[This is preliminary documentation and subject to change]
Detecting Unauthorized Access
You can review IIS logs and Windows security logs to monitor
security events over extended periods of time. Use the Microsoft
Management Console to view the Windows Security Log; IIS logs can be
viewed with any text editor or word processor. For more information
about viewing IIS logs, see Logging Site Activity.
In the Windows Security Log, you can detect unauthorized access
attempts, which can appear as warning or error log entries. You can
also archive these logs for later use. For more information about
auditing, consult the Windows documentation.
To detect possible security problems by reviewing the Windows Security Log
- Click Start, point to Settings, click Control
Panel, double-click Administrative Tools, then
double-click Computer Management.
- Expand System Tools.
- Expand Event Viewer.
- Select Security Log.
Note
If you are not able to view the security log, then
the user account you are using does not have privileges to do so.
This happens because the domain-level security policies override
the local computer-level security policies, which means that you
can be logged on as the Administrator of your local computer, but
not have access to its security log. To get these permissions, see
your network administrator. For more information about security
policies, see the Windows documentation.
- Inspect the logs for suspicious security events, including the
  following:
  - Invalid logon attempts.
  - Failed use of privileges.
  - Failed attempts to access and modify .bat or .cmd files.
  - Attempts to alter security privileges or the audit log.
  - Attempts to shut down the server.
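The following script is an added example, not part of the original documentation: it triages a Windows Security Log that has been saved as a comma-delimited (.csv) file and sorts the rows into the suspicious-event classes listed above. It assumes the Event Viewer CSV export uses the column order Date,Time,Source,Type,Category,Event,User,Computer, that audit categories carry the Windows 2000 names (Logon/Logoff, Privilege Use, Policy Change, System Event), and that event 517 is "audit log cleared" and 513 is "Windows is shutting down"; all of those are assumptions, and the sample rows are constructed for illustration.

```python
"""Triage a Windows Security Log exported as a .csv file.

Added example (not from the original documentation). Column order,
audit category names and the two event IDs below are assumptions.
"""
import csv
import io
from collections import Counter

# Constructed sample export, not a real log.
SAMPLE_CSV = """\
Date,Time,Source,Type,Category,Event,User,Computer
03/14/2001,08:02:11,Security,Success Audit,Logon/Logoff,528,WEB01\\alice,WEB01
03/14/2001,08:03:40,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,WEB01
03/14/2001,08:03:41,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,WEB01
03/14/2001,08:03:42,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,WEB01
03/14/2001,08:10:05,Security,Failure Audit,Privilege Use,578,WEB01\\guest,WEB01
03/14/2001,08:15:22,Security,Success Audit,Policy Change,612,WEB01\\bob,WEB01
03/14/2001,08:16:00,Security,Success Audit,System Event,517,WEB01\\bob,WEB01
03/14/2001,08:20:30,Security,Success Audit,System Event,513,WEB01\\bob,WEB01
"""

# Assumed Windows 2000 event IDs (not stated on the page).
AUDIT_LOG_CLEARED = "517"
SYSTEM_SHUTDOWN = "513"


def classify(row):
    """Map one exported row to one of the suspicious-event classes the
    documentation lists, or None when the row is benign."""
    failed = row["Type"] == "Failure Audit"
    category = row["Category"]
    event = row["Event"]
    if event == AUDIT_LOG_CLEARED:
        return "audit log cleared"
    if category == "Policy Change":
        return "security policy or audit settings changed"
    if failed and category == "Logon/Logoff":
        return "invalid logon attempt"
    if failed and category == "Privilege Use":
        return "failed use of privileges"
    if category == "System Event" and event == SYSTEM_SHUTDOWN:
        return "server shutdown"
    return None


def triage(csv_text, logon_failure_threshold=3):
    """Return (counts_by_class, findings). Invalid logons are reported
    once per computer when they reach the threshold, because a single
    mistyped password is normal; everything else is reported per row."""
    reader = csv.DictReader(io.StringIO(csv_text))
    counts = Counter()
    findings = []
    logon_failures = Counter()
    for row in reader:
        label = classify(row)
        if label is None:
            continue
        counts[label] += 1
        stamp = f"{row['Date']} {row['Time']}"
        if label == "invalid logon attempt":
            host = row["Computer"]
            logon_failures[host] += 1
            if logon_failures[host] == logon_failure_threshold:
                findings.append(
                    f"{stamp}: {logon_failure_threshold}+ invalid logon attempts on {host}")
            continue
        findings.append(f"{stamp}: {label} (event {row['Event']}, user {row['User']})")
    return counts, findings


if __name__ == "__main__":
    totals, notes = triage(SAMPLE_CSV)
    for label, n in totals.items():
        print(f"{n:3d}  {label}")
    for note in notes:
        print(note)
```

The order of the checks matters: an audit-log-cleared event is a success audit, so it has to be recognised by event ID before the failure-audit rules, and a policy change is worth a look whether or not it succeeded. Raise the logon threshold on a busy domain controller and lower it on a web server that should see few interactive logons.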
To archive a Windows Security Log
- Click Start, point to Settings, click Control
Panel, double-click Administrative Tools, then
double-click Computer Management.
- Expand System Tools.
- Expand Event Viewer.
- Select Security.
- On the Action menu, click Save Log File As.
- In the Save As dialog box, select the directory you want
to save the file to, and type in a name for the file.
Note
The security log can be saved as an event (.evt)
file, a text (.txt) file, or a comma-delimited (.csv) file.
To open an archived Windows Security Log
- Click Start, point to Settings, click Control
Panel, double-click Administrative Tools, then
double-click Computer Management.
- Expand System Tools.
- Expand Event Viewer.
- On the Log menu, select Security.
- On the Action menu, point to New and click Log View.
- In the Add Another Log View dialog box, select Saved (opens a
  previously saved log) and browse to the file.
- In the Log type drop-down list, select Security.
- Click OK to open the file in the viewer.
To detect possible security problems by reviewing IIS log files
- In a text editor, such as Notepad, open the log file. For more
information about log files, see Logging Site Activity.
- Inspect the logs for suspicious security events, including the
  following:
  - Multiple failed commands attempting to run executable files or
    scripts. (You should closely monitor the Scripts directory.)
  - Excessive failed logon attempts from a single IP address, with
    the possible intention of increasing network traffic or denying
    access to other users.
  - Failed attempts to access and modify .bat or .cmd files.
  - Unauthorized attempts to upload files to a directory containing
    executable files.
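The script below is an added example, not code from the original documentation: it reads an IIS log in W3C Extended format and flags the four kinds of suspicious request listed above. It assumes the log carries a "#Fields:" directive naming the columns (the particular field list used here is an assumption), that executables and scripts are served from /Scripts/, and that a 401 status marks a rejected logon; the log lines are constructed for illustration.

```python
"""Flag suspicious requests in an IIS W3C Extended format log.

Added example, not part of the original documentation. The field list,
the /Scripts/ location and the 401-as-failed-logon rule are assumptions.
"""
from collections import Counter, defaultdict

# Constructed sample log, not captured from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-03-14 08:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2001-03-14 08:00:01 10.0.0.5 - GET /default.htm - 200
2001-03-14 08:00:02 10.0.0.9 - GET /Scripts/admin.bat - 404
2001-03-14 08:00:03 10.0.0.9 - GET /Scripts/run.cmd - 403
2001-03-14 08:00:04 10.0.0.9 - GET /Scripts/tools.exe - 500
2001-03-14 08:00:05 10.0.0.9 - PUT /Scripts/upload.asp - 401
2001-03-14 08:00:06 10.0.0.7 - GET /secure/report.asp - 401
2001-03-14 08:00:07 10.0.0.7 - GET /secure/report.asp - 401
2001-03-14 08:00:08 10.0.0.7 - GET /secure/report.asp - 401
2001-03-14 08:00:09 10.0.0.7 - GET /secure/report.asp - 401
2001-03-14 08:00:10 10.0.0.7 - GET /secure/report.asp - 401
2001-03-14 08:00:11 10.0.0.5 alice GET /secure/report.asp - 200
"""

BATCH_SUFFIXES = (".bat", ".cmd")
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".com") + BATCH_SUFFIXES
EXECUTABLE_DIRS = ("/scripts/",)   # assumption: where executables live
UPLOAD_METHODS = {"PUT", "POST"}


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the most
    recent #Fields: directive. Directive lines start with '#'; a log
    may contain several #Fields: lines if the server was restarted, so
    the column mapping is refreshed whenever one appears."""
    fields = None
    for line in text.splitlines():
        if not line or line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            continue                      # data before any header
        values = line.split()             # W3C values are space-delimited
        if len(values) != len(fields):
            continue                      # truncated or malformed line
        yield dict(zip(fields, values))


def review(text, failed_logon_threshold=5):
    """Return {finding class: [messages]} for the request lines in text."""
    findings = defaultdict(list)
    failed_logons = Counter()
    for r in parse_w3c(text):
        status = int(r["sc-status"])
        path = r["cs-uri-stem"].lower()
        failed = status >= 400
        in_exec_dir = path.startswith(EXECUTABLE_DIRS)
        where = (f"{r['date']} {r['time']} {r['c-ip']} "
                 f"{r['cs-method']} {r['cs-uri-stem']} -> {status}")
        # Upload rule first so a rejected PUT is not double-counted below.
        if failed and r["cs-method"] in UPLOAD_METHODS and in_exec_dir:
            findings["unauthorized upload to executable directory"].append(where)
        elif failed and path.endswith(BATCH_SUFFIXES):
            findings["failed .bat/.cmd access"].append(where)
        elif failed and (in_exec_dir or path.endswith(EXECUTABLE_SUFFIXES)):
            findings["failed executable/script request"].append(where)
        if status == 401:
            failed_logons[r["c-ip"]] += 1
            if failed_logons[r["c-ip"]] == failed_logon_threshold:
                findings["excessive failed logon attempts"].append(
                    f"{r['c-ip']}: {failed_logon_threshold}+ requests rejected with 401")
    return dict(findings)


if __name__ == "__main__":
    for label, messages in review(SAMPLE_LOG).items():
        print(label)
        for m in messages:
            print("   ", m)
```

Reading the column names from the "#Fields:" line rather than hard-coding positions keeps the parser working when the logged fields are changed in the IIS logging properties. The threshold for failed logons is per client address, so a single user who mistypes a password is not reported, while a sustained run of 401 responses from one address is.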
© 1997-2001 Microsoft Corporation. All rights reserved.