Auditing Scenarios for Web Application Hosted in IIS - Part 2 - Permissions changed on Folder

I have come across a few instances Root Cause Analysis (RCA) was requested for issues related to a web application that were caused by factors such as:

• Changes in permission of the Application Root folder.
• Web site being deleted.
• SSL certificate binding modified.

Furthermore, there were times when using Process Monitor - Sysinternals | Microsoft Learn was not possible because the problem was intermittent, such as when files were being written to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys at irregular intervals.

The steps below assisted me in enabling auditing to log the necessary events in each scenario.  Please feel free to check other parts of this blog:

• Part 1- Auditing Scenarios for Web Application Hosted in IIS - Part 1 - SSL Binding Modified - Microsoft Community Hub
• Part 3- Auditing Scenarios for Web Application Hosted in IIS - Part 3 - Website deleted - Microsoft Community Hub
• Part 4- Auditing Scenarios for Web Application Hosted in IIS - Part 4 - Files being written to folder - Microsoft Community Hub

Scenario 2: Permissions changed on Application Root Folder:

• 4670(S) Permissions on an object were changed. (Windows 10) - Windows security | Microsoft Learn – Event can be referred to review changes made to permissions of the folder. This is written to Security event logs when an audit policy is created for a folder followed by enabling auditing. Please find the steps for the same.

1. Apply a basic audit policy on a file or folder (Windows 10) - Windows security | Microsoft Learn
   • 

      

      

      

      

• To create Auditing policy for all the users and only for permission change events, you can refer below (folder to be audited >> properties >> security >> advanced >> auditing >> add >> show advanced permissions):
• Adding all permissions would result in lot of events, also please refer to ‘More considerations’ section of Apply a basic audit policy on a file or folder (Windows 10) - Windows security | Microsoft Learn.
2. Enable File System Auditing:

• Open Local Security Policy Editor (run >> secpol.msc)
• Advanced Audit Policy Configuration >> Audit File System >> configure for success and failure.

• Reference:
  • Advanced security audit policy settings (Windows 10) - Windows security | Microsoft Learn
  • Audit File System (Windows 10) - Windows security | Microsoft Learn

• A Sample 4670(S): Permissions on an object were changed event, which will be written to security event logs:
  
  • 

     

  • More details on event - 4670(S) Permissions on an object were changed. (Windows 10) - Windows security | Microsoft Learn
  • Reading Security Descriptor (which has the details of old and changed permissions in the event):
    • 4670(S) Permissions on an object were changed. (Windows 10) - Windows security | Microsoft Learn
    • The Security Descriptor Definition Language of Love (Part 1) - Microsoft Community Hub
    • The Security Descriptor Definition Language of Love (Part 2) - Microsoft Community Hub
  • The principle for which the access for modified is written in the SID string format. You can decrypt the SID using the tool PsGetSid - Windows Sysinternals | Microsoft Learn.
    • Ex - .\PsGetsid.exe S-X-X-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    • Please note this command should be run on the machine where the principle is present/accessible.

Happy Troubleshooting!