say specifically either way...

TIA,

ML