I have come across a few instances where a Root Cause Analysis (RCA) was requested for issues related to a web application that were caused by factors such as:
Furthermore, there were times when using Process Monitor - Sysinternals | Microsoft Learn was not possible because the problem was intermittent, such as when files were being written to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys at irregular intervals.
The steps below assisted me in enabling auditing to log the necessary events in each scenario. Please feel free to check other parts of this blog:
Scenario 1: SSL binding modified:
When we configure an SSL binding for HTTPS in IIS, a registry entry is created under HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\HTTP\PARAMETERS\ (in the SslBindingInfo subkey). The HTTP.sys driver reads this entry to pick the certificate it presents during the TLS handshake, so a changed, deleted or wrong entry here shows up as an HTTPS failure. You can also list all SSL bindings as HTTP.sys sees them with netsh http show sslcert.
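As an added example (not code from the original post), the PowerShell below reads the bindings straight from that registry key and cross-checks each one against the certificate store, which is often the quickest way to spot the root cause (expired certificate, thumbprint pointing at a certificate that no longer exists, binding owned by an unexpected AppId). It assumes the value names HTTP.sys uses under SslBindingInfo (SslCertHash, SslCertStoreName, AppId) and that hostname (SNI) bindings live in the sibling SslSniBindingInfo key on newer Windows versions; run it from an elevated prompt.

```powershell
# Added example, not part of the original post: dump HTTP.sys SSL bindings from the
# registry, resolve each certificate, and compare with 'netsh http show sslcert'.
# Assumed layout: <Parameters>\SslBindingInfo\<ip:port> with SslCertHash (REG_BINARY),
# SslCertStoreName (REG_SZ, defaults to My) and AppId (REG_BINARY GUID).

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Get-HttpSysSslBinding {
    foreach ($sub in 'SslBindingInfo', 'SslSniBindingInfo') {
        $key = Join-Path $paramsKey $sub
        if (-not (Test-Path $key)) { continue }
        foreach ($k in Get-ChildItem $key) {
            $v = Get-ItemProperty $k.PSPath

            # SslCertHash is REG_BINARY; netsh prints it as a lowercase hex thumbprint
            $thumb = if ($v.SslCertHash) {
                ($v.SslCertHash | ForEach-Object { $_.ToString('x2') }) -join ''
            }
            $store = if ($v.SslCertStoreName) { $v.SslCertStoreName } else { 'My' }

            # Resolve the certificate so a missing or expired cert is visible in the RCA
            $cert = if ($thumb) {
                Get-ChildItem "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
                    Where-Object { $_.Thumbprint -ieq $thumb }
            }

            [pscustomobject]@{
                Binding    = $k.PSChildName            # ip:port, or hostname:port for SNI
                Thumbprint = $thumb
                Store      = $store
                AppId      = if ($v.AppId) { [guid]::new([byte[]]$v.AppId) }
                CertFound  = [bool]$cert
                NotAfter   = if ($cert) { $cert.NotAfter }
                Subject    = if ($cert) { $cert.Subject }
            }
        }
    }
}

Get-HttpSysSslBinding | Format-Table -AutoSize

# HTTP.sys's own view, for comparison: the bindings and hashes should match the table above
netsh http show sslcert
```

If the registry table and the netsh output disagree (for example a binding present in the registry but absent from netsh), HTTP.sys has not picked up the change yet, which usually points at a restart of the HTTP service being needed rather than at IIS configuration.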
References:
Option 1: Using Sysmon to monitor Registry.
===================================
Sysmon - Sysinternals | Microsoft Learn is a great tool for "offline" (unattended, always-on) monitoring of processes, file I/O and registry, so it catches the intermittent cases where nobody is watching Process Monitor at the right moment. We can set up a Sysmon configuration that writes events for registry activity under HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\HTTP\PARAMETERS\.
Sample Steps (configure as needed):
========
<Sysmon schemaversion="4.82">
  <EventFiltering>
    <!-- Do not log process termination and creations -->
    <ProcessCreate onmatch="include" />
    <ProcessTerminate onmatch="include" />
    <RegistryEvent onmatch="include">
      <TargetObject condition="contains">Services\HTTP\Parameters</TargetObject>
    </RegistryEvent>
  </EventFiltering>
</Sysmon>
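To go from the configuration above to an answer for the RCA, here is an added example (not part of the original post) that installs or reloads Sysmon with that configuration and then pulls the registry events it produces. Sysmon records registry activity as event ID 12 (key created/deleted), 13 (value set) and 14 (key or value renamed) in the Microsoft-Windows-Sysmon/Operational log; the config file path, and the Sysmon64 service name produced by sysmon64.exe, are assumptions. Run elevated.

```powershell
# Added example, not part of the original post: apply the Sysmon config above and
# list who touched HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters.
# Assumption: the XML above is saved at $configPath and sysmon64.exe is on PATH.

$configPath = 'C:\Sysmon\sysmon-http.xml'

# First install uses -i; an already-running Sysmon just takes the new config with -c
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & sysmon64.exe -c $configPath
} else {
    & sysmon64.exe -accepteula -i $configPath
}

function Get-HttpParamRegistryEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 12, 13, 14        # registry key, value and rename events
        StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # Sysmon stores its fields as <Data Name="..."> elements; flatten them to a hashtable
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Type    = $d.EventType      # SetValue, CreateKey, DeleteKey, ...
            Target  = $d.TargetObject   # full registry path that was touched
            Details = $d.Details        # new value for event 13
            Image   = $d.Image          # process that made the change
            Pid     = $d.ProcessId
            User    = $d.User
        }
    } | Where-Object { $_.Target -like '*Services\HTTP\Parameters*' }
}

Get-HttpParamRegistryEvents | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The Image and User columns are what an RCA usually needs: a change made by w3wp.exe or inetsrv\appcmd.exe under an administrator's account tells a different story from one made by an unexpected service or scheduled task.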
Option 2: Using Operating System and IIS Auditing.
=====================================
For capturing SSL certificate changes, we found three types of audit helpful:
2. Process Auditing
3. IIS Configuration Auditing
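The following PowerShell is an added example (not part of the original post) that switches on the auditing described in this option and pulls the resulting events into one timeline. It turns on registry object-access auditing for the HTTP\Parameters key (a SACL on the key plus the Registry audit subcategory), process creation auditing with command lines, and the IIS configuration operational log. It assumes Advanced Audit Policy via auditpol is in effect, that the Microsoft-IIS-Configuration/Operational channel exists (IIS 8.5 and later), and that it runs from an elevated prompt.

```powershell
# Added example, not part of the original post: enable registry, process and IIS
# configuration auditing, then query the events relevant to an SSL binding change.

$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

# --- Registry (object access) auditing: needs both the policy and a SACL on the key ---
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

$acl  = Get-Acl -Path $httpParams -Audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    [System.Security.Principal.SecurityIdentifier]'S-1-1-0',   # Everyone
    'SetValue, CreateSubKey, Delete, WriteKey',                 # writes only; reads are too noisy
    'ContainerInherit, ObjectInherit',                          # cover SslBindingInfo subkeys
    'None',
    'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $httpParams -AclObject $acl

# --- Process auditing: event 4688, with the command line included ---
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
$auditPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditPolicy -Force | Out-Null
New-ItemProperty -Path $auditPolicy -Name ProcessCreationIncludeCmdLine_Enabled `
    -Value 1 -PropertyType DWord -Force | Out-Null

# --- IIS configuration auditing: enable the operational channel ---
wevtutil sl Microsoft-IIS-Configuration/Operational /e:true

function Get-SslBindingAuditTrail {
    param([datetime]$Since = (Get-Date).AddHours(-24))

    # 4657 = registry value modified, 4663 = object access attempt, 4688 = process created
    $security = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4657, 4663, 4688; StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -eq 4688 -or $_.Message -match 'Services\\HTTP\\Parameters' }

    $iis = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-IIS-Configuration/Operational'; StartTime = $Since
    } -ErrorAction SilentlyContinue

    @($security) + @($iis) | Sort-Object TimeCreated | Select-Object TimeCreated, LogName, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

Get-SslBindingAuditTrail | Format-Table -AutoSize -Wrap
```

Event 4657 names the process that wrote the value, and 4688 for that same process ID carries the full command line, so the two together answer "which tool, run by whom, with which arguments"; the IIS configuration events then show whether the change also went through IIS's own configuration system or bypassed it (for example a direct netsh http add sslcert).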
Happy Troubleshooting!