|
|
You're in the
iis security
group:Is this normal behavior or an attack?
iis security:
entry in the Security log periodically. This example involves C:\WINDOWS\system32\drivers\etc\protocol Sometimes it involves other files as well. Namely c:\windows\system32\msdart.dll, C:\WINDOWS\system32\msjetoledb40.dll, C:\WINDOWS\system32\msjet40.dll, or C:\WINDOWS\system32\mswstr10.dll. It appears that w3wp.exe is attempting to access these files and is being denied access. Is there ever a legitimate reason for w3wp.exe to access any of these files as the Internet Guest user, or are these likely indicative of some sort of attempt to circumvent security? Event Type: Failure Audit Event Source: Security Event Category: Object Access Event ID: 560 Date: 5/20/2007 Time: 9:28:35 PM User: XXXXX-EXCH\IUSR_XXXXX-DC Computer: XXXXX-EXCH Description: Object Open: Object Server: Security Object Type: File Object Name: C:\WINDOWS\system32\drivers\etc\protocol Handle ID: - Operation ID: {0,391908395} Process ID: 5540 Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe Primary User Name: NETWORK SERVICE Primary Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E4) Client User Name: IUSR_XXXXX-DC Client Domain: XXXXX-EXCH Client Logon ID: (0x0,0x175BE8B8) Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes WriteAttributes Privileges: - Restricted Sid Count: 0 Access Mask: 0x120189 For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
It depends.
w3wp.exe itself does not require those resources, but you may be running code inside of w3wp.exe that require those resources. However, if you don't expect such access, then you can view such log entries as security breach denied. If you want to get rid of these event log entries, then you will have to figure out what code running on IIS6 is causing it and stop it. IIS really doesn't have anything to do with it other than restraining the process identity and denying the security breach. //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang // On May 21, 10:53 am, JNeilWix <JNeil...@discussions.microsoft.com> [quoted text, click to view] wrote: > Please see the Security Log event below. It appears that I get a similar > entry in the Security log periodically. This example involves > C:\WINDOWS\system32\drivers\etc\protocol Sometimes it involves other files as > well. Namely c:\windows\system32\msdart.dll, > C:\WINDOWS\system32\msjetoledb40.dll, C:\WINDOWS\system32\msjet40.dll, or > C:\WINDOWS\system32\mswstr10.dll. > It appears that w3wp.exe is attempting to access these files and is being > denied access. Is there ever a legitimate reason for w3wp.exe to access any > of these files as the Internet Guest user, or are these likely indicative of > some sort of attempt to circumvent security? > > Event Type: Failure Audit > Event Source: Security > Event Category: Object Access > Event ID: 560 > Date: 5/20/2007 > Time: 9:28:35 PM > User: XXXXX-EXCH\IUSR_XXXXX-DC > Computer: XXXXX-EXCH > Description: > Object Open: > Object Server: Security > Object Type: File > Object Name: C:\WINDOWS\system32\drivers\etc\protocol > Handle ID: - > Operation ID: {0,391908395} > Process ID: 5540 > Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe > Primary User Name: NETWORK SERVICE > Primary Domain: NT AUTHORITY > Primary Logon ID: (0x0,0x3E4) > Client User Name: IUSR_XXXXX-DC > Client Domain: XXXXX-EXCH > Client Logon ID: (0x0,0x175BE8B8) > Accesses: READ_CONTROL > SYNCHRONIZE > ReadData (or ListDirectory) > ReadEA > ReadAttributes > WriteAttributes > > Privileges: - > Restricted Sid Count: 0 > Access Mask: 0x120189 > > For more information, see Help and Support Center athttp://go.microsoft.com/fwlink/events.asp.
Thank you for the response. I had more or less assumed most of what you
pointed out. There are three key sites on IIS. 1) OWA/OMA; 2) Citrix Remote access; 3) A website for public use (also has some function restricted to emplyee access.) I'll be getting with the web developer about #3, specifically. I was hoping someone here could comment on the functions of the listed DLLs and the protocol file. Is access to any of these required by OWA/OMA for instance? Is there anything in the information from the event log that would, if properly decoded, help me identify which site/app was causing the access? [quoted text, click to view] "David Wang" wrote:
> It depends. > > w3wp.exe itself does not require those resources, but you may be > running code inside of w3wp.exe that require those resources. > > However, if you don't expect such access, then you can view such log > entries as security breach denied. > > If you want to get rid of these event log entries, then you will have > to figure out what code running on IIS6 is causing it and stop it. IIS > really doesn't have anything to do with it other than restraining the > process identity and denying the security breach. > > > //David > http://w3-4u.blogspot.com > http://blogs.msdn.com/David.Wang > // > > > > > > > > On May 21, 10:53 am, JNeilWix <JNeil...@discussions.microsoft.com> > wrote: > > Please see the Security Log event below. It appears that I get a similar > > entry in the Security log periodically. This example involves > > C:\WINDOWS\system32\drivers\etc\protocol Sometimes it involves other files as > > well. Namely c:\windows\system32\msdart.dll, > > C:\WINDOWS\system32\msjetoledb40.dll, C:\WINDOWS\system32\msjet40.dll, or > > C:\WINDOWS\system32\mswstr10.dll. > > It appears that w3wp.exe is attempting to access these files and is being > > denied access. Is there ever a legitimate reason for w3wp.exe to access any > > of these files as the Internet Guest user, or are these likely indicative of > > some sort of attempt to circumvent security? > > > > Event Type: Failure Audit > > Event Source: Security > > Event Category: Object Access > > Event ID: 560 > > Date: 5/20/2007 > > Time: 9:28:35 PM > > User: XXXXX-EXCH\IUSR_XXXXX-DC > > Computer: XXXXX-EXCH > > Description: > > Object Open: > > Object Server: Security > > Object Type: File > > Object Name: C:\WINDOWS\system32\drivers\etc\protocol > > Handle ID: - > > Operation ID: {0,391908395} > > Process ID: 5540 > > Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe > > Primary User Name: NETWORK SERVICE > > Primary Domain: NT AUTHORITY > > Primary Logon ID: (0x0,0x3E4) > > Client User Name: IUSR_XXXXX-DC > > Client Domain: XXXXX-EXCH > > Client Logon ID: (0x0,0x175BE8B8) > > Accesses: READ_CONTROL > > SYNCHRONIZE > > ReadData (or ListDirectory) > > ReadEA > > ReadAttributes > > WriteAttributes > > > > Privileges: - > > Restricted Sid Count: 0 > > Access Mask: 0x120189 > > > > For more information, see Help and Support Center athttp://go.microsoft.com/fwlink/events.asp. > >
[quoted text, click to view]
> Is there anything in the information from the event log that > would, if properly decoded, help me identify which site/app > was causing the access? Unless the event log entry is written by IIS, you really cannot identify actions by site/app. This is because IIS runs site/app code on a thread inside the process, and non-IIS related monitoring only see the thread/process doing something but have no idea what site/app is running on that thread. Only IIS has this information -- so unless IIS is logging that event log entry, you have no generic way to correlate site/app code, unless you isolate one site/app per process or app pool identity. I assume you are running Exchange 2003/2007 on this machine, in which case OWA/OMA runs as LocalSystem process account and is therefore unlikely to be the cause of those event log entries. You will be looking for code running in AppPools configured to run as Network Service. //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang // On May 22, 5:52 am, JNeilWix <JNeil...@discussions.microsoft.com> [quoted text, click to view] wrote: > Thank you for the response. I had more or less assumed most of what you > pointed out. There are three key sites on IIS. 1) OWA/OMA; 2) Citrix Remote > access; 3) A website for public use (also has some function restricted to > emplyee access.) I'll be getting with the web developer about #3, > specifically. I was hoping someone here could comment on the functions of > the listed DLLs and the protocol file. Is access to any of these required by > OWA/OMA for instance? Is there anything in the information from the event > log that would, if properly decoded, help me identify which site/app was > causing the access? > > > > "David Wang" wrote: > > It depends. > > > w3wp.exe itself does not require those resources, but you may be > > running code inside of w3wp.exe that require those resources. > > > However, if you don't expect such access, then you can view such log > > entries as security breach denied. > > > If you want to get rid of these event log entries, then you will have > > to figure out what code running on IIS6 is causing it and stop it. IIS > > really doesn't have anything to do with it other than restraining the > > process identity and denying the security breach. > > > //David > >http://w3-4u.blogspot.com > >http://blogs.msdn.com/David.Wang > > // > > > On May 21, 10:53 am, JNeilWix <JNeil...@discussions.microsoft.com> > > wrote: > > > Please see the Security Log event below. It appears that I get a similar > > > entry in the Security log periodically. This example involves > > > C:\WINDOWS\system32\drivers\etc\protocol Sometimes it involves other files as > > > well. Namely c:\windows\system32\msdart.dll, > > > C:\WINDOWS\system32\msjetoledb40.dll, C:\WINDOWS\system32\msjet40.dll, or > > > C:\WINDOWS\system32\mswstr10.dll. > > > It appears that w3wp.exe is attempting to access these files and is being > > > denied access. Is there ever a legitimate reason for w3wp.exe to access any > > > of these files as the Internet Guest user, or are these likely indicative of > > > some sort of attempt to circumvent security? > > > > Event Type: Failure Audit > > > Event Source: Security > > > Event Category: Object Access > > > Event ID: 560 > > > Date: 5/20/2007 > > > Time: 9:28:35 PM > > > User: XXXXX-EXCH\IUSR_XXXXX-DC > > > Computer: XXXXX-EXCH > > > Description: > > > Object Open: > > > Object Server: Security > > > Object Type: File > > > Object Name: C:\WINDOWS\system32\drivers\etc\protocol > > > Handle ID: - > > > Operation ID: {0,391908395} > > > Process ID: 5540 > > > Image File Name: C:\WINDOWS\system32\inetsrv\w3wp.exe > > > Primary User Name: NETWORK SERVICE > > > Primary Domain: NT AUTHORITY > > > Primary Logon ID: (0x0,0x3E4) > > > Client User Name: IUSR_XXXXX-DC > > > Client Domain: XXXXX-EXCH > > > Client Logon ID: (0x0,0x175BE8B8) > > > Accesses: READ_CONTROL > > > SYNCHRONIZE > > > ReadData (or ListDirectory) > > > ReadEA > > > ReadAttributes > > > WriteAttributes > > > > Privileges: - > > > Restricted Sid Count: 0 > > > Access Mask: 0x120189 > > > > For more information, see Help and Support Center athttp://go.microsoft.com/fwlink/events.asp.- Hide quoted text - > > - Show quoted text -
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |