Auditing Scenarios for Web Application Hosted in IIS - Part 3 - Website deleted
Published Feb 08 2023 11:04 AM
Microsoft

I have come across a few instances where a Root Cause Analysis (RCA) was requested for issues with a web application that were caused by factors such as:

  • Changes to the permissions on the application root folder.
  • The web site being deleted.
  • The SSL certificate binding being modified.

 

Furthermore, there were times when using Process Monitor (Sysinternals) was not possible because the problem was intermittent, such as when files were being written to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys at irregular intervals.

 

The steps below assisted me in enabling auditing to log the necessary events in each scenario. Please feel free to check the other parts of this blog.

 

 

Scenario 3: Website deleted:

 

An IIS web site has two main components that can be deleted: the site's configuration in IIS, and the site's content on the file system (application DLLs, static files such as HTML and CSS, etc.).

 

With the IIS Configuration Auditing feature, it is possible to see changes made to the IIS configuration in Event Viewer. Please note that this is not enabled by default. If it was enabled previously, you can follow the article below to view the logs:

When a site is deleted, an event is logged (provided configuration auditing was enabled before the deletion) that shows the user who made the change and the configuration section that was changed.

By default, IIS backs up its configuration, so you may be able to restore it; please refer to the article below for the steps:

 

If the web site's content is deleted, file system auditing can show changes made to specific folders. This is not enabled by default:

 

The references below help with folder auditing, which adds events to the Security event log. As this is not enabled by default, you can plan to enable it to see changes made to folders and their permissions.

 

  • Event 4659 (A handle to an object was requested with intent to delete) can be used to identify the principal who deleted a particular file or folder. Its details include the subject (user) and the object name of the deleted file or folder.

  1. Apply a basic audit policy on a file or folder (Windows 10) - Windows security | Microsoft Learn
    • To create an auditing policy for all users that covers only folder/file deletion, open the properties of the folder to be audited and go to Security >> Advanced >> Auditing >> Add >> Show advanced permissions, then select the Delete permissions.

  1. Enable File System Auditing:
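As an added example (not the post's own steps), the following PowerShell script enables the IIS configuration audit log and file system auditing for deletions on the site content folder, then lists the Security events that name the principal who deleted something under that folder. It assumes an elevated session and a placeholder site folder C:\inetpub\wwwroot\MySite; the wevtutil channel name and the extra 4663 access-mask check are my additions beyond what the post shows.

```powershell
# Added example, not part of the original post. Assumes an elevated PowerShell
# session and a placeholder site content folder.
$SitePath = 'C:\inetpub\wwwroot\MySite'

# --- IIS configuration auditing: enable the Microsoft-IIS-Configuration/Operational
#     log, which records who changed which configuration section (e.g. a site deletion).
wevtutil.exe set-log 'Microsoft-IIS-Configuration/Operational' /enabled:true

# --- File system auditing, step 1: turn on the "File System" audit subcategory
#     (Advanced Audit Policy > Object Access). Without it, SACL entries log nothing.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# --- File system auditing, step 2: SACL entry auditing successful Delete and
#     "Delete subfolders and files" for Everyone, inherited by the whole content tree
#     (the same thing the Auditing tab with "Show advanced permissions" configures).
$acl    = Get-Acl -Path $SitePath -Audit
$rights = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, 'ContainerInherit, ObjectInherit', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $SitePath -AclObject $acl

# --- RCA: who requested a delete handle on something under the site folder?
#     4659 = handle requested with intent to delete; 4663 with DELETE (0x10000) in
#     the access mask also records ordinary deletions. Fields are read by name from
#     the event XML rather than by position.
function Get-SiteDeleteAudit {
    param([string]$Path = $SitePath)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4659, 4663 } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d.ObjectName -like "$Path*" -and
            ($_.Id -eq 4659 -or ([int]$d.AccessMask -band 0x10000))) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object  = $d.ObjectName
                Process = $d.ProcessName   # present on 4663; empty for 4659
            }
        }
      }
}
Get-SiteDeleteAudit | Format-Table -AutoSize
```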

 

 

Happy Troubleshooting!

Last update: Apr 07 2023 03:51 PM