I have come across a few instances Root Cause Analysis (RCA) was requested for issues related to a web application that were caused by factors such as:
- Changes in permission of the Application Root folder.
- Web site being deleted.
- SSL certificate binding modified.
Furthermore, there were times when using Process Monitor - Sysinternals | Microsoft Learn was not possible because the problem was intermittent, such as when files were being written to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys at irregular intervals.
The steps below assisted me in enabling auditing to log the necessary events in each scenario. Please feel free to check other parts of this blog:
- Part 2- Auditing Scenarios for Web Application Hosted in IIS - Part 2 - Permissions changed on Folder - Micr...
- Part 3- Auditing Scenarios for Web Application Hosted in IIS - Part 3 - Website deleted - Microsoft Communit...
- Part 4- Auditing Scenarios for Web Application Hosted in IIS - Part 4 - Files being written to folder - Micr...
Scenario 1: SSL binding modified:
When we configure an SSL Binding for HTTPs in IIS, a registry entry is made to the path HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\HTTP\PARAMETERS\. This is used by HTTP.sys driver for TLS handshake. You can also view all the SSL bindings using netsh http show sslcert.
References:
- Netsh Commands for Hypertext Transfer Protocol (HTTP) | Microsoft Learn
- Introduction to IIS Architectures | Microsoft Learn
Option 1: Using Sysmon to monitor Registry.
===================================
Sysmon - Sysinternals | Microsoft Learn is great tool for "offline monitoring" of processes, file I/O and registry. We can setup Sysmon configuration to write events for Registry activity on HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\HTTP\PARAMETERS\.
Sample Steps (configure as needed):
========
- Download and extract Sysmon from Sysmon - Sysinternals | Microsoft Learn.
- Install Sysmon drivers:
- Sysmon64 -i (run as administrator)
- Create a configuration file - regedit.xml for monitoring the registry path:
<Sysmon schemaversion="4.82">
<EventFiltering>
<!-- Do not log process termination and creations -->
<ProcessCreate onmatch="include" />
<ProcessTerminate onmatch="include" />
<RegistryEvent onmatch="include">
<TargetObject condition="contains">Services\HTTP\Parameters</TargetObject>
</RegistryEvent>
</EventFiltering>
</Sysmon>
- Configure sysmon:
- copy regedit.xml to extracted folder of sysmon.
- cd <folder to sysmon>
- sysmon64 -c regedit.xml
- Notice the events 12,13 after a binding change in IIS:
- Event Viewer -> Application and Services Log -> Microsoft -> Windows -> Sysmon.
- Uninstalling Sysmon:
- sysmon64 -u
- More details and customization - Sysmon - Sysinternals | Microsoft Learn
Option 2: Using Operating System and IIS Auditing.
=====================================
For capturing SSL certificate changes, we found 3 types of Audits would help:
- Registry Auditing – if changes done directly at registry level
- Process Auditing (enabled by default) – If the changes are done using netsh.
- IIS Configuration Auditing – If the changes are done using IIS Manager
- Registry Auditing:
- Open regedit and navigate to the registry key HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\HTTP\PARAMETERS\
- Right Click and Select Permissions
- Select Advanced Permissions
- Go to Auditing Tab
- Click on Add
- Click on Select Principal >> Add Everyone and click on advanced permissions. Select the checked permissions as mentioned in the below image.
- Open Local Security Policy Editor (run >> secpol.msc)
- Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> Audit Registry >> configure for success and failure )
- If changes are made to the Audited Registry folder, we would see an event like below in security event logs:
- Reference - 4657(S) A registry value was modified. (Windows 10) | Microsoft Learn
2. Process Auditing
- If the SSL cert is modified by netsh command, we can review process creation event in Security logs (usually enabled by default):
- If you don't see process creation events, enable the auditing by referring below steps (or use GPO):
- run >> Secpol.msc >> Advanced Policy Configuration >> System Audit Policies:
- Detailed Tracking >> Audit Process creation >> Configure for success and failure
- run >> Secpol.msc >> Advanced Policy Configuration >> System Audit Policies:
- References
3. IIS Configuration Auditing
- If the changes are done from IIS Manager, we can refer IIS configuration Auditing:
- To enable IIS configuration logging, please refer - IIS 7.5 – How to enable IIS Configuration Auditing? - Microsoft Community Hub.
Happy Troubleshooting!