I have come across a few instances where Root Cause Analysis (RCA) was requested for issues related to a web application that were caused by factors such as:
- Changes in permission of the Application Root folder.
- Web site being deleted.
- SSL certificate binding modified.
Furthermore, there were times when using Process Monitor (Sysinternals) was not possible because the problem was intermittent, such as when files were being written to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys at irregular intervals.
The steps below assisted me in enabling auditing to log the necessary events in each scenario. Please feel free to check other parts of this blog:
- Auditing Scenarios for Web Application Hosted in IIS - Part 1 - SSL Binding Modified
- Auditing Scenarios for Web Application Hosted in IIS - Part 2 - Permissions changed on Folder
- Auditing Scenarios for Web Application Hosted in IIS - Part 3 - Website deleted
Scenario 4: Files being written to folder:
- Event 4663(S): An attempt was made to access an object. This event shows the process and user writing to the folder or file.
- Reference: Audit the access of global system objects (Windows 10), Windows security, Microsoft Learn. The steps below enable auditing for files being written to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys in this example.
- Reference: Apply a basic audit policy on a file or folder (Windows 10), Windows security, Microsoft Learn.
- Enable auditing for "Create files / write data" on the folder: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys (or <folder to be audited>) >> Properties >> Security >> Advanced >> Auditing >> Add >> Show advanced permissions.
2. Enable File System Auditing:
- Open Local Security Policy Editor (run >> secpol.msc)
- Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit File System >> configure for Success and Failure.
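The folder audit entry, the File System audit policy and the lookup of the resulting 4663 events can also be scripted from an elevated PowerShell prompt. This is an added example, not part of the original post; the `Everyone` principal, the inheritance scope and the 24-hour lookback window are assumptions.

```powershell
# Added example. Run elevated: reading and writing the SACL needs SeSecurityPrivilege.
$folder = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'   # folder from this post

# Audit entry on the folder for "Create files / write data".
# Assumption: audit Everyone, applied to this folder, subfolders and files.
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::CreateFiles,  # same bit as WriteData (0x2)
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Command-line equivalent of the secpol.msc "Audit File System" setting.
# The subcategory name is localized on non-English systems.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Later: list who wrote into the folder, from Security event 4663.
$since  = (Get-Date).AddHours(-24)                                # assumed window
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$writes = foreach ($e in $events) {
    # Flatten the EventData name/value pairs into a hashtable.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Keep events under the audited folder whose AccessMask includes WriteData/AddFile (0x2).
    $mask = [Convert]::ToInt32($d.AccessMask, 16)
    if ($d.ObjectName -like "$folder*" -and ($mask -band 0x2)) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
            Process   = $d.ProcessName
            ProcessId = [Convert]::ToInt32($d.ProcessId, 16)
            File      = $d.ObjectName
        }
    }
}

# One row per user/process pair, busiest writers first.
$writes | Group-Object User, Process | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Both the audit entry and the policy must be in place before 4663 is logged; remove the audit rule once the RCA is done to keep the Security log from filling up.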
Happy Troubleshooting!
Updated Apr 07, 2023
Version 3.0
manojdixit
Microsoft