Browse By Category

Free Power Tools Brochure
Get Mark Minasi's
17-page guide today!

First Name *

Last Name *

Email Address *

* I agree to this site's
terms of use & privacy statement.

Get Newsletters

Get the Latest News
Product Updates
Helpful Tricks
Productivity Tips

Subscribe Now!

February 15, 2005 04:15 PM

Identifying Web Site Logons in the Security Log

Rating:

(0)

Randy Franklin Smith

Windows IT Pro

InstantDoc ID #45214

Main Article: Access Denied

I run a Windows Server 2003 Web site that requires basic authentication over Secure Sockets Layer (SSL) for logon. In the Security log, can I distinguish logons to the Web site from other logons such as console logons or logons from the trusted internal network (e.g., Terminal Services logons, network connection logons)?

Enable the Audit logon events policy on your Web server, then look for occurrences of event ID 540 (Successful Network Logon) in which the logon process is Advapi and the logon type is 8. Figure 1 shows an example of such an event. Event ID 540 indicates that a client has connected to the computer from over the network to, for example, access a shared folder or log on to the server via Microsoft IIS. Advapi is the logon process IIS uses for handling Web logons. Logon type 8 indicates a network logon that uses a clear-text password, which is the case when someone uses basic authentication to log on to IIS. Of course, because the browser and server have already established an SSL session, the clear-text password isn't visible to eavesdroppers.

Because some other types of connections can generate an event ID 540 with logon type 8, you should ensure that IIS generated the event by checking the Caller Process ID field. This field's value will match the process identifier (PID) of the W3wp process—IIS's core process. You can find W3wp's PID by looking in Windows Task Manager on the Processes tab. You might need to use View, Select Columns to add the PID column to Task Manager. Event ID 540 also provides the IP address of the Web client in the Source Network Address field.

Note that it's normal for an event ID 576 (Special privileges assigned to new logon) to follow an event ID 540 and an event ID 552 (Logon attempt using explicit credentials) to precede it. If your server has good Windows default security settings, users who log on will quite likely have the SeChangeNotifyPrivilege (aka Bypass traverse checking) privilege, which isn't a security problem. And Windows logs event ID 552 whenever a process impersonates another account, such as IIS impersonating the Web user.

ARTICLE TOOLS

Want to use this article? Click here for options!

Add a Comment

I thought Basic Auth logins were processed as "logon locally" under IIS (unless this has changed for v6?). I seem to remember that you had to grant the "logon locally" right in user privileges (which was always a major pain...).

http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/sec_auth_basicauth.mspx

cheers,
Steve

Anonymous User 2/20/2005 1:24:12 AM

You must log on before posting a comment.

Are you a new visitor? Register Here

Related Resources

Business Process Automation - Managing Cost in Your Enterprise
A EBook by Network Automation

Safeguarding Your Windows Servers
A EBook by Veritas

How to Select the Right Search Solution for Your Business
A Podcast by BA-Insight

8 Things to Consider Before Sinking Money into Endpoint Security
A Tip Guide by Symantec

Setup rights to helpdesk group to unlock shared files

Does anyone know how to setup a group or permissions for a group (helpdesk) to be able to unlock a shared network file such as a spreadsheet or Access...222-96217

Exchange Licenses

Domain Functional Level

Ping Results

GOOGLE LINKS

Podcasts

To successfully implement virtual desktops, IT administrators must carefully match user requirements to specific desktop technologies. Listen to this podcast to learn what you need to keep in mind when formulating your approach to desktop virtualization.

Downloads

PacketTrap IT is a comprehensive and affordable network management and application monitoring solution that solves problems associated with bandwidth, network and application performance, and connectivity. Gain insight into your network - try PacketTrapIT free for 21 days!

Web Seminars

Aside from its employees, data is an organization’s most important resource. Join Windows technical specialist and 11-time MVP John Savill to learn the best practices for managing data using features in Windows Server.
View this web seminar on demand!

eLearning Series

We bring the experts direct to you to share their real-world perspective and expertise. During each event, three sessions stream in real time, so you can learn, ask questions, and get solutions.
Upcoming event: Getting the Most with Exchange 2010 with Paul Robichaux

Windows IT Pro, we're in IT with you